feat: oidc rp-initiated logout

[aymericcousaert]

Summary

• When an OIDC user logs out, redirect to the provider's end_session_endpoint to terminate the SSO session
• User must re-authenticate on next visit instead of silent re-login
• Extract resolveCoreIdProvider helper to deduplicate provider resolution (keepalive + logout)
• Add endSessionEndpoint to OAuthProvider type from OIDC discovery doc
• Clean up stored OAuth token on logout
• Include client_id and id_token_hint per OIDC RP-Initiated Logout spec
• Graceful fallback to current 204 behavior for non-OIDC users

Involved services

• @data-fair/lib: data-fair/lib#30 (frontend session logout handler)

Test plan

• Logout with OIDC coreIdProvider user: verify redirect to SSO end_session_endpoint
• Verify SSO session is terminated (re-authentication required)
• Logout with password-only user: verify existing 204 behavior unchanged
• Verify post_logout_redirect_uri is registered in IdP client config
• Multi-site: verify logout from secondary site redirects back to correct site login page