fix(oidc): add federated logout flow

[cxymds]

Type of Change

• New Feature
• Bug Fix
• Documentation
• Performance Improvement
• Test/CI
• Refactor
• Other:

Related Issues

• [BUG] Logout does not invalidate OIDC Session console#103

Summary of Changes

• add an OIDC logout endpoint that consumes a one-time logout token and redirects either to the IdP end-session URL or back to the console login page
• persist one-time logout sessions in the IAM OIDC state store instead of exposing raw ID tokens to browser storage
• include the logout token in the console callback fragment and cover the new route/fragment behavior with targeted tests

Checklist

• I have read and followed the CONTRIBUTING.md guidelines
• Passed make pre-commit
• Added/updated necessary tests
• Documentation updated (if needed)
• CI/CD passed (if applicable)

Impact

• Breaking change (compatibility)
• Requires doc/config/deployment update
• Other impact:
  Enables console-side OIDC federated logout when the provider exposes end_session_endpoint, with a safe fallback when it does not.

Additional Notes

Targeted verification run locally:

• cargo test -p rustfs-iam test_logout_state_store_insert_and_take
• PROTOC=/opt/homebrew/Cellar/protobuf@29/29.4/bin/protoc cargo test -p rustfs test_is_oidc_path_includes_logout
• PROTOC=/opt/homebrew/Cellar/protobuf@29/29.4/bin/protoc cargo test -p rustfs test_build_console_callback_fragment_includes_logout_token
• PROTOC=/opt/homebrew/Cellar/protobuf@29/29.4/bin/protoc cargo test -p rustfs test_register_routes_cover_representative_admin_paths
• cargo fmt --check --all

[github-actions]

CLA requirements are satisfied for this pull request.