# Prism OAuth

Lumen authenticates users via Prism. The session lives in an httpOnly cookie backed by a KV entry; the Prism access token is refreshed automatically when it nears expiry, provided the user granted offline_access.
## Required scopes

Lumen requests these OAuth scopes when redirecting to Prism:

| Scope | Purpose |
|---|---|
| openid | OpenID Connect identity |
| profile | Display name, avatar |
| email | Account email |
| teams:read | Used for team-restricted access (allowed_team_id) |
| offline_access | Refresh tokens; required for long sessions |
## Creating the OAuth application in Prism

- Open Prism → Connected Apps → Create app.
- Set the Redirect URI to https://<your-host>/callback.
- Enable PKCE. Lumen defaults to PKCE; you can disable it and use a client secret instead by toggling Use PKCE in the InitPage and supplying a secret.
- Copy the Client ID (and the Client secret if not using PKCE).
## Filling in the InitPage

| Field | Notes |
|---|---|
| Prism Base URL | e.g. https://prism.siiway.org |
| Client ID | From Prism |
| Use PKCE | Recommended |
| Client secret | Required when PKCE is disabled |
| Redirect URI | Defaults to https://<host>/callback |
| Allowed team ID | Comma-separated team IDs to restrict who can sign in |

Settings are stored in KV under the key config:app and can be edited later from the Worker. Set ALLOWED_TEAM_ID as an environment variable in wrangler.jsonc if you want to lock the value so it cannot be overridden from the UI.
## Re-running the init flow

The init flow is gated by the init:configured key in KV. To re-run it, delete that key:

```shell
bunx wrangler kv key delete --binding=KV init:configured
```

If you only want to change configuration values (not the schema), keep init:configured = true and edit the values via PUT /api/init/config (when allowed_team_id is non-empty, only team owners can do this).