
Authenticate APEX workspace with Oracle cloud identity domain

By integrating Oracle Cloud Identity Domain into your APEX environment, you create a robust authentication mechanism that not only streamlines user management but also enhances security. This seamless integration allows organizations to leverage advanced identity management features, enabling secure single sign-on (SSO) capabilities while simplifying user experience. In this blog post, we will explore the steps to authenticate your Oracle APEX development and administration services with Oracle Cloud Identity Domain.

Access your Oracle Cloud tenancy and go to Identity & Security → Domains. Choose the Default domain and make a note of the Domain URL. You'll need this information later when setting up the APEX authentication scheme.

First, we need to create an integrated application to authenticate APEX workspaces. Navigate to the Integrated Applications section and click the "Add Application" button.

Select Confidential Application and click “Launch workflow” button.

Enter a Name for the application. Optionally, add a Description and upload an Application Icon.

For the Application URL, enter https://<your ORDS server host>/ords/r/apex/workspace-sign-in/select-workspace and click the "Next" button.

Choose the option to Configure this application as client now and input the required details.

  • Make sure to check the Authorization code checkbox.
  • For the Redirect URL, enter: https://<your ORDS server host>/ords/apex_authentication.callback.
  • For the Post-logout redirect URL, use: https://<your ORDS server host>/ords/apex.

After that, click the "Next" button, and on the following page of the wizard, click the “Finish” button.

Once the application is created, click the "Activate" button.

Scroll down to Resource server configuration and find the Client ID and make a note of it. Then, click on Show Secret to reveal the Client Secret and jot it down. You will need these details later when setting up the APEX authentication scheme.

Before configuring authentication schemes in the APEX development environment, log in to the database as an admin user and check the current value of APEX_BUILDER_AUTHENTICATION from the APEX_INSTANCE_PARAMETERS view. Make a note of this value in case you need to revert the authentication scheme to its original state.

select
 name
, value
from APEX_INSTANCE_PARAMETERS
where 1 = 1
 and name = 'APEX_BUILDER_AUTHENTICATION'
;

To authorize access to the APEX development environment and administration services, you must create users in APEX workspaces, even when using external authentication.

APEX documentation says:

Even for external authentication schemes (such as HTTP Header Variable), make sure that users exist as developers or administrators in your workspace. Otherwise, APEX will not be able to verify in which workspace a user is allowed to work.

Log in to APEX Administration Services and go to Manage Workspaces → Manage Developers and Users. Create a new user in the INTERNAL workspace, using the same username as your Oracle Cloud Identity Domain account. Ensure that the User is an administrator option is set to Yes.

You can also create the user in other workspaces as needed, or update an existing user's username to match your Oracle Cloud username.

Next, navigate to Manage Instance → Security, scroll down, and edit the Social Sign-In authentication scheme.

Enter the required information:

  • Client ID: <Identity Domain application client id noted down earlier>
  • Client Secret: <Identity Domain application client secret noted down earlier>
  • Confirm Client Secret: <Identity Domain application client secret noted down earlier>
  • Authentication Provider: OpenID Connect Provider
  • Discovery URL: <Domain URL you noted down earlier>/.well-known/openid-configuration
  • Scope: profile
  • Username Attribute: sub
  • Verify Username: Yes

Then click "Apply Changes".
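Switching the instance authentication scheme locks you out of Administration Services if the provider settings are wrong, so it is worth checking the discovery document against the values entered above before making the scheme current. The following is an added example, not part of the original post or of APEX itself: it validates a constructed sample of what <Domain URL>/.well-known/openid-configuration returns (placeholder host, not a real tenancy) and assumes the provider's endpoints are served from the Domain URL host.

```python
"""Pre-flight check of an OpenID Connect discovery document against the
settings entered into the APEX Social Sign-In authentication scheme."""
import json
from urllib.parse import urlparse

# Constructed sample discovery document; the host is a placeholder.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idcs-EXAMPLE.identity.oraclecloud.com",
    "authorization_endpoint": "https://idcs-EXAMPLE.identity.oraclecloud.com/oauth2/v1/authorize",
    "token_endpoint": "https://idcs-EXAMPLE.identity.oraclecloud.com/oauth2/v1/token",
    "userinfo_endpoint": "https://idcs-EXAMPLE.identity.oraclecloud.com/oauth2/v1/userinfo",
    "jwks_uri": "https://idcs-EXAMPLE.identity.oraclecloud.com/admin/v1/SigningCert/jwk",
    "scopes_supported": ["openid", "profile", "email"],
    "response_types_supported": ["code", "token", "id_token"],
    "claims_supported": ["sub", "user_displayname", "email"],
})


def check_discovery(doc_json, domain_url, redirect_url,
                    scope="profile", username_attr="sub"):
    """Return a list of problems; an empty list means the settings line up."""
    doc = json.loads(doc_json)
    problems = []
    domain_host = urlparse(domain_url).netloc
    # Endpoints APEX will call must be https and on the Domain URL host
    # (assumption: the identity domain serves them from that host).
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        parsed = urlparse(doc.get(key, ""))
        if parsed.scheme != "https":
            problems.append(f"{key} missing or not https")
        elif parsed.netloc != domain_host:
            problems.append(f"{key} is not on the Domain URL host")
    # The integrated application was created with the Authorization code grant.
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if scope not in doc.get("scopes_supported", []):
        problems.append(f"scope {scope!r} not supported")
    claims = doc.get("claims_supported")
    if claims is not None and username_attr not in claims:
        problems.append(f"username attribute {username_attr!r} not in claims_supported")
    # Redirect URL must be the https ORDS callback registered in the application.
    parsed = urlparse(redirect_url)
    if parsed.scheme != "https" or not parsed.path.endswith("/ords/apex_authentication.callback"):
        problems.append("redirect URL is not the https ORDS apex_authentication.callback")
    return problems
```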

Edit the Social Sign-In authentication scheme again and click Make Current Scheme.

Click "OK" to confirm the authentication scheme change.

Log out of APEX Administration Services, then return to your APEX instance login URL.

You should now see the Oracle Cloud login screen.

Log in to see a list of workspaces you are authorized to access.

If an issue arises, you can restore the APEX instance authentication scheme by logging into the database as an admin user and executing the following command. Replace DB with the value you obtained earlier from the APEX_INSTANCE_PARAMETERS view query.

begin
 apex_instance_admin.set_parameter( 'APEX_BUILDER_AUTHENTICATION', 'DB' );
end;
/
