feat(auth): support OIDC RP-Initiated Logout (#3975)

POST /zot/auth/logout now returns an endSessionUrl in the JSON
response body when the session was established via an OIDC provider
whose discovery document advertises an endSessionEndpoint, so the
UI can navigate the browser to it and terminate the session at the
IdP in addition to clearing the local cookie.

- The OIDC callback records the provider name in the session after
  login; the github OAuth2 path is untouched.
- end_session_endpoint is read from the zitadel/oidc RelyingParty
  and validated as an absolute http(s) URL.
- post_logout_redirect_uri prefers http.externalUrl when set and
  falls back to deriving the origin from the incoming request.
- No id_token_hint is sent; client_id identifies the RP, so the
  ID token does not need to be persisted.
- Non-OIDC sessions (local/basic/LDAP/GitHub) retain the existing
  200 OK, no body behavior.

Operators must register the URI zot sends as a valid post-logout
redirect URI on the IdP client.

Ref: https://openid.net/specs/openid-connect-rpinitiated-1_0.html

Signed-off-by: Nikita Vakula <programmistov.programmist@gmail.com>
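The logout URL construction described in the commit message, as an added Go example that is not zot's own code: the endpoint check mirrors the "absolute http(s) URL" rule, `postLogoutRedirectURI` is a hypothetical stand-in for the externalUrl-or-request-origin logic, and the IdP endpoint, client_id and host values are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// Constructed sentinel, worded like the error this commit adds.
var errInvalidEndSessionEndpoint = errors.New("end_session_endpoint must be an absolute http(s) URL")

// postLogoutRedirectURI prefers the configured externalUrl and otherwise derives
// the origin from the incoming request (hypothetical helper, not zot's own code).
func postLogoutRedirectURI(externalURL string, r *http.Request) string {
	if externalURL != "" {
		return externalURL
	}
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	return scheme + "://" + r.Host
}

// buildEndSessionURL validates the advertised end_session_endpoint (absolute http(s)
// only, so a relative path or non-web scheme from a discovery document is never
// handed to the browser) and appends the RP-Initiated Logout parameters; client_id
// identifies the RP, so no id_token_hint has to be persisted or sent.
func buildEndSessionURL(endpoint, clientID, postLogoutURI string) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return "", errInvalidEndSessionEndpoint
	}
	q := u.Query()
	q.Set("client_id", clientID)
	q.Set("post_logout_redirect_uri", postLogoutURI)
	u.RawQuery = q.Encode()
	return u.String(), nil
}

func main() { // constructed request standing in for POST /zot/auth/logout
	r, _ := http.NewRequest(http.MethodPost, "/zot/auth/logout", nil)
	r.Host = "zot.example.internal:5000"
	fmt.Println(buildEndSessionURL("https://idp.example/oidc/v1/end_session", "zot-ui", postLogoutRedirectURI("", r)))
}
```

The IdP must have the exact post_logout_redirect_uri value registered on the client, as the message notes; otherwise the logout request is rejected at the IdP.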
Nikita Vakula
2026-04-25 22:19:29 +02:00
committed by GitHub
parent 8bec9b365e
commit 8282aef12b
8 changed files with 703 additions and 38 deletions
@@ -208,4 +208,5 @@ var (
ErrOIDCAudienceMismatch = errors.New("token audience does not match any of the expected audiences")
ErrCertificateNotLoaded = errors.New("tls certificate not yet loaded")
ErrCertificateWatcherAlreadyRunning = errors.New("certificate watcher is already running")
ErrInvalidEndSessionEndpoint = errors.New("end_session_endpoint must be an absolute http(s) URL")
)
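Review bot: ErrInvalidEndSessionEndpoint is appended after the TLS certificate errors (ErrCertificateNotLoaded, ErrCertificateWatcherAlreadyRunning) instead of next to ErrOIDCAudienceMismatch and the other OIDC errors in this var block; moving it into the OIDC group keeps related sentinels together and easier to find. The message text itself matches the "absolute http(s) URL" rule stated in the commit message, which is good.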