IExternalProvider Interface
Provides read-only information about an upstream (external) identity provider that Sphinx can delegate authentication to, acting as a relying party (RP) to it.
Remarks
When Sphinx acts as an identity broker / IdP proxy, the authentication of a user is delegated to an external OAuth2/OpenID Connect server. This interface exposes the settings needed to drive the authorization-code flow against that upstream server. The settings come from the upstream provider registered in the TSphinxConfig.ExternalProviders collection.
Syntax
Unit: Sphinx.ExternalProvider
IExternalProvider = interface(IInterface);
Properties
| Name | Description |
|---|---|
| Authority | The base URL (issuer) of the upstream OpenID Connect provider. When AutoDiscover is true, the discovery document is fetched from Authority + "/.well-known/openid-configuration". |
| AuthorizationEndpoint | The upstream authorization endpoint, used when AutoDiscover is false. |
| AutoDiscover | Indicates whether the upstream endpoint URLs are discovered automatically from its metadata. |
| ClaimMapping | For OAuth2 providers, maps the provider's user-profile fields onto OIDC claim names. Each entry is oidcClaim=sourceField (e.g. sub=id, preferred_username=login, picture=avatar_url). Only the claims listed here are copied into the profile read by the reconciliation policy. |
| ClientId | The client id registered for Sphinx at the upstream provider. |
| ClientSecret | The client secret used to authenticate Sphinx at the upstream token endpoint. |
| DisplayName | The user-friendly name of the provider, for display purposes. |
| IconUrl | Optional URL of an icon to display next to the provider name on its "Login with..." button. Absolute URLs are used as-is; relative values are resolved against the login app root (where the built-in provider icons, e.g. img/providers/google.svg, are hosted). |
| Issuer | The upstream issuer identifier, used when AutoDiscover is false. |
| Name | The unique name (id) identifying the upstream provider. |
| ProviderType | The protocol family this provider speaks. Defaults to OpenIDConnect. Set to OAuth2 for providers that do not issue an id_token (e.g. GitHub); the identity is then fetched from UserInfoEndpoint. |
| Scope | The space-separated list of scopes to request from the upstream provider. |
| ShowInLoginPage | Indicates whether this provider is offered as a "Login with..." button on the login page. |
| SkipIssuerValidation | Indicates whether issuer validation is skipped during upstream id_token processing. |
| TokenEndpoint | The upstream token endpoint, used when AutoDiscover is false. |
| UserEmailsEndpoint | Optional secondary endpoint returning a JSON array of the user's e-mail addresses, used when the primary profile does not expose a (verified) e-mail. For GitHub this is https://api.github.com/user/emails; Sphinx picks the primary, preferring verified ones. |
| UserInfoEndpoint | For OAuth2 providers, the endpoint queried (with the access token as a bearer credential) to obtain the user profile after the code exchange. |
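
The ClaimMapping and UserEmailsEndpoint rows above, sketched in Python as an added illustration; this is not Sphinx source code and not part of the original reference. The function names, the sample data, the conversion of sub to a string and the fallback order in pick_email are assumptions of the sketch.

```python
# Added illustration, not Sphinx code; names and sample data are constructed.

def parse_claim_mapping(entries):
    """Parse 'oidcClaim=sourceField' entries into {oidcClaim: sourceField}."""
    mapping = {}
    for entry in entries:
        claim, sep, source = entry.partition("=")
        claim, source = claim.strip(), source.strip()
        if not sep or not claim or not source:
            raise ValueError(f"malformed ClaimMapping entry: {entry!r}")
        mapping[claim] = source
    return mapping

def map_profile(profile, mapping):
    """Copy only the mapped fields; unlisted profile fields are dropped."""
    claims = {}
    for claim, source in mapping.items():
        value = profile.get(source)
        if value is None:
            continue
        # OIDC defines sub as a string, GitHub's id is numeric (sketch's choice).
        claims[claim] = str(value) if claim == "sub" else value
    return claims

def pick_email(emails):
    """Return (address, verified) or None. Assumed order of preference:
    verified primary, other verified, unverified primary, anything else."""
    usable = [e for e in emails if e.get("email")]
    if not usable:
        return None
    best = max(usable, key=lambda e: (bool(e.get("verified")), bool(e.get("primary"))))
    return best["email"], bool(best.get("verified"))

# Constructed data shaped like GitHub's /user and /user/emails responses.
PROFILE = {"id": 1234567, "login": "octo-dev", "email": None,
           "avatar_url": "https://example.invalid/a.png", "site_admin": True}
EMAILS = [{"email": "old@example.invalid", "primary": False, "verified": True},
          {"email": "dev@example.invalid", "primary": True, "verified": True},
          {"email": "tmp@example.invalid", "primary": False, "verified": False}]
MAPPING = parse_claim_mapping(["sub=id", "preferred_username=login", "picture=avatar_url"])

def build_claims(profile=PROFILE, emails=EMAILS, mapping=MAPPING):
    """Mapped profile plus the selected e-mail and its verification state."""
    claims = map_profile(profile, mapping)
    picked = pick_email(emails)
    if picked:
        claims["email"], claims["email_verified"] = picked
    return claims
```

Carrying the verification state alongside the address lets whatever consumes the profile tell a verified e-mail from an unverified one before matching it to a local account.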