Scenario — OIDC login rehearsal

Validate issuer metadata, JWKS reachability, redirect URLs, and /api/auth/status parity inside the same hostname you publish to teammates.

Updated

Scenario summary

Validate issuer metadata, JWKS reachability, redirect URLs, and /api/auth/status parity inside the same hostname you publish to teammates.

User role

Security engineer + operator pair.

Starting state

  • Reverse proxy hostname matches what browsers use for Studio.
  • Maintainers captured OIDC env vars in Configuration reference.

Steps

  1. Fetch .well-known/openid-configuration from the issuer.
  2. Exercise login through the proxy path described in Enterprise — OIDC sessions.
  3. Confirm GET-only routes still answer without session.

Example input

Sanitized snippet of LENSES_OIDC_ISSUER + callback base URL (no secrets).

Example output or expected state

Session cookie established, /api/auth/status shows expected subject, no redirect loops.

Verification

Follow the Verify section in Enterprise — OIDC sessions.

Failure / recovery

Purge cookies, disable allowlists, return to loopback-only listener, compare env matrix vs config reference.

sample-oauth-oidc-endpoint.json.