Make account the OAuth authorization server instead of federation

All client apps (including federation) now redirect to account for OAuth.
Factory excludes account from OAuth client blueprint registration.
SSO logout chains through account instead of federation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

infrastructure/oauth.py

@@ -1,7 +1,7 @@
-"""OAuth2 client blueprint for non-federation apps.
+"""OAuth2 client blueprint for non-account apps.
 
 Each client app gets /auth/login, /auth/callback, /auth/logout.
-Federation is the OAuth authorization server.
+Account is the OAuth authorization server.
 """
 from __future__ import annotations
 
@@ -21,7 +21,7 @@ from sqlalchemy import select
 from shared.db.session import get_session
 from shared.models import User
 from shared.models.oauth_code import OAuthCode
-from shared.infrastructure.urls import federation_url, app_url
+from shared.infrastructure.urls import account_url, app_url
 from shared.infrastructure.cart_identity import current_cart_identity
 from shared.events import emit_activity
 
@@ -41,7 +41,7 @@ def create_oauth_blueprint(app_name: str) -> Blueprint:
         qsession["oauth_next"] = next_url
 
         redirect_uri = app_url(app_name, "/auth/callback")
-        authorize_url = federation_url(
+        authorize_url = account_url(
             f"/auth/oauth/authorize?client_id={app_name}"
             f"&redirect_uri={redirect_uri}"
             f"&state={state}"
@@ -136,7 +136,7 @@ def create_oauth_blueprint(app_name: str) -> Blueprint:
         qsession.pop(SESSION_USER_KEY, None)
         qsession.pop("cart_sid", None)
         qsession.pop("sso_checked", None)
-        # Redirect through federation to clear the SSO session too
-        return redirect(federation_url("/auth/sso-logout/"))
+        # Redirect through account to clear the SSO session too
+        return redirect(account_url("/auth/sso-logout/"))
 
     return bp