Baseline requirements
- PKCE required for public clients.
- Redirect URIs must match exactly.
- Authorization Code flow only.
- Do not use Implicit flow.
Redirect URI policy
- No wildcard redirect URIs.
- No dynamic redirect hostnames.
- Register separate clients for sandbox/staging/production.
Token validation rules
Validate at minimum:
- iss equals the exact discovery issuer.
- aud contains the expected client ID.
- exp is in the future.
- nbf is in the past (bounded clock skew).
- nonce matches the original auth request for browser flows.
If you use a branded auth domain, validate against the branded issuer returned by discovery instead of hard-coding id.uselamba.com.
JWKS handling
- Cache signing keys by kid.
- Refresh JWKS on unknown kid.
- Retry validation once after refresh.
- Fail closed if signature still fails.
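The token validation rules and the JWKS handling above, as one added example (not the page's own code). A real deployment would let a JWT library parse the token and check the signature; here the token is a constructed dict (kid, claims, sig) and fetch_jwks / verify_sig are hypothetical injected callables so the control flow runs offline.

```python
import time

# Added example. `token` is a constructed stand-in for a parsed JWT:
# {"kid": ..., "claims": {...}, "sig": ...}. `fetch_jwks` and `verify_sig`
# are hypothetical injected callables (assumption) standing in for the
# discovery/JWKS fetch and the cryptographic signature check.

class TokenValidationError(Exception):
    pass

def validate_claims(claims, *, issuer, client_id, nonce=None, now=None, skew=60):
    """Baseline claim checks: iss, aud, exp, nbf (bounded skew), nonce."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:                        # exact issuer from discovery
        raise TokenValidationError("iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenValidationError("aud does not contain client id")
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, (int, float)) or exp <= now - skew:
        raise TokenValidationError("token expired")
    if nbf > now + skew:                                   # nbf must be in the past
        raise TokenValidationError("token not yet valid")
    if nonce is not None and claims.get("nonce") != nonce:  # browser flows only
        raise TokenValidationError("nonce mismatch")
    return claims

class JwksVerifier:
    """Caches keys by kid; refreshes on unknown kid; retries once; fails closed."""
    def __init__(self, fetch_jwks, verify_sig):
        self._fetch, self._verify, self._keys = fetch_jwks, verify_sig, {}
        self.refreshes = 0                                 # for observability

    def refresh(self):
        self.refreshes += 1
        self._keys = {k["kid"]: k for k in self._fetch().get("keys", []) if "kid" in k}

    def verify(self, token):
        key = self._keys.get(token["kid"])
        if key is None:                   # unknown kid: refresh once, then retry once
            self.refresh()
            key = self._keys.get(token["kid"])
        if key is None or not self._verify(key, token):
            raise TokenValidationError("signature check failed; failing closed")
        return True

def validate_id_token(token, verifier, **claim_kwargs):
    """Signature first (fail closed), then the claim checks."""
    verifier.verify(token)
    return validate_claims(token["claims"], **claim_kwargs)
```

A bad signature on a known kid fails closed without triggering a JWKS refresh, so a flood of forged tokens cannot hammer the JWKS endpoint.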
Session hardening checklist
- Keep cookies httpOnly, secure, sameSite=lax.
- Rotate refresh tokens and treat them as one-time credentials when possible.
- Revoke session credentials on membership/policy changes.
- Separate sandbox and production sessions.
Operational checks
- Monitor token exchange failures (invalid_grant, invalid_client).
- Log traceId and the resolved workspace/project context for auth failures.
- Run integration smoke tests for login + refresh before release.