IdP connections
Org-scoped (/api/org/{slug}/idp-connections, session-authenticated). One active connection per org; saving a new one deactivates the prior (history preserved).
Connection types
named-okta, named-entra, named-google, named-kakao, named-naver, custom-oidc, custom-saml (IdpConnectionEndpoints.cs:25). The named-* providers use the same OIDC payload and validation as custom-oidc; the brand name is kept only so the UI can label the connection (:135).
Endpoints
| Method · Route | Purpose | Source |
|---|---|---|
| GET /api/org/{slug}/idp-connections | Current active connection, or null. The OIDC client secret is never returned; only the boolean oidc_client_secret_set is. | :36 |
| POST /api/org/{slug}/idp-connections | Create a connection. Deactivates any prior active row (history preserved). | :82 |
| POST /api/org/{slug}/idp-connections/deactivate | Switch back to Axowl native login (deactivates active rows; history kept). | :228 |
Validation & behaviour
- OIDC (custom-oidc and named-*): requires either a discovery URL or the manual issuer, authorization and token endpoints, plus client_id. If a discovery URL is given, the well-known document is fetched and the endpoints are auto-filled from it (:158). A blank client secret on update reuses the prior secret (:193).
- SAML (custom-saml): requires a metadata URL, metadata XML, or manual configuration (SSO URL + EntityID + certificate). A blank certificate on update reuses the prior one (:198).
Axowl-native fallback rule
There is no direct IdP-to-IdP switch. To change providers, POST /deactivate (back to Axowl native login), then configure the new one; this prevents an email-mapping lockout. After deactivation, /idp/{slug}/login returns idp_not_configured and native login is active (:223). Native login is live for the org for the whole window between the two calls, so do the switch in one sitting.
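The validation rules and the deactivate-then-reconfigure procedure above, modelled in Python as an added example. This is not Axowl's code and not a transcription of IdpConnectionEndpoints.cs; the class and function names, the payload field names, the discovery document and the requirement that a first save carry a client secret are assumptions made for the illustration.

```python
# Added example, not Axowl's code: a model of the org IdP-connection rules on this page.
# Assumptions: payload field names, class/function names, that a first save needs a secret,
# and that a manual endpoint wins over the discovery document when both are present.
from dataclasses import dataclass, field
from typing import Callable, Optional

NAMED_OIDC = {"named-okta", "named-entra", "named-google", "named-kakao", "named-naver"}
OIDC_TYPES = NAMED_OIDC | {"custom-oidc"}
SAML_TYPES = {"custom-saml"}
MANUAL_OIDC = ("issuer", "authorization_endpoint", "token_endpoint")
MANUAL_SAML = ("sso_url", "entity_id", "certificate")


class ValidationError(ValueError):
    pass


def normalize_oidc(payload: dict, prior: Optional[dict], fetch_discovery: Callable[[str], dict]) -> dict:
    """OIDC: discovery URL or manual issuer+authorization+token endpoints, plus client_id.
    A blank client_secret reuses the prior row's secret (assumed required on a first save)."""
    out = dict(payload)
    if not out.get("client_id"):
        raise ValidationError("client_id is required")
    if out.get("discovery_url"):
        doc = fetch_discovery(out["discovery_url"])  # the well-known document
        for key in MANUAL_OIDC:  # auto-fill whatever was not supplied manually
            if not out.get(key):
                out[key] = doc.get(key)
    missing = [k for k in MANUAL_OIDC if not out.get(k)]
    if missing:
        raise ValidationError("OIDC needs a discovery URL or manual " + ", ".join(missing))
    if not out.get("client_secret"):
        if not (prior and prior.get("client_secret")):
            raise ValidationError("client_secret is required when there is no prior secret to reuse")
        out["client_secret"] = prior["client_secret"]
    return out


def normalize_saml(payload: dict, prior: Optional[dict]) -> dict:
    """SAML: metadata URL, or metadata XML, or manual SSO URL + EntityID + certificate.
    A blank certificate reuses the prior row's certificate."""
    out = dict(payload)
    if out.get("metadata_url") or out.get("metadata_xml"):
        return out
    if not out.get("certificate") and prior and prior.get("certificate"):
        out["certificate"] = prior["certificate"]
    missing = [k for k in MANUAL_SAML if not out.get(k)]
    if missing:
        raise ValidationError("SAML needs metadata_url, metadata_xml, or manual " + ", ".join(missing))
    return out


@dataclass
class OrgIdpStore:
    """One org's idp-connections rows. At most one is active; older rows stay as history."""
    fetch_discovery: Callable[[str], dict]
    history: list = field(default_factory=list)

    def active(self) -> Optional[dict]:
        return next((r for r in self.history if r["active"]), None)

    def get(self) -> Optional[dict]:
        """GET: the active connection with the OIDC secret redacted to a boolean."""
        row = self.active()
        if row is None:
            return None
        view = {k: v for k, v in row.items() if k != "client_secret"}
        if row["type"] in OIDC_TYPES:
            view["oidc_client_secret_set"] = bool(row.get("client_secret"))
        return view

    def save(self, payload: dict) -> dict:
        """POST: validate, deactivate the prior active row, append the new one."""
        kind = payload.get("type")
        prior = self.active()
        if kind in OIDC_TYPES:  # named-* is validated exactly like custom-oidc
            row = normalize_oidc(payload, prior, self.fetch_discovery)
        elif kind in SAML_TYPES:
            row = normalize_saml(payload, prior)
        else:
            raise ValidationError(f"unknown connection type {kind!r}")
        self.deactivate()
        row["active"] = True
        self.history.append(row)
        return self.get()

    def deactivate(self) -> None:
        """POST /deactivate: back to native login; rows are kept, never deleted."""
        for r in self.history:
            r["active"] = False

    def login_route(self) -> str:
        """What /idp/{slug}/login answers ('redirect' when an IdP is active is an assumption)."""
        return "redirect" if self.active() else "idp_not_configured"


def switch_provider(store: OrgIdpStore, new_payload: dict) -> list:
    """The documented way to change IdP: deactivate first, then configure the new one.
    Returns the /idp/{slug}/login answer at each step, showing the native-login window."""
    steps = [store.login_route()]
    store.deactivate()
    steps.append(store.login_route())
    store.save(new_payload)
    steps.append(store.login_route())
    return steps


# Constructed discovery document standing in for a real well-known fetch.
FAKE_DISCOVERY = {
    "issuer": "https://idp.example",
    "authorization_endpoint": "https://idp.example/authorize",
    "token_endpoint": "https://idp.example/token",
}
```

Drive it with `OrgIdpStore(fetch_discovery=lambda url: FAKE_DISCOVERY)`: a first `save` of a named-okta payload with a discovery URL fills the three endpoints, a second `save` with a blank `client_secret` keeps the earlier secret while the earlier row drops to inactive history, and `switch_provider` returns `['redirect', 'idp_not_configured', 'redirect']`, the middle value being the window during which native login is the only way in. The model does not reject a direct POST while another IdP is active, because the page does not say how the server handles one; it only follows the documented procedure.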