TExternalSignInArgs Class
Arguments passed to the OnExternalSignIn event, fired after Sphinx has obtained tokens from an upstream (external) identity provider and must resolve which local user the upstream identity maps to.
Remarks
The event handler inspects the upstream identity exposed here (ProviderName and the raw AuthResult) and assigns User with the local user that should be signed in -- typically by looking it up, linking it, or provisioning a new one via UserManager. Leaving User unassigned, or calling Reject, aborts the sign-in and surfaces an error to the downstream client. Sphinx does not apply any built-in provisioning or linking policy: the mapping is entirely in the developer's hands.
Syntax
Unit: Sphinx.EventArgs
TExternalSignInArgs = class(TSphinxModuleArgs);
Methods
| Name | Description |
|---|---|
| Reject | Rejects the external sign-in. The downstream client receives an access_denied error and no Sphinx session is established. |
| Resolve | Runs Sphinx's built-in reconciliation policy and assigns User with its result. |
| SetResolver | Sets the resolver used by Resolve. For internal use by Sphinx. |
Properties
| Name | Description |
|---|---|
| AuthResult | The tokens obtained from the upstream provider for this sign-in. Use AuthResult.Profile to read the user profile parsed from the upstream id_token. |
| The user's e-mail as reported by the upstream provider, if any. | |
| EmailVerified | Indicates whether the upstream provider reported the e-mail as verified. |
| ProviderName | The name of the upstream provider that authenticated the user. |
| Rejected | Indicates whether Reject was called. |
| RejectReason | The reason passed to Reject, if any. |
| SkipTwoFactor | When set to True, the user is signed in without running Sphinx's own two-factor challenge, fully trusting the upstream provider's authentication. When left False (the default), the sign-in respects the user's normal Sphinx two-factor configuration (e.g.TUser.TwoFactorEnabled), exactly like an interactive login. Decide this based on what you know about the upstream provider -- for example, after inspecting the amr/acr claims in AuthResult to confirm the upstream already performed multi-factor authentication. |
| Subject | The upstream subject (the sub claim): the stable identifier of the user at the provider. |
| User | The local user to sign in. Assign the user that the upstream identity maps to. When left nil (and Reject was not called) the sign-in is treated as rejected. |
| UserManager | The user manager bound to the current request, used to look up or create the local user. |