governance

OIDC SSO

OpenID Connect single sign-on. Mission Control accepts JWTs from any configured IdP (Okta, Auth0, Azure AD, Google Workspace).

Set MC_OIDC_ISSUER + MC_OIDC_AUDIENCE. Mission Control fetches the issuer's openid-configuration, caches the JWKS, and on every request: parses the bearer JWT, picks the matching key by kid, verifies RS256 signature, checks iss/aud/exp, and maps the configured org claim onto req.auth.org_id.

Key rotation is handled — an unknown kid forces a JWKS refresh. Static MC_API_TOKENS continues to work alongside; clients using static tokens fall through to the bearer-map path.

Related