diff --git a/front.go b/front.go
index 782fe31..791941c 100644
--- a/front.go
+++ b/front.go
@@ -332,7 +332,8 @@ func FrontRoot(app *App) func(c echo.Context) error {
 Secure: true,
 })
 
- for name, provider := range app.OIDCProvidersByName {
+ for _, name := range app.OIDCProviderNames {
+ provider := app.OIDCProvidersByName[name]
 authURL, err := makeOIDCAuthURL(&c, provider, stateBase64)
 if err != nil {
 return err
@@ -438,7 +439,8 @@ func FrontRegistration(app *App) func(c echo.Context) error {
 Secure: true,
 })
 
- for name, provider := range app.OIDCProvidersByName {
+ for _, name := range app.OIDCProviderNames {
+ provider := app.OIDCProvidersByName[name]
 authURL, err := makeOIDCAuthURL(&c, provider, stateBase64)
 if err != nil {
 return err
@@ -624,7 +626,7 @@ func (app *App) oidcLink(c echo.Context, oidcProvider *OIDCProvider, tokens *oid
 return c.Redirect(http.StatusSeeOther, returnURL)
 }
 
-func (app *App) oidcSignIn(c echo.Context, oidcProvider *OIDCProvider, tokens *oidc.Tokens[*oidc.IDTokenClaims], state oidcState) error {
+func (app *App) oidcSignIn(c echo.Context, _ *OIDCProvider, tokens *oidc.Tokens[*oidc.IDTokenClaims], state oidcState) error {
 failureURL := state.ReturnURL
 completeRegistrationURL, err := url.JoinPath(app.FrontEndURL, "web/complete-registration")
 if err != nil {
@@ -994,7 +996,8 @@ func FrontUser(app *App) func(c echo.Context) error {
 }
 }
 
- for name, provider := range app.OIDCProvidersByName {
+ for _, name := range app.OIDCProviderNames {
+ provider := app.OIDCProvidersByName[name]
 if !linkedOIDCProviderNames.Contains(name) {
 authURL, err := makeOIDCAuthURL(&c, provider, stateBase64)
 if err != nil {
diff --git a/main.go b/main.go
index d1cb3c9..a448696 100644
--- a/main.go
+++ b/main.go
@@ -67,6 +67,7 @@ type App struct {
 AEAD cipher.AEAD
 SkinMutex *sync.Mutex
 VerificationSkinTemplate *image.NRGBA
+ OIDCProviderNames []string
 OIDCProvidersByName map[string]*OIDCProvider
 OIDCProvidersByIssuer map[string]*OIDCProvider
 }
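Review bot: In the `FrontRoot` hunk of front.go, `provider := app.OIDCProvidersByName[name]` indexes the map without checking the key, so a name present in `OIDCProviderNames` but absent from the map yields a nil `*OIDCProvider` that is passed straight to `makeOIDCAuthURL`. The same two lines are repeated in the `FrontRegistration` and `FrontUser` hunks. `setup` fills both collections together, so the invariant holds at start-up, but both are exported fields of `App` and nothing enforces it afterwards. Either guard the lookup with `provider, ok := app.OIDCProvidersByName[name]; if !ok { continue }`, or move the ordered lookup into one helper on `App` so the three loops cannot drift apart. The loop bodies continue outside the hunks.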
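Review bot: `oidcSignIn` in front.go has no doc comment explaining why its `*OIDCProvider` argument is now discarded, and with the name blanked the signature no longer shows which issuer a sign-in is bound to. The body continues outside the hunk, so it is not visible whether the account lookup keys on issuer plus subject from `tokens`. Once that is confirmed against the body, a comment such as `// oidcSignIn resolves the account from the ID token claims; the provider argument is unused and kept to match oidcLink's signature.` would record the intent for the next reader of this authentication path.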
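Review bot: The new `OIDCProviderNames` field in the `App` struct in main.go carries no comment about its ordering or its relation to the two maps declared after it. Suggest adding `// OIDCProviderNames lists provider names in the order setup appended them; every entry must be a key of OIDCProvidersByName.` above the field. The front-end loops added in this commit index the map with these names unchecked, so the relationship is worth stating where the field is declared.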
@@ -500,6 +501,7 @@ func setup(config *Config) *App {
 }
 
 // OIDC providers
+ oidcProviderNames := make([]string, 0, len(config.RegistrationOIDC))
 oidcProvidersByName := map[string]*OIDCProvider{}
 oidcProvidersByIssuer := map[string]*OIDCProvider{}
 scopes := []string{"openid", "email"}
@@ -528,6 +530,7 @@ func setup(config *Config) *App {
 Config: oidcConfig,
 }
 
+ oidcProviderNames = append(oidcProviderNames, oidcConfig.Name)
 oidcProvidersByName[oidcConfig.Name] = &oidcProvider
 oidcProvidersByIssuer[oidcConfig.Issuer] = &oidcProvider
 }
@@ -555,6 +558,7 @@ func setup(config *Config) *App {
 AuthlibInjectorURL: Unwrap(url.JoinPath(config.BaseURL, "authlib-injector")),
 APIURL: Unwrap(url.JoinPath(config.BaseURL, DRASL_API_PREFIX)),
 VerificationSkinTemplate: verificationSkinTemplate,
+ OIDCProviderNames: oidcProviderNames,
 OIDCProvidersByName: oidcProvidersByName,
 OIDCProvidersByIssuer: oidcProvidersByIssuer,
 }
diff --git a/util.go b/util.go
index a9d5f6c..c87a392 100644
--- a/util.go
+++ b/util.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+ "cmp"
 "crypto"
 "crypto/rand"
 "crypto/rsa"
@@ -11,6 +12,7 @@ import (
 "io"
 "log"
 "os"
+ "slices"
 "strings"
 "sync"
 )
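Review bot: In the `@@ -528` hunk of `setup`, `oidcProviderNames = append(oidcProviderNames, oidcConfig.Name)` runs for every configured provider, while the map assignment on the next line keeps only the last entry for a given name. Two providers configured with the same `Name` would therefore appear twice in the slice, both resolving to the last provider, and a repeated `Issuer` is overwritten in `oidcProvidersByIssuer` just as silently. Whether the configuration is checked for uniqueness earlier is not visible here. If it is not, refuse to start on a duplicate before appending, for example `if _, dup := oidcProvidersByName[oidcConfig.Name]; dup { log.Fatalf("duplicate OIDC provider name %q", oidcConfig.Name) }`, or use whatever fatal-error path `setup` already has. The enclosing loop starts outside the hunk.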