
TSphinxExternalProvider Class

Holds the configuration of an upstream (external) identity provider that Sphinx can delegate authentication to, acting as a relying party (RP).

Remarks

When Sphinx acts as an identity broker / IdP proxy, an authorization request can be transparently delegated to an external OAuth2/OpenID Connect server registered here. Sphinx drives the authorization-code flow (with PKCE) against this provider, and after the upstream user authenticates, maps the identity to a local user and completes the original request with Sphinx-issued tokens.
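
The exchange the paragraph above describes, modelled end to end in Python as an added example (it is not Sphinx code and is not part of the original page): Sphinx as relying party creates a PKCE pair and a state value per delegated request, sends the browser to the upstream authorization endpoint, redeems the returned code at the token endpoint with the code_verifier, and checks the id_token issuer unless SkipIssuerValidation is set. The issuer URL https://idp.example, the client id, the redirect URI, the in-memory stores and the UpstreamProvider stand-in are assumptions; the stand-in returns id_token claims as a plain dict, so JWT signature verification is deliberately out of scope.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Added example, not Sphinx code: the relying-party side of the brokered
# authorization-code flow. Issuer URL, client id, redirect URI and the
# in-memory stores are assumptions; the upstream returns id_token claims as
# a plain dict, so JWT signature checking is out of scope here.

def pkce_pair(verifier=None):
    """Return (code_verifier, code_challenge) for the S256 method of RFC 7636."""
    if verifier is None:
        # 32 random bytes encode to 43 base64url chars, inside the 43..128 range.
        verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class UpstreamProvider:
    """Stand-in for the external OpenID Connect server (assumed endpoint layout)."""

    def __init__(self, issuer, token_issuer=None):
        self.issuer = issuer
        self.authorization_endpoint = issuer + "/authorize"
        self.token_issuer = token_issuer or issuer  # multi-tenant: per-tenant "iss"
        self._codes = {}  # authorization code -> code_challenge it is bound to

    def authorize(self, params):
        """After the user authenticates, issue a code bound to the PKCE challenge."""
        if params.get("code_challenge_method") != "S256":
            raise ValueError("S256 code_challenge required")
        code = secrets.token_urlsafe(16)
        self._codes[code] = params["code_challenge"]
        return {"code": code, "state": params["state"]}

    def token(self, req):
        """Token endpoint: codes are single use and must match the verifier."""
        challenge = self._codes.pop(req["code"], None)
        if challenge is None:
            raise ValueError("unknown or already used authorization code")
        if pkce_pair(req["code_verifier"])[1] != challenge:
            raise ValueError("code_verifier does not match code_challenge")
        return {"id_token_claims": {"iss": self.token_issuer, "sub": "user-42"}}

class Broker:
    """The RP role Sphinx plays: one pending entry per delegated request."""

    def __init__(self, provider, client_id, redirect_uri, skip_issuer_validation=False):
        self.provider = provider
        self.client_id = client_id
        self.redirect_uri = redirect_uri
        self.skip_issuer_validation = skip_issuer_validation
        self._pending = {}  # state -> (code_verifier, the client's original request)

    def start(self, original_request):
        """Build the upstream authorize URL; state ties the callback to the request."""
        verifier, challenge = pkce_pair()
        state = secrets.token_urlsafe(24)
        self._pending[state] = (verifier, original_request)
        params = {"response_type": "code", "client_id": self.client_id,
                  "redirect_uri": self.redirect_uri, "scope": "openid email profile",
                  "state": state, "code_challenge": challenge,
                  "code_challenge_method": "S256"}
        return self.provider.authorization_endpoint + "?" + urlencode(params)

    def callback(self, query):
        """Handle the redirect back from the provider and finish the original request."""
        state = query.get("state")
        if state not in self._pending:
            raise ValueError("unknown or replayed state")
        verifier, original = self._pending.pop(state)  # single use
        token = self.provider.token({"grant_type": "authorization_code",
                                     "code": query["code"], "redirect_uri": self.redirect_uri,
                                     "client_id": self.client_id, "code_verifier": verifier})
        claims = token["id_token_claims"]
        if not self.skip_issuer_validation and claims.get("iss") != self.provider.issuer:
            raise ValueError(f"id_token iss {claims.get('iss')!r} != {self.provider.issuer!r}")
        return {"original_request": original, "upstream_sub": claims["sub"]}

def run_flow(token_issuer=None, skip_issuer_validation=False):
    # Drive one delegated login end to end and report what happened.
    upstream = UpstreamProvider("https://idp.example", token_issuer)
    broker = Broker(upstream, "sphinx-client", "https://sphinx.example/callback",
                    skip_issuer_validation)
    url = broker.start({"client_id": "local-app", "redirect_uri": "https://app.example/cb"})
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    redirect = upstream.authorize(params)
    try:
        result = broker.callback(redirect)
    except ValueError as exc:
        return {"error": str(exc)}
    try:  # replaying the same callback must fail: the state entry was consumed
        broker.callback(redirect)
        result["replay_rejected"] = False
    except ValueError:
        result["replay_rejected"] = True
    return result
```

Calling run_flow() completes a login; run_flow(token_issuer="https://idp.example/tenant-1") reproduces the multi-tenant mismatch that SkipIssuerValidation exists for and is rejected, while passing skip_issuer_validation=True lets the same token through, which is exactly the check you give up when enabling that property.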

Syntax

Unit: Sphinx.Comp.ExternalProvider

TSphinxExternalProvider = class(TCollectionItem);

Properties

Name Description
Authority The base URL (issuer) of the upstream OpenID Connect provider.
AuthorizationEndpoint The upstream authorization endpoint, used when AutoDiscover is false.
AutoDiscover Indicates whether the upstream endpoint URLs are discovered automatically from the provider's OpenID Connect discovery metadata, fetched from Authority. When false, set Issuer, AuthorizationEndpoint and TokenEndpoint manually.
ClaimMapping For an OAuth2 provider, maps the provider's user-profile fields onto OIDC claim names. Each line is oidcClaim=sourceField, e.g. sub=id, preferred_username=login, name=name, picture=avatar_url, email=email. Only the claims listed here are copied into the profile read by the reconciliation policy.
ClientId The client id registered for Sphinx at the upstream provider.
ClientSecret The client secret used to authenticate Sphinx at the upstream token endpoint.
DisplayName The user-friendly name of the provider, to be displayed in the UI when needed.
IconUrl Optional URL of an icon to display next to the provider name on its "Login with..." button.
Issuer The upstream issuer identifier, used when AutoDiscover is false.
Name The unique name (id) identifying this upstream provider, used to reference it from code.
ProviderType The protocol family this provider speaks. Defaults to OpenIDConnect. Set to OAuth2 for providers that do not issue an id_token (e.g. GitHub), in which case the user identity is fetched from UserInfoEndpoint and mapped via ClaimMapping.
Scope The space-separated list of scopes to request from the upstream provider. Defaults to openid email profile. For an OAuth2 provider, request the scopes that provider defines: GitHub, for example, only returns the user's addresses from UserEmailsEndpoint when the user:email scope was granted.
ShowInLoginPage Indicates whether this provider is offered as a "Login with..." button on the Sphinx login page, letting the end user pick it interactively. Defaults to False.
SkipIssuerValidation Indicates whether issuer validation is skipped during upstream id_token processing. Enable only for multi-tenant providers where the per-tenant issuer never matches the authority URL. With the check disabled nothing ties the id_token's iss claim to this provider, so leave it off everywhere else.
TokenEndpoint The upstream token endpoint, used when AutoDiscover is false.
UserEmailsEndpoint Optional secondary endpoint returning a JSON array of the user's e-mail addresses, used when the primary profile does not expose a (verified) e-mail. For GitHub this is https://api.github.com/user/emails; Sphinx picks the primary address, preferring verified ones.
UserInfoEndpoint For an OAuth2 provider, the endpoint queried (with the access token as a bearer credential) to obtain the user profile after the code exchange. For GitHub this is https://api.github.com/user.
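
How ClaimMapping and UserEmailsEndpoint shape the profile of an OAuth2 provider such as GitHub, modelled in Python as an added example (not Sphinx code and not part of the original page). The two JSON documents are constructed to resemble responses from https://api.github.com/user and https://api.github.com/user/emails for a user whose address is private; the ordering used to choose among several addresses (verified and primary first, then verified, then primary) and the extra email_verified claim are this example's own reading of "picks the primary address, preferring verified ones".

```python
import json

# Added example, not Sphinx code: a model of the ClaimMapping and
# UserEmailsEndpoint behaviour documented for OAuth2 providers. Both JSON
# documents below are constructed, not captured from GitHub.

# Constructed profile in the shape of https://api.github.com/user; GitHub
# returns "email": null when the user keeps the address private.
GITHUB_USER_JSON = """{
  "login": "octocat",
  "id": 1234567,
  "avatar_url": "https://avatars.example/u/1234567",
  "html_url": "https://github.com/octocat",
  "name": "The Octocat",
  "email": null
}"""

# Constructed response in the shape of https://api.github.com/user/emails.
GITHUB_EMAILS_JSON = """[
  {"email": "old@example.org", "primary": false, "verified": true},
  {"email": "octocat@example.org", "primary": true, "verified": true},
  {"email": "alias@example.org", "primary": false, "verified": false}
]"""

# The mapping text as it would be typed into ClaimMapping, one pair per line.
CLAIM_MAPPING = """sub=id
preferred_username=login
name=name
picture=avatar_url
email=email
"""


def parse_claim_mapping(text):
    """Parse 'oidcClaim=sourceField' lines into {claim: field}; blank lines are skipped."""
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        claim, sep, field = line.partition("=")
        claim, field = claim.strip(), field.strip()
        if not sep or not claim or not field:
            raise ValueError(f"ClaimMapping line {lineno}: expected claim=field, got {raw!r}")
        mapping[claim] = field
    return mapping


def pick_email(entries):
    """Choose one entry from a UserEmailsEndpoint array, or None if it is empty.

    Order used here (this example's choice): verified+primary, verified, primary, any.
    """
    if not entries:
        return None
    return max(entries, key=lambda e: (bool(e.get("verified")), bool(e.get("primary"))))


def build_claims(user_json, emails_json, mapping_text):
    """Apply ClaimMapping to the profile; fall back to the e-mail list if needed."""
    profile = json.loads(user_json)
    mapping = parse_claim_mapping(mapping_text)
    claims = {}
    for claim, field in mapping.items():
        value = profile.get(field)
        if value is None:
            continue  # missing or null source fields produce no claim
        if claim == "sub":
            value = str(value)  # OIDC requires sub to be a string; GitHub's id is a number
        claims[claim] = value
    if "email" not in claims and emails_json is not None:
        chosen = pick_email(json.loads(emails_json))
        if chosen is not None:
            claims["email"] = chosen["email"]
            claims["email_verified"] = bool(chosen.get("verified"))
    return claims
```

build_claims(GITHUB_USER_JSON, GITHUB_EMAILS_JSON, CLAIM_MAPPING) yields only the five mapped claims plus email_verified; html_url and every other field the provider returned are dropped, which is the "only the claims listed here are copied" rule, and the null email in the profile is what triggers the secondary endpoint.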