Authentication in Oracle APEX is the security mechanism that ensures only authorized users can access your application. It verifies user identity before granting access to pages, components, or functions. APEX supports several authentication schemes out of the box—such as Application Express Accounts, LDAP, Social Sign-In (OAuth2), Custom PL/SQL, and Single Sign-On (SSO). Choosing the right authentication method helps you control access, enforce user policies, and integrate with enterprise security systems. In this blog, we'll explore how to configure and apply authentication in an Oracle APEX app.
How to Set Up Authentication in Oracle APEX
- Navigate to Authentication Settings
  - From the APEX App Builder, go to your application
  - Click Shared Components → Authentication Schemes
- Select or Create an Authentication Scheme
  You’ll see predefined schemes like:
  - Application Express (default, uses APEX-managed user accounts)
  - Database Account
  - Social Sign-In (OAuth2) for Google, Microsoft, etc.
  - LDAP Directory
  - Oracle Single Sign-On
  - Custom (using PL/SQL logic)
  To create a new scheme:
  - Click Create
  - Choose From Scratch or Based on Existing Scheme
- Configure Scheme Settings
  For example, if using APEX accounts:
  - Name: APEX_USERS_AUTH
  - Type: Application Express
  - Authentication Function: default
  If using Social Sign-In:
  - Provide OAuth2 client credentials
  - Set token URLs and scopes based on provider documentation
- Set as Current Authentication Scheme
  - After creating, click Make Current to activate it for your application
- Test Authentication Flow
  - Run the application
  - APEX will redirect users to the login page and apply the current scheme
Authentication
You control how your application interacts with users. If all users share the same access rights, they are considered public users. However, if your application needs to track users individually, you must define an authentication method to establish each user's identity.
Authentication verifies who a user is before granting access to the application. Most authentication methods require users to provide credentials, such as a username and password. These credentials are then validated—if they are correct, the user is granted access; otherwise, access is denied.
Once authenticated, Oracle APEX keeps track of the user by assigning their identity to the built-in substitution string APP_USER. As the user navigates through the application, APEX dynamically updates APP_USER, allowing it to serve as a unique identifier for tracking session activity. The APP_USER value is essential for enforcing security and user-specific functionality.
Accessing APP_USER in APEX
You can reference APP_USER in different ways, depending on where you use it:
- As a bind variable in SQL or PL/SQL:
    :APP_USER
- From PL/SQL packages or triggers:
    V('APP_USER')
- Using the session context in SQL:
    sys_context('APEX$SESSION', 'APP_USER')
Using APP_USER for Security Checks
The APP_USER value can be used to enforce security rules, control application behavior, and restrict access to specific users. One way to do this is by storing user privileges in a table and checking permissions dynamically.
Example: Creating a Security Table
To manage user privileges, you can create a table like this:
    CREATE TABLE my_security_table (
        user_id   VARCHAR2(30),
        privilege VARCHAR2(30)
    );
After inserting privilege data for each user, you can reference this table to control access to pages, navigation items, buttons, and other UI components.
For example, to conditionally display a button only for users with a specific privilege, you can use this SQL condition:
    EXISTS (
        SELECT 1
          FROM my_security_table
         WHERE user_id = :APP_USER
           AND privilege = 'ADMIN'
    )
Applying User-Based Security in APEX
You can use APP_USER to:
- Restrict page access based on user roles.
- Show or hide UI components dynamically.
- Log user activity for auditing purposes.
- Implement custom authentication and authorization logic.
By leveraging APP_USER, Oracle APEX ensures secure, personalized, and role-based access control, allowing applications to deliver a tailored user experience while maintaining strong security measures.
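The privilege lookup above can be moved into one function and used as an Authorization Scheme, so the same check guards the page and the process behind a button and not only the button's visibility. This is an added example, not code from the original post: my_security_table is the page's table, while has_privilege and the scheme name "Is Admin" are hypothetical, and the ALTER TABLE assumes the existing rows contain no NULLs or duplicates.

```sql
-- Added example. my_security_table is the page's table; has_privilege and
-- the scheme name "Is Admin" are hypothetical names chosen for illustration.

-- One row per (user, privilege). Assumes existing rows have no NULLs or duplicates.
ALTER TABLE my_security_table
  ADD CONSTRAINT my_security_table_pk PRIMARY KEY (user_id, privilege);

CREATE OR REPLACE FUNCTION has_privilege (
    p_privilege IN VARCHAR2
) RETURN BOOLEAN
IS
    -- Read the user from the APEX session context, not from a caller-supplied
    -- value, so the check always concerns the authenticated session user.
    l_user  VARCHAR2(255) := SYS_CONTEXT('APEX$SESSION', 'APP_USER');
    l_count PLS_INTEGER;
BEGIN
    -- Outside an APEX session APP_USER is NULL: deny rather than guess.
    IF l_user IS NULL OR p_privilege IS NULL THEN
        RETURN FALSE;
    END IF;

    -- Exact match, as in the page's condition: store user_id in the same
    -- case that the authentication scheme reports in APP_USER.
    SELECT COUNT(*)
      INTO l_count
      FROM my_security_table
     WHERE user_id   = l_user
       AND privilege = p_privilege;

    RETURN l_count > 0;
END has_privilege;
/

-- Shared Components > Authorization Schemes > Create
--   Name:        Is Admin
--   Scheme Type: PL/SQL Function Returning Boolean
--   PL/SQL Function Body:
--       RETURN has_privilege('ADMIN');
-- Assign "Is Admin" to the page, the button AND the process behind it.

-- Second check inside a privileged page process:
BEGIN
    IF NOT has_privilege('ADMIN') THEN
        RAISE_APPLICATION_ERROR(-20001, 'Not authorized.');
    END IF;
    -- privileged statements follow the check
END;
/
```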
Best Practices for Authentication in APEX
- Use APEX Accounts only for development or internal testing
- For enterprise apps, prefer SSO, OAuth2, or LDAP for centralized identity management
- Secure authentication pages with HTTPS
- Always review Authorization Schemes to restrict access after login
- Use Session Timeout settings for better security control
- Log and monitor authentication attempts when using custom schemes
- Avoid storing passwords manually; use providers with token-based authentication
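One way to log authentication attempts in a Custom scheme, shown as an added example that is not part of the original post. The names auth_attempt_log, log_auth_attempt and logged_auth are hypothetical, and the credential check delegates to APEX workspace accounts only as a stand-in for your own identity store.

```sql
-- Added example: every object name here is hypothetical.
CREATE TABLE auth_attempt_log (
    attempted_at TIMESTAMP WITH TIME ZONE DEFAULT SYSTIMESTAMP NOT NULL,
    username     VARCHAR2(255),
    success      VARCHAR2(1) NOT NULL CHECK (success IN ('Y', 'N')),
    remote_addr  VARCHAR2(64)
);

CREATE OR REPLACE PROCEDURE log_auth_attempt (
    p_username IN VARCHAR2,
    p_success  IN BOOLEAN
) IS
    PRAGMA AUTONOMOUS_TRANSACTION;  -- the row survives a rollback in the caller
    l_flag VARCHAR2(1) := CASE WHEN p_success THEN 'Y' ELSE 'N' END;
    l_addr VARCHAR2(64);
BEGIN
    -- Assumes a web request context (true during an APEX login).
    l_addr := SUBSTR(OWA_UTIL.GET_CGI_ENV('REMOTE_ADDR'), 1, 64);
    -- The password is never written to the log.
    INSERT INTO auth_attempt_log (username, success, remote_addr)
    VALUES (SUBSTR(p_username, 1, 255), l_flag, l_addr);
    COMMIT;
END log_auth_attempt;
/

-- Enter logged_auth as the scheme's Authentication Function Name.
CREATE OR REPLACE FUNCTION logged_auth (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
) RETURN BOOLEAN
IS
    l_ok BOOLEAN;
BEGIN
    -- Stand-in credential check against APEX workspace accounts; swap in
    -- the call to your own identity store here.
    l_ok := APEX_UTIL.IS_LOGIN_PASSWORD_VALID(
                p_username => p_username,
                p_password => p_password);
    l_ok := (l_ok IS NOT NULL AND l_ok);  -- treat NULL as failure
    log_auth_attempt(p_username, l_ok);
    RETURN l_ok;
EXCEPTION
    WHEN OTHERS THEN
        log_auth_attempt(p_username, FALSE);
        RETURN FALSE;  -- fail closed on any error
END logged_auth;
/
```

Counting rows with success = 'N' per username or remote_addr over a short window gives a basic signal for repeated failed logins.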
Conclusion
Authentication in Oracle APEX is more than just login—it’s your first line of defense. Whether you're using built-in APEX accounts for prototypes or integrating with enterprise identity systems, configuring authentication properly ensures secure access and a better user experience. With APEX's flexible authentication schemes and declarative tools, you can implement secure login strategies that fit the needs of your application without writing complex code.