Problem
OIDC_PROVIDER_ID has a fallback default of "oidc" in src/lib/auth/constants.ts:
export const OIDC_PROVIDER_ID = process.env.OIDC_PROVIDER_ID || "oidc";
This value is interpolated directly into the OAuth2 callback URL:
redirectURI: `${BASE_URL}/api/auth/oauth2/callback/${OIDC_PROVIDER_ID}`,
In production, if the operator forgets to set OIDC_PROVIDER_ID, the callback URL becomes /api/auth/oauth2/callback/oidc — which won't match what's registered in the OIDC provider (e.g. Okta expects /api/auth/oauth2/callback/okta). This causes a silent redirect URI mismatch that is hard to debug.
The documentation marks this variable as "Required" but the code silently falls back to a default, creating a gap between documented and actual behavior.
Proposal
Either:
- Validate at startup — fail fast if OIDC_PROVIDER_ID is not set in production (NODE_ENV === "production"), with a clear error message
- Or remove the default and make it truly required (the app won't start without it)
Option 1 is preferred since it preserves the dev experience (default "oidc" works with the mock provider).
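The fail-fast variant (Option 1) as an added example, not code from the project: `resolveOidcProviderId` and `buildCallbackUrl` are hypothetical helper names, and the character check on the id is an assumption added because the value is interpolated into a URL path.

```typescript
// Added example: resolve OIDC_PROVIDER_ID with a dev default but fail fast in production.
// Helper names are hypothetical; this is not the project's own constants.ts.

type Env = Record<string, string | undefined>;

// Default that works with the mock provider in dev/E2E setups.
const DEV_DEFAULT_PROVIDER_ID = "oidc";

// Assumption: provider ids are plain path segments (no "/", whitespace, etc.),
// since the value becomes part of /api/auth/oauth2/callback/<id>.
const PROVIDER_ID_PATTERN = /^[A-Za-z0-9_-]+$/;

class OidcProviderIdConfigError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "OidcProviderIdConfigError";
  }
}

function resolveOidcProviderId(env: Env): string {
  const raw = env.OIDC_PROVIDER_ID?.trim();
  if (!raw) {
    if (env.NODE_ENV === "production") {
      throw new OidcProviderIdConfigError(
        "OIDC_PROVIDER_ID is required in production but is not set. " +
          "It must equal the provider id registered with your OIDC provider " +
          '(e.g. "okta"), because the OAuth2 callback URL is ' +
          "/api/auth/oauth2/callback/<OIDC_PROVIDER_ID>."
      );
    }
    return DEV_DEFAULT_PROVIDER_ID;
  }
  if (!PROVIDER_ID_PATTERN.test(raw)) {
    throw new OidcProviderIdConfigError(
      `OIDC_PROVIDER_ID "${raw}" is not a valid URL path segment.`
    );
  }
  return raw;
}

// Builds the redirect URI the provider must have registered.
function buildCallbackUrl(baseUrl: string, providerId: string): string {
  return `${baseUrl.replace(/\/+$/, "")}/api/auth/oauth2/callback/${providerId}`;
}
```

Call `resolveOidcProviderId(process.env)` once at module load so a misconfigured production deploy fails at startup instead of at the first login.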
Additional context
- The providerId is also used in the database to associate user accounts with the OIDC provider (db.ts:60). Changing the value after users exist would orphan their accounts.
- The E2E and dev setups already set this explicitly ("oidc" in workflows, "okta" in Playwright config).