Sunday, July 6, 2025

Oracle APEX Expert: Custom Authentication

 

Introduction
Custom authentication in Oracle APEX gives developers full control over how users are validated before accessing an application. Unlike preconfigured schemes, a custom authentication approach allows integration with proprietary databases, external identity providers, API-based services, or unique login logic tailored to business rules. This level of flexibility is essential for applications that require more than just standard username and password validation or need to comply with specialized security protocols.

Custom authentication in Oracle APEX allows developers to define exactly how user credentials are verified when someone tries to access an application. This is essential when default methods such as APEX accounts, LDAP, or social sign-in do not meet specific business or security requirements. Implementing custom authentication involves writing your own logic, usually in PL/SQL, and configuring APEX to use this logic instead of the default mechanisms.

To start, go to Shared Components > Authentication Schemes, then click Create and choose From Scratch. Select Custom as the scheme type. Give the scheme a clear name, such as “Custom Auth Logic,” and set it as the current scheme. This tells APEX to use your logic during login.

Within the custom authentication scheme, you'll need to provide a PL/SQL function that returns a Boolean value. This function is where you define how the user is authenticated. A simple example might look like this:

RETURN my_auth_pkg.verify_credentials(:USERNAME, :PASSWORD);

In the database, create a package called my_auth_pkg with the verify_credentials function:

CREATE OR REPLACE PACKAGE BODY my_auth_pkg AS
  FUNCTION verify_credentials(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
    v_pwd users.password%TYPE;
  BEGIN
    -- Look up the stored hash; usernames are stored in upper case.
    SELECT password INTO v_pwd
    FROM users
    WHERE username = UPPER(p_username);

    -- hash_util.hash is the application's own hashing routine (not shown here).
    IF v_pwd = hash_util.hash(p_password) THEN
      APEX_UTIL.SET_AUTHENTICATION_RESULT(0);  -- 0 = successful authentication
      RETURN TRUE;
    ELSE
      APEX_UTIL.SET_AUTHENTICATION_RESULT(1);
      RETURN FALSE;
    END IF;
  EXCEPTION
    -- Unknown username: fail the same way as a wrong password.
    WHEN NO_DATA_FOUND THEN
      APEX_UTIL.SET_AUTHENTICATION_RESULT(1);
      RETURN FALSE;
  END;
END my_auth_pkg;

You can also add features like account lockouts, audit logging, or IP filtering inside this function to meet security policies.

Next, customize the login page. Add page items for username and password. The Login button should execute a PL/SQL process that runs the custom logic and either redirects to the home page or displays an error message.

Here is a sample process:

BEGIN
  IF my_auth_pkg.verify_credentials(:P101_USERNAME, :P101_PASSWORD) THEN
    -- POST_LOGIN takes the password as well as the username.
    APEX_AUTHENTICATION.POST_LOGIN(
      p_username => :P101_USERNAME,
      p_password => :P101_PASSWORD);
  ELSE
    APEX_ERROR.ADD_ERROR(
      p_message => 'Invalid credentials',
      p_display_location => apex_error.c_inline_in_notification);
  END IF;
END;

Set this process to run before header. Also make sure that on failed login attempts, the user stays on the login page and sees a useful error message.

You can use APEX_AUTHENTICATION.POST_LOGIN to complete the login programmatically after successful verification. This procedure sets up the session and redirects the user to the appropriate start page.

For logout handling, set a logout URL in your authentication scheme that points to a custom page or logs out the session and redirects the user.

Custom authentication in Oracle APEX is powerful because it gives you total control over who is allowed in and how login is handled. It works seamlessly with APEX session management and can be enhanced to support multi-factor authentication, REST-based verification, external token checks, or any other logic needed to secure your application.

 Additional explanation

 Creating a Custom Authentication Scheme in Oracle APEX gives you complete control over the authentication process, session management, and security policies. This method is ideal when built-in authentication methods (such as database authentication or LDAP) do not meet your requirements.

By implementing custom authentication, you can: 

  • Build a custom login interface

  • Define security policies for user sessions. 

  • Audit and track user activity.

  • Integrate APEX with external applications using a common authentication mechanism.


Why Use Custom Authentication?

Custom authentication is the best choice when:

  • Built-in authentication methods (database, LDAP, SAML) are not sufficient.

  • You need a custom login form with additional validation logic.

  • Advanced security features are required (e.g., multi-factor authentication (MFA), session tracking, or login throttling).

  •  Session expiration and activity tracking need to be customized.

  •  Your application consists of multiple applications that need to share the same authentication session.

  • You need one-way redirection logic before page processing (e.g., redirecting users based on roles or login time).

  •  Your APEX application must integrate with non-APEX systems using a shared authentication framework.


How to Implement Custom Authentication in Oracle APEX

1. Create a Custom Authentication Scheme

Navigate to Authentication Schemes

  • Open App Builder > Select your application.

  • Go to Shared Components > Click Authentication Schemes.

  • Click Create.

Choose Authentication Method

  • Select "Based on a preconfigured scheme from the gallery" > Choose Custom.

Enter Authentication Function

  • Under PL/SQL Function Returning Boolean, enter a function that validates user credentials.


2. Create a Custom PL/SQL Authentication Function

In SQL Workshop, create a PL/SQL function that verifies user credentials against a custom user table.

CREATE OR REPLACE FUNCTION custom_authentication (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
) RETURN BOOLEAN IS
    v_count NUMBER;
BEGIN
    -- Count rows whose stored username and password hash match the input.
    SELECT COUNT(*)
    INTO v_count
    FROM users
    WHERE username = LOWER(p_username)
    AND password = UPPER(DBMS_OBFUSCATION_TOOLKIT.MD5(input_string => p_password)); -- Example: Hashing passwords

    RETURN v_count = 1;
EXCEPTION
    -- Any error is treated as a failed login.
    WHEN OTHERS THEN
        RETURN FALSE;
END custom_authentication;
/

This function checks if the provided username and password exist in the users table.
It uses MD5 hashing for password security (use SHA-256 or bcrypt for better security).
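
A salted, iterated alternative to the MD5 comparison above, as an added example that is not part of the original post: it swaps MD5 for PBKDF2-HMAC-SHA256 built from DBMS_CRYPTO, so each password gets its own random salt and a tunable work factor. The app_users table, the three routine names and the iteration count of 100000 are assumptions made for this example, and the owning schema needs EXECUTE on DBMS_CRYPTO.

```sql
-- Constructed table for this example (separate from the page's users table).
CREATE TABLE app_users (
    username   VARCHAR2(50) PRIMARY KEY,  -- stored in lower case
    salt       RAW(16) NOT NULL,          -- random, per user
    iterations NUMBER  NOT NULL,          -- kept per row so the cost can be raised later
    pwd_hash   RAW(32) NOT NULL
);

-- PBKDF2-HMAC-SHA256 producing one 32-byte block (derived key length = hash length).
CREATE OR REPLACE FUNCTION pbkdf2_sha256 (
    p_password   IN VARCHAR2,
    p_salt       IN RAW,
    p_iterations IN PLS_INTEGER
) RETURN RAW IS
    v_key RAW(32767);
    v_u   RAW(32);
    v_t   RAW(32);
BEGIN
    IF p_password IS NULL OR p_iterations < 1 THEN
        RAISE_APPLICATION_ERROR(-20002, 'password and iteration count are required');
    END IF;
    v_key := UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8');
    -- U1 = HMAC(password, salt || 32-bit big-endian block index 1)
    v_u := DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(p_salt, HEXTORAW('00000001')),
                           DBMS_CRYPTO.HMAC_SH256, v_key);
    v_t := v_u;
    -- Uj = HMAC(password, Uj-1); the derived key is U1 xor U2 xor ... xor Uc
    FOR i IN 2 .. p_iterations LOOP
        v_u := DBMS_CRYPTO.MAC(v_u, DBMS_CRYPTO.HMAC_SH256, v_key);
        v_t := UTL_RAW.BIT_XOR(v_t, v_u);
    END LOOP;
    RETURN v_t;
END pbkdf2_sha256;
/

-- Enrolment with a fresh random salt (assumes the username is not yet present).
CREATE OR REPLACE PROCEDURE create_app_user (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
) IS
    c_iterations CONSTANT PLS_INTEGER := 100000;  -- assumed cost; tune per server
    v_salt RAW(16) := DBMS_CRYPTO.RANDOMBYTES(16);
    v_hash RAW(32);
BEGIN
    v_hash := pbkdf2_sha256(p_password, v_salt, c_iterations);
    INSERT INTO app_users (username, salt, iterations, pwd_hash)
    VALUES (LOWER(p_username), v_salt, c_iterations, v_hash);
END create_app_user;
/

-- Same signature as the page's custom_authentication, so it can take its place.
CREATE OR REPLACE FUNCTION custom_authentication_pbkdf2 (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
) RETURN BOOLEAN IS
    v_salt app_users.salt%TYPE;
    v_iter app_users.iterations%TYPE;
    v_hash app_users.pwd_hash%TYPE;
BEGIN
    IF p_username IS NULL OR p_password IS NULL THEN RETURN FALSE; END IF;
    BEGIN
        SELECT salt, iterations, pwd_hash INTO v_salt, v_iter, v_hash
          FROM app_users WHERE username = LOWER(p_username);
    EXCEPTION
        WHEN NO_DATA_FOUND THEN
            -- Unknown user: derive a key anyway so response time does not
            -- reveal which usernames exist; the NULL hash makes the check fail.
            v_salt := HEXTORAW('00000000000000000000000000000000');
            v_iter := 100000;
            v_hash := NULL;
    END;
    RETURN pbkdf2_sha256(p_password, v_salt, v_iter) = v_hash AND v_hash IS NOT NULL;
END custom_authentication_pbkdf2;
/
```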


3. Configure Custom Authentication Scheme in APEX

  • Under PL/SQL Function Returning Boolean, enter:

return custom_authentication(:P101_USERNAME, :P101_PASSWORD);

  • Click Apply Changes to save.


4. Create a Custom Login Page

1. Create a Login Page

  • Navigate to App Builder > Click Create Page.

  • Select Login Page > Choose Blank Page.

  • Add two Text Items

    • P101_USERNAME (for username)

    • P101_PASSWORD (for password)

  • Add a Login Button and set its action to Submit Page.

2. Process Authentication on Login

  • Go to Processing > Create a new process: 

    • Name: Authenticate User

    • Type: PL/SQL Code

    • Code: 

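IF custom_authentication(:P101_USERNAME, :P101_PASSWORD) THEN
    -- APP_USER is populated by APEX once the login completes; it is not an
    -- item that SET_SESSION_STATE can assign, so it is not set manually.
    -- LOGIN requires the password as well as the username.
    APEX_AUTHENTICATION.LOGIN(
        p_username => :P101_USERNAME,
        p_password => :P101_PASSWORD);
ELSE
    -- LOGIN_FAILED must exist as an application item.
    APEX_UTIL.SET_SESSION_STATE('LOGIN_FAILED', 'Y');
    RAISE_APPLICATION_ERROR(-20001, 'Invalid Username or Password');
END IF;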

  • If authentication succeeds, the user is logged in.

  • If authentication fails, an error message is displayed.


5. Customizing Session Management & Security

Session Timeout: Set session expiration policies in Security Attributes under Shared Components.

Session Tracking: Store login activity in a custom table:

CREATE TABLE login_audit (
    log_id NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    username VARCHAR2(50),
    login_time TIMESTAMP DEFAULT SYSTIMESTAMP,
    ip_address VARCHAR2(50)
);

Log user login details:

INSERT INTO login_audit (username, ip_address)
VALUES (:APP_USER, SYS_CONTEXT('USERENV', 'IP_ADDRESS'));

COMMIT;
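
Login tracking extended to failed attempts and a lockout window, as an added example that is not part of the original post: it wraps the page's custom_authentication function and writes each attempt in an autonomous transaction, so the record is kept even when the login process raises an error and its work is rolled back. The login_attempts table, log_attempt, guarded_authentication and the thresholds (5 failures in 15 minutes) are assumptions made for this example, and the code is meant to run inside an APEX request.

```sql
-- Constructed table for this example; unlike the page's login_audit it records the outcome.
CREATE TABLE login_attempts (
    username     VARCHAR2(50),
    attempt_time TIMESTAMP DEFAULT SYSTIMESTAMP,
    ip_address   VARCHAR2(50),
    outcome      VARCHAR2(1) CHECK (outcome IN ('Y', 'N', 'L'))  -- success, failure, locked
);

CREATE OR REPLACE PROCEDURE log_attempt (
    p_username IN VARCHAR2,
    p_outcome  IN VARCHAR2
) IS
    -- Autonomous: the row is committed on its own and is not undone when
    -- the calling login process fails and rolls back.
    PRAGMA AUTONOMOUS_TRANSACTION;
    v_ip VARCHAR2(50);
BEGIN
    -- REMOTE_ADDR is the address the web listener saw (a proxy, if one is in front).
    v_ip := SUBSTR(OWA_UTIL.GET_CGI_ENV('REMOTE_ADDR'), 1, 50);
    INSERT INTO login_attempts (username, ip_address, outcome)
    VALUES (LOWER(SUBSTR(p_username, 1, 50)), v_ip, p_outcome);
    COMMIT;   -- the password is never passed to or stored by this procedure
END log_attempt;
/

CREATE OR REPLACE FUNCTION guarded_authentication (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
) RETURN BOOLEAN IS
    c_max_failures CONSTANT PLS_INTEGER := 5;    -- assumed policy
    c_window_min   CONSTANT PLS_INTEGER := 15;   -- assumed policy
    v_failures PLS_INTEGER;
    v_ok       BOOLEAN;
BEGIN
    -- Failures for this user inside the sliding window.
    SELECT COUNT(*) INTO v_failures
      FROM login_attempts
     WHERE username = LOWER(SUBSTR(p_username, 1, 50))
       AND outcome = 'N'
       AND attempt_time > SYSTIMESTAMP - NUMTODSINTERVAL(c_window_min, 'MINUTE');

    IF v_failures >= c_max_failures THEN
        -- Recorded as 'L', not 'N', so repeated tries cannot extend the lock.
        log_attempt(p_username, 'L');
        RETURN FALSE;   -- same result as a wrong password
    END IF;

    v_ok := custom_authentication(p_username, p_password);  -- the page's function
    log_attempt(p_username, CASE WHEN v_ok THEN 'Y' ELSE 'N' END);
    RETURN v_ok;
END guarded_authentication;
/
```

Reviewing rows with outcome 'L' or runs of 'N' from one ip_address gives a simple view of password-guessing activity against the login page.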


Custom authentication in Oracle APEX gives you full control over login, session management, and security policies. It allows you to integrate with custom user repositories, external applications, and enforce advanced security measures. By using PL/SQL functions and session management techniques, you can build a secure and flexible authentication system tailored to your application's needs. 

Conclusion
Becoming proficient in custom authentication within Oracle APEX unlocks powerful capabilities for building secure, user-aware applications. By designing your own logic using PL/SQL, dynamic actions, or REST integrations, you can ensure that authentication aligns precisely with your application’s needs. While it requires more effort than using built-in schemes, custom authentication offers unmatched adaptability for complex environments.

Understanding Preconfigured Authentication Schemes in Oracle APEX

 

Introduction
Preconfigured authentication schemes in Oracle APEX provide a fast and reliable way to secure your applications using proven methods. These built-in options allow developers to implement common authentication strategies such as Oracle APEX Accounts, Social Sign-In, LDAP, and more without having to write custom code. By leveraging these predefined schemes, you can quickly enable user authentication while maintaining flexibility and control over login behavior and user session management.

 In Oracle APEX, preconfigured authentication schemes are built-in methods that control how users log in to your application. These schemes are designed to simplify authentication setup while offering flexibility for various use cases. When you create an application in APEX, it automatically includes a default authentication scheme, usually "Application Express Accounts," but you can choose from several other preconfigured options depending on your requirements.

To manage authentication schemes, go to Shared Components > Authentication Schemes. Here, you can view, create, edit, and set the current authentication scheme. Each scheme type comes with predefined logic that handles the login process, session validation, and logout behavior.

The most commonly used preconfigured authentication schemes are:

Application Express Accounts
This uses APEX’s internal user repository. You can manage users via App Builder > Manage Users and Groups. This option is useful for development or internal applications where you want to manually control access.

Database Accounts
This authenticates users against Oracle database usernames and passwords. It is less commonly used in web-based apps because database credentials are required. This scheme is mainly for administrative or utility applications.

LDAP Directory
This scheme integrates with enterprise directories like Microsoft Active Directory. You configure the LDAP server settings such as host, port, and base DN. Users are authenticated against the LDAP server. It's ideal for organizations with centralized user management.

Social Sign-In
This allows authentication via OAuth2 and OpenID Connect providers like Google, Microsoft, or Facebook. You must register your APEX app with the provider and configure the client ID, client secret, and redirect URI. This scheme is suited for modern, public-facing apps where convenience is important.

Oracle APEX Users
This uses the same logic as "Application Express Accounts" but is specifically linked to users defined within a specific APEX workspace. It is suitable for environments where user management is handled within APEX itself.

No Authentication (Public Application)
This allows users to access the application without logging in. It is useful for public websites or help pages. Be cautious with this option and ensure sensitive data is not exposed.

To switch between schemes, click on the scheme and choose “Set as Current.” Each scheme has attributes like session timeout, post-login procedure, and logout URL that can be customized. You can also configure how login failures are handled and whether to redirect to a custom login page.

Preconfigured schemes also allow fallback settings. You can define one scheme as the primary and others as fallback, which helps when migrating between authentication methods or when implementing conditional login logic.

Using these preconfigured authentication schemes in Oracle APEX allows developers to set up secure access control without building complex authentication logic from scratch. Each scheme is designed to work seamlessly with the APEX framework while offering room for customization through PL/SQL or dynamic actions. This approach enables you to match authentication strategy with the security policies of your application and organization.

 Oracle APEX provides several preconfigured authentication schemes that simplify user authentication and session management. These authentication schemes allow developers to quickly implement secure user authentication without writing complex authentication logic.


What Are Preconfigured Authentication Schemes?

Preconfigured authentication schemes are built-in authentication methods that Oracle APEX provides by default. They follow standard authentication and session management practices, making it easier to enforce security and control user access.

When creating an authentication scheme from the Authentication Scheme Gallery, you can choose from a list of predefined authentication schemes that handle different authentication methods, including database accounts, LDAP, social sign-in, and more.


Types of Preconfigured Authentication Schemes

1. Builder Extension Sign-in

  • Allows users to log into an Extension App without signing in again if they have an active APEX session.

  • Checks for an existing APEX session and grants access accordingly.

2. Custom Authentication

  • Enables developers to create a fully customized authentication process.

  • Typically implemented using PL/SQL functions to verify user credentials against a custom user repository.

3. Database Accounts

  • Uses Oracle database user accounts for authentication.

  • Users log in with their database schema credentials.

4. HTTP Header Variable

  • Authenticates users externally using an HTTP header variable.

  • The web server must be configured to set the username in an HTTP header.

5. LDAP Directory

  • Authenticates users against an LDAP server.

  • Requires LDAP configuration details such as server address, port, and search filters.

6. No Authentication (Using DAD)

  • Uses the current database user as the authenticated user.

  • Works with mod_plsql Database Access Descriptor (DAD) for authentication.

7. Open Door Credentials

  • Allows anyone to access the application.

  • Provides a basic login page where users can enter any username.

8. Oracle APEX Accounts

  • Uses APEX workspace user accounts for authentication.

  • Users must be registered in APEX’s internal user repository.

9. Oracle Application Server Single Sign-On (SSO)

  • Delegates authentication to Oracle Application Server SSO.

  • Requires registering the application with the SSO server.

10. SAML Sign-In

  • Uses Security Assertion Markup Language (SAML) for authentication.

  • Commonly used in enterprise applications for federated authentication.

11. Social Sign-In

  • Allows users to log in using Google, Facebook, Microsoft, or other social providers.

  • Supports authentication via OpenID Connect or OAuth2.


Choosing the Right Authentication Scheme

  • For internal applications using APEX accounts → Use Oracle APEX Accounts.

  • For database security where users have individual accounts → Use Database Accounts.

  • For enterprise authentication with an existing user directory → Use LDAP or SAML Sign-In.

  • For public applications without user restrictions → Use Open Door Credentials or No Authentication.

  • For single sign-on (SSO) in Oracle environments → Use Oracle Application Server SSO.

  • For external authentication via social providers → Use Social Sign-In.

  • For applications behind a proxy or load balancer → Use HTTP Header Variable authentication.


Implementing a Preconfigured Authentication Scheme

1. Navigate to Authentication Schemes

  • Open App Builder and select your application.

  • Click Shared Components > Authentication Schemes.

2. Create a New Authentication Scheme

  • Click Create.

  • Select Based on a preconfigured scheme from the gallery.

  • Choose the authentication scheme that fits your requirements.

3. Configure Authentication Settings

  • Provide necessary credentials, server details, or API configurations.

  • Define post-authentication and post-logout procedures, if needed.

4. Activate the Authentication Scheme

  • Click Make Current to set the new authentication scheme as active.


Preconfigured authentication schemes in Oracle APEX provide a quick and secure way to implement authentication. They cover a variety of use cases, from database authentication to enterprise SSO and social login. By selecting the appropriate authentication method, developers can ensure their applications meet security and usability requirements.

Conclusion
Understanding and using preconfigured authentication schemes in Oracle APEX can save significant development time while ensuring your applications follow standard security practices. These schemes offer powerful configuration options and can be extended or combined with custom logic when needed. Whether you're building an internal enterprise tool or a public-facing app, selecting the right authentication scheme is a critical step toward delivering a secure and user-friendly experience.

Build Extension Sign-in in Oracle APEX

 Introduction
Building an extension sign-in process in Oracle APEX allows developers to create customized authentication flows tailored to specific business requirements. Unlike the default login page, an extension sign-in can incorporate external identity providers, added security layers, and flexible user interface enhancements. This approach is especially useful for applications requiring integration with third-party systems, branding control, or advanced user validation logic.

 To build an extension sign-in process in Oracle APEX, you must override the default authentication method and design a customized login experience that meets your application's requirements. This approach allows you to introduce custom validations, external identity checks, multi-step flows, or a branded user interface. Below are the detailed steps to create a functional and secure extension sign-in:

1. Create a New Authentication Scheme
Navigate to Shared Components > Authentication Schemes. Click “Create” and choose “From Scratch.” Select “Custom” as the scheme type. Give it a name like “Custom Extension Sign-in.” Set it as current.

2. Implement Custom PL/SQL Code
In the authentication scheme’s attributes, under the “PL/SQL Function Returning Boolean” section, define the logic for authentication. For example:

return custom_auth_pkg.authenticate_user(:USERNAME, :PASSWORD);

You will need to create this package and function in your database. A basic version might look like this:

CREATE OR REPLACE PACKAGE BODY custom_auth_pkg AS

  FUNCTION authenticate_user(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
    v_stored_password users.password%TYPE;
  BEGIN
    -- Look up the stored hash; usernames are stored in upper case.
    SELECT password INTO v_stored_password
    FROM users
    WHERE username = UPPER(p_username);

    IF v_stored_password = custom_auth_pkg.hash_password(p_password) THEN
      APEX_UTIL.SET_AUTHENTICATION_RESULT(0);
      RETURN TRUE;
    ELSE
      APEX_UTIL.SET_AUTHENTICATION_RESULT(1);
      RETURN FALSE;
    END IF;
  EXCEPTION
    -- Unknown username: fail the same way as a wrong password.
    WHEN NO_DATA_FOUND THEN
      APEX_UTIL.SET_AUTHENTICATION_RESULT(1);
      RETURN FALSE;
  END;

  FUNCTION hash_password(p_password IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    -- DBMS_CRYPTO.hash returns RAW; RAWTOHEX makes the conversion to a hex string explicit.
    RETURN RAWTOHEX(DBMS_CRYPTO.hash(UTL_I18N.string_to_raw(p_password, 'AL32UTF8'), DBMS_CRYPTO.hash_sh256));
  END;

END custom_auth_pkg;

3. Create a Custom Login Page
Create a new APEX page (Page Mode: Dialog or Normal), and add two items: PXXX_USERNAME and PXXX_PASSWORD. Add a login button.

Under the button’s "Action," set it to “Defined by Dynamic Action.”

4. Create a Dynamic Action to Authenticate
When the login button is clicked:

  • Action: Execute PL/SQL Code

  • Code:

IF custom_auth_pkg.authenticate_user(:PXXX_USERNAME, :PXXX_PASSWORD) THEN
  -- POST_LOGIN takes the password as well as the username.
  APEX_AUTHENTICATION.POST_LOGIN(
    p_username => :PXXX_USERNAME,
    p_password => :PXXX_PASSWORD);
ELSE
  APEX_ERROR.ADD_ERROR(
    p_message => 'Invalid username or password.',
    p_display_location => apex_error.c_inline_in_notification);
END IF;

  • Items to Submit: PXXX_USERNAME, PXXX_PASSWORD

  • Page Action on Success: Redirect to desired page (e.g., home page)

5. Optional: Logging and Security Enhancements
Log every login attempt using an insert statement to a custom log table. Add account lockout after N failed attempts, or validate against third-party services like Okta, Active Directory, or OAuth 2.0 providers.

6. Redirect Unauthorized Access
In the authentication scheme, set the “Invalid Session” and “Logout URL” to point to your custom login page so that session timeouts or logouts return users correctly.

7. Apply Your Branding
Modify the HTML or use CSS to match your sign-in page to your brand. You can adjust the login region template, use custom button styles, or add logos, footers, and user instructions.

8. Testing and Troubleshooting
Test different scenarios: valid login, invalid credentials, expired sessions, and account locks. Use debug logs or insert logs into a database table to trace issues. Ensure HTTPS is used and passwords are never logged or stored in plaintext.

Custom extension sign-in gives you complete control over the authentication experience in Oracle APEX. With PL/SQL, dynamic actions, and APEX utilities, you can build a secure, branded, and adaptable login process tailored to your users and enterprise requirements.

The Builder Extension Sign-in authentication scheme in Oracle APEX allows users to log in to an Extension App without requiring a separate authentication process if they are already signed into an APEX session. This authentication scheme checks for an active APEX session and grants access based on the existing session credentials.

How Builder Extension Sign-in Works

  • This authentication scheme relies on the existing APEX session to validate users.

  • Users who are already logged into Oracle APEX can access the extension application without needing to re-enter credentials.

  • If a valid session is not found, the user is redirected to the APEX login page.

Steps to Use Builder Extension Sign-in

1. Navigate to Authentication Schemes

  • Open App Builder and select your application.

  • Click Shared Components > Authentication Schemes.

2. Create a New Authentication Scheme

  • Click Create to add a new authentication scheme.

  • Select Based on a preconfigured scheme from the gallery.

  • Choose Builder Extension Sign-in from the list of authentication schemes.

3. Configure Authentication Settings

  • Set the scheme Name (e.g., "Extension App Sign-in").

  • Configure Session Timeout settings to ensure session security.

  • Optionally, define Post-Authentication Procedures for additional validation.

  • Click Create Authentication Scheme.

4. Activate the Authentication Scheme

  • Once created, the scheme is not active by default.

  • Click Make Current to set it as the active authentication scheme for the application.

Use Cases for Builder Extension Sign-in

  • Seamless access to custom APEX extensions without requiring users to log in again.

  • Simplified user experience for APEX-based tools, dashboards, and utilities.

  • Improved security by leveraging APEX session management instead of custom authentication methods.

By using the Builder Extension Sign-in authentication scheme, APEX developers can ensure a smooth and secure login experience for extension applications within their workspace.

 Conclusion
A well-designed extension sign-in process in Oracle APEX enhances both user experience and application security. By leveraging APEX's built-in authentication framework and extending it through PL/SQL, REST APIs, or JavaScript, developers can deliver secure and seamless login mechanisms suited to complex enterprise environments. With proper planning and testing, the extension sign-in becomes a powerful feature that elevates the professionalism and robustness of your application.
