fix(auth): restore BetterAuth OIDC flow across api/web/compose

docs/1-getting-started/2-installation/3-docker-setup.md

@@ -219,7 +219,7 @@ JWT_EXPIRATION=24h
 OIDC_ISSUER=https://auth.example.com/application/o/mosaic/
 OIDC_CLIENT_ID=prod-client-id
 OIDC_CLIENT_SECRET=prod-client-secret
-OIDC_REDIRECT_URI=https://mosaic.example.com/auth/callback
+OIDC_REDIRECT_URI=https://mosaic.example.com/auth/oauth2/callback/authentik
 ```
 
 ### Compose Override for Production

docs/1-getting-started/3-configuration/1-environment.md

@@ -89,7 +89,7 @@ OIDC_CLIENT_ID=your-client-id
 OIDC_CLIENT_SECRET=your-client-secret
 
 # Callback URL (must match Authentik configuration)
-OIDC_REDIRECT_URI=http://localhost:3001/auth/callback
+OIDC_REDIRECT_URI=http://localhost:3001/auth/oauth2/callback/authentik
 ```
 
 See [Authentik Setup](2-authentik.md) for complete OIDC configuration.
@@ -229,7 +229,7 @@ JWT_EXPIRATION=24h
 OIDC_ISSUER=https://auth.example.com/application/o/mosaic-stack/
 OIDC_CLIENT_ID=your-client-id
 OIDC_CLIENT_SECRET=your-client-secret
-OIDC_REDIRECT_URI=http://localhost:3001/auth/callback
+OIDC_REDIRECT_URI=http://localhost:3001/auth/oauth2/callback/authentik
 
 # ======================
 # Cache

docs/1-getting-started/3-configuration/2-authentik.md

@@ -54,17 +54,17 @@ Sign up at [goauthentik.io](https://goauthentik.io) for managed Authentik.
 
 4. **Configure Provider:**
 
-   | Field                          | Value                                           |
-   | ------------------------------ | ----------------------------------------------- |
-   | **Name**                       | Mosaic Stack                                    |
-   | **Authorization flow**         | default-provider-authorization-implicit-consent |
-   | **Client type**                | Confidential                                    |
-   | **Client ID**                  | (auto-generated, save this)                     |
-   | **Client Secret**              | (auto-generated, save this)                     |
-   | **Redirect URIs**              | `http://localhost:3001/auth/callback`           |
-   | **Scopes**                     | `openid`, `email`, `profile`                    |
-   | **Subject mode**               | Based on User's UUID                            |
-   | **Include claims in id_token** | ✅ Enabled                                      |
+   | Field                          | Value                                                  |
+   | ------------------------------ | ------------------------------------------------------ |
+   | **Name**                       | Mosaic Stack                                           |
+   | **Authorization flow**         | default-provider-authorization-implicit-consent        |
+   | **Client type**                | Confidential                                           |
+   | **Client ID**                  | (auto-generated, save this)                            |
+   | **Client Secret**              | (auto-generated, save this)                            |
+   | **Redirect URIs**              | `http://localhost:3001/auth/oauth2/callback/authentik` |
+   | **Scopes**                     | `openid`, `email`, `profile`                           |
+   | **Subject mode**               | Based on User's UUID                                   |
+   | **Include claims in id_token** | ✅ Enabled                                             |
 
 5. **Click "Create"**
 
@@ -96,7 +96,7 @@ Update your `.env` file:
 OIDC_ISSUER=http://localhost:9000/application/o/mosaic-stack/
 OIDC_CLIENT_ID=<your-client-id-from-step-2>
 OIDC_CLIENT_SECRET=<your-client-secret-from-step-2>
-OIDC_REDIRECT_URI=http://localhost:3001/auth/callback
+OIDC_REDIRECT_URI=http://localhost:3001/auth/oauth2/callback/authentik
 ```
 
 **Important Notes:**
@@ -113,7 +113,7 @@ For production deployments:
 OIDC_ISSUER=https://auth.example.com/application/o/mosaic-stack/
 OIDC_CLIENT_ID=prod-client-id
 OIDC_CLIENT_SECRET=prod-client-secret
-OIDC_REDIRECT_URI=https://mosaic.example.com/auth/callback
+OIDC_REDIRECT_URI=https://mosaic.example.com/auth/oauth2/callback/authentik
 ```
 
 Update Authentik redirect URIs to match your production URL.
@@ -143,7 +143,7 @@ docker compose restart api
 
 ```bash
 # Initiate OIDC flow
-curl http://localhost:3001/auth/callback/authentik
+curl http://localhost:3001/auth/oauth2/callback/authentik
 
 # This will return a redirect URL to Authentik
 ```
@@ -223,8 +223,8 @@ Customize Authentik's login page:
 
 ```bash
 # Ensure exact match (including http vs https)
-# In Authentik: http://localhost:3001/auth/callback
-# In .env: OIDC_REDIRECT_URI=http://localhost:3001/auth/callback
+# In Authentik: http://localhost:3001/auth/oauth2/callback/authentik
+# In .env: OIDC_REDIRECT_URI=http://localhost:3001/auth/oauth2/callback/authentik
 ```
 
 ### Error: "Invalid client credentials"

docs/1-getting-started/3-configuration/3-docker.md

@@ -89,7 +89,7 @@ AUTHENTIK_PORT_HTTPS=9443
 OIDC_ISSUER=http://localhost:9000/application/o/mosaic-stack/
 OIDC_CLIENT_ID=your-client-id-here
 OIDC_CLIENT_SECRET=your-client-secret-here
-OIDC_REDIRECT_URI=http://localhost:3001/auth/callback
+OIDC_REDIRECT_URI=http://localhost:3001/auth/oauth2/callback/authentik
 ```
 
 **Bootstrap Credentials:**