I guess that I don't use the correct way to transmit the Secret.
Below is my attempt to realise the automatic authentication.
I double checked the authority, ClientID and Scope in the TSphinxLogin component.
(Authentication from WebCore to the same Sphinx Server works fine! Thanks again.)
The Error still remains when I pass 'test' as Parameter.
Do I have to create a Pseudo-user for the Server in the Dataset? Could that be the problem?
It's the same Sphinx Server I use to Authenticate my Web-Users and which returns the TenantId.
So I also have the two functions OnConfigureTokens and OnGetSigningData configured.
May that be a/the problem?
No, the client_credentials flow doesn't have a user involved.
Also no, those events do not affect authentication using client_credentials.
Are you setting `SphinxLogin1.ClientId` to "server"?
Other than this, can you please maybe send me a sample project reproducing the issue? If we can compile and reproduce the problem here, I'm sure we can quickly see why it's failing.
Thank you for the project. You've hit a bug in TMS Sphinx. We have fixed this internally and the next released version will work properly, but in the meantime you can work around this issue by moving the code from the ConfigureClients method to the OnGetClient event of the SphinxConfig1 component. This should be the code in the event:
procedure TForm7.SphinxConfig1GetClient(Sender: TObject; Client: TSphinxClientApp; var Accept: Boolean);
begin
  // The following properties can be simply set at design-time using the TSphinxConfig.Clients property
  // We keep it in the code here for learning purposes

  // Create desktop client
  if Client.ClientId = 'desktop' then
  begin
    Client.ClientId := 'desktop';
    Client.DisplayName := 'My App';
    Client.RequireClientSecret := True;
    Client.AllowedGrantTypes := [TGrantType.gtClientCredentials];
    Client.AddSha256Secret(THashSHA2.GetHashBytes('test'));
    Client.ValidScopes.Add('openid');
    Client.ValidScopes.Add('email');
    Accept := True;
  end;

  // Create web client
  if Client.ClientId = 'web' then
  begin
    Client.ClientId := 'web';
    Client.DisplayName := 'My App';
    Client.RedirectUris.Add('http://localhost:2001/tms/WebClient/');
    Client.RequireClientSecret := False;
    Client.AllowedGrantTypes := [TGrantType.gtAuthorizationCode];
    Client.ValidScopes.Add('openid');
    Client.ValidScopes.Add('email');
    Accept := True;
  end;
end;
Also note that since you are now accepting non-impersonated requests, you should improve the code in the OnConfigureToken event to test if Args.User is nil (which will be the case for client credentials token requests):
procedure TForm7.SphinxConfig1ConfigureToken(Sender: TObject; Args: TConfigureTokenArgs);
var
  TenantId: string;
  P: Integer;
begin
  // Args.User is nil for client_credentials requests, so only derive the
  // tenant claim when a user is actually present
  if Args.User <> nil then
  begin
    TenantId := Args.User.Email.ValueOrDefault;
    P := Pos('@tmssoftware.local', TenantId);
    if P > 1 then
      TenantId := UpperCase(Copy(TenantId, 1, 1)) + Copy(TenantId, 2, P - 2);
    Args.Token.Claims.AddOrSet('tenantId', TenantId);
  end;
end;
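The two handlers above cover two separate checks that a token endpoint has to get right: the client registry (which client ids exist, whether a secret is required, which grant types and scopes are allowed, with the secret stored only as a SHA-256 hash) and the claims hook (which must not dereference a user on a client_credentials request, since there is none). The following Python model is an added illustration written for this thread; it is not code from the posts above and not TMS Sphinx's API. All names (`ClientApp`, `get_client`, `token_request`, `configure_token`, `User`) and the sample clients and e-mail address are constructed for the example; only the behaviour mirrors the Delphi handlers.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional

# Hypothetical client registration record. Only SHA-256 digests of secrets
# are kept, the same idea as AddSha256Secret in the thread's OnGetClient code.
@dataclass
class ClientApp:
    client_id: str
    display_name: str
    require_client_secret: bool
    allowed_grant_types: set
    valid_scopes: set = field(default_factory=set)
    redirect_uris: list = field(default_factory=list)
    secret_hashes: list = field(default_factory=list)

    def add_sha256_secret(self, secret: str) -> None:
        self.secret_hashes.append(hashlib.sha256(secret.encode()).digest())

    def check_secret(self, presented: Optional[str]) -> bool:
        # Hash the presented value and compare in constant time against every
        # registered digest; None never matches.
        if presented is None:
            return False
        digest = hashlib.sha256(presented.encode()).digest()
        return any(hmac.compare_digest(digest, h) for h in self.secret_hashes)


@dataclass
class User:
    email: str


def get_client(client_id: str) -> Optional[ClientApp]:
    """Counterpart of the OnGetClient handler: build the client for a known id."""
    if client_id == "desktop":
        c = ClientApp("desktop", "My App", True, {"client_credentials"},
                      {"openid", "email"})
        c.add_sha256_secret("test")          # constructed sample secret
        return c
    if client_id == "web":
        return ClientApp("web", "My App", False, {"authorization_code"},
                         {"openid", "email"},
                         ["http://localhost:2001/tms/WebClient/"])
    return None


def configure_token(claims: dict, user: Optional[User]) -> dict:
    """Counterpart of OnConfigureToken: tenantId is derived only when a user exists."""
    if user is not None:
        tenant = user.email
        p = tenant.find("@tmssoftware.local")
        if p > 0:                            # same condition as Pos(...) > 1
            tenant = tenant[0].upper() + tenant[1:p]
        claims["tenantId"] = tenant
    return claims


def token_request(client_id: str, client_secret: Optional[str], grant_type: str,
                  scopes: list, user: Optional[User] = None):
    """Validate a token request and return (ok, claims_or_error)."""
    client = get_client(client_id)
    if client is None:
        return False, "unknown_client"
    if grant_type not in client.allowed_grant_types:
        return False, "unauthorized_grant_type"
    if client.require_client_secret and not client.check_secret(client_secret):
        return False, "invalid_client"
    if not set(scopes) <= client.valid_scopes:
        return False, "invalid_scope"
    claims = {"client_id": client_id, "scope": " ".join(sorted(scopes))}
    return True, configure_token(claims, user)


if __name__ == "__main__":
    # client_credentials: no user, so no tenantId claim is produced
    print(token_request("desktop", "test", "client_credentials", ["openid"]))
    # authorization_code with a signed-in user: tenantId is derived from the e-mail
    print(token_request("web", None, "authorization_code", ["openid", "email"],
                        User("alice@tmssoftware.local")))
```

The point of the `user is None` branch is exactly the one made in the reply: the same claims hook serves both flows, and a client_credentials token carries no user, so anything derived from `Args.User` has to be guarded rather than assumed.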