Auth And OIDC

Symptoms

• The login page does not show an OIDC provider.
• OIDC redirects fail.
• Login transactions fail after restart.
• Users authenticate but do not get expected roles.

Checks

Read metadata:

curl -fsS http://localhost:6743/api/v1/meta

If OIDC is enabled, providers appear in the oidc.providers list.

Check startup logs for OIDC discovery warnings or rejected config.

Common Causes

Cause	Fix
Missing issuer or client ID	Set both values under auth.oidc.<slug>.
Missing public_url	Set server.public_url or explicit provider redirect_url.
Unstable cookie_secret	Set auth.cookie_secret to a stable shared value.
Provider secret in wrong env var	Use ORIEL_AUTH_OIDC_<SLUG>_CLIENT_SECRET.
Invalid group role map	Map groups only to built-in roles: owner, admin, editor, viewer.
Existing local account	Oriel does not auto-link OIDC users to local accounts.

Recovery

1. Fix config.
2. Restart Oriel.
3. Confirm /api/v1/meta includes the provider.
4. Start a fresh browser login flow.
5. Review member grants after first login.