IExternalProvider Interface

Provides read-only information about an upstream (external) identity provider that Sphinx can delegate authentication to, acting as a relying party (RP) to it.

Remarks

When Sphinx acts as an identity broker / IdP proxy, the authentication of a user is delegated to an external OAuth2/OpenID Connect server. This interface exposes the settings needed to drive the authorization-code flow against that upstream server. The settings come from the upstream provider registered in the TSphinxConfig.ExternalProviders collection.

Syntax

Unit: Sphinx.ExternalProvider

IExternalProvider = interface(IInterface);

Properties

Name Description
Authority The base URL (issuer) of the upstream OpenID Connect provider. When AutoDiscover is true, the discovery document is fetched from Authority + "/.well-known/openid-configuration".
AuthorizationEndpoint The upstream authorization endpoint, used when AutoDiscover is false.
AutoDiscover Indicates whether the upstream endpoint URLs are discovered automatically from its metadata.
ClaimMapping For OAuth2 providers, maps the provider's user-profile fields onto OIDC claim names. Each entry is oidcClaim=sourceField (e.g. sub=id, preferred_username=login, picture=avatar_url). Only the claims listed here are copied into the profile read by the reconciliation policy.
ClientId The client id registered for Sphinx at the upstream provider.
ClientSecret The client secret used to authenticate Sphinx at the upstream token endpoint.
DisplayName The user-friendly name of the provider, for display purposes.
IconUrl Optional URL of an icon to display next to the provider name on its "Login with..." button. Absolute URLs are used as-is; relative values are resolved against the login app root (where the built-in provider icons, e.g. img/providers/google.svg, are hosted).
Issuer The upstream issuer identifier, used when AutoDiscover is false.
Name The unique name (id) identifying the upstream provider.
ProviderType The protocol family this provider speaks. Defaults to OpenIDConnect. Set to OAuth2 for providers that do not issue an id_token (e.g. GitHub); the identity is then fetched from UserInfoEndpoint.
Scope The space-separated list of scopes to request from the upstream provider.
ShowInLoginPage Indicates whether this provider is offered as a "Login with..." button on the login page.
SkipIssuerValidation Indicates whether issuer validation is skipped during upstream id_token processing.
TokenEndpoint The upstream token endpoint, used when AutoDiscover is false.
UserEmailsEndpoint Optional secondary endpoint returning a JSON array of the user's e-mail addresses, used when the primary profile does not expose a (verified) e-mail. For GitHub this is https://api.github.com/user/emails; Sphinx picks the primary, preferring verified ones.
UserInfoEndpoint For OAuth2 providers, the endpoint queried (with the access token as a bearer credential) to obtain the user profile after the code exchange.
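To make the OAuth2 path concrete, here is an added Python model (not Sphinx's own code, which is Delphi) of the behaviour the properties above describe for a GitHub-style provider: the AutoDiscover metadata URL, parsing ClaimMapping entries of the form oidcClaim=sourceField, copying only the mapped fields from the UserInfoEndpoint profile, and choosing an address from the UserEmailsEndpoint array. The sample profile and e-mail array are constructed, and the exact fallback order when no address is verified is an assumption.

```python
import json
from typing import Dict, List, Optional

# Constructed sample values (not from the Sphinx docs): a ClaimMapping in the
# documented "oidcClaim=sourceField" form and a GitHub-style profile document.
CLAIM_MAPPING = ["sub=id", "preferred_username=login", "picture=avatar_url"]
GITHUB_PROFILE = {"id": 583231, "login": "octo", "name": "Octo",
                  "avatar_url": "https://example.invalid/a.png", "email": None}
# Constructed /user/emails style array: the primary address is unverified,
# a secondary one is verified.
GITHUB_EMAILS = json.loads(
    '[{"email":"octo@example.invalid","primary":true,"verified":false},'
    '{"email":"octo@corp.example.invalid","primary":false,"verified":true}]')


def discovery_url(authority: str) -> str:
    """URL the metadata is fetched from when AutoDiscover is true."""
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def parse_claim_mapping(entries: List[str]) -> Dict[str, str]:
    """Parse 'oidcClaim=sourceField' entries; malformed entries are rejected."""
    mapping: Dict[str, str] = {}
    for entry in entries:
        claim, sep, field = entry.partition("=")
        if not sep or not claim.strip() or not field.strip():
            raise ValueError(f"bad ClaimMapping entry: {entry!r}")
        mapping[claim.strip()] = field.strip()
    return mapping


def map_profile(profile: dict, mapping: Dict[str, str]) -> Dict[str, str]:
    """Copy only the mapped fields; anything not listed never reaches the profile."""
    return {claim: str(profile[field]) for claim, field in mapping.items()
            if profile.get(field) is not None}


def pick_email(emails: List[dict]) -> Optional[str]:
    """Primary address, preferring verified ones (assumed order: verified first,
    then primary among the remaining candidates); None if the array is empty."""
    candidates = [e for e in emails if e.get("verified")] or list(emails)
    primary = [e for e in candidates if e.get("primary")]
    chosen = primary or candidates
    return chosen[0]["email"] if chosen else None


def resolve_identity(profile: dict, emails: List[dict], mapping: Dict[str, str]) -> Dict[str, str]:
    """Claims after the code exchange, filling 'email' from the secondary endpoint
    only when the mapped profile did not provide one."""
    claims = map_profile(profile, mapping)
    if "email" not in claims:
        picked = pick_email(emails)
        if picked:
            claims["email"] = picked
    return claims
```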