diff --git a/apps/api/src/routes/admin/authProvider.ts b/apps/api/src/routes/admin/authProvider.ts
index e8acd15..311fef1 100644
--- a/apps/api/src/routes/admin/authProvider.ts
+++ b/apps/api/src/routes/admin/authProvider.ts
@@ -124,10 +124,8 @@ authProviderRouter.put(
 // ─── POST /api/admin/auth-provider/test ─────────────────────────────────────
 
 const testAuthProviderSchema = z.object({
-  providerId: z.string().min(1).max(100),
   issuerUrl: z.string().url(),
-  clientId: z.string().min(1),
-  clientSecret: z.string().min(1),
+  internalBaseUrl: z.string().url().nullable().optional(),
 });
 
 authProviderRouter.post(
@@ -135,10 +133,12 @@ authProviderRouter.post(
   requireSuperUser(),
   zValidator("json", testAuthProviderSchema),
   async (c) => {
-    const { issuerUrl } = c.req.valid("json");
+    const { issuerUrl, internalBaseUrl } = c.req.valid("json");
 
     // Fetch OIDC discovery document
-    const discoveryUrl = `${issuerUrl.replace(/\/$/, "")}/.well-known/openid-configuration`;
+    const discoveryUrl = internalBaseUrl
+      ? `${internalBaseUrl.replace(/\/$/, "")}/application/o/.well-known/openid-configuration`
+      : `${issuerUrl.replace(/\/$/, "")}/.well-known/openid-configuration`;
 
     let metadata: Record<string, unknown> | null = null;
     let errorMessage: string | null = null;
diff --git a/apps/web/src/pages/Settings.tsx b/apps/web/src/pages/Settings.tsx
index 16b8ff2..088a685 100644
--- a/apps/web/src/pages/Settings.tsx
+++ b/apps/web/src/pages/Settings.tsx
@@ -235,9 +235,8 @@ export function SettingsPage() {
         method: "POST",
         headers: { "Content-Type": "application/json" },
         body: JSON.stringify({
-          providerId: authForm.providerId,
-          issuerUrl: authForm.issuerUrl,
-          clientId: authForm.clientId,
+issuerUrl: authForm.issuerUrl,
+          ...(authForm.internalBaseUrl ? { internalBaseUrl: authForm.internalBaseUrl } : {}),
         }),
       });
       const data = await res.json();