fix(#337): Replace hardcoded OIDC values in federation with env vars

- Use OIDC_ISSUER and OIDC_CLIENT_ID from environment for JWT validation
- Federation OIDC properly configured from environment variables
- Fail fast with clear error when OIDC config is missing
- Handle trailing slash normalization for issuer URL
- Add tests verifying env var usage and missing config error handling

Refs #337

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

apps/api/src/federation/oidc.service.ts

@@ -129,16 +129,47 @@ export class OIDCService {
         };
       }
 
+      // Get OIDC configuration from environment variables
+      // These must be configured for federation token validation to work
+      const issuer = this.config.get<string>("OIDC_ISSUER");
+      const clientId = this.config.get<string>("OIDC_CLIENT_ID");
+
+      // Fail fast if OIDC configuration is missing
+      if (!issuer || issuer.trim() === "") {
+        this.logger.error(
+          "Federation OIDC validation failed: OIDC_ISSUER environment variable is not configured"
+        );
+        return {
+          valid: false,
+          error:
+            "Federation OIDC configuration error: OIDC_ISSUER is required for token validation",
+        };
+      }
+
+      if (!clientId || clientId.trim() === "") {
+        this.logger.error(
+          "Federation OIDC validation failed: OIDC_CLIENT_ID environment variable is not configured"
+        );
+        return {
+          valid: false,
+          error:
+            "Federation OIDC configuration error: OIDC_CLIENT_ID is required for token validation",
+        };
+      }
+
       // Get validation secret from config (for testing/development)
       // In production, this should fetch JWKS from the remote instance
       const secret =
         this.config.get<string>("OIDC_VALIDATION_SECRET") ?? "test-secret-key-for-jwt-signing";
       const secretKey = new TextEncoder().encode(secret);
 
+      // Remove trailing slash from issuer for JWT validation (jose expects issuer without trailing slash)
+      const normalizedIssuer = issuer.endsWith("/") ? issuer.slice(0, -1) : issuer;
+
       // Verify and decode JWT
       const { payload } = await jose.jwtVerify(token, secretKey, {
-        issuer: "https://auth.example.com", // TODO: Fetch from remote instance config
-        audience: "mosaic-client-id", // TODO: Get from config
+        issuer: normalizedIssuer,
+        audience: clientId,
       });
 
       // Extract claims