The problem arises when running the VCL desktop application from the next step in the documentation.
Pressing the login-button instantly gives the following error:
TMS Sphinx tries to do that for you by default. It already includes the iss claim in the JWT, and the value is the original URL the client requested, without the relative path segments.
Client-side, the issuer must be exactly the same as the authority. So, if you have configured your SphinxLogin1.Authority property to be http://myserverurl/sphinx, then the iss claim in JWT must be the same.
Something is getting mixed up here. While you can manually set an issuer value yourself on the server, it usually should not be needed.
To clarify what's going on, can you please:
Provide the JSON result you get from the URL http://myserverurl/sphinx/.well-known/openid-configuration.
Provide the value of the Authority property you are setting in the TSphinxLogin component.
Provide the value of the BaseUrl property you are setting in the TSphinxServer component.
Is your Apache/network configuration (which is out of Sphinx's scope) doing some kind of redirection (http/https, port, etc.)?
I am having the same issue. I have an Apache module with a Sphinx server embedded. The Apache server redirects all http to https. The authorization endpoint is on: https//:/sphinx/auth; this is set on the Authority property of the TSphinxLogin component. The BaseUrl value of the TSphinxServer component is https//:/sphinx/auth. So I think it has to do with the http to https redirection configuration in Apache.
Probably.
You have to make sure that Sphinx is aware of the correct URLs.
Either your redirect should set the proper forward headers (and then you use the forward middleware), or some other review is needed so that there isn't a mismatch between the URL your client invokes, the URL the server responds on, and the URL of the issuer in the JWT.
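The three URLs named in the reply above (the Authority the client is configured with, the issuer the server advertises in its openid-configuration, and the iss claim inside the token) have to agree exactly, and an http-to-https redirect in front of the server is the usual way they drift apart. The following is an added diagnostic example, not TMS Sphinx code and not from anyone in this thread: it takes the discovery JSON, the configured Authority and a token, reports each mismatch, and classifies the difference (scheme, host, port, trailing slash) so you know which layer to look at. The discovery document and the token are constructed inline; the token is unsigned and only its payload is read, so this is for comparing the iss value, not for validating a token.

```python
import base64
import json
from urllib.parse import urlsplit


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_jwt(claims: dict) -> str:
    # Constructed token for the demo only (alg none, empty signature); a real
    # Sphinx token is signed and must be verified before its claims are trusted.
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def jwt_claims(token: str) -> dict:
    # Reads the payload WITHOUT verifying the signature; only for inspecting
    # the iss value while diagnosing a configuration mismatch.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialization JWT")
    return json.loads(_b64url_decode(parts[1]))


def describe_difference(expected: str, actual: str) -> str:
    # Classify why two URLs differ, pointing at the layer that usually causes it.
    e, a = urlsplit(expected), urlsplit(actual)
    if e.scheme != a.scheme:
        return (f"scheme differs ({a.scheme} vs {e.scheme}); check http->https "
                "redirects and forwarded-proto headers")
    if e.hostname != a.hostname:
        return "host differs; check the Host / X-Forwarded-Host handling of the proxy"
    if e.port != a.port:
        return "port differs; check the proxy port / X-Forwarded-Port handling"
    if e.path.rstrip("/") == a.path.rstrip("/"):
        return "only a trailing slash differs"
    return "path differs"


def check_issuer_consistency(authority: str, discovery_doc: dict, token: str) -> list:
    """Return human-readable mismatches; an empty list means the three URLs agree.

    Comparison is exact string equality, as the client requires, so even a
    trailing slash is reported (with a hint about what caused it).
    """
    problems = []
    authority = authority.strip()
    disc_issuer = discovery_doc.get("issuer")
    if disc_issuer is None:
        problems.append("discovery document has no 'issuer' field")
    elif disc_issuer != authority:
        problems.append(f"discovery issuer {disc_issuer!r} != Authority {authority!r}: "
                        + describe_difference(authority, disc_issuer))
    iss = jwt_claims(token).get("iss")
    if iss is None:
        problems.append("token has no 'iss' claim")
    elif iss != authority:
        problems.append(f"token iss {iss!r} != Authority {authority!r}: "
                        + describe_difference(authority, iss))
    return problems


# Constructed sample data: the server sits behind an http->https redirect and
# still believes it is reachable over plain http, so both issuer values say http.
SAMPLE_DISCOVERY = {
    "issuer": "http://myserver/sphinx",
    "authorization_endpoint": "http://myserver/sphinx/auth",
    "token_endpoint": "http://myserver/sphinx/token",
}
SAMPLE_TOKEN = make_unsigned_jwt({"iss": "http://myserver/sphinx", "sub": "alice"})


if __name__ == "__main__":
    for problem in check_issuer_consistency("https://myserver/sphinx", SAMPLE_DISCOVERY, SAMPLE_TOKEN):
        print("MISMATCH:", problem)
```

Run it against the real openid-configuration JSON (the document the earlier reply asks for) and a token captured from your own client; if the scheme is the only difference, the fix belongs in the redirect/forwarded-header setup rather than in the token claims.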
I made a quick change to my server code to check: I added Args.Token.Claims.AddOrSet('iss', 'https://myserver/sphinx/auth'); to the OnConfigureToken event, but that doesn't solve the problem. Maybe I should search in the Apache configuration to solve this issue.