Table of Contents

TExternalSignInArgs Class

Arguments passed to the OnExternalSignIn event, fired after Sphinx has obtained tokens from an upstream (external) identity provider and must resolve which local user the upstream identity maps to.

Remarks

The event handler inspects the upstream identity exposed here (ProviderName and the raw AuthResult) and assigns User with the local user that should be signed in -- typically by looking it up, linking it, or provisioning a new one via UserManager. Leaving User unassigned, or calling Reject, aborts the sign-in and surfaces an error to the downstream client. Sphinx does not apply any built-in provisioning or linking policy: the mapping is entirely in the developer's hands.

Syntax

Unit: Sphinx.EventArgs

TExternalSignInArgs = class(TSphinxModuleArgs);

Methods

Name Description
Reject Rejects the external sign-in. The downstream client receives an access_denied error and no Sphinx session is established.
Resolve Runs Sphinx's built-in reconciliation policy and assigns User with its result.
SetResolver Sets the resolver used by Resolve. For internal use by Sphinx.

Properties

Name Description
AuthResult The tokens obtained from the upstream provider for this sign-in. Use AuthResult.Profile to read the user profile parsed from the upstream id_token.
Email The user's e-mail as reported by the upstream provider, if any.
EmailVerified Indicates whether the upstream provider reported the e-mail as verified.
ProviderName The name of the upstream provider that authenticated the user.
Rejected Indicates whether Reject was called.
RejectReason The reason passed to Reject, if any.
SkipTwoFactor When set to True, the user is signed in without running Sphinx's own two-factor challenge, fully trusting the upstream provider's authentication. When left False (the default), the sign-in respects the user's normal Sphinx two-factor configuration (e.g.
TUser.TwoFactorEnabled), exactly like an interactive login. Decide this based on what you know about the upstream provider -- for example, after inspecting the amr/acr claims in AuthResult to confirm the upstream already performed multi-factor authentication.
Subject The upstream subject (the sub claim): the stable identifier of the user at the provider.
User The local user to sign in. Assign the user that the upstream identity maps to. When left nil (and Reject was not called) the sign-in is treated as rejected.
UserManager The user manager bound to the current request, used to look up or create the local user.