feat(auth): support OIDC RP-Initiated Logout (#3975)

POST /zot/auth/logout now returns an endSessionUrl in the JSON
response body when the session was established via an OIDC provider
whose discovery document advertises an endSessionEndpoint, so the
UI can navigate the browser to it and terminate the session at the
IdP in addition to clearing the local cookie.

- The OIDC callback records the provider name in the session after
  login; the github OAuth2 path is untouched.
- end_session_endpoint is read from the zitadel/oidc RelyingParty
  and validated as an absolute http(s) URL.
- post_logout_redirect_uri prefers http.externalUrl when set and
  falls back to deriving the origin from the incoming request.
- No id_token_hint is sent; client_id identifies the RP, so the
  ID token does not need to be persisted.
- Non-OIDC sessions (local/basic/LDAP/GitHub) retain the existing
  200 OK, no body behavior.

Operators must register the URI zot sends as a valid post-logout
redirect URI on the IdP client.

Ref: https://openid.net/specs/openid-connect-rpinitiated-1_0.html

Signed-off-by: Nikita Vakula <programmistov.programmist@gmail.com>
Nikita Vakula
2026-04-25 22:19:29 +02:00
committed by GitHub
parent 8bec9b365e
commit 8282aef12b
8 changed files with 703 additions and 38 deletions
+11 -3
@@ -1173,7 +1173,7 @@ const docTemplate = `{
},
"/zot/auth/logout": {
"post": {
"description": "Logout by removing current session",
"description": "Logout by removing current session. For OIDC providers that advertise an\n` + "`" + `end_session_endpoint` + "`" + ` in their discovery metadata (OpenID Connect\nRP-Initiated Logout 1.0), the response body contains an ` + "`" + `endSessionUrl` + "`" + `\nthe client should navigate to in order to terminate the session at the IdP.",
"consumes": [
"application/json"
],
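Review bot: The new description for `/zot/auth/logout` does not say that `endSessionUrl` is only present when the session was established through an OIDC provider; clients generated from this document will otherwise treat the field as always available. Suggest extending the sentence to something like "For other session types (local, LDAP, GitHub) the response body is empty and no redirect is required," so the optional nature of the field is visible in the API docs rather than only in the commit message.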
@@ -1183,9 +1183,9 @@ const docTemplate = `{
"summary": "Logout by removing current session",
"responses": {
"200": {
"description": "ok",
"description": "OK",
"schema": {
"type": "string"
"$ref": "#/definitions/api.LogoutResponse"
}
},
"500": {
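Review bot: Changing the `200` schema from `"type": "string"` to `"$ref": "#/definitions/api.LogoutResponse"` conflicts with the stated behavior that non-OIDC sessions keep returning `200 OK` with no body: a generated client will try to decode an empty body as `api.LogoutResponse` and fail. Either document that the body may be empty for this response, or have the handler always emit a JSON object (`{}` when there is no `endSessionUrl`) so the schema is accurate for every session type.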
@@ -1313,6 +1313,14 @@ const docTemplate = `{
}
}
},
"api.LogoutResponse": {
"type": "object",
"properties": {
"endSessionUrl": {
"type": "string"
}
}
},
"api.RepositoryList": {
"type": "object",
"properties": {
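Review bot: The `endSessionUrl` property in `api.LogoutResponse` carries no `description` and no `format`, so readers of the generated docs cannot tell what the value is or that it is validated as an absolute http(s) URL. Suggest adding `"format": "uri"` and a description such as "Absolute URL of the IdP end_session_endpoint, including client_id and post_logout_redirect_uri; present only for OIDC sessions", mirroring the validation described for the handler, so UI consumers know not to navigate to it unless it is set.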