cameleer/cameleer-server
1
0
Fork 0
Code Issues 41 Pull Requests Actions Packages Projects Releases Wiki Activity

Test OIDC integration with Authentik provider #44

New Issue
Closed
opened 2026-03-14 12:39:02 +01:00 by claude · 1 comment
claude commented 2026-03-14 12:39:02 +01:00
Owner
Copy Link

Context

OIDC token exchange is implemented (a4de2a7) but has only been verified at the code level. Needs end-to-end testing with a real OIDC provider.

Steps

  1. Set up an Authentik instance (or use existing one)
  2. Create an OAuth2/OIDC application in Authentik for Cameleer
  3. Configure redirect URI to match the SPA callback URL
  4. Set env vars: CAMELEER_OIDC_ENABLED=true, CAMELEER_OIDC_ISSUER=https://..., CAMELEER_OIDC_CLIENT_ID=..., CAMELEER_OIDC_CLIENT_SECRET=...
  5. Configure CAMELEER_OIDC_ROLES_CLAIM to match Authentik's role claim path
  6. Verify: login flow works, roles are extracted, user is persisted in ClickHouse, internal JWT is issued correctly

Also Verify

  • Role resolution priority: DB override > OIDC claim > default
  • Token refresh preserves roles
  • OIDC config endpoint returns correct metadata for the SPA
  • Error handling when OIDC provider is unreachable
## Context OIDC token exchange is implemented (a4de2a7) but has only been verified at the code level. Needs end-to-end testing with a real OIDC provider. ## Steps 1. Set up an Authentik instance (or use existing one) 2. Create an OAuth2/OIDC application in Authentik for Cameleer 3. Configure redirect URI to match the SPA callback URL 4. Set env vars: `CAMELEER_OIDC_ENABLED=true`, `CAMELEER_OIDC_ISSUER=https://...`, `CAMELEER_OIDC_CLIENT_ID=...`, `CAMELEER_OIDC_CLIENT_SECRET=...` 5. Configure `CAMELEER_OIDC_ROLES_CLAIM` to match Authentik's role claim path 6. Verify: login flow works, roles are extracted, user is persisted in ClickHouse, internal JWT is issued correctly ## Also Verify - Role resolution priority: DB override > OIDC claim > default - Token refresh preserves roles - OIDC config endpoint returns correct metadata for the SPA - Error handling when OIDC provider is unreachable
claude commented 2026-03-14 22:19:31 +01:00
Author
Owner
Copy Link

Successfully tested with Authentik — OIDC integration works end-to-end.

Successfully tested with Authentik — OIDC integration works end-to-end.
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
accessibility
Accessibility (a11y) improvements
 bug
Something isn't working correctly
 cleanup
Code cleanup, dead code removal, refactoring
 epic
Epic: groups related issues
 feature
New functionality
 pmf
Product-market fit: critical for first market offer
 route-diagram
Route diagram page and execution overlay
 security
Authentication, authorization, RBAC
 ui
Frontend / React UI
 ux
UX/usability improvements
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
claude
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: cameleer/cameleer-server#44
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?