feat(KLEF): Add loading spinner, oidc session fix between oidc switch #19

Merged
isaacwallace123 merged 1 commit into main from feat/KLEF_Add_Loading_Spinner_And_Fix_OIDC_Sessions
Apr 7, 2026
Conversation

@JeremyNRoos (Contributor) commented Apr 7, 2026

Pull Request

Summary

  • Adds a loading spinner to the login page while an IDP plugin is starting up (replaces the form, which was shown incorrectly during startup)
  • Fixes stale OIDC session tokens from a previous IDP causing auto-redirect to the wrong identity provider after an IDP switch
  • Fixes the marketplace "Activate" button bypassing the config sheet — it now always opens the sheet so settings can be reviewed before activating
  • Adds cache: "no-store" to fetchAuthConfig to ensure the browser never serves a cached IDP config after switching providers

Related Issues

Closes #


Changes

What's Included

  • store-tokens.ts: adds clearStoredSession() — removes all oidc.user:* keys from localStorage before IDP-switch redirects
  • index.ts (auth feature): exports clearStoredSession
  • api/index.ts (auth feature): fetch("/api/v1/auth/config", { cache: "no-store" }) — prevents browser caching a stale IDP config
  • provider.tsx: polls GET /api/v1/auth/config every 3 s when enabled && !ready; skips creating OidcProvider until ready: true
  • login/page.tsx: renders a spinner when enabled && !ready (IDP plugin starting) instead of the login form
  • marketplace/page.tsx: openActivate always opens the config sheet (previously skipped it for plugins with no required fields); distinguishes already-installed vs. fresh-install in handleConfigSubmit; calls clearStoredSession + broadcastSignout before redirecting to /auth/login after IDP switch
  • setup/page.tsx: clears oidc.user:* localStorage keys before redirecting to /auth/login after initial setup install

What's Not Included

  • Session migration between IDPs (user must log in fresh after any IDP switch — by design)

Testing

How Was This Tested?

  • Activated Keycloak from marketplace: verified loading spinner shown until admin account and gRPC are ready
  • Activated Authentik from marketplace: verified no redirect to old Keycloak auth endpoint
  • Pressed "Activate" on an already-installed plugin: verified config sheet opens with current values prefilled
  • Completed setup wizard with Authentik: verified no auto-login as bootstrap admin after install

Test Coverage

  • Unit tests added or updated
  • Integration tests added or updated
  • Manually tested end-to-end

Breaking Changes

Does this PR introduce breaking changes?

  • Yes
  • No

Security Considerations

  • This PR affects authentication or authorization logic
  • This PR touches secrets, tokens, or environment variables

clearStoredSession() removes stale access/refresh/id tokens from localStorage on IDP switch, preventing a previous session from auto-authenticating with the wrong identity. cache: "no-store" on the config endpoint prevents a cached config with a different IDP's authority from being used after switching.


Documentation

Does this PR require documentation updates?

  • Yes
  • No

UI/UX (If Applicable)

  • Includes new components or views
  • Responsive behavior verified

Login page now has a "Starting identity provider…" spinner state. Marketplace config sheet is always shown on Activate.

Screenshots or recordings: (see PR description above)


Pre-Merge Checklist

  • PR title follows semantic format (fix: show spinner while IDP starts, fix stale session on IDP switch)
  • All CI checks passing
  • Code follows project style guidelines
  • No debug logs or commented-out code left in
  • Dependencies reviewed (no unnecessary additions)
  • No sensitive information included

Reviewer Notes

@JeremyNRoos self-assigned this Apr 7, 2026
@github-actions bot added the feature (New feature or enhancement), chore (Maintenance/devex), and security (Security fix/hardening) labels Apr 7, 2026
@isaacwallace123 merged commit a2af681 into main Apr 7, 2026
7 checks passed
@isaacwallace123 deleted the feat/KLEF_Add_Loading_Spinner_And_Fix_OIDC_Sessions branch April 7, 2026 23:12
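
An added example, not code from this pull request or the project: one way a clearStoredSession() like the one described above could remove every oidc.user:* key, next to a naive loop that leaves a stale session behind because removal shifts storage indices. MemoryStorage, clearWhileIterating, sampleStorage and the sample keys are hypothetical and constructed so the snippet runs outside a browser; in the browser you would pass window.localStorage.

```javascript
// Hypothetical stand-in for window.localStorage (same key/length/removeItem shape).
class MemoryStorage {
  constructor(entries = {}) { this.map = new Map(Object.entries(entries)); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

const OIDC_USER_PREFIX = "oidc.user:";

// Snapshot the matching keys first, then delete them. Returns the removed keys
// so the caller can log or assert that the old IDP's session is gone.
function clearStoredSession(storage) {
  const stale = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.startsWith(OIDC_USER_PREFIX)) stale.push(k);
  }
  stale.forEach((k) => storage.removeItem(k));
  return stale;
}

// Naive variant for comparison: deleting while walking key(i) shifts the
// remaining keys down by one, so the entry right after a removed one is skipped.
function clearWhileIterating(storage) {
  const removed = [];
  for (let i = 0; i < storage.length; i++) {
    const k = storage.key(i);
    if (k !== null && k.startsWith(OIDC_USER_PREFIX)) {
      storage.removeItem(k);
      removed.push(k);
    }
  }
  return removed;
}

// Constructed sample: sessions from two IDPs plus an unrelated preference.
function sampleStorage() {
  return new MemoryStorage({
    "oidc.user:https://keycloak.example/:klef": '{"access_token":"constructed-a"}',
    "oidc.user:https://authentik.example/:klef": '{"access_token":"constructed-b"}',
    "theme": "dark",
  });
}
```
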