Provider
This section holds the configuration of a third-party provider (identified by id) that the end-user can go through to authenticate themselves.
providers.<id>
| Key | Type | Description | Required | Default |
|---|---|---|---|---|
| id | string | Identifier of the provider, e.g. google. | YES | |
| name | string | Name of the provider that the UI displays to users, e.g. Google. | YES | |
| oauth2 | object | Info to initiate an OAuth2 authorization code grant flow with the provider. See the OAuth2 keys for details. | NO | |
| oidc | object | Info to initiate an OpenID Connect flow with the provider. See the OIDC keys for details. | NO | |
| ui | object | | NO | |
| user-info | object | Endpoint called to obtain end-user info from the provider. See the user-info keys for details. | OAuth2: YES; OpenID Connect: NO | |
Each provider must have exactly one of oauth2 or oidc configured, not both. OIDC providers use OpenID Connect Discovery to resolve endpoints automatically from the issuer URL, so you do not need to specify endpoint URLs or claim mappings manually.
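The rules in the tables (required keys, exactly one of oauth2 or oidc, user-info mandatory only for OAuth2) are easy to get wrong when a file grows to several providers. The following is an added example, not SympAuthy's own code: it takes a providers.&lt;id&gt; block as the plain dict a YAML loader produces and reports every rule it breaks. The function names, the sample credentials, and the token-auth-method value in the GitHub sample are assumptions for illustration.

```python
"""Structural checks for a providers.<id> block, mirroring the tables above.

Added example, not SympAuthy's own code: the configuration is a plain dict
(what a YAML loader hands back) and the function names are assumptions.
"""

OAUTH2_REQUIRED = ("client-id", "client-secret", "scopes",
                   "authorization-url", "token-url", "token-auth-method")
OIDC_REQUIRED = ("issuer", "client-id", "client-secret")
USER_INFO_REQUIRED = ("url", "paths")


def _missing(block, required, where):
    block = block or {}  # an empty YAML mapping loads as None
    return [f"{where}: '{key}' is required" for key in required if key not in block]


def validate_provider(provider_id, cfg):
    """Return the list of problems found; an empty list means the block is acceptable."""
    where = f"providers.{provider_id}"
    errors = _missing(cfg, ("id", "name"), where)

    has_oauth2 = "oauth2" in cfg
    has_oidc = "oidc" in cfg
    if has_oauth2 == has_oidc:  # both configured, or neither
        errors.append(f"{where}: exactly one of 'oauth2' or 'oidc' must be configured")

    if has_oauth2:
        errors += _missing(cfg.get("oauth2"), OAUTH2_REQUIRED, f"{where}.oauth2")
        if "user-info" not in cfg:
            errors.append(f"{where}: 'user-info' is required for OAuth2 providers")
    if has_oidc:
        errors += _missing(cfg.get("oidc"), OIDC_REQUIRED, f"{where}.oidc")
    if "user-info" in cfg:
        errors += _missing(cfg.get("user-info"), USER_INFO_REQUIRED, f"{where}.user-info")
    return errors


# Constructed sample configurations (placeholder credentials; token-auth-method
# value assumed for illustration).
GOOGLE_OIDC = {
    "id": "google", "name": "Google",
    "oidc": {"issuer": "https://accounts.google.com",
             "client-id": "example-client-id",
             "client-secret": "example-client-secret",
             "scopes": ["email", "profile"]},
}
GITHUB_OAUTH2 = {
    "id": "github", "name": "GitHub",
    "oauth2": {"client-id": "example-client-id",
               "client-secret": "example-client-secret",
               "scopes": "read:user user:email",
               "authorization-url": "https://github.com/login/oauth/authorize",
               "token-url": "https://github.com/login/oauth/access_token",
               "token-auth-method": "client_secret_basic"},
    "user-info": {"url": "https://api.github.com/user",
                  "paths": {"sub": "$.id", "name": "$.name"}},
}
BROKEN = {  # both flows set, most keys missing, no user-info
    "id": "broken", "name": "Broken",
    "oidc": {"issuer": "https://issuer.example"},
    "oauth2": {"client-id": "x"},
}

if __name__ == "__main__":
    for pid, cfg in [("google", GOOGLE_OIDC), ("github", GITHUB_OAUTH2), ("broken", BROKEN)]:
        print(pid, validate_provider(pid, cfg) or "ok")
```

Running the check on every provider block at startup, before any secret is used, gives the same fail-fast behaviour for the static part of the configuration that discovery gives for the issuer URL.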
providers.<id>.oidc
| Key | Type | Description | Required | Default |
|---|---|---|---|---|
| issuer | url | The OpenID Connect issuer URL. SympAuthy fetches the discovery document at {issuer}/.well-known/openid-configuration to resolve all endpoints. | YES | |
| client-id | string | An identifier issued by the provider that identifies authentications initiated by this authorization server. | YES | |
| client-secret | string | A secret issued by the provider. It must only be shared between the provider and this authorization server; keep it out of version control. | YES | |
| scopes | string[] | Scopes requested from the provider. The openid scope is always included automatically. | NO | [openid] |
| userinfo-enabled | boolean | Whether to also call the provider's UserInfo endpoint to fetch additional claims. When false, claims are extracted from the ID token only. | NO | false |
The discovery document is fetched at startup. If the issuer URL is invalid or unreachable, SympAuthy fails fast with a clear error message. Configure the issuer exactly as the provider publishes it (scheme, host and path, with a trailing slash only if the provider's own identifier has one): the issuer value in the discovery document, and later the iss claim of every ID token, must match it character for character.
When userinfo-enabled is false (the default), SympAuthy extracts user claims directly from the ID token returned by the provider. This is sufficient for most providers (Google, Microsoft, Auth0, etc.) and avoids an extra HTTP call. Set it to true only when a claim you need is not carried in the provider's ID token.
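What "fail fast" should cover for an OIDC provider is more than reachability. The following is an added example, not SympAuthy's own code, of the checks an authorization server can run on the configured issuer and the discovery document it retrieves: https-only issuer with no query or fragment, an exact issuer match, the endpoints the flow needs (the UserInfo endpoint only when userinfo-enabled is true), and the code response type. The discovery document is constructed inline for a fictitious provider rather than fetched; the function names are assumptions.

```python
"""Checks on an issuer URL and its discovery document before a provider is used.

Added example, not SympAuthy's own code. The document is constructed inline;
in practice it is the parsed JSON from {issuer}/.well-known/openid-configuration.
"""
from urllib.parse import urlsplit

# Endpoints an authorization-code flow with ID token validation cannot work without.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer):
    """Location of the discovery document; the issuer's own path, if any, is kept."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_discovery(issuer, document, userinfo_enabled=False):
    """Return the problems found; an empty list means the provider may be used."""
    errors = []
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        errors.append(f"issuer {issuer!r} must use https")
    if parts.query or parts.fragment:
        errors.append("issuer must not carry a query string or fragment")

    # The document's issuer must equal the configured one exactly; the same
    # value is later compared against the iss claim of each ID token.
    if document.get("issuer") != issuer:
        errors.append(f"discovery issuer {document.get('issuer')!r} != configured {issuer!r}")

    needed = REQUIRED_ENDPOINTS + (("userinfo_endpoint",) if userinfo_enabled else ())
    for name in needed:
        url = document.get(name)
        if not url:
            errors.append(f"discovery document lacks {name}")
        elif urlsplit(url).scheme != "https":
            errors.append(f"{name} {url!r} is not https")

    if "code" not in document.get("response_types_supported", []):
        errors.append("provider does not advertise the 'code' response type")
    return errors


# Constructed discovery documents for a fictitious provider.
GOOD_DOC = {
    "issuer": "https://login.example",
    "authorization_endpoint": "https://login.example/oauth2/authorize",
    "token_endpoint": "https://login.example/oauth2/token",
    "userinfo_endpoint": "https://login.example/oauth2/userinfo",
    "jwks_uri": "https://login.example/.well-known/jwks.json",
    "response_types_supported": ["code", "id_token"],
}
SLASH_DOC = dict(GOOD_DOC, issuer="https://login.example/")  # trailing slash: a mismatch

if __name__ == "__main__":
    print(discovery_url("https://login.example"))
    print(check_discovery("https://login.example", GOOD_DOC) or "ok")
    print(check_discovery("https://login.example", SLASH_DOC))
    print(check_discovery("http://login.example", dict(GOOD_DOC, issuer="http://login.example")))
```

The trailing-slash case is the one that bites in practice: the provider answers the discovery request at either URL, but the document's issuer differs from the configured value by one character, and every ID token would later fail the iss comparison for the same reason.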
providers.<id>.oauth2
| Key | Type | Description | Required | Default |
|---|---|---|---|---|
| client-id | string | An identifier issued by the provider that identifies authentications initiated by this authorization server. | YES | |
| client-secret | string | A secret issued by the provider. It must only be shared between the provider and this authorization server; keep it out of version control. | YES | |
| scopes | string | Scope requested from the provider to access the user's info. | YES | |
| authorization-url | url | The OAuth2 authorization endpoint the end-user is redirected to in order to initiate an authentication with this provider. | YES | |
| token-url | url | The OAuth2 token endpoint this authorization server contacts to exchange the authorization code for an access token. | YES | |
| token-auth-method | string | How this authorization server passes the client id and client secret to the token endpoint. | YES | |
providers.<id>.user-info
| Key | Type | Description | Required | Default |
|---|---|---|---|---|
| url | url | Endpoint URL to get end-user information from the provider. | YES | |
| paths | object | Object mapping claim names to JSONPath expressions. Each key is one of the OpenID-defined claims; its value is the JSONPath used to extract that claim's value from the response of the provider's UserInfo endpoint. | YES | |
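Plain OAuth2 providers return profile data in whatever shape their API happens to have, so the paths mapping is what turns that response into OpenID claims. The following is an added example, not SympAuthy's own code, of that extraction: it resolves the JSONPath subset a claim mapping normally needs (the $ root, .name, ['name'] and [index] steps), drops claims whose path is absent from the response, refuses a response that yields no sub, and stores sub as a string because many providers return a numeric id. The sample response, the mapping and the function names are constructed for the example.

```python
"""Extracting OpenID claims from a provider's UserInfo response through the
user-info.paths mapping.

Added example, not SympAuthy's own code. Only the JSONPath subset a claim
mapping normally needs is resolved; the sample response and mapping are constructed.
"""
import re

# One path step: .name  |  [index]  |  ['name']
_STEP = re.compile(r"\.([A-Za-z_][\w-]*)|\[(\d+)\]|\['([^']*)'\]")


def resolve(path, data):
    """Return the value at `path` in `data`, or None when any step is absent."""
    if not path.startswith("$"):
        raise ValueError(f"JSONPath must start with '$': {path!r}")
    node, pos = data, 1
    while pos < len(path):
        m = _STEP.match(path, pos)
        if m is None:
            raise ValueError(f"unsupported JSONPath syntax at {path[pos:]!r}")
        pos = m.end()
        name, index, quoted = m.groups()
        if index is None:
            key = name if name is not None else quoted
            if not isinstance(node, dict) or key not in node:
                return None
            node = node[key]
        else:
            i = int(index)
            if not isinstance(node, list) or i >= len(node):
                return None
            node = node[i]
    return node


def extract_claims(paths, response):
    """Map each configured claim through its JSONPath; absent claims are dropped."""
    claims = {}
    for claim, path in paths.items():
        value = resolve(path, response)
        if value is not None:
            claims[claim] = value
    if "sub" not in claims:
        # Without a stable subject identifier the user cannot be linked to an account.
        raise ValueError("UserInfo response yields no 'sub' claim")
    claims["sub"] = str(claims["sub"])  # providers often return numeric ids; sub is a string
    return claims


# Constructed UserInfo response in the shape a GitHub-like API returns.
SAMPLE_RESPONSE = {
    "id": 583231,
    "login": "octocat",
    "name": "The Octocat",
    "avatar_url": "https://avatars.example/u/583231",
    "emails": [{"email": "octocat@example.com", "primary": True}],
}
# Assumed user-info.paths mapping: OpenID claim name -> JSONPath into the response.
PATHS = {
    "sub": "$.id",
    "preferred_username": "$.login",
    "name": "$.name",
    "picture": "$.avatar_url",
    "email": "$.emails[0].email",
    "locale": "$.locale",  # not in this response: silently omitted
}

if __name__ == "__main__":
    print(extract_claims(PATHS, SAMPLE_RESPONSE))
```

Pointing sub at a field the provider may change (a login name, an email address) lets a renamed or recycled account be linked to someone else's local user; map it to the provider's immutable identifier, as $.id does here.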