Implements OIDC RP-Initiated Logout (#36724)

At logout time, if the user authenticated via OIDC, we look up the
provider's `end_session_endpoint` (already discovered by Goth from the
OIDC metadata) and redirect there with `client_id` and
`post_logout_redirect_uri`.

Non-OIDC OAuth2 providers (GitHub, GitLab, etc.) are unaffected — they
fall back to local-only logout.

Fix #14270 

---------

Signed-off-by: Nikita Vakula <nikita.vakula@alpsalpine.com>
Co-authored-by: Nikita Vakula <nikita.vakula@alpsalpine.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

services/auth/source/oauth2/providers.go

@@ -20,6 +20,7 @@ import (
 	"code.gitea.io/gitea/modules/setting"
 
 	"github.com/markbates/goth"
+	"github.com/markbates/goth/providers/openidConnect"
 )
 
 // Provider is an interface for describing a single OAuth2 provider
@@ -197,6 +198,26 @@ func ClearProviders() {
 	goth.ClearProviders()
 }
 
+// GetOIDCEndSessionEndpoint returns the OIDC end_session_endpoint for the
+// given provider name. Returns "" if the provider is not OIDC or doesn't
+// advertise an end_session_endpoint in its discovery document.
+func GetOIDCEndSessionEndpoint(providerName string) string {
+	gothRWMutex.RLock()
+	defer gothRWMutex.RUnlock()
+
+	provider, ok := goth.GetProviders()[providerName]
+	if !ok {
+		return ""
+	}
+
+	oidcProvider, ok := provider.(*openidConnect.Provider)
+	if !ok || oidcProvider.OpenIDConfig == nil {
+		return ""
+	}
+
+	return oidcProvider.OpenIDConfig.EndSessionEndpoint
+}
+
 var ErrAuthSourceNotActivated = errors.New("auth source is not activated")
 
 // used to create different types of goth providers