Test OIDC integration with Authentik provider #44

Closed
opened 2026-03-14 12:39:02 +01:00 by claude · 1 comment
Owner

Context

OIDC token exchange is implemented (a4de2a7) but has only been verified at the code level. Needs end-to-end testing with a real OIDC provider.

Steps

  1. Set up an Authentik instance (or use an existing one)
  2. Create an OAuth2/OIDC application in Authentik for Cameleer
  3. Configure redirect URI to match the SPA callback URL
  4. Set env vars: CAMELEER_OIDC_ENABLED=true, CAMELEER_OIDC_ISSUER=https://..., CAMELEER_OIDC_CLIENT_ID=..., CAMELEER_OIDC_CLIENT_SECRET=...
  5. Configure CAMELEER_OIDC_ROLES_CLAIM to match Authentik's role claim path
  6. Verify: login flow works, roles are extracted, user is persisted in ClickHouse, internal JWT is issued correctly

Also Verify

  • Role resolution priority: DB override > OIDC claim > default
  • Token refresh preserves roles
  • OIDC config endpoint returns correct metadata for the SPA
  • Error handling when OIDC provider is unreachable
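
The role resolution priority listed above (DB override > OIDC claim > default), sketched as an added example; this is not Cameleer's code. The dotted claim-path syntax, the role names, the default role and the sample claims are all assumptions made for illustration.

```python
# Added illustration; not Cameleer code. Dotted-path syntax, role names and
# claim layout are assumptions made for this example.
from typing import Any, Optional

DEFAULT_ROLES = ["VIEWER"]  # hypothetical default role


def roles_from_claims(claims: dict, claim_path: str) -> Optional[list]:
    """Walk a dotted path (e.g. "app.roles") through decoded token claims.

    Returns None when the path is absent or the value is unusable, so the
    caller can fall through to the next priority level.
    """
    node: Any = claims
    for key in claim_path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    if isinstance(node, str):          # single role or space-separated string
        node = node.split()
    if not isinstance(node, list):
        return None
    roles = [r for r in node if isinstance(r, str) and r]
    return roles or None


def resolve_roles(db_override, claims, claim_path, default=DEFAULT_ROLES):
    """Priority from the issue: DB override > OIDC claim > default."""
    if db_override:                    # explicit assignment stored for the user
        return list(db_override), "db"
    claimed = roles_from_claims(claims, claim_path)
    if claimed:
        return claimed, "oidc"
    return list(default), "default"


# Constructed claims resembling a decoded ID token (values are made up).
SAMPLE_CLAIMS = {
    "sub": "user-123",
    "groups": ["cameleer-admins"],
    "app": {"roles": ["OPERATOR", "VIEWER"]},
}

if __name__ == "__main__":
    for override, path in [(["ADMIN"], "app.roles"), (None, "app.roles"),
                           (None, "missing.path"), ([], "groups")]:
        print(path, override, "->", resolve_roles(override, SAMPLE_CLAIMS, path))
```

Returning the source alongside the roles makes it easy to assert in an end-to-end test which level of the priority chain actually supplied them.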
Author
Owner

Successfully tested with Authentik — OIDC integration works end-to-end.
