3 months ago
The OIDC configuration advertised by https://backboard.railway.com/oauth/.well-known/openid-configuration says the authorization response should include the `iss` parameter. According to RFC 9207, when `authorization_response_iss_parameter_supported: true` the response should include the issuer along with the `code` and `state`.
Clients that perform discovery and expect an issuer parameter will reject the response when one is not provided.
The simple fix is to flip `authorization_response_iss_parameter_supported` to `false`.
The better solution is to implement the RFC properly and include the `iss` parameter with the value already defined in the OIDC configuration endpoint for both success and error responses. The docs page should also guide users to pass the `iss` parameter along with the `code` and `state` to their OAuth library.
0 Replies
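For readers wondering what a client that "expects an issuer parameter" actually checks, here is the RFC 9207 validation on the client side as an added example (not code from Railway or from the poster). The discovery document and redirect URLs are constructed inputs; `response_verdict` is a hypothetical helper name. It covers success and error responses, a missing `iss` when support is advertised, and an `iss` that does not match the discovered issuer.

```python
"""Client-side RFC 9207 check of the iss parameter in an OAuth 2.0 authorization response."""
from urllib.parse import urlparse, parse_qs

# Constructed discovery metadata, shaped like the relevant fields of an
# openid-configuration document (illustrative values, not Railway's).
DISCOVERY_WITH_ISS = {
    "issuer": "https://issuer.example",
    "authorization_response_iss_parameter_supported": True,
}
DISCOVERY_WITHOUT_ISS = {"issuer": "https://issuer.example"}


def validate_authorization_response(redirect_url: str, discovery: dict, expected_state: str) -> dict:
    """Return the accepted parameters, or raise ValueError explaining the rejection."""
    query = parse_qs(urlparse(redirect_url).query, keep_blank_values=True)
    # A parameter that appears twice is a tampering indicator; reject outright.
    if any(len(v) != 1 for v in query.values()):
        raise ValueError("duplicate parameter in authorization response")
    params = {k: v[0] for k, v in query.items()}

    # state must equal the value this client generated for the request (CSRF binding).
    if params.get("state") != expected_state:
        raise ValueError("state mismatch")

    iss = params.get("iss")
    if discovery.get("authorization_response_iss_parameter_supported") and iss is None:
        # RFC 9207 section 2.4: when the AS advertises support, the client MUST
        # reject any response (success or error) that lacks iss.
        raise ValueError("iss missing although advertised as supported")
    if iss is not None and iss != discovery["issuer"]:
        # The mix-up defence: the response must come from the AS the request went to.
        raise ValueError("iss does not match discovery issuer")

    if "code" in params:
        return {"kind": "success", "code": params["code"], "iss": iss}
    if "error" in params:
        return {"kind": "error", "error": params["error"], "iss": iss}
    raise ValueError("neither code nor error present")


def response_verdict(redirect_url: str, discovery: dict, expected_state: str) -> str:
    """Hypothetical convenience wrapper: 'ok' on acceptance, else the rejection reason."""
    try:
        validate_authorization_response(redirect_url, discovery, expected_state)
        return "ok"
    except ValueError as exc:
        return str(exc)
```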