Backchannel logout, azp&loa claims and several smaller fixes

• Tunnistamo now supports backchannel logout as RP, upstream OPs can now terminate Tunnistamo session
• Tokens now contain "azp"-claim, identifying the client the token was issued to
• Tokens can now contain "loa"-claim, carrying information on how whether user can be traced to national identity
• E-mail address can now be made optional
• backends can now set the global UUID for the user