fix(auth): resolve Keycloak OIDC issuer mismatch and API proxy routing

- Bypass NextAuth OIDC discovery with explicit token/userinfo endpoints using internal Docker DNS, avoiding 'issuer string did not match' errors.
- Fix next.config.ts API route interception that incorrectly forwarded NextAuth routes to backend by using 'fallback' rewrites.
- Add 'Use different credentials' button to login page and AuthGuard for clearing stale sessions.

frontend/src/components/auth-guard.tsx

@@ -1,6 +1,6 @@
 'use client';
 
-import { useSession } from 'next-auth/react';
+import { useSession, signOut } from 'next-auth/react';
 import { useRouter } from 'next/navigation';
 import { ReactNode, useEffect } from 'react';
 import { useTenant } from '../contexts/tenant-context';
@@ -47,10 +47,23 @@ export function AuthGuard({ children }: { children: ReactNode }) {
   }
 
   if (clubs.length === 0 && status === 'authenticated') {
+    const handleSwitchAccount = () => {
+      const keycloakLogoutUrl = `${process.env.NEXT_PUBLIC_KEYCLOAK_ISSUER || 'http://localhost:8080/realms/workclub'}/protocol/openid-connect/logout?redirect_uri=${encodeURIComponent(window.location.origin + '/login')}`;
+      signOut({ redirect: false }).then(() => {
+        window.location.href = keycloakLogoutUrl;
+      });
+    };
+
     return (
       <div className="flex flex-col items-center justify-center min-h-screen gap-4">
         <h2 className="text-2xl font-bold">No Clubs Found</h2>
         <p>Contact admin to get access to a club</p>
+        <button 
+          onClick={handleSwitchAccount}
+          className="mt-4 px-4 py-2 bg-gray-100 hover:bg-gray-200 text-gray-800 rounded-md border border-gray-300 transition-colors"
+        >
+          Use different credentials
+        </button>
       </div>
     );
   }