Record whynot OpenBao lane apply evidence

tests/test_credential_change.py

@@ -127,6 +127,18 @@ class CredentialChangeTests(unittest.TestCase):
         self.assertEqual(payload["bound_service_account_namespaces"], ["issue-core"])
         self.assertNotIn("bound_claims", payload)
 
+    def test_oidc_auth_payload_includes_redirect_uris(self) -> None:
+        ccr, errors, _warnings = credential_change.validate_ccr(self.sample)
+        self.assertEqual(errors, [])
+        payload = credential_change.auth_payload(ccr)
+        self.assertEqual(
+            payload["allowed_redirect_uris"],
+            [
+                "https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback",
+                "http://localhost:8250/oidc/callback",
+            ],
+        )
+
     def test_apply_plan_refuses_unapproved_ccr(self) -> None:
         with self.assertRaises(SystemExit):
             credential_change.command_apply_plan(type("Args", (), {"ref": str(self.issue_core)})())
@@ -151,6 +163,11 @@ class CredentialChangeTests(unittest.TestCase):
         )
         self.assertIn('role_payload_file="$(mktemp)"', rendered)
         self.assertIn('"bound_claims": {', rendered)
+        self.assertIn('"allowed_redirect_uris": [', rendered)
+        self.assertIn(
+            '"https://bao.coulomb.social/ui/vault/auth/netkingdom/oidc/callback"',
+            rendered,
+        )
         self.assertIn(
             'bao write auth/netkingdom/role/whynot-design-workload-kv-read @"$role_payload_file"',
             rendered,