Testing & Verification
March 27, 2026
This guide provides steps to verify your OIDC authentication configuration is working correctly with the ATT&CK Workbench REST API.
Prerequisites
Before testing, ensure you have:
- Completed OIDC provider configuration (Authentik, Okta, Keycloak, etc.)
- Configured the REST API with OIDC settings
- Restarted the REST API
- Created at least one user in your OIDC provider
Verification Steps
Step 1: Check REST API Logs
When the REST API starts, it should log information about the authentication configuration.
View logs:
# If using Docker Compose
docker compose logs rest-api
# If running directly
# Check your console output or log files
Step 2: Test Configuration Endpoint
The REST API exposes an endpoint that returns the configured authentication mechanism.
Test the endpoint:
curl http://localhost:3000/api/config/authn
Expected response:
{
"mechanisms": [{"authnType":"oidc"}]
}
If you see a different response:
- {"mechanisms":[{"authnType":"anonymous"}]} - OIDC is not enabled; check your configuration
- Error or timeout - REST API is not running or not accessible
Step 3: Test Authentication Flow
Now test the complete authentication flow from the frontend.
1. Navigate to the Workbench frontend in your browser:
   - If running locally: http://localhost:4200
   - If deployed: your Workbench URL (e.g., https://workbench.example.com)
2. Click "Log In" (or navigate to the login page).
3. Observe the redirect:
   - You should be automatically redirected to your OIDC provider's login page
   - The URL should match your provider's domain (not the Workbench domain)
4. Log in with credentials:
   - Enter the username and password for a user in your OIDC provider
   - Complete any MFA/2FA prompts if configured
5. Observe the callback:
   - After successful authentication, you should be redirected back to the Workbench
   - The URL should temporarily show /api/authn/oidc/callback before redirecting to the main page
6. Verify authenticated state:
   - You should now be logged into the Workbench
   - Your username should appear in the navigation bar
   - You should have access based on your user's role
Step 4: Test Logout
Test the logout functionality:
- Click your username in the navigation bar
- Select "Logout"
- Verify:
- You are logged out of the Workbench
- Attempting to access protected pages redirects you to login
- Note: You may still be logged into your OIDC provider (single logout varies by provider)
Common Issues and Solutions
Issue: "Users authenticated but have no permissions"
Symptoms:
- Users can log in successfully
- Users cannot view or edit any content
- Error messages about insufficient permissions
Cause: User accounts exist in OIDC provider but not in the Workbench database.
Solutions:
1. Create user accounts in Workbench:
   - OIDC only handles authentication, not authorization
   - You must create corresponding user accounts in the Workbench database
   - See the User Management documentation for details
2. Verify username matching:
   - The username in Workbench must match the OIDC claim (usually preferred_username or email)
   - Check the REST API logs to see what username is being extracted from the OIDC token
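To make the username-matching check above concrete, here is an added example (not code from the ATT&CK Workbench project) that reads the claims from an OIDC ID token and reports whether the value the guide says is "usually" used (preferred_username, then email) corresponds to an existing Workbench account. The claim order, the sample token and the account list are assumptions constructed for the example; the decoding is for inspection only and performs no signature validation, so it must not be used as an authentication check.

```python
"""Added example, not part of the ATT&CK Workbench project: show which
username an OIDC ID token would yield and whether a Workbench account with
that name exists. Decoding here is inspection only: no signature check."""
import base64
import json
from typing import Optional, Set

# Claims tried in order; mirrors the guide's "usually preferred_username or email".
# Which claim the real REST API uses is an assumption; check its logs to confirm.
USERNAME_CLAIMS = ("preferred_username", "email")


def decode_jwt_payload(token: str) -> dict:
    """Return the claims segment of a JWT as a dict, without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def extract_username(claims: dict) -> Optional[str]:
    """First non-empty string among USERNAME_CLAIMS, or None."""
    for claim in USERNAME_CLAIMS:
        value = claims.get(claim)
        if isinstance(value, str) and value:
            return value
    return None


def match_workbench_user(claims: dict, workbench_usernames: Set[str]) -> str:
    """Explain, in the guide's terms, why a logged-in user may have no permissions."""
    name = extract_username(claims)
    if name is None:
        return "token carries neither preferred_username nor email"
    if name in workbench_usernames:
        return f"ok: {name} has a Workbench account"
    return f"{name} is not a Workbench user; create the account or align the claim"


def make_sample_token(claims: dict) -> str:
    """Build an unsigned (alg none) sample JWT purely for offline testing."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


if __name__ == "__main__":
    # Constructed sample: the provider issued a token for "alice", but the
    # Workbench database only knows "alice@example.com".
    token = make_sample_token({"sub": "1234", "preferred_username": "alice",
                               "email": "alice@example.com"})
    known_users = {"alice@example.com"}
    print(match_workbench_user(decode_jwt_payload(token), known_users))
```

Run with a token pasted from the REST API logs (or from your provider's token endpoint during testing) and the list of usernames present in the Workbench database; a mismatch like the constructed one above is exactly the "authenticated but no permissions" symptom described in this section.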
Debugging Tips
Test with curl
You can test the OIDC endpoints directly:
# Test the auth initiation endpoint
curl -v http://localhost:3000/api/authn/oidc/login
# This should return a redirect (302) to your OIDC provider
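The two curl checks in this guide (the /api/config/authn response in Step 2 and the 302 from /api/authn/oidc/login above) can be scripted so they run the same way every time, for example after each REST API restart. The following is an added example, not code from the ATT&CK Workbench project: it fetches both endpoints without following redirects and applies the expectations the guide states (an "oidc" mechanism; a 302 whose Location is on the provider's domain rather than the Workbench's). The host names in the comments are constructed; the default base URL is the http://localhost:3000 used in this guide.

```python
"""Added example, not part of the ATT&CK Workbench project: scripted version
of the Step 2 config check and the /api/authn/oidc/login redirect check."""
import http.client
import json
from typing import List, Optional, Tuple
from urllib.parse import urlparse


def parse_authn_config(body: str) -> List[str]:
    """Return the authnType values from a /api/config/authn JSON body."""
    data = json.loads(body)
    mechanisms = data.get("mechanisms") if isinstance(data, dict) else None
    if not isinstance(mechanisms, list):
        raise ValueError("response has no 'mechanisms' list")
    return [m.get("authnType") for m in mechanisms if isinstance(m, dict)]


def diagnose_authn_config(body: str) -> str:
    """Map the config response to the outcomes listed in Step 2."""
    types = parse_authn_config(body)
    if "oidc" in types:
        return "ok: OIDC is enabled"
    if "anonymous" in types:
        return "OIDC is not enabled; check your configuration"
    return f"unexpected mechanisms: {types}"


def check_login_redirect(status: int, location: Optional[str], workbench_url: str) -> str:
    """Evaluate a GET /api/authn/oidc/login response captured without following
    redirects: the guide expects a 302 whose target is the provider's domain."""
    if status != 302:
        return f"expected 302 redirect, got {status}"
    if not location:
        return "302 without a Location header"
    target = urlparse(location).hostname
    if target is None:
        return f"Location is not an absolute URL: {location}"
    if target == urlparse(workbench_url).hostname:
        return "redirect points back at the Workbench, not the OIDC provider"
    return f"ok: redirects to {target}"


def fetch(url: str) -> Tuple[int, Optional[str], str]:
    """GET url with http.client, which never follows redirects.
    Returns (status, Location header or None, body)."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port)
    conn.request("GET", u.path or "/")
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", errors="replace")
    return resp.status, resp.getheader("Location"), body


def verify(workbench_url: str = "http://localhost:3000") -> None:
    """Run both checks against a live REST API and print the verdicts."""
    status, _, body = fetch(workbench_url + "/api/config/authn")
    print("config:", diagnose_authn_config(body) if status == 200 else f"HTTP {status}")
    status, location, _ = fetch(workbench_url + "/api/authn/oidc/login")
    print("login :", check_login_redirect(status, location, workbench_url))


if __name__ == "__main__":
    # Example (constructed): a healthy run prints
    #   config: ok: OIDC is enabled
    #   login : ok: redirects to auth.example.com
    verify()
```

The redirect check deliberately refuses a Location on the Workbench's own host: a login endpoint that bounces straight back to itself usually means the provider URL is missing or wrong in the REST API configuration, which the plain curl output can make easy to miss.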
Next Steps
Once authentication is working correctly:
- Set up user accounts - Create users in the Workbench database with appropriate roles
- Configure authorization - Set up role-based access control
- Review security settings - Ensure production-ready security configuration
- Set up monitoring - Monitor authentication failures and session issues
Additional Resources
- Authentication Overview
- REST API Configuration
- Provider-specific guides: