
Sunday, July 13, 2025

HOW DO I BEST Understand Authentication Schemes in Oracle APEX

Introduction

Authentication schemes in Oracle APEX are the cornerstone of securing your application, ensuring that only verified users can access it. These schemes define how users are identified and validated before gaining access to your application’s pages and features. Oracle APEX offers a variety of built-in authentication options, as well as the flexibility to create custom schemes tailored to your needs. This blog post will guide you through understanding and implementing authentication schemes in Oracle APEX, provide best practices for effective setup, and link to the official Oracle APEX documentation for deeper exploration.

Understanding and Implementing Authentication Schemes in Oracle APEX

  1. Overview of Authentication Schemes
    Authentication schemes in Oracle APEX determine how users are verified when they attempt to log in. They are configured in the Shared Components section of your application and support multiple methods, including Oracle APEX Accounts, LDAP, Single Sign-On (SSO), Open Door (for testing), and Custom Authentication. Each scheme serves specific use cases, such as local user management or integration with enterprise systems.

  2. Accessing Authentication Schemes
    To manage authentication schemes:

    • Navigate to Shared Components > Authentication Schemes in your Oracle APEX application.
    • View the list of available schemes or create a new one by selecting “Create Authentication Scheme.”
    • Only one authentication scheme can be active (marked as “Current”) for the application at any time.
  3. Types of Authentication Schemes
    Oracle APEX provides several pre-built authentication schemes, each with unique characteristics:

    • Oracle APEX Accounts: Users are managed within the APEX workspace. Ideal for small applications or development environments. Users log in with credentials stored in the APEX user repository.
    • LDAP Directory: Integrates with an LDAP server (e.g., Microsoft Active Directory) for enterprise-grade authentication. Requires configuration of LDAP server details, such as host, port, and credentials.
    • Single Sign-On (SSO): Leverages an external SSO provider (e.g., Oracle Identity Governance) for centralized authentication across multiple applications.
    • Custom Authentication: Allows developers to define a PL/SQL function to validate credentials against a custom database table or external system. For example:
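      FUNCTION custom_auth (p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
        l_hash  VARCHAR2(4000);
        l_count NUMBER;
      BEGIN
        -- GET_HASH expects an APEX_T_VARCHAR2 collection. p_salted => FALSE is needed
        -- because the default salts with session information, so a stored hash
        -- would not match in a later session.
        l_hash := APEX_UTIL.GET_HASH(APEX_T_VARCHAR2(p_password), p_salted => FALSE);
        -- Count the rows whose stored hash matches; values are passed as binds.
        SELECT COUNT(*) INTO l_count
        FROM app_users
        WHERE username = p_username
        AND password = l_hash;
        RETURN l_count = 1;
      END;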
      
    • Open Door: Bypasses authentication for testing purposes. Not suitable for production environments.
  4. Configuring an Authentication Scheme
    To set up an authentication scheme:

    • In Shared Components > Authentication Schemes, select or create a scheme.
    • For Oracle APEX Accounts, ensure users are added to the workspace via Workspace Administration > Manage Users and Groups.
    • For LDAP, provide the LDAP server details, such as hostname, port, and distinguished name (DN) string. Test the connection to verify configuration.
    • For custom authentication, write a PL/SQL function that returns a BOOLEAN value (TRUE for successful login, FALSE otherwise). Specify this function in the scheme’s “Authentication Function” field.
    • Configure additional settings, such as session duration or post-authentication procedures, to customize user experience.
  5. Testing and Validating the Scheme

    • After setting up the scheme, test it by logging in with valid and invalid credentials to ensure correct behavior.
    • Use the APEX debug mode or application logs to troubleshoot issues with authentication failures.
    • Verify that the scheme integrates correctly with your application’s login page.
  6. Managing Session and Post-Authentication
    Authentication schemes are tied to session management. After successful authentication:

    • Use the Post-Authentication Procedure to initialize user-specific settings, such as setting application items (e.g., :APP_USER) or redirecting to a specific page.
    • Configure Session Timeout in Shared Components > Security Attributes to log out inactive users after a set period.
    • Enable Secure Cookies to ensure session cookies are transmitted only over HTTPS.

An Authentication Scheme is a saved configuration that determines how users log into an APEX application. It defines how user credentials are validated and how session management is handled. Authentication is essential for applications that require user identification and access control.

If authentication is not required, an application can be configured with a No Authentication scheme. This ensures that users can access the application without logging in. To disable authentication, create a No Authentication scheme and set it as the current scheme.

When creating an authentication scheme in APEX, developers can choose from a list of preconfigured authentication schemes that follow standard authentication and session management behaviors. Once a new authentication scheme is created, it must be explicitly enabled by setting it as the current scheme in the application's authentication settings.

Types of Authentication Schemes in Oracle APEX

Oracle APEX provides several preconfigured authentication schemes. Each scheme is designed for different use cases, ranging from simple user logins to enterprise-level authentication methods.

Builder Extension Sign-In

The Builder Extension Sign-In authentication scheme allows users to access an Extension App without requiring a separate login if they are already authenticated in an active APEX session. This method leverages existing APEX authentication to streamline access to related applications.

Custom Authentication

A Custom Authentication scheme gives developers full control over the authentication process. This approach requires implementing custom PL/SQL code to validate user credentials and manage authentication logic. It is useful when integrating with proprietary authentication mechanisms or when additional validation steps are required.
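A salted, iterated variant of a custom authentication function, added here as an example and not code from the original post or from Oracle: it derives the stored value with PBKDF2-HMAC-SHA256 built on DBMS_CRYPTO, since APEX_UTIL.GET_HASH is documented for lost-update detection and, by default, salts with session information. The app_users columns salt, iterations and pwd_hash, both function names and the 100000 iteration count are assumptions, and the owning schema needs EXECUTE on DBMS_CRYPTO.

```plsql
-- Added example. Hypothetical table (constructed, not from the post):
--   app_users(username VARCHAR2(255) PRIMARY KEY, salt RAW(16),
--             iterations NUMBER, pwd_hash RAW(32))
-- salt comes from DBMS_CRYPTO.RANDOMBYTES(16) when the password is set.
CREATE OR REPLACE FUNCTION pbkdf2_sha256 (
  p_password   IN VARCHAR2,
  p_salt       IN RAW,
  p_iterations IN PLS_INTEGER
) RETURN RAW IS
  l_key RAW(32767) := UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8');
  l_u   RAW(32);
  l_t   RAW(32);
BEGIN
  -- PBKDF2 (RFC 8018), first block only since dkLen = hLen = 32 bytes:
  -- U1 = HMAC(P, S || INT32_BE(1)), Ui = HMAC(P, U(i-1)), T = U1 xor ... xor Uc
  l_u := DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(p_salt, HEXTORAW('00000001')),
                         DBMS_CRYPTO.HMAC_SH256, l_key);
  l_t := l_u;
  FOR i IN 2 .. p_iterations LOOP
    l_u := DBMS_CRYPTO.MAC(l_u, DBMS_CRYPTO.HMAC_SH256, l_key);
    l_t := UTL_RAW.BIT_XOR(l_t, l_u);
  END LOOP;
  RETURN l_t;
END pbkdf2_sha256;
/
CREATE OR REPLACE FUNCTION custom_auth_kdf (
  p_username IN VARCHAR2,
  p_password IN VARCHAR2
) RETURN BOOLEAN IS
  l_salt RAW(16);
  l_iter NUMBER;
  l_hash RAW(32);
  l_calc RAW(32);
BEGIN
  IF p_password IS NULL THEN
    RETURN FALSE;  -- an empty password would give HMAC a NULL key
  END IF;
  BEGIN
    SELECT salt, iterations, pwd_hash INTO l_salt, l_iter, l_hash
    FROM app_users WHERE username = p_username;
  EXCEPTION WHEN NO_DATA_FOUND THEN
    -- Unknown user: derive anyway so timing does not reveal which names exist.
    l_salt := HEXTORAW('00000000000000000000000000000000');
    l_iter := 100000;  -- assumed default work factor
  END;
  l_calc := pbkdf2_sha256(p_password, l_salt, l_iter);
  RETURN l_hash IS NOT NULL AND l_calc = l_hash;
END custom_auth_kdf;
/
```

When a password is set or changed, store a fresh salt, the iteration count and pbkdf2_sha256(password, salt, iterations) in the same row; the function name then goes into the scheme's “Authentication Function” field.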

Database Accounts

The Database Accounts authentication scheme validates users against Oracle database schema accounts. Users must provide database credentials to log in, making this method suitable for internal applications where database-level security is required.

HTTP Header Variable Authentication

This authentication scheme relies on an HTTP Header variable to authenticate users. The web server is responsible for setting the HTTP Header with the username, and APEX retrieves this value to establish the session. This approach is commonly used in environments where authentication is handled externally by a reverse proxy or single sign-on system.

LDAP Directory Authentication

With LDAP Directory Authentication, user credentials are validated against an external LDAP server. This scheme is widely used in enterprise environments where authentication is centralized in a directory service, such as Microsoft Active Directory or Oracle Internet Directory.

No Authentication (Using DAD)

The No Authentication (Using DAD) method assigns the current database user as the application user. This scheme is often used in combination with mod_plsql Database Access Descriptor (DAD) configurations that use basic authentication to establish a session. It allows applications to inherit authentication from the database session.

Open Door Credentials

The Open Door Credentials scheme provides an application login page that allows users to enter a username, but it does not enforce password authentication. This approach is useful for applications that do not require strict user identity verification.

Oracle APEX Accounts

The Oracle APEX Accounts authentication scheme relies on APEX's built-in user repository. User accounts are created and managed within APEX, and authentication is performed against these stored accounts. This method is commonly used in APEX applications where authentication needs to be handled internally.

Oracle Application Server Single Sign-On (SSO)

This authentication scheme delegates authentication to the Oracle Application Server Single Sign-On (SSO) service. To use this scheme, the application must be registered as a partner application with the Oracle SSO server. This approach enables seamless authentication for users who are already logged into the enterprise's SSO environment.

SAML Sign-In Authentication

With SAML Sign-In, authentication is handled through Security Assertion Markup Language (SAML), a widely used protocol for single sign-on (SSO) in enterprise applications. This scheme is useful for integrating APEX applications with identity providers that support SAML-based authentication, such as Okta, Microsoft Entra ID (Azure AD), and other SAML 2.0-compliant providers.

Social Sign-In Authentication

The Social Sign-In authentication scheme enables users to log in using social network credentials or enterprise identity providers that support OpenID Connect or OAuth2 standards. This includes authentication through Google, Facebook, Microsoft, and other OAuth2-compliant services.

Configuring an Authentication Scheme in Oracle APEX

To set up authentication for an application:

  1. Open Oracle APEX and navigate to the Application Builder.

  2. Select the application where authentication needs to be configured.

  3. Go to Shared Components and select Authentication Schemes under the Security section.

  4. Click Create and choose one of the preconfigured authentication schemes.

  5. Configure the required settings based on the selected authentication method.

  6. Save the configuration and click Make Current Scheme to activate it.

By setting up an authentication scheme, developers can control how users log into their applications and enforce security policies appropriate for their organization's requirements.

Step 1 – Navigate to Application > Shared Components > Authentication Schemes and press “Create”

Step 2 – Follow the wizard

Step 3 – Name the scheme, select the type, and complete the wizard


Best Practices for Authentication Schemes in Oracle APEX

  • Choose the Right Scheme: Select an authentication scheme that aligns with your application’s requirements. Use Oracle APEX Accounts for simplicity, LDAP or SSO for enterprise environments, and custom authentication for unique needs.
  • Secure Password Storage: For custom authentication, store passwords securely using hashing functions like APEX_UTIL.GET_HASH instead of plain text.
  • Implement Strong Password Policies: Enforce complex passwords and periodic changes for Oracle APEX Accounts or custom schemes.
  • Use HTTPS: Ensure your application runs over HTTPS to protect credentials during transmission. Enable the Require HTTPS option in Security Attributes.
  • Limit Open Door Usage: Avoid using the Open Door scheme in production, as it bypasses authentication entirely.
  • Regularly Test Configurations: Test authentication schemes in a development environment before deploying to production to catch configuration errors.
  • Monitor and Log Activity: Enable Application Activity Logging in Shared Components > Security Attributes and review the APEX_ACTIVITY_LOG view to track login attempts and detect suspicious activity.
  • Keep Documentation Updated: Document your authentication scheme setup, including custom PL/SQL logic, for easier maintenance and troubleshooting.

Oracle APEX Documentation
For detailed information on configuring and managing authentication schemes in Oracle APEX, refer to the official documentation:
Oracle APEX Authentication Schemes Documentation

Conclusion
Understanding and implementing authentication schemes in Oracle APEX is critical for building secure applications that protect user access and data. By leveraging the flexible options provided in Shared Components, such as Oracle APEX Accounts, LDAP, SSO, or custom authentication, you can tailor authentication to your application’s needs. Following best practices, such as securing passwords, using HTTPS, and regularly testing configurations, ensures a robust security foundation. Consult the Oracle APEX documentation for additional guidance and keep your authentication schemes updated to address evolving security requirements.
