TSphinxExternalProvider Class
Holds the configuration of an upstream (external) identity provider that Sphinx can delegate authentication to, acting as a relying party (RP).
Remarks
When Sphinx acts as an identity broker / IdP proxy, an authorization request can be transparently delegated to an external OAuth2/OpenID Connect server registered here. Sphinx drives the authorization-code flow (with PKCE) against this provider, and after the upstream user authenticates, maps the identity to a local user and completes the original request with Sphinx-issued tokens.
Syntax
Unit: Sphinx.Comp.ExternalProvider
TSphinxExternalProvider = class(TCollectionItem);
Properties
| Name | Description |
|---|---|
| Authority | The base URL (issuer) of the upstream OpenID Connect provider. |
| AuthorizationEndpoint | The upstream authorization endpoint, used when AutoDiscover is false. |
| AutoDiscover | Indicates whether the upstream endpoint URLs are discovered automatically from the provider metadata. When false, set Issuer, AuthorizationEndpoint and TokenEndpoint manually. |
| ClaimMapping | For an OAuth2 provider, maps the provider's user-profile fields onto OIDC claim names. Each line is oidcClaim=sourceField, e.g. sub=id, preferred_username=login, name=name, picture=avatar_url, email=email. Only the claims listed here are copied into the profile read by the reconciliation policy. |
| ClientId | The client id registered for Sphinx at the upstream provider. |
| ClientSecret | The client secret used to authenticate Sphinx at the upstream token endpoint. |
| DisplayName | The user-friendly name of the provider, to be displayed in the UI when needed. |
| IconUrl | Optional URL of an icon to display next to the provider name on its "Login with..." button. |
| Issuer | The upstream issuer identifier, used when AutoDiscover is false. |
| Name | The unique name (id) identifying this upstream provider, used to reference it from code. |
| ProviderType | The protocol family this provider speaks. Defaults to OpenIDConnect. Set to OAuth2 for providers that do not issue an id_token (e.g. GitHub), in which case the user identity is fetched from UserInfoEndpoint and mapped via ClaimMapping. |
| Scope | The space-separated list of scopes to request from the upstream provider. Defaults to openid email profile. |
| ShowInLoginPage | Indicates whether this provider is offered as a "Login with..." button on the Sphinx login page, letting the end user pick it interactively. Defaults to False. |
| SkipIssuerValidation | Indicates whether issuer validation is skipped during upstream id_token processing. Enable only for multi-tenant providers where the per-tenant issuer never matches the authority URL. |
| TokenEndpoint | The upstream token endpoint, used when AutoDiscover is false. |
| UserEmailsEndpoint | Optional secondary endpoint returning a JSON array of the user's e-mail addresses, used when the primary profile does not expose a (verified) e-mail. For GitHub this is https://api.github.com/user/emails; Sphinx picks the primary address, preferring verified ones. |
| UserInfoEndpoint | For an OAuth2 provider, the endpoint queried (with the access token as a bearer credential) to obtain the user profile after the code exchange. For GitHub this is https://api.github.com/user. |
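The OAuth2-type path described in the table (ProviderType = OAuth2, UserInfoEndpoint, ClaimMapping, UserEmailsEndpoint) can be modelled end to end. The following Python is an added example, not Sphinx's own code: it parses a ClaimMapping string in the `oidcClaim=sourceField` format, copies only the listed fields from a constructed profile into OIDC claim names, and falls back to a constructed UserEmailsEndpoint array when the profile carries no e-mail, picking the primary address and preferring verified ones. The function names, the sample JSON, the mandatory-`sub` check and the exact tie-break order among addresses are assumptions.

```python
# Added example, not Sphinx's own code: models how an OAuth2-type provider's
# profile is turned into OIDC claims using the ClaimMapping format, and how
# the UserEmailsEndpoint response supplies a missing e-mail. Function names,
# the sample JSON and the address tie-break order are assumptions.
from typing import Optional

# Constructed ClaimMapping: one oidcClaim=sourceField pair per line
# (the GitHub-style mapping quoted in the property table).
CLAIM_MAPPING = """
sub=id
preferred_username=login
name=name
picture=avatar_url
email=email
"""

# Constructed stand-ins for the JSON returned by UserInfoEndpoint and
# UserEmailsEndpoint (shaped like GitHub's /user and /user/emails).
SAMPLE_USERINFO = {
    "id": 1234567,
    "login": "alice-dev",
    "name": "Alice Example",
    "avatar_url": "https://avatars.example.invalid/u/1234567",
    "email": None,  # no public e-mail on the profile
    "html_url": "https://github.example.invalid/alice-dev",  # not mapped, must not leak
}
SAMPLE_EMAILS = [
    {"email": "alice@example.com", "primary": True, "verified": False},
    {"email": "alice.work@example.com", "primary": False, "verified": True},
]


def parse_claim_mapping(text: str) -> dict:
    """Parse ClaimMapping lines into {oidc_claim: source_field}.

    Blank lines are ignored; a line without '=' is a configuration error and
    is rejected rather than silently skipped.
    """
    mapping = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        claim, sep, field = line.partition("=")
        claim, field = claim.strip(), field.strip()
        if not sep or not claim or not field:
            raise ValueError(f"ClaimMapping line {lineno}: expected oidcClaim=sourceField, got {line!r}")
        mapping[claim] = field
    return mapping


def map_profile(mapping: dict, userinfo: dict) -> dict:
    """Copy only the mapped fields into an OIDC-style claim set.

    Fields absent or null upstream are left out so the caller can tell
    'not provided' from an empty string. 'sub' is forced to a string (OIDC
    subjects are strings; GitHub's id is numeric) and is mandatory here
    (assumption): without a stable subject the identity cannot be
    reconciled with a local user.
    """
    claims = {}
    for claim, field in mapping.items():
        value = userinfo.get(field)
        if value is None:
            continue
        claims[claim] = str(value) if claim == "sub" else value
    if "sub" not in claims:
        raise ValueError("upstream profile has no value for the field mapped to 'sub'")
    return claims


def pick_email(emails: list) -> Optional[dict]:
    """Select one address from a UserEmailsEndpoint array.

    Order (assumption): verified primary, then any verified address, then
    the unverified primary. Addresses that are neither primary nor verified
    are never chosen. Returns {'email', 'email_verified'} or None.
    """
    candidates = [e for e in emails if e.get("verified") or e.get("primary")]
    if not candidates:
        return None
    best = max(candidates, key=lambda e: (bool(e.get("verified")), bool(e.get("primary"))))
    return {"email": best["email"], "email_verified": bool(best.get("verified"))}


def build_claims(mapping_text: str, userinfo: dict, emails: Optional[list] = None) -> dict:
    """Profile as the reconciliation policy would see it: mapped claims plus
    the e-mail fallback, applied only when the profile had no e-mail."""
    claims = map_profile(parse_claim_mapping(mapping_text), userinfo)
    if "email" not in claims and emails:
        picked = pick_email(emails)
        if picked is not None:
            claims.update(picked)
    return claims


if __name__ == "__main__":
    print(build_claims(CLAIM_MAPPING, SAMPLE_USERINFO, SAMPLE_EMAILS))
```

Note that the unmapped `html_url` never reaches the claim set, and that the result carries an explicit `email_verified` flag so a reconciliation policy can refuse to link an account on an unverified address rather than trusting whatever the upstream profile happened to contain.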