Skip to Main Content
Posted on

Authenticate APEX workspace with Oracle cloud identity domain

Category APEX Tips and Tricks

By integrating Oracle Cloud Identity Domain into your APEX environment, you create a robust authentication mechanism that not only streamlines user management but also enhances security. This seamless integration allows organizations to leverage advanced identity management features, enabling secure single sign-on (SSO) capabilities while simplifying user experience. In this blog post, we will explore the steps to authenticate your Oracle APEX development and administration services with Oracle Cloud Identity Domain.

Access your Oracle Cloud tenancy and go to Identity & Security → Domains. Choose the Default domain and make a note of the Domain URL. You'll need this information later when setting up the APEX authentication scheme.

First, we need to create an integrated application to authenticate APEX workspaces. Navigate to the Integrated Applications section and click the "Add Application" button.

Select Confidential Application and click “Launch workflow” button.

Enter Name for application. Optionally add also Description and upload Application Icon.

Enter to Application URL “https://<your ORDS sever host>/ords/r/apex/workspace-sign-in/select-workspace” and click "Next" button.

Choose the option to Configure this application as client now and input the required details.

  • Make sure to check the Authorization code checkbox.
  • For the Redirect URL, enter: https://<your ORDS server host>/ords/apex_authentication.callback.
  • For the Post-logout redirect URL, use: https://<your ORDS server host>/ords/apex.

After that, click the "Next" button, and on the following page of the wizard, click the “Finish” button.

Once the application is created, click the "Activate" button.

Scroll down to Resource server configuration and find the Client ID and make a note of it. Then, click on Show Secret to reveal the Client Secret and jot it down. You will need these details later when setting up the APEX authentication scheme.

Before configuring authentication schemes in the APEX development environment, log in to the database as an admin user and check the current value of APEX_BUILDER_AUTHENTICATION from the APEX_INSTANCE_PARAMETERS view. Make a note of this value in case you need to revert the authentication scheme to its original state.

select
 name
, value
from APEX_INSTANCE_PARAMETERS
where 1 = 1
 and name = ‘APEX_BUILDER_AUTHENTICATION’
;

To authorize access to the APEX development environment and administration services, you must create users in APEX workspaces, even when using external authentication.

APEX documentation says:

Even for external authentication schemes (such as HTTP Header Variable), make sure that users exist as developers or administrators in your workspace. Otherwise, APEX will not be able to verify in which workspace a user is allowed to work.

Log in to APEX Administration Services and go to Manage Workspaces → Manage Developers and Users. Create a new user in the INTERNAL workspace, using the same username as your Oracle Cloud Identity Domain account. Ensure that the User is an administrator option is set to Yes.

You can also create your user in other workspaces as needed or update your existing users username to match your Oracle Cloud username.

Next navigate Manage Instance → Security and scroll down and edit Social Sign-In authorization scheme.

Enter needed information:

  • Client ID: <Identity Domain application client id noted down earlier>
  • Client Secret: <Identity Domain application client secret noted down earlier>
  • Confirm Client Secret: <Identity Domain application client secret noted down earlier>
  • Authentication Provider: OpenID Connection Provider
  • Discovery URL: <Domain URL you noted down earlier>/.well-known/openid-configuration
  • Scope: profile
  • Username Attribute: sub
  • Verify Username: Yes

Then click "Apply Changes".

Edit again Social Sign-In authorization scheme and click Make Current Scheme.

Click “OK” to confirm authorization scheme change.

Log out of the APEX Administration Service, then return to your APEX instance login URL.

Now you should see Oracle cloud login screen.

Log in to see a list of workspaces you are authorized to access.

If an issue arises, you can restore the APEX instance authentication scheme by logging into the database as an admin user and executing the following command. Replace DB with the value you obtained earlier from the APEX_INSTANCE_PARAMETERS view query.

begin
 apex_instance_admin.set_parameter( 'APEX_BUILDER_AUTHENTICATION', 'DB' );
end;
/

Comments

  • Jari Laine 21 Dec 2025

    Hi Tuhin,

    If you refer to page attribute HTML Header, field help says:

    HTML Header

    Enter text to replace the #HEAD# substitution string in the page template header. The values entered here are inserted after the HTML <head> tag. Use this page attribute to add page specific meta tags.

    I can confirm that when entering to page HTML Header content that belongs to HTML document head e.g. meta tags, rendered document is valid HTML and Install APP link is visible as expected.

    If you enter to page HTML Header, something not belonging to HTML document head, it produce invalid HTML document, and I'm quite sure you could encounter the issue.

    Regards,
    Jari

  • Md. Tuhin Alom 20 Dec 2025

    Subject: Issue with PWA "Install App" button visibility when using HTML Header in Oracle APEX

    Dear Jari,

    I am experiencing an issue related to the Progressive Web App (PWA) feature in Oracle APEX. Specifically, the "Install App" button in the navigation bar does not appear when I add custom content in the "HTML Header" section of a page.

    Here are the details of my observation:

    • When no custom HTML is added in the HTML Header, the "Install App" button appears as expected.

    • As soon as I add any HTML code (such as , , or other tags) in the HTML Header, the "Install App" button disappears.

    My question is:

    • Is this a known limitation or bug in Oracle APEX?

    • Are there recommended practices to safely include custom HTML without breaking the PWA install ability criteria?

    I would appreciate your guidance on whether this is expected behavior or a defect that needs to be addressed.

    ~

    Tuhin