The Sphinx login component does not provide a property for storing a secret. We get back a code, so how do you get back a JWT token at the end? As we know, the secret is necessary for getting the JWT token.
How is the validity of JWT token verified?
One of our clients would like to know this information.
Sorry, I didn't understand your diagram very well.
But regardless, about Sphinx, have you checked the Sphinx demo? It implements all the flow for authenticating, including generating the JWT with a secret.
In the case of the demo, you can see that the JWT secret is provided in the event TSphinxConfig.OnGetSigningData:
procedure TForm7.SphinxConfig1GetSigningData(Sender: TObject; Args: TGetSigningDataArgs);
begin
  Args.Data.Key := TEncoding.UTF8.GetBytes('a secret that has the minimum length');
end;
Thanks for your answer, but I would ask the question in a different way.
How is it possible that the TSphinx login component does not need to specify a secret property? No secret property can be specified. Still, the process works well.
The Sphinx login is client-side. Of course, you can't (and shouldn't) have a secret at client-side.
The Sphinx login communicates with the Sphinx server: the user provides their credentials, and then the server returns a JWT signed with the secret provided at server-side.
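The split described in this thread, as an added Python sketch that is not part of the original posts and not TMS Sphinx code: the server signs with its key, the client only carries the token, and validity is checked by recomputing the signature with that same key. It assumes an HMAC-SHA256 (HS256) token; the function names and the sample secret are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

# Constructed sample key. In the thread the real key is supplied server-side
# (TSphinxConfig.OnGetSigningData) and never reaches the login client.
SERVER_SECRET = b"constructed sample secret, server-side only"

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(secret, signing_input):
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()

def sign_token(claims, secret):
    """Server side: issue a compact JWT signed with HS256 (assumed algorithm)."""
    parts = [{"alg": "HS256", "typ": "JWT"}, claims]
    signing_input = ".".join(_b64url(json.dumps(p, separators=(",", ":")).encode()) for p in parts)
    return signing_input + "." + _b64url(_mac(secret, signing_input))

def verify_token(token, secret, now=None):
    """Secret holder: return the claims if the token is authentic and unexpired, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm; the token must not choose how it is verified.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = _mac(secret, header_b64 + "." + payload_b64)
        # Constant-time comparison of the recomputed and presented signatures.
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        return None
    return claims

def tamper(token, **changes):
    """All a party without the secret can do: edit claims and reuse the old signature."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = {**json.loads(_b64url_decode(payload_b64)), **changes}
    return ".".join([header_b64, _b64url(json.dumps(claims).encode()), sig_b64])
```

A token altered with `tamper` fails `verify_token` because the signature no longer matches the payload, which is why the login client can hold the token without ever holding the key.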