Version History

v2.2

• New : end_session_endpoint is now published in the OpenID Connect discovery metadata.
• New : TSphinxLogin.LogoutAndEndSession and TSphinxWebLogin.LogoutAndEndSession methods for client-side SSO logout, clearing the local session and redirecting to the identity provider''s end-session endpoint.
• New : TSphinxClientApp.PostLogoutRedirectUris property allows registering the list of URIs accepted as post_logout_redirect_uri in a logout request.
• New : TOidcClient.BuildLogoutUrl method builds the logout URL for the authorization server, supporting optional id_token_hint and post_logout_redirect_uri parameters.
• New : Support for WinArm64EC platform, introduced in Delphi 13.1.
• New : Mobile application authentication is now supported via custom URL schemes. TSphinxLogin now exposes a RedirectUri property and a HandleCallback method for iOS and Android.
• New : Logout web application is now served by the Sphinx server, providing a localized UI for the user to confirm or cancel the logout action.
• New : End session (logout) endpoint is now implemented, following the OpenID Connect RP-Initiated Logout specification.
• Fixed : TOidcClient.OnHttpClientCreate name fixed, it was misspelled as OnHttpClienCreate.

v2.1

• New : TSphinxLogin.SkipIssuerValidation and TSphinxWebLogin.SkipIssuerValidation properties to bypass strict issuer string comparison for multi-tenant identity providers.
• New : TSphinxLogin.RefreshTokens and TSphinxWebLogin.RefreshTokens methods for client-side token refresh.
• New : TSphinxLogin.OnValidateIssuer and TSphinxWebLogin.OnValidateIssuer events for custom issuer verification logic in multi-tenant scenarios.
• New : Silent token refresh in TSphinxLogin.Login and TSphinxWebLogin.Login when access token is expired but a refresh token is available.

v2.0

• New : Single Sign-On (SSO) support across client applications.
• New : Several languages added to the login web application. Now the login application is fully localized in over 20 languages.
• New : Refresh token support is now implemented, including refresh token rotation, single-use tokens, reuse detection, and scope reduction.
• New : OIDC prompt parameter support in the authorize endpoint.
• Improved : Transaction expired message is now more user friendly with automatic silent refresh.
• Improved : Sphinx login app and the full authentication flow now works from internal networks without internet access.
• Improved : Session cookie now includes SameSite=Lax attribute for improved CSRF protection.
• Improved : Refer to official documentation for the list of new features and improvements
• Improved : OpenID Connect metadata discovery endpoint now includes token_endpoint_auth_methods_supported property.
• Improved : Login web application now works much better with screen readers using ARIA attributes.
• Improved : Login web application CSS framework updated to latest version of Bootstrap 5.
• Improved : Increased overall security of the login process, including improved CSP headers and other improvements.
• Improved : Added new TSphinxClientApp.ClientAppUrl property for session expired redirect.
• Fixed : Error from ticket 25319 regarding missing required parameter tid should now be properly fixed.

v1.16

• New : Delphi 13 support.
• Fixed : Error sporadic "missing required parameter: tid" when setting up an authenticator during login process. Ticket #25319.

v1.15

• New : Added Russian translation (thanks to Tsvetov Vitaliy)
• Improved : LoginApp endpoints are not being displayed anymore in Sphinx server Swagger document. Request #25494.
• Fixed : TSphinxLogin.Login method was not being able to launch web browser for user to login, in iOS devices with latest iOS 18. Ticket #25378.
• Fixed : RedocOptions property now available in TSphinxServer component. Ticket #25397.

v1.14

• New : Support for the 64-bit IDE.
• Improved : Password reset workflow does not require a confirmed e-mail anymore. Ticket #24616.

v1.13.0.1

• New : Property TLoginOptions.?Require?TwoFactor requires users to enable two factor authentication, and present them a way to configure authenticator upon password login.
• New : Login app now automatically provides the QR Code to enable an authenticator app (e.g., Google Authenticator or similar). This can be achieved by setting two-factor authenticaction required by using TLoginOptions.?Require?TwoFactor or IUserManager.?Set?TwoFactor?Required
• Improved : Better error message in user registration form when user name is invalid. Sphinx now indicates the offending invalid character. Request #24019.
• Fixed : TSphinxServer.?Create?Context works better when called from XData services that are not in Sphinx model. Ticket #23803.
• Fixed : Memory issues when using Sphinx context (after calling TSphinxServer.?Create?Context), in the specific situation where the context was using the TObjectManager from the request context. It was causing Access Violation errors. Ticket 24273#.

v1.12

• Fixed : Reset password code was not being sent from the login app after user clicked "Send password reset code". User had to click "Resend code" to receive a code.

v1.11

• Improved : TSphinxLogin published the Client property which can be used to configure the underlying THttpClient object used in HTTP connections. Ticket #23416.
• Improved : Plus signs (+) in query strings are now decoded as spaces, for example scope=openid+email is understood as scope=openid email.
• Fixed : Sphinx simple demo failing to create sample users in an empty database.

v1.10

• New : Two-Factor Authentication (2FA) is now implemented, enhancing application security.
• Fixed : When choosing "forgot password" from login page, the password reset code was being generated twice.
• Fixed : Language JSON files for the login web app were not being included in distribution (regression). Ticket #23173
• Fixed : Do not use manager of the context if it does not belong to the Sphinx model. Ticket #22921.

v1.9

• New : TLoginOptions.?Forbid?Self?Registration property prevents or allows new users to create a new account by themselves. Request #19339.
• New : Full documentation page for login web application explaining how to customize and configure it.
• New : Developers can now choose which information can be used to perform a login (e-mail, phone number, username) by setting additional properties in TLoginOptions class. Request #19741.
• New : Added new methods and events in several classes to fully support phone number confirmation (token generation, confirmation with token). Request #19069.
• Improved : Registration (sign-up) page now automatically asks for username and phone number fields, in addition to e-mail, if they are configured as required in TUserOptions. Ticket #21929.
• Fixed : Some server-side error messages were not being localized.
• Fixed : Option TLoginOptions.?Require?Confirmed?Email was not being applied unless TUserOptions.?Require?Email was true. Now it will apply whenever the email is not empty, regardless if it''s required. Same for phone number.
• Fixed : Do not use manager of the context if it does not belong to the Sphinx model. Ticket #22921.
• Fixed : Demo web application was not being run from the default TMS Web Core application URL. Ticket #22440.

v1.8.0.1

• New : Added Italian translation. Thanks to Francesco Todini for the contribution.

v1.7

• Fixed : Delphi 12 specific issue: JSON serialization of numbers was serializing integers ending with ".0" due to a change in JSON serialization behavior in Delphi 12. This was also causing "missing iat" error in Sphinx due to wrongly generated JWT.

v1.6

• New : Delphi 12 support.

v1.5.0.0

• New : TSphinxClient?App.?OnValidate?Secret allows for arbitrary client secret validation.
• New : TConfigureToken?Args.?Client property provides client information at token configuration time in TSphinxConfig.?OnConfigure?Token event.
• Improved : Support for ARM64 macOS and ARM64 iOS Simulator platforms.
• Improved : Sphinx server doesn''t require database connection if only client credentials flow is used.
• Improved : Login web app now better integrates with browser autocompletion, receiving suggestions for user names, saved password and confirmation codes.
• Fixed : TSphinxWebLogin component compatibility with latest TMS Web Core releases. It now disables HandleOAuth property. Ticket #21678.

v1.4

• Improved : New Dutch translation. Thanks to Jacco Uijlenhoet.

v1.3

• Fixed : OAuth client was sending scope parameter when processing authorization code response. This was causing issues with some servers rejecting such parameter which is indeed not expected according to OAuth standard.
• Fixed : Access Violation when the well-known URL for OpenID Connect server fails to load.

v1.2

• New : Added French translation (thanks to Sylvain - Ticket #19301.
• New : Added Belgian Dutch translation (thanks to Smet Filip - Ticket #19442.
• Improved : TSphinxLogin now doesn't cause desktop client application to ask for firewall permissions.
• Improved : Swedish translation updated.
• Improved : Some TSphinxLogin messages are now translatable ("application authorized succcesfully", for example).
• Fixed : Refresh token was not being retrieved when using TSphinxLogin component.
• Fixed : Client secrets of clients created directly in the TSphinxConfig component were not being used. Ticket #19861.

v1.1

• New : Swedish translation of Sphinx messages and UI available (thanks to Åke Pettersson).
• New : Localization of UI and server messages is now available. Language JSON files were added to distribution, making it easier for users to localize Sphinx login app UI and server messages.**
• New : Demo application updated to show use of login page in form-embedded browser: The demo uses TEdgeBrowser component, check unit Forms.Main in project VclClient.dproj. Enable the directive USE_EDGEBROWSER to show the login page embedded in a form.
• New : Demo application updated to show API usage: A new multitenant API Server was added. This shows how to use Sphinx to also authorize the backend API used by the application (web or desktop).
• New : Brazilian Portuguese translation of Sphinx messages and UI available.
• Improved : User email is now being sanitized and saved as lowercase in database.
• Improved : Design-time components were greyed out in component palette if current platform was different than Win32.

v1.0

• New : First release.