diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.Api/Infrastructure/Security/ApiKeyAuthenticationHandler.cs b/TeachingRecordSystem/src/TeachingRecordSystem.Api/Infrastructure/Security/ApiKeyAuthenticationHandler.cs
index 3815818c5..416f8e9d8 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.Api/Infrastructure/Security/ApiKeyAuthenticationHandler.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.Api/Infrastructure/Security/ApiKeyAuthenticationHandler.cs
@@ -68,7 +68,7 @@ protected async override Task<AuthenticateResult> HandleAuthenticateAsync()
             return AuthenticateResult.Fail($"API key is expired.");
         }
 
-        var principal = CreatePrincipal(apiKey.ApplicationUserId.ToString(), apiKey.ApplicationUser.Name, apiKey.ApplicationUser.ApiRoles);
+        var principal = CreatePrincipal(apiKey.ApplicationUserId.ToString(), apiKey.ApplicationUser.Name, apiKey.ApplicationUser.ApiRoles ?? []);
         var ticket = new AuthenticationTicket(principal, Scheme.Name);
 
         LogContext.PushProperty("ClientId", apiKey.ApplicationUser.UserId);
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OidcController.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OidcController.cs
index 22e245a0c..3f18a1d92 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OidcController.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Controllers/OidcController.cs
@@ -35,7 +35,6 @@ public async Task<IActionResult> Authorize()
         {
             var parameters = Request.HasFormContentType ? Request.Form.ToList() : Request.Query.ToList();
 
-
             var authenticationProperties = new AuthenticationProperties()
             {
                 RedirectUri = Request.PathBase + Request.Path + QueryString.Create(parameters)
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Infrastructure/Filters/NotFoundResourceFilter.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Infrastructure/Filters/NotFoundResourceFilter.cs
new file mode 100644
index 000000000..b2db1757d
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Infrastructure/Filters/NotFoundResourceFilter.cs
@@ -0,0 +1,17 @@
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.Filters;
+
+namespace TeachingRecordSystem.AuthorizeAccess.Infrastructure.Filters;
+
+public class NotFoundResourceFilter : IResourceFilter
+{
+    public void OnResourceExecuted(ResourceExecutedContext context)
+    {
+        throw new NotImplementedException();
+    }
+
+    public void OnResourceExecuting(ResourceExecutingContext context)
+    {
+        context.Result = new NotFoundResult();
+    }
+}
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Infrastructure/Security/OneLoginAuthenticationSchemeProvider.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Infrastructure/Security/OneLoginAuthenticationSchemeProvider.cs
index e7be7efa1..fba18880c 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Infrastructure/Security/OneLoginAuthenticationSchemeProvider.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Infrastructure/Security/OneLoginAuthenticationSchemeProvider.cs
@@ -155,6 +155,15 @@ void IConfigureNamedOptions<OneLoginOptions>.Configure(string? name, OneLoginOpt
 
         options.SignInScheme = AuthenticationSchemes.FormFlowJourney;
 
+        options.Events.OnRedirectToIdentityProvider = context =>
+        {
+            // A large RedirectUri here can make the state parameter so large that One Login rejects the request.
+            // We have the RedirectUri stashed away on the FormFlow journey any way so we can clear it out.
+            context.Properties.RedirectUri = null;
+
+            return Task.CompletedTask;
+        };
+
         options.Events.OnRedirectToIdentityProviderForSignOut = context =>
         {
             // The standard sign out process will call Authenticate() on SignInScheme then try to extract the id_token from the Principal.
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/SignOut.cshtml b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/SignOut.cshtml
new file mode 100644
index 000000000..08eac25d5
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/SignOut.cshtml
@@ -0,0 +1,11 @@
+@page "/oidc-test/sign-out"
+@addTagHelper *, Joonasw.AspNetCore.SecurityHeaders
+@model TeachingRecordSystem.AuthorizeAccess.Pages.OidcTest.SignOutModel
+@{
+}
+
+<form asp-page="SignOut" method="post">
+    <govuk-button type="submit">Sign out</govuk-button>
+</form>
+
+<script asp-add-nonce="true">document.forms[0].submit();</script>
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/SignOut.cshtml.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/SignOut.cshtml.cs
new file mode 100644
index 000000000..c90e77748
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/SignOut.cshtml.cs
@@ -0,0 +1,27 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace TeachingRecordSystem.AuthorizeAccess.Pages.OidcTest;
+
+[Authorize(AuthenticationSchemes = TestAppConfiguration.AuthenticationSchemeName)]
+public class SignOutModel : PageModel
+{
+    public void OnGet()
+    {
+    }
+
+    public async Task<IActionResult> OnPost()
+    {
+        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
+
+        return SignOut(
+            new AuthenticationProperties()
+            {
+                RedirectUri = Url.Page("Start")
+            },
+            TestAppConfiguration.AuthenticationSchemeName);
+    }
+}
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/SignedIn.cshtml b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/SignedIn.cshtml
new file mode 100644
index 000000000..1fd77f6d8
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/SignedIn.cshtml
@@ -0,0 +1,27 @@
+@page "/oidc-test/signed-in"
+@using System.Text.Json
+@using TeachingRecordSystem.AuthorizeAccess.Pages.OidcTest
+@addTagHelper *, Joonasw.AspNetCore.SecurityHeaders
+@model SignedInModel
+@{
+    var claimsJson = JsonSerializer.Serialize(
+        User.Claims.ToDictionary(c => c.Type, c => c.Value),
+        new JsonSerializerOptions() { WriteIndented = true });
+}
+
+@section Head {
+    <style type="text/css" asp-add-nonce="true">
+        .claims-json {
+            font-family: monospace !important;
+            white-space: nowrap;
+            height: 260px;
+        }
+    </style>
+}
+
+<p class="govuk-body">
+    <govuk-textarea name="Claims" textarea-class="claims-json">
+        <govuk-textarea-label>Claims</govuk-textarea-label>
+        <govuk-textarea-value>@claimsJson</govuk-textarea-value>
+    </govuk-textarea>
+</p>
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/SignedIn.cshtml.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/SignedIn.cshtml.cs
new file mode 100644
index 000000000..9c3f9cbbe
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/SignedIn.cshtml.cs
@@ -0,0 +1,12 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace TeachingRecordSystem.AuthorizeAccess.Pages.OidcTest;
+
+[Authorize(AuthenticationSchemes = TestAppConfiguration.AuthenticationSchemeName)]
+public class SignedInModel : PageModel
+{
+    public void OnGet()
+    {
+    }
+}
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/Start.cshtml b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/Start.cshtml
new file mode 100644
index 000000000..186a1fd44
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/Start.cshtml
@@ -0,0 +1,8 @@
+@page "/oidc-test"
+@model TeachingRecordSystem.AuthorizeAccess.Pages.OidcTest.StartModel
+@{
+}
+
+<form asp-page="OidcTest" method="post">
+    <govuk-button type="submit" is-start-button="true">Start</govuk-button>
+</form>
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/Start.cshtml.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/Start.cshtml.cs
new file mode 100644
index 000000000..d7541707f
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/Start.cshtml.cs
@@ -0,0 +1,19 @@
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+
+namespace TeachingRecordSystem.AuthorizeAccess.Pages.OidcTest;
+
+public class StartModel : PageModel
+{
+    public void OnGet()
+    {
+    }
+
+    public IActionResult OnPost() => Challenge(
+        new AuthenticationProperties()
+        {
+            RedirectUri = Url.Page("SignedIn")
+        },
+        TestAppConfiguration.AuthenticationSchemeName);
+}
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/_Layout.cshtml b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/_Layout.cshtml
new file mode 100644
index 000000000..1d05a503c
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/_Layout.cshtml
@@ -0,0 +1,29 @@
+@{
+    Layout = "../Shared/_Layout";
+
+    ViewBag.ServiceName = "OIDC Sample";
+}
+
+@section Head {
+    @RenderSection("Head", required: false)
+}
+
+@if (User.Identity?.IsAuthenticated == true)
+{
+    @section Nav {
+        <nav aria-label="Menu" class="govuk-header__navigation">
+            <button type="button" class="govuk-header__menu-button govuk-js-header-toggle" aria-controls="navigation" hidden>
+                Menu
+            </button>
+            <ul id="navigation" class="govuk-header__navigation-list">
+                <li class="govuk-header__navigation-item govuk-header__navigation-item--active">
+                    <a class="govuk-header__link" asp-page="SignOut">
+                        Sign out
+                    </a>
+                </li>
+            </ul>
+        </nav>
+    }
+}
+
+@RenderBody()
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/_ViewStart.cshtml b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/_ViewStart.cshtml
new file mode 100644
index 000000000..989f3d13e
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/OidcTest/_ViewStart.cshtml
@@ -0,0 +1,3 @@
+@{
+    Layout = "./_Layout";
+}
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/Shared/_Layout.cshtml b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/Shared/_Layout.cshtml
index f093fb75f..d893d176f 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/Shared/_Layout.cshtml
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Pages/Shared/_Layout.cshtml
@@ -1,9 +1,15 @@
+@inject GovUk.Frontend.AspNetCore.PageTemplateHelper PageTemplateHelper
 @{
     Layout = "_GovUkPageTemplate";
 
     var serviceName = ViewBag.ServiceName ?? "Authorise access to a teaching record";
 }
 
+@section Head {
+    @RenderSection("Head", required: false)
+    @PageTemplateHelper.GenerateStyleImports()
+}
+
 @section Header {
     <header class="govuk-header" role="banner" data-module="govuk-header">
         <div class="govuk-header__container govuk-width-container">
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs
index d98dc00e0..807ef9bf5 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/Program.cs
@@ -164,6 +164,8 @@ static SecurityKey LoadKey(string configurationValue)
     .ValidateDataAnnotations()
     .ValidateOnStart();
 
+builder.AddTestApp();
+
 var app = builder.Build();
 
 app.MapDefaultEndpoints();
@@ -191,6 +193,10 @@ static SecurityKey LoadKey(string configurationValue)
         .From(pageTemplateHelper.GetCspScriptHashes())
         .AddNonce();
 
+    csp.AllowStyles
+        .FromSelf()
+        .AddNonce();
+
     // Ensure ASP.NET Core's auto refresh works
     // See https://github.com/dotnet/aspnetcore/issues/33068
     if (builder.Environment.IsDevelopment())
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/TestAppConfiguration.cs b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/TestAppConfiguration.cs
new file mode 100644
index 000000000..bebc0e312
--- /dev/null
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.AuthorizeAccess/TestAppConfiguration.cs
@@ -0,0 +1,49 @@
+using Microsoft.AspNetCore.Authentication.Cookies;
+using Microsoft.AspNetCore.Mvc.RazorPages;
+using TeachingRecordSystem.AuthorizeAccess.Infrastructure.Filters;
+using static IdentityModel.OidcConstants;
+
+namespace TeachingRecordSystem.AuthorizeAccess;
+
+public static class TestAppConfiguration
+{
+    public const string AuthenticationSchemeName = "OidcTest";
+    public const string ClientId = "test-app";
+    public const string ClientSecret = "Devel0pm3ntSecr4t";
+    public const string RedirectUriPath = "/test-app/callback";
+    public const string PostLogoutRedirectUriPath = "/test-app/logout-callback";
+
+    public static WebApplicationBuilder AddTestApp(this WebApplicationBuilder builder)
+    {
+        if (builder.Environment.IsDevelopment() || builder.Environment.IsEndToEndTests())
+        {
+            builder.Services.AddAuthentication()
+                .AddCookie()
+                .AddOpenIdConnect(AuthenticationSchemeName, options =>
+                {
+                    options.Authority = "https://localhost:7236";
+                    options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
+                    options.ClientId = ClientId;
+                    options.ClientSecret = ClientSecret;
+                    options.CallbackPath = RedirectUriPath;
+                    options.SignedOutCallbackPath = PostLogoutRedirectUriPath;
+                    options.ResponseMode = ResponseModes.Query;
+                    options.ResponseType = ResponseTypes.Code;
+                    options.MapInboundClaims = false;
+                    options.SaveTokens = true;
+                    options.Scope.Clear();
+                    options.Scope.Add("openid");
+                    options.Scope.Add("email");
+                    options.Scope.Add("profile");
+                });
+        }
+        else
+        {
+            builder.Services.Configure<RazorPagesOptions>(options =>
+                options.Conventions.AddFolderApplicationModelConvention(
+                    "/OidcTest", model => model.Filters.Add(new NotFoundResourceFilter())));
+        }
+
+        return builder;
+    }
+}
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs b/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs
index c14a40308..457aa4c97 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.Core/DataStore/Postgres/Models/User.cs
@@ -35,7 +35,7 @@ public class ApplicationUser : UserBase
     public const string ClientIdUniqueIndexName = "ix_users_client_id";
     public const string OneLoginAuthenticationSchemeNameUniqueIndexName = "ix_users_one_login_authentication_scheme_name";
 
-    public required string[] ApiRoles { get; set; }
+    public string[]? ApiRoles { get; set; }
     public ICollection<ApiKey> ApiKeys { get; } = null!;
     public bool IsOidcClient { get; set; }
     public string? ClientId { get; set; }
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.Core/Events/Models/ApplicationUser.cs b/TeachingRecordSystem/src/TeachingRecordSystem.Core/Events/Models/ApplicationUser.cs
index 6517d1483..3928e3b57 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.Core/Events/Models/ApplicationUser.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.Core/Events/Models/ApplicationUser.cs
@@ -4,7 +4,7 @@ public record ApplicationUser
 {
     public required Guid UserId { get; init; }
     public required string Name { get; init; }
-    public required string[] ApiRoles { get; init; }
+    public string[]? ApiRoles { get; init; }
     public bool IsOidcClient { get; init; }
     public string? ClientId { get; init; }
     public string? ClientSecret { get; init; }
diff --git a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/ApplicationUsers/EditApplicationUser.cshtml.cs b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/ApplicationUsers/EditApplicationUser.cshtml.cs
index 187878c35..e889ed99c 100644
--- a/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/ApplicationUsers/EditApplicationUser.cshtml.cs
+++ b/TeachingRecordSystem/src/TeachingRecordSystem.SupportUi/Pages/ApplicationUsers/EditApplicationUser.cshtml.cs
@@ -173,7 +173,7 @@ key is nameof(ClientId) or nameof(ClientSecret) or nameof(RedirectUris) or nameo
 
         var changes = ApplicationUserUpdatedEventChanges.None |
             (Name != _user!.Name ? ApplicationUserUpdatedEventChanges.Name : 0) |
-            (!new HashSet<string>(_user.ApiRoles).SetEquals(new HashSet<string>(newApiRoles)) ? ApplicationUserUpdatedEventChanges.ApiRoles : 0) |
+            (!new HashSet<string>(_user.ApiRoles ?? []).SetEquals(new HashSet<string>(newApiRoles)) ? ApplicationUserUpdatedEventChanges.ApiRoles : 0) |
             (IsOidcClient != _user.IsOidcClient ? ApplicationUserUpdatedEventChanges.IsOidcClient : 0);
 
         if (IsOidcClient)
diff --git a/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.EndToEndTests/HostFixture.cs b/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.EndToEndTests/HostFixture.cs
index 5fed3b42a..4e68f55ec 100644
--- a/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.EndToEndTests/HostFixture.cs
+++ b/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.EndToEndTests/HostFixture.cs
@@ -1,10 +1,13 @@
 using System.Diagnostics;
 using System.Diagnostics.CodeAnalysis;
 using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authentication.OpenIdConnect;
 using Microsoft.AspNetCore.Mvc.Testing;
 using Microsoft.AspNetCore.TestHost;
 using Microsoft.Playwright;
+using OpenIddict.Server.AspNetCore;
 using TeachingRecordSystem.AuthorizeAccess.EndToEndTests.Infrastructure.Security;
+using TeachingRecordSystem.Core.DataStore.Postgres;
 using TeachingRecordSystem.Core.Services.TrsDataSync;
 using TeachingRecordSystem.FormFlow.State;
 using TeachingRecordSystem.UiTestCommon.Infrastructure.FormFlow;
@@ -67,6 +70,16 @@ private Host<Program> CreateHost() =>
                         options.AddScheme(FakeOneLoginAuthenticationScheme, b => b.HandlerType = typeof(FakeOneLoginHandler));
                     });
 
+                    services.Configure<OpenIdConnectOptions>(
+                        TestAppConfiguration.AuthenticationSchemeName,
+                        options =>
+                        {
+                            options.Authority = BaseUrl;
+                            options.RequireHttpsMetadata = false;
+                        });
+
+                    services.Configure<OpenIddictServerAspNetCoreOptions>(options => options.DisableTransportSecurityRequirement = true);
+
                     services.AddSingleton<OneLoginCurrentUserProvider>();
                     services.AddSingleton<TestData>(
                         sp => ActivatorUtilities.CreateInstance<TestData>(sp, TestDataSyncConfiguration.Sync(sp.GetRequiredService<TrsDataSyncHelper>())));
@@ -86,6 +99,25 @@ private void ThrowIfNotInitialized()
         }
     }
 
+    private async Task AddTestAppToApplicationUsers()
+    {
+        await using var dbContext = await Services.GetRequiredService<IDbContextFactory<TrsDbContext>>().CreateDbContextAsync();
+
+        dbContext.ApplicationUsers.Add(new Core.DataStore.Postgres.Models.ApplicationUser()
+        {
+            UserId = Guid.NewGuid(),
+            Name = "Test App",
+            IsOidcClient = true,
+            ClientId = TestAppConfiguration.ClientId,
+            ClientSecret = TestAppConfiguration.ClientSecret,
+            RedirectUris = [BaseUrl + TestAppConfiguration.RedirectUriPath],
+            PostLogoutRedirectUris = [BaseUrl + TestAppConfiguration.PostLogoutRedirectUriPath],
+            OneLoginAuthenticationSchemeName = FakeOneLoginAuthenticationScheme
+        });
+
+        await dbContext.SaveChangesAsync();
+    }
+
     async Task IStartupTask.Execute()
     {
         _host = CreateHost();
@@ -108,6 +140,8 @@ async Task IStartupTask.Execute()
         _browser = await _playwright.Chromium.LaunchAsync(browserOptions);
 
         _initialized = true;
+
+        await AddTestAppToApplicationUsers();
     }
 
     async ValueTask IAsyncDisposable.DisposeAsync()
diff --git a/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.EndToEndTests/Infrastructure/Security/FakeOneLoginHandler.cs b/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.EndToEndTests/Infrastructure/Security/FakeOneLoginHandler.cs
index 21913a906..71cf9325b 100644
--- a/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.EndToEndTests/Infrastructure/Security/FakeOneLoginHandler.cs
+++ b/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.EndToEndTests/Infrastructure/Security/FakeOneLoginHandler.cs
@@ -6,7 +6,7 @@
 
 namespace TeachingRecordSystem.AuthorizeAccess.EndToEndTests.Infrastructure.Security;
 
-public class FakeOneLoginHandler(OneLoginCurrentUserProvider currentUserProvider) : IAuthenticationHandler
+public class FakeOneLoginHandler(OneLoginCurrentUserProvider currentUserProvider) : IAuthenticationHandler, IAuthenticationSignOutHandler
 {
     private HttpContext? _context;
 
@@ -51,6 +51,11 @@ public Task InitializeAsync(AuthenticationScheme scheme, HttpContext context)
         _context = context;
         return Task.CompletedTask;
     }
+
+    public Task SignOutAsync(AuthenticationProperties? properties)
+    {
+        return Task.CompletedTask;
+    }
 }
 
 public class OneLoginCurrentUserProvider
diff --git a/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.EndToEndTests/OidcTests.cs b/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.EndToEndTests/OidcTests.cs
new file mode 100644
index 000000000..b20823130
--- /dev/null
+++ b/TeachingRecordSystem/tests/TeachingRecordSystem.AuthorizeAccess.EndToEndTests/OidcTests.cs
@@ -0,0 +1,32 @@
+using System.Text.Json;
+
+namespace TeachingRecordSystem.AuthorizeAccess.EndToEndTests;
+
+public class OidcTests(HostFixture hostFixture) : TestBase(hostFixture)
+{
+    [Fact]
+    public async Task SignInAndOut()
+    {
+        var person = await TestData.CreatePerson(x => x.WithTrn());
+        var oneLoginUser = await TestData.CreateOneLoginUser(person.PersonId);
+
+        var coreIdentityVc = TestData.CreateOneLoginCoreIdentityVc(person.FirstName, person.LastName, person.DateOfBirth);
+        SetCurrentOneLoginUser(OneLoginUserInfo.Create(oneLoginUser.Subject, oneLoginUser.Email, coreIdentityVc));
+
+        await using var context = await HostFixture.CreateBrowserContext();
+        var page = await context.NewPageAsync();
+
+        await page.GotoAsync("/oidc-test");
+        await page.ClickButton("Start");
+        await page.WaitForUrlPathAsync("/oidc-test/signed-in");
+
+        var claims = JsonSerializer.Deserialize<Dictionary<string, string>>(await page.GetByLabel("Claims").InputValueAsync()) ?? [];
+        Assert.Equal(oneLoginUser.Subject, claims.GetValueOrDefault("sub"));
+        Assert.Equal(person.Trn, claims.GetValueOrDefault("trn"));
+        Assert.Equal(oneLoginUser.Email, claims.GetValueOrDefault("email"));
+        Assert.NotEmpty(claims.GetValueOrDefault("onelogin_id") ?? "");
+
+        await page.ClickAsync("a:text-is('Sign out')");
+        await page.WaitForUrlPathAsync("/oidc-test");
+    }
+}
diff --git a/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/PageTests/ApplicationUsers/EditApplicationUserTests.cs b/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/PageTests/ApplicationUsers/EditApplicationUserTests.cs
index ad3fb406c..23b89874e 100644
--- a/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/PageTests/ApplicationUsers/EditApplicationUserTests.cs
+++ b/TeachingRecordSystem/tests/TeachingRecordSystem.SupportUi.Tests/PageTests/ApplicationUsers/EditApplicationUserTests.cs
@@ -190,7 +190,7 @@ public async Task Post_WithOidcClientButInvalidDetails_RendersExpectedError(
             Content = new FormUrlEncodedContentBuilder()
             {
                 { "Name", applicationUser.Name },
-                { "ApiRoles", applicationUser.ApiRoles },
+                { "ApiRoles", applicationUser.ApiRoles ?? [] },
                 { "IsOidcClient", bool.TrueString },
                 { "ClientId", clientId },
                 { "ClientSecret", clientSecret },
@@ -260,7 +260,7 @@ public async Task Post_ValidRequest_UpdatesNameAndRolesAndOneLoginSettingsAndCre
         await WithDbContext(async dbContext =>
         {
             applicationUser = await dbContext.ApplicationUsers.SingleAsync(u => u.UserId == applicationUser.UserId);
-            Assert.True(new HashSet<string>(applicationUser.ApiRoles).SetEquals(new HashSet<string>(newRoles)));
+            Assert.True(new HashSet<string>(applicationUser.ApiRoles ?? []).SetEquals(new HashSet<string>(newRoles)));
         });
 
         EventObserver.AssertEventsSaved(
@@ -271,8 +271,8 @@ await WithDbContext(async dbContext =>
                 Assert.Equal(GetCurrentUserId(), applicationUserUpdatedEvent.RaisedBy.UserId);
                 Assert.Equal(originalName, applicationUserUpdatedEvent.OldApplicationUser.Name);
                 Assert.Equal(newName, applicationUserUpdatedEvent.ApplicationUser.Name);
-                Assert.True(applicationUserUpdatedEvent.ApplicationUser.ApiRoles.SequenceEqual(newRoles));
-                Assert.Empty(applicationUserUpdatedEvent.OldApplicationUser.ApiRoles);
+                Assert.True((applicationUserUpdatedEvent.ApplicationUser.ApiRoles ?? []).SequenceEqual(newRoles));
+                Assert.Empty(applicationUserUpdatedEvent.OldApplicationUser.ApiRoles ?? []);
                 Assert.False(applicationUserUpdatedEvent.OldApplicationUser.IsOidcClient);
                 Assert.Null(applicationUserUpdatedEvent.OldApplicationUser.ClientId);
                 Assert.Null(applicationUserUpdatedEvent.OldApplicationUser.ClientSecret);