OIDC SSO (external IdP)

✅ Verified

Connection config against Axowl.Auth/EndPoints/IdpConnectionEndpoints.cs (origin/main) — 2026-06-22. The login round-trip uses /idp/{slug}/login (IdpAuthEndpoints) + FederatedLoginCommand (not re-read this pass; treat that step as ⚠️ until line-verified).

This is the consumer side — Axowl federates to an external OIDC IdP. (For Axowl as an OIDC provider, see OIDC / OAuth2 reference.)

1. Configure the connection

POST /api/org/{slug}/idp-connections with a custom-oidc or named-* (okta/entra/google/kakao/naver) type. Provide a discovery URL (endpoints auto-filled) or manual issuer + authorization + token endpoints, plus client_id/client_secret. See IdP connections.

2. Login round-trip

Users hit /idp/{slug}/login, which redirects to the configured IdP’s authorization endpoint; the callback exchanges the code and JIT-provisions the membership via the federated login path.

3. Switching providers — Axowl-native fallback

There is no direct IdP→IdP switch. POST /api/org/{slug}/idp-connections/deactivate returns the org to Axowl-native login first; then configure the new provider. This prevents email-mapping lockout.