diff --git a/.rubocop_todo.yml b/.rubocop_todo.yml
index 945d7514a..adfd47689 100644
--- a/.rubocop_todo.yml
+++ b/.rubocop_todo.yml
@@ -37,7 +37,7 @@ Layout/HashAlignment:
 Layout/LeadingCommentSpace:
   Exclude:
     - 'config/application.rb'
-    - 'config/initializers/omniauth.rb'
+    - 'config/initializers/3_omniauth.rb'
 
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: Max, AllowHeredoc, AllowURI, URISchemes, IgnoreCopDirectives, AllowedPatterns.
@@ -86,7 +86,7 @@ Lint/UnusedBlockArgument:
 Lint/UselessAssignment:
   Exclude:
     - 'app/services/activitypub/process_status_update_service.rb'
-    - 'config/initializers/omniauth.rb'
+    - 'config/initializers/3_omniauth.rb'
     - 'db/migrate/20190511134027_add_silenced_at_suspended_at_to_accounts.rb'
     - 'db/post_migrate/20190511152737_remove_suspended_silenced_account_fields.rb'
     - 'spec/controllers/api/v1/favourites_controller_spec.rb'
@@ -573,11 +573,11 @@ Style/FetchEnvVar:
     - 'config/environments/development.rb'
     - 'config/environments/production.rb'
     - 'config/initializers/2_limited_federation_mode.rb'
+    - 'config/initializers/3_omniauth.rb'
     - 'config/initializers/blacklists.rb'
     - 'config/initializers/cache_buster.rb'
     - 'config/initializers/content_security_policy.rb'
     - 'config/initializers/devise.rb'
-    - 'config/initializers/omniauth.rb'
     - 'config/initializers/paperclip.rb'
     - 'config/initializers/vapid.rb'
     - 'lib/mastodon/premailer_webpack_strategy.rb'
@@ -811,7 +811,7 @@ Style/StringLiterals:
 # AllowedMethods: define_method, mail, respond_to
 Style/SymbolProc:
   Exclude:
-    - 'config/initializers/omniauth.rb'
+    - 'config/initializers/3_omniauth.rb'
 
 # This cop supports safe autocorrection (--autocorrect).
 # Configuration parameters: EnforcedStyle, AllowSafeAssignment.
diff --git a/config/initializers/omniauth.rb b/config/initializers/3_omniauth.rb
similarity index 97%
rename from config/initializers/omniauth.rb
rename to config/initializers/3_omniauth.rb
index 0f968bd66..7520f09e5 100644
--- a/config/initializers/omniauth.rb
+++ b/config/initializers/3_omniauth.rb
@@ -1,5 +1,9 @@
 # frozen_string_literal: true
 
+# OmniAuth providers need to be initialized before the CSP initializer
+# in `config/initializers/content_security_policy.rb`, which sets the
+# `form-action` directive based on them.
+
 Rails.application.config.middleware.use OmniAuth::Builder do
   # Vanilla omniauth strategies
 end
diff --git a/config/initializers/content_security_policy.rb b/config/initializers/content_security_policy.rb
index 5b32ee49b..6ce84a6e4 100644
--- a/config/initializers/content_security_policy.rb
+++ b/config/initializers/content_security_policy.rb
@@ -26,12 +26,14 @@ def sso_host
 
   provider = Devise.omniauth_configs[Devise.omniauth_providers[0]]
   @sso_host ||= begin
-    # using CAS
-    provider.cas_url if ENV['CAS_ENABLED'] == 'true'
-    # using SAML
-    provider.options[:idp_sso_target_url] if ENV['SAML_ENABLED'] == 'true'
-    # or using OIDC
-    ENV['OIDC_AUTH_ENDPOINT'] || (OpenIDConnect::Discovery::Provider::Config.discover!(ENV['OIDC_ISSUER']).authorization_endpoint if ENV['OIDC_ENABLED'] == 'true')
+    case provider.provider
+    when :cas
+      provider.cas_url
+    when :saml
+      provider.options[:idp_sso_target_url]
+    when :openid_connect
+      provider.options.dig(:client_options, :authorization_endpoint) || OpenIDConnect::Discovery::Provider::Config.discover!(provider.options[:issuer]).authorization_endpoint
+    end
   end
 end