Fix OIDC endpoint URLs to include /oidc prefix

Configure oidc-provider routes with explicit /oidc prefix so the
discovery document and token endpoints resolve correctly. Previously
the catch-all stripped the prefix, causing the provider to generate
URLs without it.

server/routes/oidc/[...].ts

@@ -14,10 +14,8 @@ export default defineEventHandler(async (event) => {
   const provider = await getOidcProvider();
   const { req, res } = event.node;
 
-  // oidc-provider expects paths relative to its own mount point.
-  // Nitro gives us the full path, so strip the /oidc prefix.
-  const originalUrl = req.url || "";
-  req.url = originalUrl.replace(/^\/oidc/, "") || "/";
+  // The provider's routes config includes the /oidc prefix,
+  // so pass the full path through without stripping.
 
   // Hand off to oidc-provider's Connect-style callback
   const callback = provider.callback() as Function;

server/utils/oidc-provider.ts

@@ -90,6 +90,22 @@ export async function getOidcProvider() {
       rpInitiatedLogout: { enabled: true },
     },
 
+    // Mount all OIDC endpoints under /oidc prefix
+    routes: {
+      authorization: "/oidc/auth",
+      backchannel_authentication: "/oidc/backchannel",
+      code_verification: "/oidc/device",
+      device_authorization: "/oidc/device/auth",
+      end_session: "/oidc/session/end",
+      introspection: "/oidc/token/introspection",
+      jwks: "/oidc/jwks",
+      pushed_authorization_request: "/oidc/request",
+      registration: "/oidc/reg",
+      revocation: "/oidc/token/revocation",
+      token: "/oidc/token",
+      userinfo: "/oidc/me",
+    },
+
     interactions: {
       url(_ctx: unknown, interaction: { uid: string }) {
         return `/oidc/interaction/${interaction.uid}`;