18.8.2 Creating Web Credentials
Create Web credentials from either Workspace Utilities or Shared Components.
To create Web credentials:
- Navigate to the Web Credentials page:
  - From Workspace Utilities:
    - On the Workspace home page, click App Builder.
    - Click Workspace Utilities.
    - Click Web Credentials.
  - From Shared Components:
    - On the Workspace home page, click App Builder.
    - Select an application.
    - On the Application home page, click Shared Components in the center of the page.
    - Under Workspace Objects, select Credentials.
- On the Web Credentials page, click Create.
- Attributes - The following attributes are common to all Authentication Types.
- Attributes, Name - Enter a descriptive name.
- Attributes, Static ID - Enter a unique Static ID to identify this component in API calls or refer to it in application export files. If you change the Static ID, dependent components will retain their references, but any existing API calls using the old ID must be updated manually.
- Attributes, Authentication Type - Select an authentication type. To learn more about available Authentication Types, see field level Help or About Supported Authentication Types in Web Credentials.
Note: The Authentication Type you select determines which options display next.
- Use Database Credential - This switch only displays if the Authentication Type is Basic Authentication or OAuth2 Client Credentials.
If the Use Database Credential switch is enabled, a section to configure the name of a database credential appears. Since a database credential is managed by the database and not by APEX, the attributes for Client ID, Client Secret, and Valid For URLs disappear.
To learn more about Use Database Credential, see field-level Help.
- If the Authentication Type is Basic Authentication:
- Attributes, Client ID or Username - Enter the username for Basic Authentication and the Client ID for the OAuth2 Client Credentials flow. Oracle APEX does not store this information encrypted.
- Attributes, Client Secret or Password - Enter the Password for Basic Authentication and the Client Secret for the OAuth2 Client Credentials flow. Oracle APEX stores this information encrypted, so it cannot be retrieved back in clear text.
- Attributes, Verify Client Secret or Password - Enter the Client Secret or Password again to verify your input.
- Attributes, Valid for URLs - Enter each URL on a new line. See item Help for the list of supported URL schemes and to view examples.
Oracle APEX checks whether the URL a Web credential uses matches the URLs in this attribute. If the URL does not match, Oracle APEX raises an error.
- Advanced, Prompt On Install - Choose whether prompts for this credential display when the application is imported on another APEX instance. Since Oracle APEX never exports Passwords or Client Secrets, installation prompts are always generated when a Client ID or Username is provided.
- Advanced, Comments - Enter any comments or notes here. These comments never display when running the application.
- If the Authentication Type is OAuth2 Client Credentials:
- Attributes, OAuth Scope - Permissions represented by the Access Token in OAuth 2.0 terms are known as scopes. The scope parameter allows the application to express the desired scope of the access request.
If your authentication server requires a scope to be specified for the access token request, provide it here. The OAuth2 access token will then be requested with the following request body:
grant_type=client_credentials&scope={scope}
- Attributes, Client ID or Username - Enter the Username for Basic Authentication and the Client ID for the OAuth2 Client Credentials flow. Oracle APEX does not store this information encrypted.
- Attributes, Client Secret or Password - Enter the Password for Basic Authentication and the Client Secret for the OAuth2 Client Credentials flow. Oracle APEX stores this information encrypted, so it cannot be retrieved back in clear text.
- Attributes, Verify Client Secret or Password - Enter the Password or Client Secret again, to verify your input.
- Attributes, Token Authentication Method - Enter how the credential's Client ID and Client Secret should be passed to the token server. Options include:
  - Basic Authentication - Send Client ID and Client Secret in a Basic Authentication header.
  - Basic Authentication and Client ID in Body - Send Client ID and Client Secret in a Basic Authentication header, but also send Client ID in the request body.
  - Client ID and Client Secret in Body - Send Client ID and Client Secret in the request body.
  - Client ID in Body - Send only Client ID in the request body.
- Attributes, Valid for URLs - Enter each URL on a new line. See item Help for the list of supported URL schemes and to view examples.
Oracle APEX checks whether the URL a Web credential uses matches the URLs in this attribute. If the URL does not match, Oracle APEX raises an error.
- Named Scopes - Named Scopes are alias names for OAuth Scopes. When invocations or token requests use the alias name, Oracle APEX will use the Scope Value instead. Select Add Named Scope.
- Advanced, Prompt On Install - Choose whether prompts for this credential should be displayed when the application is being imported on another Oracle APEX instance. Since Oracle APEX never exports Passwords or Client Secrets, installation prompts are always generated when a Client ID or Username is provided.
- Advanced, Comments - Enter any comments or notes here. These comments never display when running the application.
- If Authentication Type is OCI Native Authentication:
- Attributes, OCI User ID - Enter the Oracle Cloud Infrastructure User OCID. APEX does not store this information encrypted.
- Attributes, OCI Private Key - Enter the private key in PEM format for OCI authentication. APEX stores this information encrypted and secure, so it cannot be retrieved back in clear text.
- Attributes, OCI Tenancy ID - Enter the Oracle Cloud Infrastructure Tenancy's OCID.
- Attributes, OCI Public Key Fingerprint - Enter the public RSA key fingerprint for OCI authentication.
- Attributes, Valid for URLs - Enter each URL on a new line. See item Help for the list of supported URL schemes and to view examples.
Oracle APEX checks whether the URL a Web credential uses matches the URLs in this attribute. If the URL does not match, Oracle APEX raises an error.
- Advanced, Prompt On Install - Choose whether prompts for this credential should be displayed when the application is being imported on another Oracle APEX instance. Since Oracle APEX never exports Passwords or Client Secrets, installation prompts are always generated when a Client ID or Username is provided.
- Advanced, Comments - Enter any comments or notes here. These comments never display when running the application.
- If Authentication Type is HTTP Header:
- Attributes, Credential Name - Provide the name of the HTTP Header or URL Query String parameter to use for this credential.
- Attributes, Credential Secret - Enter the value (or secret) of the credential.
- Attributes, Valid for URLs - Enter each URL on a new line. See item Help for the list of supported URL schemes and to view examples.
Oracle APEX checks whether the URL a Web credential uses matches the URLs in this attribute. If the URL does not match, Oracle APEX raises an error.
- Advanced, Prompt On Install - Choose whether prompts for this credential should be displayed when the application is being imported on another Oracle APEX instance. Since Oracle APEX never exports Passwords or Client Secrets, installation prompts are always generated when a Client ID or Username is provided.
- Advanced, Comments - Enter any comments or notes here. These comments never display when running the application.
- If Authentication Type is URL Query String:
- Attributes, Credential Name - Enter the name of the URL Query String parameter to use for this credential.
- Attributes, Credential Secret - Enter the value (or secret) of the credential.
- Attributes, Valid for URLs - Enter each URL on a new line. See item Help for the list of supported URL schemes and to view examples.
Oracle APEX checks whether the URL a Web credential uses matches the URLs in this attribute. If the URL does not match, Oracle APEX raises an error.
- Advanced, Prompt On Install - Choose whether prompts for this credential should be displayed when the application is being imported on another Oracle APEX instance. Since Oracle APEX never exports Passwords or Client Secrets, installation prompts are always generated when a Client ID or Username is provided.
- Advanced, Comments - Enter any comments or notes here. These comments never display when running the application.
- If Authentication Type is OAuth2 Password Flow:
- Attributes, Credential Name - Enter the name of the URL Query String parameter to use for this credential.
- Attributes, OAuth Scope - Permissions represented by the Access Token in OAuth 2.0 terms are known as scopes. The scope parameter allows the application to express the desired scope of the access request.
If your authentication server requires a scope to be specified for the access token request, provide it here. The OAuth2 access token will then be requested with the following request body:
grant_type=client_credentials&scope={scope}
- Attributes, Client ID - Enter the Client ID for the OAuth2 Password Credentials flow. Oracle APEX does not store this information encrypted. This value is only used to authenticate the request to the token server URL.
- Attributes, Client Secret - Enter the Client Secret for the OAuth2 Password flow. Oracle APEX stores this information encrypted, so it cannot be retrieved back in clear text. This value is only used to authenticate the request to the token server URL.
- Attributes, Verify Client Secret - Enter the Client Secret again, to verify your input.
- Attributes, Token Authentication Method - Enter how the credential's Client ID and Client Secret should be passed to the token server. Options include:
  - Basic Authentication - Send Client ID and Client Secret in a Basic Authentication header.
  - Basic Authentication and Client ID in Body - Send Client ID and Client Secret in a Basic Authentication header, but also send Client ID in the request body.
  - Client ID and Client Secret in Body - Send Client ID and Client Secret in the request body.
  - Client ID in Body - Send only Client ID in the request body.
- Attributes, Valid for URLs - Enter each URL on a new line. See item Help for the list of supported URL schemes and to view examples.
Oracle APEX checks whether the URL a Web credential uses matches the URLs in this attribute. If the URL does not match, Oracle APEX raises an error.
- OAuth2 Password flow, Authentication Credential - Select a Web Credential of the Basic Authentication type. This is the credential which is used by Oracle APEX to store the Username and Password.
- OAuth2 Password flow, Name - Enter a descriptive name for the Basic Authentication Credential. This name must be unique within the workspace. This is the credential which is used by Oracle APEX to store the Username and Password.
- OAuth2 Password flow, Username - Enter the Username for the OAuth2 Password flow. Oracle APEX does not store this information encrypted.
- OAuth2 Password flow, Password - Enter the Password for the OAuth2 Password flow. Oracle APEX stores this information encrypted, so it cannot be retrieved back in clear text.
- OAuth2 Password flow, Verify Password - Enter the Password again, to verify your input.
- Named Scopes - Named Scopes are alias names for OAuth Scopes. When invocations or token requests use the alias name, Oracle APEX will use the Scope Value instead. Select Add Named Scope.
- Advanced, Prompt On Install - Choose whether prompts for this credential should be displayed when the application is being imported on another Oracle APEX instance. Since Oracle APEX never exports Passwords or Client Secrets, installation prompts are always generated when a Client ID or Username is provided.
- Advanced, Comments - Enter any comments or notes here. These comments never display when running the application.
- If Authentication Type is Signed User Assertion:
- Attributes, OAuth Scope - Permissions represented by the Access Token in OAuth 2.0 terms are known as scopes. The scope parameter allows the application to express the desired scope of the access request.
If your authentication server requires a scope to be specified for the access token request, provide it here. The OAuth2 access token will then be requested with the following request body:
grant_type=client_credentials&scope={scope}
- Attributes, Client ID or Username - Enter the username for Basic Authentication and the Client ID for the OAuth2 Client Credentials flow. Oracle APEX does not store this information encrypted.
- Attributes, Client Secret or Password - Enter the Password for Basic Authentication and the Client Secret for the OAuth2 Client Credentials flow. Oracle APEX stores this information encrypted, so it cannot be retrieved back in clear text.
- Attributes, Verify Client Secret or Password - Enter the Client Secret or Password again to verify your input.
- Attributes, Valid for URLs - Enter each URL on a new line. See item Help for the list of supported URL schemes and to view examples.
Oracle APEX checks whether the URL a Web credential uses matches the URLs in this attribute. If the URL does not match, Oracle APEX raises an error.
- Signed User Assertion, Signing Credential - Select a Web Credential of the User Assertion Signing Certificate type which is used by Oracle APEX to sign the user assertion when making the request to the token server.
- Signed User Assertion, Name - Enter a descriptive name for the Signing Credential. This name must be unique within the workspace.
- Signed User Assertion, Private Key - Enter the private key in PEM format. Oracle APEX stores this information encrypted and secure, so it cannot be retrieved back in clear text. Do not include the BEGIN PRIVATE KEY or END PRIVATE KEY lines.
- Signed User Assertion, Audience List - The audience, or list of audiences, for which the assertion signed with this certificate and key is intended. A value of https://identity.oraclecloud.com/ is used by many Oracle IDCS instances. For other Identity Providers, consult the relevant documentation.
- Signed User Assertion, Certificate Alias - The alias under which the signing certificate was registered with your Identity Provider. This value is used for the Key ID (kid) field when generating signed JWTs, if provided.
- Signed User Assertion, Username Expression - Provide a PL/SQL expression to convert the name of the logged-in APEX user (:APP_USER) to a value which will be asserted to the token server.
- Named Scopes - Named Scopes are alias names for OAuth Scopes. When invocations or token requests use the alias name, Oracle APEX will use the Scope Value instead. Select Add Named Scope.
- Advanced, Prompt On Install - Choose whether prompts for this credential display when the application is imported on another APEX instance. Since Oracle APEX never exports Passwords or Client Secrets, installation prompts are always generated when a Client ID or Username is provided.
- Advanced, Comments - Enter any comments or notes here. These comments never display when running the application.
- If Authentication Type is User Assertion Signing Certificate:
- Attributes, Certificate - Enter the Certificate in PEM format. Enter the private key in PEM format. Oracle APEX stores this information encrypted and secure, so it cannot be retrieved back in clear text. Do not include the BEGIN CERTIFICATE or END CERTIFICATE lines.
- Attributes, Private Key - Enter the private key in PEM format. Oracle APEX stores this information encrypted and secure, so it cannot be retrieved back in clear text. Do not include the BEGIN PRIVATE KEY or END PRIVATE KEY lines.
- Attributes, Audience List - The audience, or list of audiences, for which the assertion signed with this certificate and key is intended. For a single audience just specify that value. For a list of audiences enter a string in the format of a JSON array. For example:
["audience.one","audience.two"]
Many Oracle IDCS instances require an audience value of https://identity.oraclecloud.com/. For other Identity Providers, consult the relevant documentation.
- Attributes, Certificate Alias - The alias under which the signing certificate was registered with your Identity Provider. This value is used for the Key ID (kid) field when generating signed JWTs, if provided.
- Advanced, Prompt On Install - Choose whether prompts for this credential display when the application is imported on another APEX instance. Since Oracle APEX never exports Passwords or Client Secrets, installation prompts are always generated when a Client ID or Username is provided.
- Advanced, Comments - Enter any comments or notes here. These comments never display when running the application.
- If Authentication Type is Key Pair:
- Attributes, Public Key - Enter the public key for the key pair credentials. Oracle APEX does not store this information encrypted.
- Attributes, Private Key - Enter the private key for the key pair credentials. Oracle APEX stores this information encrypted, so it cannot be retrieved back in clear text.
- Attributes, Verify Private Key - Enter the private key again, to verify your input.
- Advanced, Comments - Enter any comments or notes here. These comments never display when running the application.
- If Authentication Type is Certificate Pair - Used in combination with SAML authentication, and contains a pair of public certificate key and private key. Only available when SAML is enabled for the Oracle APEX instance. See item Help for details on required attributes.
- Click Apply Changes.
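
The four Token Authentication Method options listed above differ only in where the Client ID and Client Secret travel in the token request, which decides what a proxy or token-server log has to redact. The following is an added example, not Oracle APEX code: it builds the OAuth2 Client Credentials request for each option. The function names, the demo client values, and the plain base64 encoding of the Basic header are assumptions.

```python
import base64
from urllib.parse import urlencode

# Option labels exactly as they appear in the Token Authentication Method list.
METHODS = (
    "Basic Authentication",
    "Basic Authentication and Client ID in Body",
    "Client ID and Client Secret in Body",
    "Client ID in Body",
)

def build_token_request(method, client_id, client_secret, scope=None):
    """Return (headers, body) for a client_credentials token request."""
    if method not in METHODS:
        raise ValueError(f"unknown Token Authentication Method: {method!r}")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = [("grant_type", "client_credentials")]
    if scope:  # scope is only sent when the credential defines one
        form.append(("scope", scope))
    if method.startswith("Basic Authentication"):
        # Assumption: header value is base64("client_id:client_secret").
        pair = f"{client_id}:{client_secret}".encode("utf-8")
        headers["Authorization"] = "Basic " + base64.b64encode(pair).decode("ascii")
    if method != "Basic Authentication":
        form.append(("client_id", client_id))  # the three "... in Body" options
    if method == "Client ID and Client Secret in Body":
        form.append(("client_secret", client_secret))
    return headers, urlencode(form)

def secret_locations(method, client_id="demo-client", client_secret="demo-secret"):
    """List where the secret appears ("header", "body") for one option."""
    headers, body = build_token_request(method, client_id, client_secret, "read")
    found = []
    if "Authorization" in headers:
        found.append("header")
    if "client_secret=" in body:
        found.append("body")
    return found

if __name__ == "__main__":
    # Constructed demo values; no request is sent anywhere.
    for m in METHODS:
        hdrs, body = build_token_request(m, "demo-client", "demo-secret", "read")
        shown = {k: ("<redacted>" if k == "Authorization" else v) for k, v in hdrs.items()}
        print(f"{m}\n  headers: {shown}\n  body: {body.replace('demo-secret', '<redacted>')}")
        print(f"  secret travels in: {secret_locations(m) or 'nowhere'}")
```

With "Client ID in Body" the secret is not sent at all, so that option only works against a token server that accepts the client without one.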