Drop omniauth for openid_connect gem

config/database.yml

@@ -66,4 +66,4 @@ production:
   cable:
     <<: *sqlite_default
     database: storage/production_cable.sqlite3
-    migrations_paths: db/cable_migrate
+    migrations_paths: db/cable_migrate

config/initializers/omniauth.rb

@@ -1,29 +0,0 @@
-Rails.application.config.middleware.use OmniAuth::Builder do
-  # Only configure OIDC if environment variables are present
-  if ENV['OIDC_DISCOVERY_URL'].present? && ENV['OIDC_CLIENT_ID'].present? && ENV['OIDC_CLIENT_SECRET'].present?
-    provider :openid_connect, {
-      name: :oidc,
-      scope: [:openid, :email, :groups],
-      response_type: :code,
-      client_options: {
-        identifier: ENV['OIDC_CLIENT_ID'],
-        secret: ENV['OIDC_CLIENT_SECRET'],
-        redirect_uri: ENV['OIDC_REDIRECT_URI'],
-        discovery: true,
-        authorization_endpoint: nil,
-        token_endpoint: nil,
-        userinfo_endpoint: nil,
-        jwks_uri: nil
-      },
-      discovery_document: {
-        issuer: ENV['OIDC_ISSUER'] # Optional, defaults to discovery URL issuer
-      }
-    }
-  end
-end
-
-# Disable OmniAuth logging in production
-OmniAuth.config.logger = Rails.logger if Rails.env.production?
-
-# Set OmniAuth failure mode
-OmniAuth.config.failure_raise_out_environments = %w[development test]

config/routes.rb

@@ -4,9 +4,9 @@ Rails.application.routes.draw do
   resource :session
   resource :password
 
-  # OIDC authentication routes
-  get "/auth/failure", to: "omniauth_callbacks#failure"
-  get "/auth/:provider/callback", to: "omniauth_callbacks#oidc"
+  # OIDC authentication routes (explicit, no middleware)
+  post "/auth/oidc", to: "oidc_auth#authorize"
+  get "/auth/oidc/callback", to: "oidc_auth#callback"
 
   # Admin user management (admin only)
   resources :users, only: [:index, :show, :edit, :update]