Comprehensive plan for fixing the production 500 on POST /auth/sign-in/oauth2
and redesigning the frontend login page to be OIDC-aware with multi-method
authentication support.
Key areas covered:
- Backend: OIDC startup validation, auth config discovery endpoint, BetterAuth
error handling, PKCE, session hardening, trustedOrigins extraction
- Frontend: Multi-method login page, PDA-friendly error display, adaptive UI
based on backend-advertised providers, loading states, accessibility
- Security: CSRF rationale, secret leakage prevention, redirect URI validation,
session idle timeout, OIDC health checks
- 6 implementation phases with file change map and testing strategy
Created with input from frontend design, backend, security, and auth architecture
specialist reviews.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
