4.6 Configure the Client for Interactive Sign-In
Configure SQL*Plus to trigger the browser-based OAuth sign-in.
- Configure network and token authentication (sqlnet.ora).
  This step enables token-based authentication and directs the client to the security wallet.

  - In $ORACLE_HOME/network/admin, open sqlnet.ora.

        vi sqlnet.ora

  - Add the following configuration.

    Note: As this is a single-host setup, you'll configure both the client and the server to use the server wallet to avoid key-certificate mismatch issues during TLS authentication.

        # --- Authentication ---
        SQLNET.AUTHENTICATION_SERVICES = (BEQ, TOKENAUTH)

        # --- TLS Configuration ---
        TLS_CLIENT_AUTHENTICATION = FALSE
        TLS_SERVER_DN_MATCH = TRUE

        # Prevents conflicts between Native Encryption and TLS
        SQLNET.IGNORE_ANO_ENCRYPTION_FOR_TCPS = TRUE

        # Pointing both Client and Server to the Server wallet avoids
        # the "missing private key" issue in single-box setups.
        WALLET_LOCATION =
          (SOURCE =
            (METHOD = FILE)
            (METHOD_DATA =
              (DIRECTORY = /u01/app/oracle/wallets/server)))

- Create the database connection alias (tnsnames.ora).
  This file defines the connection string for your database. It includes the Microsoft Entra ID application details required to trigger the browser sign-in.

  - In $ORACLE_HOME/network/admin, open tnsnames.ora.

        vi tnsnames.ora

  - Add the following entry. Ensure you replace the placeholder values with the IDs you saved earlier. See Register the Database Resource and Register the Client Application. Additionally, use the database server’s fully qualified domain name (FQDN) for both HOST and CN fields, and specify the service name of your target PDB.

        db_entraid =
          (DESCRIPTION =
            (ADDRESS = (PROTOCOL = TCPS)(HOST = <your-vm-fqdn>)(PORT = 2484))
            (CONNECT_DATA =
              (SERVICE_NAME = <your-pdb-service-name>)
            )
            (SECURITY =
              (TLS_SERVER_CERT_DN = "CN=<your-vm-fqdn>,O=Oracle,C=US")
              # Use OAuth 2.0 (Authorization Code Flow)
              (TOKEN_AUTH = AZURE_INTERACTIVE)
              # App Registration Details
              (CLIENT_ID = <[CLIENT_APP_ID]>)
              (TENANT_ID = <[TENANT_ID]>)
              (AZURE_DB_APP_ID_URI = <[DB_APP_ID_URI]>)
            )
          )
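
An added pre-flight check, not part of the original page or of Oracle's tooling: it reads the text of the two files configured above and reports the settings this section depends on that are missing, namely TOKENAUTH, server DN matching, TCPS, AZURE_INTERACTIVE, a HOST that equals the certificate CN, and placeholders that were never replaced. The function names, the host db01.example.com and the sample IDs are assumptions constructed for this example.

```python
import re

def _clean(text):
    # Drop '#' comments so a commented-out setting is not counted as set.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())

def _param(text, name):
    # Value of NAME = VALUE or (NAME = VALUE), without quotes or parentheses.
    m = re.search(r'(?i)(?<![\w.])' + re.escape(name) + r'\s*=\s*\(?\s*"?([^")\n]*)', text)
    return m.group(1).strip() if m else ""

def _alias_block(tns, alias):
    # Text of one alias, found by balancing parentheses after "alias =".
    m = re.search(r"(?im)^" + re.escape(alias) + r"\s*=", tns)
    depth = 0
    for j in range(m.end() if m else len(tns), len(tns)):
        depth += (tns[j] == "(") - (tns[j] == ")")
        if tns[j] == ")" and depth == 0:
            return tns[m.end():j + 1]
    return None

def check_client_config(sqlnet, tns, alias="db_entraid"):
    # Returns a list of findings; an empty list means every check passed.
    sqlnet, block, findings = _clean(sqlnet), _alias_block(_clean(tns), alias), []
    for name, want in (("SQLNET.AUTHENTICATION_SERVICES", "TOKENAUTH"), ("TLS_SERVER_DN_MATCH", "TRUE")):
        if want not in re.split(r"[\s,]+", _param(sqlnet, name).upper()):
            findings.append(f"sqlnet.ora: {name} does not include {want}")
    if block is None:
        return findings + [f"tnsnames.ora: alias {alias} not found"]
    for name, want in (("PROTOCOL", "TCPS"), ("TOKEN_AUTH", "AZURE_INTERACTIVE")):
        if _param(block, name).upper() != want:
            findings.append(f"tnsnames.ora: {name} is not {want}")
    host = _param(block, "HOST").lower()
    cn = re.search(r"(?i)\bCN=([^,]+)", _param(block, "TLS_SERVER_CERT_DN"))
    if not host or "<" in host or not cn or cn.group(1).strip().lower() != host:
        findings.append("tnsnames.ora: HOST and CN in TLS_SERVER_CERT_DN differ or are unset")
    for key in ("CLIENT_ID", "TENANT_ID", "AZURE_DB_APP_ID_URI"):
        value = _param(block, key)
        if not value or "<" in value:
            findings.append(f"tnsnames.ora: {key} is missing or still a placeholder")
    return findings

# Constructed sample input; the IDs and host names are made up.
SAMPLE_SQLNET = "SQLNET.AUTHENTICATION_SERVICES = (BEQ, TOKENAUTH)\nTLS_SERVER_DN_MATCH = TRUE\n"
SAMPLE_TNS = """db_entraid = (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCPS)(HOST = db01.example.com)(PORT = 2484))
  (CONNECT_DATA = (SERVICE_NAME = pdb1.example.com))
  (SECURITY = (TLS_SERVER_CERT_DN = "CN=db01.example.com,O=Oracle,C=US")
    (TOKEN_AUTH = AZURE_INTERACTIVE) (CLIENT_ID = 11111111-1111-1111-1111-111111111111)
    (TENANT_ID = 22222222-2222-2222-2222-222222222222) (AZURE_DB_APP_ID_URI = https://example.onmicrosoft.com/33333333)))"""
```

Pass the contents of the real sqlnet.ora and tnsnames.ora to check_client_config before the first connection attempt; an empty list means the settings above are all present.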