Handbook
Scenario — OIDC login rehearsal
Validate issuer metadata, JWKS reachability, redirect URLs, and /api/auth/status parity inside the same hostname you publish to teammates.
Updated
Scenario summary
Validate issuer metadata, JWKS reachability, redirect URLs, and /api/auth/status parity inside the same hostname you publish to teammates.
User role
Security engineer + operator pair.
Starting state
- Reverse proxy hostname matches what browsers use for Studio.
- Maintainers captured OIDC env vars in Configuration reference.
Steps
- Fetch
.well-known/openid-configurationfrom the issuer. - Exercise login through the proxy path described in Enterprise — OIDC sessions.
- Confirm GET-only routes still answer without session.
Example input
Sanitized snippet of LENSES_OIDC_ISSUER + callback base URL (no secrets).
Example output or expected state
Session cookie established, /api/auth/status shows expected subject, no redirect loops.
Verification
Follow the Verify section in Enterprise — OIDC sessions.
Failure / recovery
Purge cookies, disable allowlists, return to loopback-only listener, compare env matrix vs config reference.