diff --git a/.env.template b/.env.template
index d114200b..a8048486 100644
--- a/.env.template
+++ b/.env.template
@@ -30,7 +30,6 @@ HTTPS_PORT=443
 # EMAIL_PASSWORD=
 
 # Optional: configure Single Sign-on with OpenID Connect
-# OIDC_ENABLED=
 # OIDC_DISCOVERY_URL=
 # OIDC_CLIENT_ID=
 # OIDC_CLIENT_SECRET=
diff --git a/docker-compose.yml b/docker-compose.yml
index b38b662c..6d317637 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -64,7 +64,6 @@ services:
 - EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true}
 - EMAIL_USER=${EMAIL_USER:-''}
 - EMAIL_PASSWORD=${EMAIL_PASSWORD:-''}
- - OIDC_ENABLED=${OIDC_ENABLED:-false}
 - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
 - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
 - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
@@ -79,7 +78,9 @@ services:
 build:
 context: .
 args:
- - OIDC_ENABLED=${OIDC_ENABLED:-false}
+ - OIDC_DISCOVERY_URL=${OIDC_DISCOVERY_URL:-''}
+ - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-''}
+ - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-''}
 dockerfile: nginx.dockerfile
 depends_on:
 - service
diff --git a/files/prebuild/build-frontend.sh b/files/prebuild/build-frontend.sh
index 041cdac6..799d7ebb 100755
--- a/files/prebuild/build-frontend.sh
+++ b/files/prebuild/build-frontend.sh
@@ -1,4 +1,7 @@
 #!/bin/bash -eu
 cd client
 npm clean-install --no-audit --fund=false --update-notifier=false
-VUE_APP_OIDC_ENABLED="$OIDC_ENABLED" npm run build
+if [[ -n $OIDC_DISCOVERY_URL && -n $OIDC_CLIENT_ID && -n $OIDC_CLIENT_SECRET ]]; then
+ export VUE_APP_OIDC_ENABLED=true
+fi
+npm run build
diff --git a/files/service/config.json.template b/files/service/config.json.template
index 235a7a17..423374d7 100644
--- a/files/service/config.json.template
+++ b/files/service/config.json.template
@@ -34,7 +34,6 @@
 "sysadminAccount": "${SYSADMIN_EMAIL}"
 },
 "oidc": {
- "enabled": ${OIDC_ENABLED},
 "discoveryUrl": "${OIDC_DISCOVERY_URL}",
 "clientId": "${OIDC_CLIENT_ID}",
 "clientSecret": "${OIDC_CLIENT_SECRET}"
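Review bot: The new `args:` block hands `OIDC_CLIENT_SECRET` to the frontend image build even though the browser bundle only needs to know whether OIDC is switched on; build args are recorded in the build metadata (`docker history`) of the stage that consumes them, and with the classic builder that `intermediate` stage stays in the local image cache, so a server-side secret now lands in build artefacts where it was not present before. The same value is threaded through the `ARG OIDC_CLIENT_SECRET` and `RUN OIDC_CLIENT_SECRET="$OIDC_CLIENT_SECRET" …` lines in nginx.dockerfile and the `-n $OIDC_CLIENT_SECRET` test in files/prebuild/build-frontend.sh. Dropping the secret from all three and gating the toggle on the two non-secret values, `if [[ -n ${OIDC_DISCOVERY_URL:-} && -n ${OIDC_CLIENT_ID:-} ]]; then`, keeps the feature switch without exposing the secret to the build. Whether the service itself also requires the secret before enabling OIDC is decided outside these hunks, so the frontend gate should be kept consistent with that check.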
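Review bot: The new `[[ -n … ]]` test runs under `#!/bin/bash -eu`, so any of the three variables being unset (as opposed to empty) aborts the script with an unbound-variable error instead of producing a build without OIDC; inside the Docker build the `RUN` line in nginx.dockerfile always defines them, but a direct invocation of the script does not. Writing the test as `if [[ -n ${OIDC_DISCOVERY_URL:-} && -n ${OIDC_CLIENT_ID:-} && -n ${OIDC_CLIENT_SECRET:-} ]]; then` makes it safe either way. Separately, docker-compose.yml interpolates `${OIDC_CLIENT_ID:-''}` (and the other two defaults) to the two literal characters `''` when the variable is unset, so if that default reaches the build arg unchanged the `-n` tests all succeed and `VUE_APP_OIDC_ENABLED=true` is exported on an unconfigured install; worth confirming with `docker compose config` and, if so, changing those defaults to plain empty, `${OIDC_CLIENT_ID:-}`.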
diff --git a/files/service/scripts/start-odk.sh b/files/service/scripts/start-odk.sh
index 935d5486..f8669fde 100755
--- a/files/service/scripts/start-odk.sh
+++ b/files/service/scripts/start-odk.sh
@@ -4,7 +4,7 @@ echo "generating local service configuration.."
 
 ENKETO_API_KEY=$(cat /etc/secrets/enketo-api-key) \
 BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \
-envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_DISCOVERY_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
+envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_DISCOVERY_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
 < /usr/share/odk/config.json.template \
 > /usr/odk/config/local.json
 
diff --git a/nginx.dockerfile b/nginx.dockerfile
index 72b4ecd9..6ddfb91e 100644
--- a/nginx.dockerfile
+++ b/nginx.dockerfile
@@ -1,9 +1,12 @@
-ARG OIDC_ENABLED
 FROM node:18.17 as intermediate
+ARG OIDC_DISCOVERY_URL
+ARG OIDC_CLIENT_ID
+ARG OIDC_CLIENT_SECRET
 COPY ./ ./
 RUN files/prebuild/write-version.sh
-RUN OIDC_ENABLED="$OIDC_ENABLED" files/prebuild/build-frontend.sh
+RUN OIDC_DISCOVERY_URL="$OIDC_DISCOVERY_URL" OIDC_CLIENT_ID="$OIDC_CLIENT_ID" OIDC_CLIENT_SECRET="$OIDC_CLIENT_SECRET" \
+ files/prebuild/build-frontend.sh
 # when upgrading, look for upstream changes to redirector.conf
 # also, confirm setup-odk.sh strips out HTTP-01 ACME challenge location