fix: hardcode OIDC_PROVIDER_ID to oidc (#497)

* Hardcode OIDC_PROVIDER_ID to "oidc"

The providerId is Better Auth's internal identifier used in the
OAuth2 callback URL path (e.g., /api/auth/oauth2/callback/oidc).
It is not related to any specific identity provider (Okta, Auth0,
etc.) and has no reason to vary between deployments.

Hardcoding it to "oidc" simplifies configuration and makes the
redirect URI predictable for all customers, removing one env var
that was confusing and unnecessary.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Use static "Sign in" button text instead of provider name

The sign-in button was deriving its text from OIDC_PROVIDER_ID (showing
"Oidc" after hardcoding). Replace with static "Sign in" text and remove
the Okta icon, matching the enterprise implementation.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix hono and postcss transitive vulnerabilities via pnpm overrides

- hono: ^4.12.12 → >=4.12.14 (GHSA-458j-xx4x-4375, HTML injection in JSX SSR)
- postcss: added >=8.5.10 override (GHSA-qx2v-qp2m-jg93, XSS via </style>)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Remove dead OktaIcon component

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix E2E fixture sign-in button selector

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Add explanatory comment for hardcoded OIDC_PROVIDER_ID

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: peppescg

.env.example

@@ -15,9 +15,6 @@ OIDC_CLIENT_ID=
 # OAuth2 Client Secret from your OIDC provider
 OIDC_CLIENT_SECRET=
 
-# OIDC Provider identifier (e.g., "okta", "auth0", "oidc")
-OIDC_PROVIDER_ID=
-
 # Better Auth Configuration
 # Secret key for token encryption (generate with: openssl rand -base64 32)
 BETTER_AUTH_SECRET=
@@ -48,7 +45,6 @@ API_BASE_URL=
 # OIDC_ISSUER_URL=http://localhost:3001
 # OIDC_CLIENT_ID=web-client
 # OIDC_CLIENT_SECRET=web-secret
-# OIDC_PROVIDER_ID=oidc
 # BETTER_AUTH_URL=http://localhost:3000
 # API_BASE_URL=http://localhost:9090
 

.github/workflows/e2e.yml

@@ -22,7 +22,6 @@ jobs:
       OIDC_ISSUER_URL: http://localhost:4000
       OIDC_CLIENT_ID: test-only-not-a-real-id
       OIDC_CLIENT_SECRET: test-only-not-a-real-secret
-      OIDC_PROVIDER_ID: oidc
       BETTER_AUTH_URL: http://localhost:3000
       BETTER_AUTH_SECRET: test-only-not-a-real-better-auth-secret
       USE_E2E_MODEL: "true"
@@ -72,7 +71,6 @@ jobs:
         env:
           # These env vars must match the runtime values for token encryption/decryption to work
           BETTER_AUTH_SECRET: test-only-not-a-real-better-auth-secret
-          OIDC_PROVIDER_ID: oidc
 
       - name: Run Playwright tests
         run: pnpm test:e2e

AGENTS.md

@@ -331,7 +331,6 @@ pnpm generate-client  # Fetch swagger.json and regenerate
   - `OIDC_ISSUER_URL` - OIDC provider URL
   - `OIDC_CLIENT_ID` - OAuth2 client ID
   - `OIDC_CLIENT_SECRET` - OAuth2 client secret
-  - `OIDC_PROVIDER_ID` - Provider identifier (e.g., "okta", "oidc") - **Required**, server-side only.
   - `BETTER_AUTH_URL` - Application base URL
   - `BETTER_AUTH_SECRET` - Secret for token encryption
 

CLAUDE.md

@@ -298,7 +298,6 @@ git push origin v0.x.x
   - `OIDC_ISSUER_URL` - OIDC provider URL
   - `OIDC_CLIENT_ID` - OAuth2 client ID
   - `OIDC_CLIENT_SECRET` - OAuth2 client secret
-  - `OIDC_PROVIDER_ID` - Provider identifier (e.g., "okta", "oidc") - Required, server-side only.
   - `BETTER_AUTH_URL` - Application base URL
   - `BETTER_AUTH_SECRET` - Secret for token encryption
 

Makefile

@@ -192,7 +192,6 @@ kind-setup: kind-create kind-deploy
 ##   OIDC_ISSUER_URL=https://your-org.okta.com
 ##   OIDC_CLIENT_ID=your-client-id
 ##   OIDC_CLIENT_SECRET=your-client-secret
-##   OIDC_PROVIDER_ID=okta
 ##   BETTER_AUTH_SECRET=your-secret
 compose-up:
 	@echo "Starting full stack (UI + Registry Server)..."

README.md

@@ -235,7 +235,6 @@ pnpm dev:mock-server
 OIDC_ISSUER_URL=https://your-oidc-provider.com
 OIDC_CLIENT_ID=your-client-id
 OIDC_CLIENT_SECRET=your-client-secret
-OIDC_PROVIDER_ID=okta  # or your provider
 BETTER_AUTH_SECRET=your-secret
 BETTER_AUTH_URL=http://localhost:3000
 ```
@@ -263,7 +262,6 @@ pnpm dev:next
 OIDC_ISSUER_URL=https://your-oidc-provider.com
 OIDC_CLIENT_ID=your-client-id
 OIDC_CLIENT_SECRET=your-client-secret
-OIDC_PROVIDER_ID=okta
 
 # Real backend API
 API_BASE_URL=https://your-backend-api.com
@@ -323,7 +321,6 @@ See [`docs/mocks.md`](./docs/mocks.md) for details.
 | `OIDC_ISSUER_URL`    | OIDC provider's issuer URL  | `https://auth.example.com`              |
 | `OIDC_CLIENT_ID`     | OAuth2 client ID            | `your-client-id`                        |
 | `OIDC_CLIENT_SECRET` | OAuth2 client secret        | `your-client-secret`                    |
-| `OIDC_PROVIDER_ID`   | Provider identifier         | `okta`, `auth0`, `oidc`                 |
 | `BETTER_AUTH_SECRET` | Secret for token encryption | Generate with `openssl rand -base64 32` |
 | `BETTER_AUTH_URL`    | Application base URL        | `https://your-app.example.com`          |
 | `API_BASE_URL`       | Backend API URL             | `https://api.example.com`               |
@@ -347,7 +344,6 @@ NODE_ENV=development
 OIDC_ISSUER_URL=http://localhost:3001
 OIDC_CLIENT_ID=web-client
 OIDC_CLIENT_SECRET=web-secret
-OIDC_PROVIDER_ID=oidc
 BETTER_AUTH_URL=http://localhost:3000
 API_BASE_URL=http://localhost:9090
 ```
@@ -425,7 +421,6 @@ git clone https://github.com/stacklok/toolhive-registry-server.git ../toolhive-r
    OIDC_ISSUER_URL=https://your-org.okta.com
    OIDC_CLIENT_ID=your-client-id
    OIDC_CLIENT_SECRET=your-client-secret
-   OIDC_PROVIDER_ID=okta  # or: azure-ad, auth0, oidc
    ```
 
 2. Start the stack:
@@ -451,7 +446,6 @@ To use an external backend API instead of the local registry-server, add `API_BA
 OIDC_ISSUER_URL=https://your-org.okta.com
 OIDC_CLIENT_ID=your-client-id
 OIDC_CLIENT_SECRET=your-client-secret
-OIDC_PROVIDER_ID=okta
 
 # Override local registry-server with external API
 API_BASE_URL=https://api.toolhive.example.com

dev-auth/README.md

@@ -53,6 +53,5 @@ Replace this with a real OIDC provider (Okta, Keycloak, Auth0, etc.) by updating
 - `OIDC_ISSUER_URL` - OIDC provider URL
 - `OIDC_CLIENT_ID` - OAuth2 client ID
 - `OIDC_CLIENT_SECRET` - OAuth2 client secret
-- `OIDC_PROVIDER_ID` - Provider identifier (e.g., "okta", "oidc") - **Required**, server-side only.
 - `BETTER_AUTH_URL` - Application base URL (e.g., `http://localhost:3000`)
 - `BETTER_AUTH_SECRET` - Secret for token encryption

docker-compose.yaml

@@ -11,7 +11,6 @@
 #   # OIDC_ISSUER_URL=https://your-org.okta.com
 #   # OIDC_CLIENT_ID=your-client-id
 #   # OIDC_CLIENT_SECRET=your-client-secret
-#   # OIDC_PROVIDER_ID=okta
 #   # BETTER_AUTH_SECRET=your-secret
 #   # API_BASE_URL=http://toolhive-registry-api:8080  (optional, default shown)
 #   docker compose up --build
@@ -98,7 +97,6 @@ services:
       - OIDC_ISSUER_URL=${OIDC_ISSUER_URL:-http://localhost:4000}
       - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-better-auth-dev}
       - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-dev-secret-change-in-production}
-      - OIDC_PROVIDER_ID=${OIDC_PROVIDER_ID:-okta}
       # Database for session storage (handles large OIDC tokens like Azure AD)
       - DATABASE_URL=postgresql://auth:auth@toolhive-auth-db:5432/auth
     networks:

package.json

@@ -13,9 +13,9 @@
     "lint": "biome check",
     "format": "biome format --write",
     "test": "vitest",
-    "test:e2e": "BETTER_AUTH_SECRET=e2e-test-secret-at-least-32-chars-long OIDC_PROVIDER_ID=okta BETTER_AUTH_RATE_LIMIT=100 pnpm build && playwright test",
-    "test:e2e:ui": "BETTER_AUTH_SECRET=e2e-test-secret-at-least-32-chars-long OIDC_PROVIDER_ID=okta BETTER_AUTH_RATE_LIMIT=100 pnpm build && playwright test --ui",
-    "test:e2e:debug": "BETTER_AUTH_SECRET=e2e-test-secret-at-least-32-chars-long OIDC_PROVIDER_ID=okta BETTER_AUTH_RATE_LIMIT=100 pnpm build && playwright test --debug",
+    "test:e2e": "BETTER_AUTH_SECRET=e2e-test-secret-at-least-32-chars-long BETTER_AUTH_RATE_LIMIT=100 pnpm build && playwright test",
+    "test:e2e:ui": "BETTER_AUTH_SECRET=e2e-test-secret-at-least-32-chars-long BETTER_AUTH_RATE_LIMIT=100 pnpm build && playwright test --ui",
+    "test:e2e:debug": "BETTER_AUTH_SECRET=e2e-test-secret-at-least-32-chars-long BETTER_AUTH_RATE_LIMIT=100 pnpm build && playwright test --debug",
     "start:e2e": "concurrently -n \"OIDC,Mock,Next\" -c \"blue,magenta,green\" \"pnpm oidc\" \"pnpm mock:server\" \"pnpm start\"",
     "test:coverage": "vitest run --coverage",
     "type-check": "tsc --noEmit",
@@ -116,7 +116,7 @@
       "express-rate-limit": ">=8.2.2",
       "lodash": ">=4.17.23",
       "lodash-es": ">=4.17.23",
-      "hono": "^4.12.12",
+      "hono": ">=4.12.14",
       "@hono/node-server": "^1.19.13",
       "defu": "^6.1.5",
       "rollup": ">=4.59.0",
@@ -126,7 +126,8 @@
       "qs": ">=6.14.2",
       "yaml": ">=2.8.3",
       "path-to-regexp@>=8.0.0 <8.4.0": "8.4.0",
-      "path-to-regexp@>=0.1.0 <0.1.13": "0.1.13"
+      "path-to-regexp@>=0.1.0 <0.1.13": "0.1.13",
+      "postcss": ">=8.5.10"
     }
   }
 }

playwright.config.mts

@@ -45,7 +45,6 @@ export default defineConfig({
           OIDC_ISSUER_URL: "http://localhost:4000",
           OIDC_CLIENT_ID: "better-auth-dev",
           OIDC_CLIENT_SECRET: "dev-secret-change-in-production",
-          OIDC_PROVIDER_ID: "okta",
           BETTER_AUTH_URL: "http://localhost:3000",
           BETTER_AUTH_SECRET: "e2e-test-secret-at-least-32-chars-long",
           // Better Auth rate limits sign-in to 3 requests per 10 seconds by default.