Gitea 1.11.5 - no UI displays to register a new user with third party auth

I’m trying to set up a publicly-facing Gitea instance that only allows user registrations from configured third-party authentication providers. I’m starting with Microsoft’s, which I’ve configured as a generic OpenID provider.

This is my relevant config information in /etc/gitea/app.ini:

ENABLE_OPENID_SIGNIN = true
ENABLE_OPENID_SIGNUP = true
WHITELISTED_URIS     =
BLACKLISTED_URIS     =

[service]
ACTIVE_CODE_LIVE_MINUTES                      = 180
RESET_PASSWD_CODE_LIVE_MINUTES                = 180
REGISTER_EMAIL_CONFIRM                        = false
EMAIL_DOMAIN_WHITELIST                        =
DISABLE_REGISTRATION                          = false
ALLOW_ONLY_EXTERNAL_REGISTRATION              = true
REQUIRE_SIGNIN_VIEW                           = false
ENABLE_NOTIFY_MAIL                            = false
ENABLE_BASIC_AUTHENTICATION                   = true
ENABLE_REVERSE_PROXY_AUTHENTICATION           = true
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION        = true
ENABLE_REVERSE_PROXY_EMAIL                    = true

Logging in with OpenID works, and the Microsoft auth provider works, but Gitea then shows a 500 error since there’s no user associated with the OpenID account. How do I make registration allow the use of third party providers?

Bump.

I’ve also validated that my Azure app registration is set up according to this. The Gitea log is giving an error, but I can’t figure out what is misconfigured.

routers/user/auth.go:601:handleOAuth2SignIn() [E] UserSignIn: oauth2: error validating JWT token: issuer in token does not match issuer in OpenIDConfig discovery
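
Added example, not part of the original posts and not Gitea's code: a small diagnostic that prints the two strings an exact-match issuer check like the one in that log line compares, namely the `iss` claim of the ID token and the `issuer` field of the provider's discovery document. The tenant ID, client ID, token and both discovery documents are constructed sample values; the function names are hypothetical, and the post does not establish which value differs in this setup.

```python
import base64
import json


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.
    Diagnosis only; never authorize on unverified claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def compare_issuer(id_token: str, discovery: dict) -> dict:
    """Report the two strings an exact-match issuer check compares."""
    token_iss = jwt_claims(id_token).get("iss")
    disc_iss = discovery.get("issuer")
    return {
        "token_iss": token_iss,
        "discovery_issuer": disc_iss,
        "match": token_iss is not None and token_iss == disc_iss,
        # A literal placeholder such as "{tenantid}" can never equal
        # the iss of a real token, so flag it explicitly.
        "templated": bool(disc_iss) and "{" in disc_iss,
    }


def _b64(obj) -> str:
    """base64url-encode a JSON object the way JWT segments are encoded."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample data (assumed shapes, not taken from the post).
TENANT = "00000000-0000-0000-0000-000000000000"
ISSUER = f"https://login.microsoftonline.com/{TENANT}/v2.0"
SAMPLE_TOKEN = ".".join([
    _b64({"alg": "RS256", "typ": "JWT"}),
    _b64({"iss": ISSUER, "aud": "constructed-client-id"}),
    "c2ln",  # placeholder signature segment, never checked here
])
TENANT_DISCOVERY = {"issuer": ISSUER}
TEMPLATED_DISCOVERY = {"issuer": "https://login.microsoftonline.com/{tenantid}/v2.0"}

if __name__ == "__main__":
    for name, doc in (("tenant-specific", TENANT_DISCOVERY),
                      ("templated", TEMPLATED_DISCOVERY)):
        print(name, compare_issuer(SAMPLE_TOKEN, doc))
```

To use it against a real setup, pass the ID token captured during a failed sign-in and the JSON fetched from the auto-discovery URL configured for the provider.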