Description
In a new TYPO3 v13 installation $GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['enforceValidation'] is activated by default. This requires almost all query string parameters to be signed with a cHash.
\Causal\Oidc\Service\OpenIdConnectService::getFinalLoginUrl produces the login URL with two query string arguments, logintype and tx_oidc[code], but without a cHash.
Example:
https://v13.t3ext-oidc.test/en/?logintype=login&tx_oidc%5Bcode%5D=B65…A-1
This leads to a 404:
404
The page did not exist or was inaccessible. Reason: Request parameters could not be validated (&cHash empty)
I see three options to solve this:
A) Add a cHash to the login URL.
This is not trivial, because we would need the page id of the login page, but we only have a URL.
The following does not work, because the cacheHashCalculator fails with "ID parameter needs to be passed for the cHash calculation!".
class OpenIdConnectService implements LoggerAwareInterface
{
@@ -141,7 +142,11 @@ class OpenIdConnectService implements LoggerAwareInterface
$loginUrl = new Uri($this->authContext->getLoginUrl());
$query = $loginUrl->getQuery() . GeneralUtility::implodeArrayForUrl('', $loginUrlParams);
-
+ $cacheHashCalculator = GeneralUtility::makeInstance(CacheHashCalculator::class);
+ $cHash = $cacheHashCalculator->generateForParameters($query);
+ if ($cHash) {
+ $query .= '&cHash=' . $cHash;
+ }
return $loginUrl->withQuery(ltrim($query, '&'));
}
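Review bot: the call `$cHash = $cacheHashCalculator->generateForParameters($query);` in the added lines is handed a parameter string that only carries the login page's own query string plus logintype and tx_oidc[code], so there is no `id` in it and the calculator throws the RuntimeException quoted above. The page id behind `$loginUrl` has to be resolved first (site matcher plus the site's page router) and prepended as `id=<pid>&` to the string given to the calculator; it is needed for the calculation only, since the frontend re-derives the page id from the route when it validates the cHash, so it does not have to be appended to the returned URL.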
To get the page id, we would have to resolve the site and page from the URL.
B) Exclude the parameters from the cHash
$GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['excludedParameters'] = array_merge($GLOBALS['TYPO3_CONF_VARS']['FE']['cacheHash']['excludedParameters'] ?? [], [
'tx_oidc[code]',
'logintype',
]);
But logintype does not belong to this extension, so I am hesitant to put it on the list.
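As an added illustration of option A (this is example code written for this page, not code from the OIDC extension or from TYPO3 core), the following resolves the page id from the login URL and only then asks the calculator for a cHash. It relies on the TYPO3 v13 core classes TYPO3\CMS\Core\Routing\SiteMatcher, the site's page router and TYPO3\CMS\Frontend\Page\CacheHashCalculator::generateForParameters(); the function name buildSignedLoginUrl and the RuntimeException message are mine. It assumes it runs inside a booted TYPO3 frontend, where the DI container and the site configuration are available.

```php
<?php
declare(strict_types=1);

use TYPO3\CMS\Core\Http\ServerRequest;
use TYPO3\CMS\Core\Http\Uri;
use TYPO3\CMS\Core\Routing\PageArguments;
use TYPO3\CMS\Core\Routing\SiteMatcher;
use TYPO3\CMS\Core\Utility\GeneralUtility;
use TYPO3\CMS\Frontend\Page\CacheHashCalculator;

/**
 * Example helper (not part of the extension): build a login URL whose query
 * string is signed with a cHash, so that it passes FE.cacheHash.enforceValidation.
 *
 * @param string $loginPageUrl   absolute URL of the login page, e.g. https://example.test/en/
 * @param array  $loginUrlParams e.g. ['logintype' => 'login', 'tx_oidc' => ['code' => $code]]
 */
function buildSignedLoginUrl(string $loginPageUrl, array $loginUrlParams): Uri
{
    $loginUrl = new Uri($loginPageUrl);

    // 1. Resolve the page behind the URL. The cHash is calculated over the page id
    //    plus the relevant query parameters, so the id must be known first.
    //    A throw-away GET request for the login URL is enough for the routers.
    $request = new ServerRequest($loginUrl, 'GET');
    $siteMatcher = GeneralUtility::makeInstance(SiteMatcher::class);
    $siteRouteResult = $siteMatcher->matchRequest($request);
    $pageArguments = $siteRouteResult->getSite()->getRouter()->matchRequest($request, $siteRouteResult);
    if (!$pageArguments instanceof PageArguments) {
        // Hypothetical message: the URL matched a site but no page route.
        throw new \RuntimeException('Login URL does not resolve to a TYPO3 page: ' . $loginPageUrl);
    }
    $pageId = $pageArguments->getPageId();

    // 2. Merge the page's existing query string with the login parameters.
    //    implodeArrayForUrl() prefixes every pair with "&", hence the ltrim.
    $query = ltrim($loginUrl->getQuery() . GeneralUtility::implodeArrayForUrl('', $loginUrlParams), '&');

    // 3. Calculate the cHash. "id" is required by the calculator but is not part
    //    of the URL: when validating, the frontend takes the page id from the route.
    $cacheHashCalculator = GeneralUtility::makeInstance(CacheHashCalculator::class);
    $cHash = $cacheHashCalculator->generateForParameters('id=' . $pageId . '&' . $query);

    if ($cHash === '') {
        // The calculator returns '' only when no parameter is relevant for the cHash
        // (all excluded); such a URL needs no signature and is valid as it is.
        return $loginUrl->withQuery($query);
    }

    return $loginUrl->withQuery($query . '&cHash=' . $cHash);
}

// Usage with the parameters from the report (values are placeholders):
// $url = buildSignedLoginUrl('https://v13.t3ext-oidc.test/en/', [
//     'logintype' => 'login',
//     'tx_oidc' => ['code' => $authorizationCode],
// ]);
// (string)$url now ends in ...&tx_oidc%5Bcode%5D=...&cHash=<32 hex chars>
```

The cHash includes the site's encryptionKey, so the signed URL is only valid on the installation that produced it; that is what keeps a third party from forging cached page variants, and also why the code of option A has to run on the TYPO3 side rather than being assembled by the identity provider.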