Handbook
Enterprise — OIDC and reverse proxies
Enterprise builds can pair OIDC sign-in with lenses-access.json RBAC. Keep loopback binding until the proxy terminates TLS and injects identity headers deliberately.
Updated
What it is
Enterprise builds can pair OIDC sign-in with lenses-access.json RBAC. Keep loopback binding until the proxy terminates TLS and injects identity headers deliberately.
Telemetry and governance POST endpoints still honor local-first defaults. Historical governance decisions (audit logging, bearer flows)—including the material summarized as ADR 013 for contributors—are indexed from the Maintainer handbook on GitHub; this public handbook avoids deep-linking individual ADR files.
Environment
OIDC-related LENSES_OIDC_* variables are summarized in Configuration reference and flagged in env matrix.
Verify
Login completes without redirect loops and /api/auth/status reflects the expected session when exercised through the same hostname operators publish.