Much work.

app/controllers/omniauth_callbacks_controller.rb

@@ -0,0 +1,26 @@
+class OmniauthCallbacksController < ApplicationController
+  allow_unauthenticated_access only: [:oidc, :failure]
+
+  def oidc
+    auth_hash = request.env['omniauth.auth']
+
+    user = User.from_oidc(auth_hash)
+
+    if user
+      start_new_session_for(user)
+      redirect_to after_login_path, notice: "Successfully signed in via OIDC"
+    else
+      redirect_to new_session_path, alert: "Failed to sign in via OIDC - email not found"
+    end
+  end
+
+  def failure
+    redirect_to new_session_path, alert: "Authentication failed: #{params[:message]}"
+  end
+
+  private
+
+  def after_login_path
+    session.delete(:return_to_after_authenticating) || root_url
+  end
+end