XData with Sphinx authorization

van_den_Berg_Mark · June 9, 2025, 8:02am

Perhaps a "dumb" question, but how do I process the access token - obtained from a Sphinx server - in an XData server?

I understand it with the JWT access token (in demo) but that's merely because the XData server generates the token and can compare. XData has no knowledge whatsoever of a token that was generated by Sphinx, so how can it be validated?

Is there any good demo code, as I cannot seem to find it on my installation.

wlandgraf · June 9, 2025, 12:08pm

It should have knowledge. You have two options:

If you use symmetric keys (sign the token with a secret), then the Sphinx server and XData server should share the secret. So Sphinx signs the JWT with the secret, and XData uses the same secret to validate.
You can use asymmetric keys. The Sphinx server signs the token with its private key, and then you use the respective public key from XData to validate the token.

We have demos for both situations. For 1, it's the regular Sphinx simple demo. Also, in XData demos you have JwtAuthDemo which shows both options in action. Finally the BIZ-Boilerplate project in GitHub also shows public/private key usage.

The documentation also mentions both approaches:

van_den_Berg_Mark · June 10, 2025, 9:59am

Hi Wagner,

Thanks for the info but the more I read, the more I seem to get confused. My main "struggle" at this point where to implement the signing:

In the XData server it appears that I must add the JWT middleware in order to use the GetSecretEx event for validating the signature.
Looking at the Sphinx Simple Demo, I see the TSphinxConfig.OnConfigureToken and the TSphinxConfig.OnGetSigningData events implemented. My understanding is that the former is used to "build" the token (payload etc.) and the latter to return the secret (equivalent of JWT GetSecretEx?)

Is my understanding of the above correct? If not, can you perhaps describe in a few simple steps the required workflow (for XData, Sphinx and a VCL client). Just some simple steps. I'll figure out the code myself from the many examples.

Thanks in advance!

PS: Due to circumstances it may take a while for me to respond further.

wlandgraf · June 10, 2025, 1:02pm

Yes, your understanding is correct, you got it right, that's all to it.

van_den_Berg_Mark · June 10, 2025, 1:54pm

For clarity: does that also apply to point 1? I.e. I MUST include JWT middleware?

wlandgraf · June 10, 2025, 2:26pm

The JWT middleware is the one that decode requests sent with JWT and set the Request.User property based on what it found. It also rejects requests with invalid JWT and, if you forbid anonymous requests, it also rejects requests without JWT.

So, you do not must add a JWT to your server - it's up to you, of course. But if you don't, your server will be open to anyone.

van_den_Berg_Mark · June 10, 2025, 2:34pm

Clear! I'll do some further trials. Thanks so far...

Topic		Replies	Views
Accessing JWT payload in XData CRUD end point TMS XData	4	174	April 8, 2024
How to pass the Tenant_id from TMS Webcore to XData TMS Sphinx	8	672	December 4, 2022
Trying to get JWT working - what have I missed ? TMS XData	6	53	March 14, 2025
Request = demo coupling Sphinx and xData Server TMS Sphinx	11	723	September 30, 2022
Swagger and JWT and XData 5.8 TMS XData	12	775	October 19, 2022

XData with Sphinx authorization

Related topics