The OIDC-only path in hack_club_auth.rb generates:
response_type: :id_token,
response_mode: :form_post
This is the implicit flow, which HCA doesn't appear to support (and is discouraged by the OAuth 2.0 Security BCP regardless). The config should use the standard authorization code flow instead:
and drop the response_mode: :form_post line (the default redirect response mode works fine with code flow).
🤖 Generated with Claude Code
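As an added example (not part of the original issue or the project's code), this Ruby check flags the two settings quoted above in a provider options hash and rewrites the hash to authorization code flow. The function names, the sample hash and its `name`/`scope` entries are constructed for illustration; only `response_type` and `response_mode` come from the issue.

```ruby
require "set"

# response_type values that make the authorization endpoint hand back tokens
# directly (implicit or hybrid flow) rather than only an authorization code.
FRONT_CHANNEL_TOKEN_TYPES = Set["id_token", "token"].freeze

# Constructed sample mirroring the two lines quoted in the issue.
IMPLICIT_SAMPLE = {
  name: :example_provider,        # hypothetical value
  scope: %i[openid],              # hypothetical value
  response_type: :id_token,
  response_mode: :form_post
}.freeze

# Returns a list of findings; an empty list means plain code flow is requested.
def audit_oidc_options(opts)
  findings = []
  # response_type may be a space-separated combination such as "code id_token".
  types = opts.fetch(:response_type, :code).to_s.split
  leaked = types.select { |t| FRONT_CHANNEL_TOKEN_TYPES.include?(t) }
  unless leaked.empty?
    findings << "response_type '#{types.join(' ')}' returns #{leaked.join(', ')} " \
                "from the authorization endpoint (implicit/hybrid flow)"
  end
  findings << "response_type does not request an authorization code" unless types.include?("code")
  if opts.key?(:response_mode)
    findings << "response_mode '#{opts[:response_mode]}' is set; the default " \
                "redirect response mode is enough for code flow"
  end
  findings
end

# Returns a copy of the options switched to authorization code flow,
# with the response_mode override dropped as the issue suggests.
def to_code_flow(opts)
  opts.reject { |key, _| key == :response_mode }.merge(response_type: :code)
end

if __FILE__ == $PROGRAM_NAME
  audit_oidc_options(IMPLICIT_SAMPLE).each { |f| puts "FINDING: #{f}" }
  puts "fixed: #{to_code_flow(IMPLICIT_SAMPLE).inspect}"
end
```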