20.4.3 Understanding Preconfigured Authentication Schemes

Learn about the preconfigured authentication schemes.

When you create an authentication scheme from the gallery you can select a preconfigured authentication scheme which follows a standard behavior for authentication and session management. Note that if you create a new authentication scheme, it automatically becomes the current authentication scheme for the selected application. This section describes all preconfigured authentication schemes that ship with Oracle Application Express.

Tip:

Authentication schemes support plug-ins. To learn more, see "Implementing Plug-ins."

20.4.3.1 Application Express Accounts

Application Express Accounts are user accounts that are created within and managed in the Oracle Application Express user repository. When you use this method, your application is authenticated against these accounts.

20.4.3.1.1 About Application Express Accounts

Application Express Accounts authentication requires that a database user (schema) exists in the local database. When using this method, the user name and password of the database account is used to authenticate the user.

Application Express Accounts is a good solution when:

  • You want control of the user account repository.

  • User name and password-based approach to security is sufficient.

  • You do not need to integrate into a single sign-on framework.

Application Express Accounts is an especially good approach when you must get a group of users up and running on a new application quickly.

Recommendations for Production Environments

Oracle does not recommend Application Express Accounts authentication in production environments. The credentials used to log in to an application may be the same as the credentials used to log in to a workspace. In production environments, Oracle recommends using another identity provider such as Oracle Access Manager (OAM), Oracle Identity Cloud Service (IDCS), Okta, or Microsoft Azure authentication.

See Also:

"Managing Application Express Users" in Oracle Application Express Administration Guide

20.4.3.1.2 Setting Up Application Express Accounts Authentication

To set up Application Express Accounts:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

    The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select Application Express Accounts.
    3. Click Create Authentication Scheme.

20.4.3.2 Custom Authentication

Create a Custom Authentication scheme from scratch to have complete control over your authentication interface.

20.4.3.2.1 About Custom Authentication

Custom Authentication is the best approach for applications when any of the following is true:

  • Database authentication or other methods are not adequate.

  • You want to develop your own login form and associated methods.

  • You want to control security aspects of session management.

  • You want to record or audit activity at the user or session level.

  • You want to enforce session activity or expiry limits.

  • You want to program conditional one-way redirection logic before Oracle Application Express page processing.

  • You want to integrate your application with non-Oracle Application Express applications using a common session management framework.

  • Your application consists of multiple applications that operate seamlessly (for example, more than one application ID).

Tip:

If you are planning on using the same authentication scheme for multiple applications, consider writing a custom authentication plug-in. See "Implementing Plug-ins."

20.4.3.2.2 Setting Up Custom Authentication

To create a custom authentication scheme:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

    The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select Custom.
  8. Fill in the appropriate fields.

    To learn more about a specific field, see field-level Help.

  9. Click Create Authentication Scheme.

See Also:

"Viewing Help"
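The following is an added example, not code from the Oracle documentation or from Oracle Application Express itself, of what the wizard's fields point at: an Authentication Function that checks the login page's credentials against an application-owned user table, and a Post-Authentication Procedure that records the login and applies the session limits mentioned in the list above. The table names, column names, lockout threshold and timeouts are assumptions; the password hash is a salted SHA-256 via DBMS_CRYPTO for brevity, and a deliberately slow password hash (PBKDF2, bcrypt or similar) is preferable in a real deployment.

```plsql
-- Constructed user store for the example; the application's own table is an assumption.
create table app_users (
  username      varchar2(100) primary key,
  pw_salt       raw(16)       not null,
  pw_hash       raw(32)       not null,   -- SHA-256 of salt || password
  is_locked     varchar2(1)   default 'N' not null,
  failed_logins number        default 0   not null
);

create table app_login_audit (
  logged_at   timestamp     default systimestamp not null,
  username    varchar2(100),
  session_id  number,
  remote_addr varchar2(64)
);

-- Enter this name in the scheme's "Authentication Function Name" attribute.
-- APEX calls it with the user name and password from the login page and
-- expects TRUE for success and FALSE for failure.
create or replace function app_authenticate (
  p_username in varchar2,
  p_password in varchar2 )
  return boolean
is
  l_rec  app_users%rowtype;
  l_hash raw(32);
begin
  select * into l_rec
    from app_users
   where username = upper(p_username);

  if l_rec.is_locked = 'Y' then
    -- result codes as documented for APEX_UTIL.SET_AUTHENTICATION_RESULT
    -- (2 = account locked); they are written to the login access log
    apex_util.set_authentication_result(p_code => 2);
    return false;
  end if;

  l_hash := dbms_crypto.hash(
              src => utl_raw.concat(l_rec.pw_salt, utl_raw.cast_to_raw(p_password)),
              typ => dbms_crypto.hash_sh256);

  if utl_raw.compare(l_hash, l_rec.pw_hash) = 0 then
    update app_users set failed_logins = 0 where username = l_rec.username;
    return true;
  end if;

  -- wrong password: count the failure and lock after the (assumed) fifth attempt
  update app_users
     set failed_logins = failed_logins + 1,
         is_locked     = case when failed_logins + 1 >= 5 then 'Y' else is_locked end
   where username = l_rec.username;
  apex_util.set_authentication_result(p_code => 4);   -- 4 = incorrect password
  return false;
exception
  when no_data_found then
    -- unknown user: same outcome for the caller as a wrong password, so the
    -- login page does not reveal which user names exist
    apex_util.set_authentication_result(p_code => 1); -- 1 = unknown user name
    return false;
end;
/

-- Enter this name in the scheme's "Post-Authentication Procedure Name" attribute.
-- It runs once per successful login, after the session is established.
create or replace procedure app_post_auth
is
begin
  -- audit at the user/session level
  insert into app_login_audit (username, session_id, remote_addr)
  values (apex_application.g_user,
          apex_application.g_instance,
          owa_util.get_cgi_env('REMOTE_ADDR'));

  -- session expiry and activity limits (values are assumptions)
  apex_util.set_session_lifetime_seconds(p_seconds => 8 * 3600);
  apex_util.set_session_max_idle_seconds(p_seconds => 30 * 60);
end;
/
```

Because the authentication function returns only TRUE or FALSE, the reason for a failure is conveyed through APEX_UTIL.SET_AUTHENTICATION_RESULT and ends up in the login access log rather than on the login page, which keeps the error message the end user sees identical for unknown users and wrong passwords.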

20.4.3.2.3 About Session Management Security

When running custom authentication, Oracle Application Express attempts to prevent two improper situations:

  • Intentional attempts by a user to access session state belonging to someone else. However, users can still type in an arbitrary application session ID into the URL.

  • Inadvertent access to a stale session state (probably belonging to the same user from an earlier time). This would commonly result from using bookmarks to application pages.

Oracle Application Express checks that the user identity token set by the custom authentication function matches the user identity recorded when the application session was first created. If the user has not yet been authenticated and the user identity is not yet known, the session state being accessed does not belong to someone else. These checks determine whether the session ID in the request can be used. If not, the Application Express engine redirects back to the same page using an appropriate session ID.

20.4.3.3 Database Accounts

Database Account Credentials authentication utilizes database schema accounts to authenticate users.

20.4.3.3.1 About Database Account Credentials

Database Account Credentials requires that a database user (schema) exist in the local database. This authentication method uses the database account user name and password to authenticate the user. Choose Database Account Credentials if having one database account for each named user of your application is feasible and account maintenance using database tools meets your needs.

20.4.3.3.2 Setting Up Database Account Credentials

To set up Database Account Credentials:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

    The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select Database Accounts.
    3. Click Create Authentication Scheme.

20.4.3.4 HTTP Header Variable

Authenticate users externally by storing the username in an HTTP Header variable set by the web server.

Note:

To ensure the security and performance of your development environment, this functionality is not available in Application Express instances running in Oracle Cloud.

20.4.3.4.1 About HTTP Header Variable

HTTP Header Variable supports the use of header variables to identify a user and to create an Application Express user session. Use the HTTP Header Variable authentication scheme if your company employs a centralized web authentication solution like Oracle Access Manager which provides single sign-on across applications and technologies. User credential verification is performed by these systems and they pass the user's name to Oracle Application Express using an HTTP header variable such as "REMOTE_USER" (which is the default).

20.4.3.4.2 Setting Up HTTP Header Variable

To set up HTTP Header Variable:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

    The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select HTTP Header Variable.
  8. Fill in the appropriate fields.

    To learn more about a specific field, see field-level Help.

  9. Click Create Authentication Scheme.

See Also:

"Viewing Help"

20.4.3.5 LDAP Directory

Authenticate a user name and password with an authentication request to an LDAP server.

Note:

To ensure the security and performance of your development environment, this functionality is not available in Application Express instances running in Oracle Cloud.

20.4.3.5.1 About LDAP Directory Verification

You can configure any authentication scheme that uses a login page to use Lightweight Directory Access Protocol (LDAP) to verify the user name and password submitted on the login page.

App Builder includes wizards and edit pages that explain how to configure this option. These wizards assume that an LDAP directory accessible to your application for this purpose already exists and that it can respond to a SIMPLE_BIND_S call for credentials verification. When you create an LDAP Credentials authentication scheme, the wizard requests and saves the LDAP host name, LDAP port, DN string, and determines whether to use SSL, exact DN, and optionally a search filter if not using exact DN. An optional preprocessing function can be specified to adjust formatting of the user name passed to the API.

20.4.3.5.2 Setting Up LDAP Directory Verification

To set up LDAP Directory:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

    The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select LDAP Directory.
  8. Under Settings:
    1. Host - Enter the hostname of your LDAP directory server.
    2. Port - Enter the port number of your LDAP directory host. The default is 389.
    3. Use SSL - Choose whether to use SSL to bind to the LDAP directory. If SSL with Authentication is chosen, a wallet must be configured for the Application Express instance.
    4. Distinguished Name (DN) String - Enter the pattern used to construct the fully qualified distinguished name (DN) string passed to DBMS_LDAP.SIMPLE_BIND_S if using exact DN, or the search base if using non-exact DN. Use %LDAP_USER% as a placeholder for the username. For example:

      Exact DN:

      cn=%LDAP_USER%,l=amer,dc=yourdomain,dc=com

      Non-Exact DN (Search Base):

    5. Use Distinguished Name (DN) - Choose whether the LDAP Distinguished Name (DN) String is exact or non-exact. If non-exact, LDAP Distinguished Name (DN) is the search base and you must supply a Search Filter.
    6. LDAP Username Edit Function - You can provide additional code that transforms the user name into the format expected by the LDAP directory entry or LDAP user name. The bind variable :USERNAME contains the name the end user specified. For example, the following code calls a function which replaces all periods (.) with underscores (_) in the DN string:
      return apex_custom_auth.ldap_dnprep(p_username => :USERNAME);
      
    7. Username Escaping - Choose how Oracle Application Express escapes special characters in %LDAP_USER%. The correct value for this attribute depends on the LDAP server used and whether an LDAP Username Edit Function already escapes special characters.

    To learn more about a specific field, see field-level Help.

  9. Click Create Authentication Scheme.

    Note:

    If you choose SSL with Authentication as the SSL mode, a wallet must be set up using the Oracle Application Express instance settings. Additionally, the root certification of the LDAP server must be imported into that wallet as a trusted certificate.
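As an added example (not code from the Oracle documentation, and not a replacement for apex_custom_auth.ldap_dnprep), the following hypothetical function shows what an LDAP Username Edit Function can do beyond reformatting: it normalizes the name and escapes the characters that would otherwise change the meaning of the DN String once %LDAP_USER% is substituted. With exact DN, the value lands inside an RFC 4514 distinguished name; with non-exact DN, it lands inside an RFC 4515 search filter, and the two have different escaping rules. The function name, the parameter p_exact_dn and the lower-casing are assumptions; in the scheme the LDAP Username Edit Function body would be `return ldap_user_edit(p_username => :USERNAME, p_exact_dn => false);`, and Username Escaping must then be set so that Oracle Application Express does not escape the value a second time (see field-level Help).

```plsql
-- Hypothetical LDAP Username Edit Function helper (added example).
create or replace function ldap_user_edit (
  p_username in varchar2,
  p_exact_dn in boolean )
  return varchar2
is
  l_user varchar2(255) := lower(trim(p_username));
begin
  if p_exact_dn then
    -- %LDAP_USER% becomes part of a DN such as cn=%LDAP_USER%,l=amer,dc=yourdomain,dc=com.
    -- Escape the RFC 4514 special characters so a comma, plus sign or equals sign in the
    -- supplied name cannot change the structure of the DN. Backslash goes first so the
    -- escapes added afterwards are not escaped again.
    l_user := replace(l_user, '\', '\\');
    l_user := replace(l_user, ',', '\,');
    l_user := replace(l_user, '+', '\+');
    l_user := replace(l_user, '"', '\"');
    l_user := replace(l_user, '<', '\<');
    l_user := replace(l_user, '>', '\>');
    l_user := replace(l_user, ';', '\;');
    l_user := replace(l_user, '=', '\=');
    -- a leading '#' would otherwise introduce a hex-encoded value
    if substr(l_user, 1, 1) = '#' then
      l_user := '\' || l_user;
    end if;
  else
    -- %LDAP_USER% becomes part of a search filter such as (uid=%LDAP_USER%).
    -- RFC 4515 escapes filter metacharacters as \xx hex pairs so a wildcard or
    -- parenthesis in the supplied name cannot widen or restructure the search.
    l_user := replace(l_user, '\',    '\5c');
    l_user := replace(l_user, '*',    '\2a');
    l_user := replace(l_user, '(',    '\28');
    l_user := replace(l_user, ')',    '\29');
    l_user := replace(l_user, chr(0), '\00');
  end if;
  return l_user;
end;
/
```

PL/SQL string literals have no escape sequences, so '\\' is literally two backslashes and '\5c' is literally a backslash followed by 5c, which is what the directory expects to receive.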

20.4.3.6 No Authentication (using DAD)

Adopts the current database user. This approach can be used in combination with a mod_plsql Database Access Descriptor (DAD) configuration that uses basic authentication to set the database session user.

20.4.3.6.1 About DAD Credentials Verification

DAD credentials verification uses the Oracle database native authentication and user mechanisms to authenticate users using a basic authentication scheme. This authentication scheme gets the user name from the DAD either as the value stored in the DAD configuration or, if the account information is not stored in the DAD configuration, as the user name captured using the basic authentication challenge.

To use DAD credentials verification:

  • Each application user must have a user account in the Oracle database.

  • You must configure a PL/SQL DAD for basic authentication (without account information).

    This results in one user name/password challenge per browser session for your application users. The user identity token is then made available in the APP_USER item.

DAD database authentication is useful when you must implement an authentication method that requires minimal setup for a manageable number of users. Ideally these users would have self-managed accounts in the database and your use of this authentication method would be short lived (for example, during the demonstration or prototyping stages of development).

The main drawback of this approach is burdensome account maintenance, especially if users do not administer their own passwords, or if their database accounts exist only to facilitate authentication to your application.

20.4.3.6.2 Setting Up DAD Credentials Verification

To set up DAD Credentials Verification:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

    The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select No Authentication.
  8. Click Create Authentication Scheme.

20.4.3.7 Open Door Credentials

Enable anyone to access your application using a built-in login page that captures a user name.

Open Door Credentials enables anyone to access your application using a login page that captures a user name. This authentication scheme is useful during application development.

20.4.3.7.1 Setting Up Open Door Credentials

To set up Open Door Credentials:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

    The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select Open Door Credentials.
  8. Click Create Authentication Scheme.

20.4.3.8 Oracle Application Server Single Sign-On Server

Delegates authentication to the Oracle AS Single Sign-On (SSO) Server. To use this authentication scheme, your site must have been registered as a partner application with the SSO server.

Note:

To ensure the security and performance of your development environment, this functionality is not available in Application Express instances running in Oracle Cloud.

20.4.3.8.1 About Application Server Single Sign-On Server

Oracle Application Express applications can operate as partner applications with Oracle Application Server's Single Sign-On (SSO) infrastructure. You must register your application (or register the Application Express engine) as the partner application by following the Oracle Application Server instructions for registering partner applications and install the Oracle 9iAS SSO Software Developer Kit (SDK).

If you choose this approach, your application will not use an integrated login page. Instead, when a user accesses your application in a new browser session, the Application Express engine redirects to the Single Sign-On login page. After the user is authenticated by SSO, the SSO components redirect back to your application, passing the user identity and other information to the Application Express engine. The user can then continue to use the application until they log off, terminate their browser session, or until some other session-terminating event occurs.

20.4.3.8.2 Setting Up Oracle Application Server Single Sign-On

To set up Oracle Application Server Single Sign-On:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

    The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select Oracle Application Server Single Sign-On.
  8. Fill in the appropriate fields.

    To learn more about a specific field, see field-level Help.

  9. Click Create Authentication Scheme.

See Also:

"Viewing Help"

20.4.3.9 Social Sign-In

Social Sign-In supports authentication with Google, Facebook, and other social networks that support the OpenID Connect or OAuth2 standards.

20.4.3.9.1 About Social Sign-In

Social Sign-In authentication is primarily useful for the following use cases:

  • Your application is internet facing and you expect an unknown number of users from social networks to use your application.

  • Your company has standardized on one of these identity providers for authentication: Oracle Identity Cloud Service, or an internal OpenID Connect or OAuth2 provider.

    Since these identity providers perform user credential verification, be aware that anyone who registers with the provider can use your application, unless you use authorization schemes for protection.

When registering your application with the identity provider, you need to use the full URI for one of the predefined Oracle Application Express callback URLs. For example, suppose your application URI is:

https://www.example.com/apex/f?p=100

Then, you can register one of the following:

https://www.example.com/apex/apex_authentication.callback

or

https://www.example.com/apex/apex_authentication.callback2

Social network authentication providers store a multitude of information about users. You can configure the Social Login authentication scheme to request this information, using the Scope attribute (see Item Help). In the authentication scheme's Post-Authentication procedure, you can access this information using APEX_JSON.GET_% function calls.

You can use multiple authentication schemes in your application, to support more than one Social Login provider and other schemes.

See Also:

"Authorization" for the authentication scheme attribute Switch in Session for details.
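The following added example (not from the Oracle documentation) shows the two pieces the paragraphs above refer to: a Post-Authentication procedure that reads a claim from the provider's user information with APEX_JSON.GET_% calls, and an authorization scheme that limits the application to a local allow-list, since otherwise anyone who can register with the provider can sign in. It assumes the Scope attribute requests the email claim, an application item named EMAIL, and a constructed table allowed_social_users; the procedure and function names are assumptions too.

```plsql
-- Constructed allow-list; maintained by the application owner, not by the provider.
create table allowed_social_users (
  email varchar2(255) primary key
);

-- Enter this name in the scheme's "Post-Authentication Procedure Name" attribute.
-- At this point APEX has parsed the provider's user information into APEX_JSON's
-- default document, so the GET_% functions can read individual claims by path.
create or replace procedure social_post_auth
is
  l_email varchar2(255);
begin
  if apex_json.does_exist(p_path => 'email') then
    l_email := lower(apex_json.get_varchar2(p_path => 'email'));
  end if;
  -- keep the claim in session state for use by pages and authorization schemes
  apex_util.set_session_state(p_name => 'EMAIL', p_value => l_email);
end;
/

-- Body of an authorization scheme of type "PL/SQL Function Returning Boolean",
-- applied to the application so that signing in with the provider alone is not
-- enough: the signed-in user's email must also be on the local allow-list.
create or replace function is_allowed_social_user
  return boolean
is
  l_count pls_integer;
begin
  if v('EMAIL') is null then
    return false;   -- provider did not return the claim (scope too narrow?)
  end if;
  select count(*)
    into l_count
    from allowed_social_users
   where email = lower(v('EMAIL'));
  return l_count = 1;
end;
/
```

Keeping the allow-list check in an authorization scheme rather than in the post-authentication procedure means a user who is not on the list still gets a valid session but is denied the application's pages, which is the separation between authentication and authorization the text describes.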

20.4.3.9.2 Setting Up Social Sign-In Authentication

Note:

As a prerequisite for creating Social Sign-In Authentication, you must request OAuth2 credentials from the authentication provider and configure your account to support redirects to your application. Check your authentication provider's documentation for the details. The steps below assume that this has been done and that you saved the OAuth2 credentials in the application's shared components.

To set up Social Sign-In Authentication:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

    The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select Social Sign-In.
  8. Fill in the appropriate fields.

    To learn more about a specific field, see field-level Help.

  9. Click Create Authentication Scheme.