Release Notes

Version 2.0 (Feb-2026)

  • New: Refresh token support is now implemented. Client applications can now obtain new access tokens without requiring user re-authentication by using refresh tokens. Sphinx implements modern security best practices including refresh token rotation, single-use tokens, reuse detection, and scope reduction. Refresh tokens are only issued during the authorization code flow, never for implicit or client credentials flows.

  • New: Several languages added to the login web application, and existing languages updated. Now the login application is fully localized in the following languages: English, German, Spanish, French (France and Canada), Brazilian Portuguese, Portuguese, Italian, Chinese (Simplified), Japanese, Korean, Hindi, Russian, Polish, Dutch (Netherlands and Belgium), Swedish, Norwegian, Finnish, Hungarian, Danish, and Czech.

  • New: Single Sign-On (SSO) support across client applications. When a user has already authenticated with Sphinx (valid session cookie exists), subsequent authorization requests from other client applications skip the login UI and issue an authorization code silently. This eliminates the need for users to log in multiple times when accessing different applications that share the same Sphinx authorization server.

  • New: OIDC prompt parameter support in the authorize endpoint. The prompt query parameter is now recognized in authorization requests per the OpenID Connect specification. Supported values are none (attempt silent authentication, return login_required error if no session exists) and login (force re-authentication even if a session exists). The consent and select_account values are accepted but currently ignored.

  • Improved: You can now use the Sphinx login app and the full authentication flow from internal networks even without internet access, as the login web application no longer downloads any dependency from a CDN.

  • Improved: Increased overall security of the login process, including but not limited to: No CDN dependencies, improved Content Security Policy (CSP) headers, X-Content-Type-Options header, removed unnecessary query parameters from the login app call, among other improvements.

  • Improved: "Transaction expired" message is now more user friendly. First, the login web app automatically tries to silently refresh the existing transaction a few times, allowing a much longer time for the user to complete the login process. If the transaction still expires, the user is presented with a message explaining that the session has expired and providing a button to restart the login process.

  • Improved: Session cookie now includes SameSite=Lax attribute for improved security against cross-site request forgery (CSRF) attacks.

  • Improved: Login web application now works much better with screen readers by implementing ARIA attributes, making it more accessible to users with disabilities.

  • Improved: Login web application CSS framework updated to latest version of Bootstrap 5, improving responsiveness and mobile device compatibility. This might cause breaking changes if you have customized the login web application CSS.

  • Improved: New TSphinxClientApp.ClientAppUrl property allows specifying a URL to which the login web app can redirect when the user gets a "Session expired" error due to being idle for too long.

  • Improved: OpenID Connect metadata discovery endpoint now includes optional token_endpoint_auth_methods_supported property for compatibility with Microsoft Entra. Ticket #26116.

  • Fixed: Error from ticket #25319 was actually not fixed in previous release. It should be fixed now.

Version 1.16 (Sep-2025)

  • New: Delphi 13 support.

  • Fixed: Sporadic "missing required parameter: tid" error when setting up an authenticator during the login process. Ticket #25319.

Version 1.15 (Jul-2025)

  • New: Added Russian translation (thanks to Tsvetov Vitaliy)

  • Improved: LoginApp endpoints are not being displayed anymore in Sphinx server Swagger document. Request #25494.

  • Fixed: TSphinxLogin.Login method was unable to launch the web browser for the user to log in on iOS devices running the latest iOS 18. Ticket #25378.

  • Fixed: RedocOptions property now available in TSphinxServer component. Ticket #25397.

Version 1.14 (Apr-2025)

  • New: Support for the 64-bit IDE.

  • Improved: Password reset workflow does not require a confirmed e-mail anymore. Ticket #24616.

Version 1.13 (Dec-2024)

Version 1.12 (Aug-2024)

  • Fixed: Reset password code was not being sent from the login app after user clicked "Send password reset code". User had to click "Resend code" to receive a code.

Version 1.11 (Jul-2024)

  • Improved: TSphinxLogin now publishes the Client property, which can be used to configure the underlying THttpClient object used in HTTP connections. Ticket #23416.

  • Improved: Plus signs (+) in query strings are now decoded as spaces, for example scope=openid+email is understood as scope=openid email.

  • Fixed: Sphinx simple demo failing to create sample users in an empty database.

Version 1.10 (Jul-2024)

  • New: Two-Factor Authentication (2FA) is now implemented, enhancing application security. This feature requires users to provide a second form of authentication, such as a time-based one-time password (TOTP) from an authenticator app, in addition to their password. Developers can now enable 2FA for existing user accounts, manage authenticator keys, and verify tokens to safeguard against unauthorized access. To utilize 2FA, retrieve the ISphinxContext, enable TwoFactorEnabled for the user, and generate the authenticator key. Refer to the updated documentation for integration details.

  • Fixed: Language JSON files for the login web app were not being included in distribution (regression). Ticket #23173

  • Fixed: When choosing "forgot password" from login page, the password reset code was being generated twice.

  • Fixed: Do not use manager of the context if it does not belong to the Sphinx model. Ticket #22921.

Version 1.9 (Mar-2024)

  • New: TLoginOptions.ForbidSelfRegistration property prevents or allows new users to create a new account by themselves. Request #19339.

  • New: Developers can now choose which information can be used to perform a login (e-mail, phone number, username) by setting additional properties in TLoginOptions class. Request #19741.

  • New: Added new methods and events in several classes to fully support phone number confirmation (token generation, confirmation with token). Request #19069.

  • New: Full documentation page for login web application explaining how to customize and configure it.

  • Improved: Registration (sign-up) page now automatically asks for username and phone number fields, in addition to e-mail, if they are configured as required in TUserOptions. Ticket #21929.

  • Fixed: Option TLoginOptions.RequireConfirmedEmail was not being applied unless TUserOptions.RequireEmail was true. Now it applies whenever the email is not empty, regardless of whether it is required. Same for phone number.

  • Fixed: Demo web application was not being run from the default TMS Web Core application URL. Ticket #22440.

  • Fixed: Do not use manager of the context if it does not belong to the Sphinx model. Ticket #22921.

  • Fixed: Some server-side error messages were not being localized.

Version 1.8 (Jan-2024)

  • New: Added Italian translation. Thanks to Francesco Todini for the contribution.

Version 1.7 (Nov-2023)

  • Fixed: Delphi 12 specific issue: JSON serialization of numbers was serializing integers ending with ".0" due to a change in JSON serialization behavior in Delphi 12. This was also causing "missing iat" error in Sphinx due to wrongly generated JWT.

Version 1.6 (Nov-2023)

  • New: Delphi 12 Support.

  • New: Added German translation (thanks to Andreas Stapel)

Version 1.5 (Oct-2023)

  • New: TSphinxClientApp.OnValidateSecret allows for arbitrary client secret validation.

  • New: TConfigureTokenArgs.Client property provides client information at token configuration time in TSphinxConfig.OnConfigureToken event.

  • Improved: Support for ARM64 macOS and ARM64 iOS Simulator platforms.

  • Improved: Login web app now better integrates with browser autocompletion, receiving suggestions for user names, saved password and confirmation codes.

  • Improved: Sphinx server doesn't require database connection if only client credentials flow is used.

  • Fixed: TSphinxWebLogin component compatibility with latest TMS Web Core releases. It now disables HandleOAuth property. Ticket #21678.

Version 1.4 (Jul-2023)

Version 1.3 (Feb-2023)

  • Fixed: OAuth client was sending the scope parameter when processing the authorization code response. This was causing issues with some servers rejecting that parameter, which is indeed not expected according to the OAuth standard.

  • Fixed: Access Violation when the well-known URL for OpenID Connect server fails to load.

Version 1.2 (Dec-2022)

  • New: Added French translation (thanks to Sylvain) - Ticket #19301.

  • New: Added Belgian Dutch translation (thanks to Smet Filip) - Ticket #19442.

  • Improved: TSphinxLogin now doesn't cause desktop client application to ask for firewall permissions.

  • Improved: Some TSphinxLogin messages are now translatable ("application authorized successfully", for example).

  • Improved: Swedish translation updated.

  • Fixed: Refresh token was not being retrieved when using TSphinxLogin component.

  • Fixed: Client secrets of clients created directly in the TSphinxConfig component were not being used. Ticket #19861.

Version 1.1 (Sep-2022)

  • New: Localization of UI and server messages is now available. Language JSON files were added to distribution, making it easier for users to localize Sphinx login app UI and server messages.

  • New: Demo application updated to show API usage: A new multitenant API Server was added. This shows how to use Sphinx to also authorize the backend API used by the application (web or desktop).

  • New: Demo application updated to show use of login page in form-embedded browser: The demo uses TEdgeBrowser component, check unit Forms.Main in project VclClient.dproj. Enable the directive USE_EDGEBROWSER to show the login page embedded in a form.

  • New: Swedish translation of Sphinx messages and UI available (thanks to Åke Pettersson).

  • New: Brazilian Portuguese translation of Sphinx messages and UI available.

  • Improved: Design-time components were greyed out in component palette if current platform was different than Win32.

  • Improved: User email is now being sanitized and saved as lowercase in database.

Version 1.0 (Aug-2022)

  • First release.