From a0558746807e6ff98885c2eb5dd43f957f46f901 Mon Sep 17 00:00:00 2001
From: Jennie Robinson Faber
Date: Sun, 1 Mar 2026 16:41:38 +0000
Subject: [PATCH] Fix OIDC endpoint URLs to include /oidc prefix

Configure oidc-provider routes with explicit /oidc prefix so the discovery document and token endpoints resolve correctly. Previously the catch-all stripped the prefix, causing the provider to generate URLs without it.

---
 server/routes/oidc/[...].ts | 6 ++----
 server/utils/oidc-provider.ts | 16 ++++++++++++++++
 2 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/server/routes/oidc/[...].ts b/server/routes/oidc/[...].ts
index 8628a61..ec6d7be 100644
--- a/server/routes/oidc/[...].ts
+++ b/server/routes/oidc/[...].ts
@@ -14,10 +14,8 @@ export default defineEventHandler(async (event) => {
 const provider = await getOidcProvider();
 const { req, res } = event.node;
- // oidc-provider expects paths relative to its own mount point.
- // Nitro gives us the full path, so strip the /oidc prefix.
- const originalUrl = req.url || "";
+ req.url = originalUrl.replace(/^\/oidc/, "") || "/";
+ // The provider's routes config includes the /oidc prefix,
+ // so pass the full path through without stripping.
 // Hand off to oidc-provider's Connect-style callback
 const callback = provider.callback() as Function;
diff --git a/server/utils/oidc-provider.ts b/server/utils/oidc-provider.ts
index a4b22f0..4da4e2a 100644
--- a/server/utils/oidc-provider.ts
+++ b/server/utils/oidc-provider.ts
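Review bot: As printed, `req.url = originalUrl.replace(/^\/oidc/, "") || "/";` carries a `+` marker while `const originalUrl = req.url || "";` is removed, which would leave `originalUrl` unresolved on the new side and keep stripping the very prefix this commit says it stops stripping. The hunk header's `-14,10 +14,8` counts only add up if that line is a removal, so the `+` is most likely a marker lost when the listing was collapsed — worth confirming the assignment is really gone. If it is, the `|| ""` fallback went with it and `req.url` is now handed to the provider exactly as Nitro supplied it, which is the intended behaviour; a pointer in the new comment to where the prefix is configured, e.g. `// prefix is set in the routes block of server/utils/oidc-provider.ts`, would help the next reader find it. The handler body continues outside the hunk.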
@@ -90,6 +90,22 @@ export async function getOidcProvider() {
 rpInitiatedLogout: { enabled: true },
 },
+ // Mount all OIDC endpoints under /oidc prefix
+ routes: {
+ authorization: "/oidc/auth",
+ backchannel_authentication: "/oidc/backchannel",
+ code_verification: "/oidc/device",
+ device_authorization: "/oidc/device/auth",
+ end_session: "/oidc/session/end",
+ introspection: "/oidc/token/introspection",
+ jwks: "/oidc/jwks",
+ pushed_authorization_request: "/oidc/request",
+ registration: "/oidc/reg",
+ revocation: "/oidc/token/revocation",
+ token: "/oidc/token",
+ userinfo: "/oidc/me",
+ },
+
 interactions: {
 url(_ctx: unknown, interaction: { uid: string }) {
 return `/oidc/interaction/${interaction.uid}`;
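Review bot: The twelve route strings each repeat the `/oidc` mount prefix that also appears in the interaction URL just below and is implied by the catch-all's location under `server/routes/oidc/`; a single constant such as `const OIDC_PREFIX = "/oidc";` with entries built from it, e.g. `token: OIDC_PREFIX + "/token",`, would keep them from drifting apart, since a mismatch means the discovery document advertises endpoints the catch-all never receives. Any oidc-provider route not listed here presumably keeps the library default, which carries no prefix and so would be unreachable behind this handler — worth cross-checking the list against the installed version's full route table. The `routes` block would also benefit from a one-line comment stating that every entry must sit under the path served by `server/routes/oidc/[...].ts`, since nothing in this file enforces that. `getOidcProvider` starts and ends outside the hunk.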