APEX Field Notes

Learning Oracle APEX can be challenging, especially without practical guidance. These are my field notes—captured directly from hands-on development work. I’m sharing them here as a living tutorial for anyone looking to get up to speed with APEX quickly and effectively. From beginner concepts to advanced techniques, I cover the essentials: forms, reports, dynamic actions, and much more. Whether you're just starting out or aiming to refine your skills, you'll find practical insights to help you

Sunday, July 6, 2025

Build Extension Sign-in in Oracle APEX

Introduction
Building an extension sign-in process in Oracle APEX allows developers to create customized authentication flows tailored to specific business requirements. Unlike the default login page, an extension sign-in can incorporate external identity providers, added security layers, and flexible user interface enhancements. This approach is especially useful for applications requiring integration with third-party systems, branding control, or advanced user validation logic.

To build an extension sign-in process in Oracle APEX, you must override the default authentication method and design a customized login experience that meets your application's requirements. This approach allows you to introduce custom validations, external identity checks, multi-step flows, or a branded user interface. Below are the detailed steps to create a functional and secure extension sign-in:

1. Create a New Authentication Scheme
Navigate to Shared Components > Authentication Schemes. Click “Create” and choose “From Scratch.” Select “Custom” as the scheme type. Give it a name like “Custom Extension Sign-in.” Set it as current.

2. Implement Custom PL/SQL Code
In the authentication scheme’s attributes, under the “PL/SQL Function Returning Boolean” section, define the logic for authentication. For example:

return custom_auth_pkg.authenticate_user(:USERNAME, :PASSWORD);

You will need to create this package and function in your database. A basic version might look like this:

CREATE OR REPLACE PACKAGE BODY custom_auth_pkg AS
  FUNCTION authenticate_user(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
    v_stored_password users.password%TYPE;
  BEGIN
    SELECT password INTO v_stored_password
    FROM users
    WHERE username = UPPER(p_username);

    IF v_stored_password = custom_auth_pkg.hash_password(p_password) THEN
      APEX_UTIL.SET_AUTHENTICATION_RESULT(0);
      RETURN TRUE;
    ELSE
      APEX_UTIL.SET_AUTHENTICATION_RESULT(1);
      RETURN FALSE;
    END IF;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      APEX_UTIL.SET_AUTHENTICATION_RESULT(1);
      RETURN FALSE;
  END;

  FUNCTION hash_password(p_password IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN DBMS_CRYPTO.hash(UTL_I18N.string_to_raw(p_password, 'AL32UTF8'), DBMS_CRYPTO.hash_sh256);
  END;
END custom_auth_pkg;

3. Create a Custom Login Page
Create a new APEX page (Page Mode: Dialog or Normal), and add two items: PXXX_USERNAME and PXXX_PASSWORD. Add a login button.

Under the button’s "Action," set it to “Defined by Dynamic Action.”

4. Create a Dynamic Action to Authenticate
When the login button is clicked:

Action: Execute PL/SQL Code
Code:

IF custom_auth_pkg.authenticate_user(:PXXX_USERNAME, :PXXX_PASSWORD) THEN APEX_AUTHENTICATION.POST_LOGIN(:PXXX_USERNAME); ELSE APEX_ERROR.ADD_ERROR( p_message => 'Invalid username or password.', p_display_location => apex_error.c_inline_in_notification); END IF;

Items to Submit: PXXX_USERNAME, PXXX_PASSWORD
Page Action on Success: Redirect to desired page (e.g., home page)

5. Optional: Logging and Security Enhancements
Log every login attempt using an insert statement to a custom log table. Add account lockout after N failed attempts, or validate against third-party services like Okta, Active Directory, or OAuth 2.0 providers.

6. Redirect Unauthorized Access
In the authentication scheme, set the “Invalid Session” and “Logout URL” to point to your custom login page so that session timeouts or logouts return users correctly.

7. Apply Your Branding
Modify the HTML or use CSS to match your sign-in page to your brand. You can adjust the login region template, use custom button styles, or add logos, footers, and user instructions.

8. Testing and Troubleshooting
Test different scenarios: valid login, invalid credentials, expired sessions, and account locks. Use debug logs or insert logs into a database table to trace issues. Ensure HTTPS is used and passwords are never logged or stored in plaintext.

Custom extension sign-in gives you complete control over the authentication experience in Oracle APEX. With PL/SQL, dynamic actions, and APEX utilities, you can build a secure, branded, and adaptable login process tailored to your users and enterprise requirements.

The Builder Extension Sign-in authentication scheme in Oracle APEX allows users to log in to an Extension App without requiring a separate authentication process if they are already signed into an APEX session. This authentication scheme checks for an active APEX session and grants access based on the existing session credentials.

How Builder Extension Sign-in Works

This authentication scheme relies on the existing APEX session to validate users.
Users who are already logged into Oracle APEX can access the extension application without needing to re-enter credentials.
If a valid session is not found, the user is redirected to the APEX login page.

Steps to Use Builder Extension Sign-in

1. Navigate to Authentication Schemes

Open App Builder and select your application.
Click Shared Components > Authentication Schemes.

2. Create a New Authentication Scheme

Click Create to add a new authentication scheme.
Select Based on a preconfigured scheme from the gallery.
Choose Builder Extension Sign-in from the list of authentication schemes.

3. Configure Authentication Settings

Set the scheme Name (e.g., "Extension App Sign-in").
Configure Session Timeout settings to ensure session security.
Optionally, define Post-Authentication Procedures for additional validation.
Click Create Authentication Scheme.

4. Activate the Authentication Scheme

Once created, the scheme is not active by default.
Click Make Current to set it as the active authentication scheme for the application.

Use Cases for Builder Extension Sign-in

Seamless access to custom APEX extensions without requiring users to log in again.
Simplified user experience for APEX-based tools, dashboards, and utilities.
Improved security by leveraging APEX session management instead of custom authentication methods.

By using the Builder Extension Sign-in authentication scheme, APEX developers can ensure a smooth and secure login experience for extension applications within their workspace.

Conclusion
A well-designed extension sign-in process in Oracle APEX enhances both user experience and application security. By leveraging APEX's built-in authentication framework and extending it through PL/SQL, REST APIs, or JavaScript, developers can deliver secure and seamless login mechanisms suited to complex enterprise environments. With proper planning and testing, the extension sign-in becomes a powerful feature that elevates the professionalism and robustness of your application.

Tuesday, July 1, 2025

View Authentication Scheme Reports in Oracle APEX

Oracle APEX provides built-in reports that allow developers to view and manage authentication schemes within an application. These reports help track the current authentication scheme, review available authentication methods, and monitor subscription statuses for authentication schemes copied from other applications.

Steps to View Authentication Scheme Reports

1. Navigate to the Authentication Schemes Page

Log in to Oracle APEX.
Open App Builder and select the application you want to inspect.
Click Shared Components > Authentication Schemes.

2. Review the Authentication Scheme Report

On the Authentication Schemes page, a report displays the following key details for each authentication scheme:

Scheme Name – The name of the authentication scheme.
Scheme Type – The type of authentication used (e.g., APEX Accounts, LDAP, Social Sign-In, etc.).
Current Scheme – Indicates which authentication scheme is active for the application.
Subscribed From – Shows if the authentication scheme is subscribed from another application.
Subscription Status – Displays whether the authentication scheme is up to date or requires synchronization with its master.

3. Filter or Search for Specific Authentication Schemes

Use the Search bar or filtering options to find a specific authentication scheme based on:

Scheme Type (e.g., LDAP, Database Accounts, OAuth2).
Subscription Status (Subscribed, Unsubscribed).
Active/Inactive Schemes.

4. View Detailed Information for a Specific Authentication Scheme

Click on an authentication scheme name to open its Edit page.
Review or modify attributes, including session management settings, authentication process hooks, and login page configurations.

Use Cases for Viewing Authentication Scheme Reports

Identifying which authentication scheme is currently active in the application.
Monitoring authentication scheme subscriptions and ensuring they are synchronized with their master definitions.
Verifying authentication security settings to comply with organizational policies.
Troubleshooting authentication-related issues by reviewing session settings and authentication behavior.

By leveraging authentication scheme reports, Oracle APEX developers can efficiently manage and monitor authentication settings within their applications.

Use a Procedure to Configure Authentication at Runtime in Oracle

In Oracle APEX, you can dynamically configure authentication at runtime by specifying a PL/SQL procedure on the Security Attributes page. This allows you to control authentication behavior dynamically, such as switching authentication schemes based on conditions, user roles, or application settings.

Steps to Configure Authentication at Runtime

1. Navigate to the Security Attributes Page

Log in to Oracle APEX.
Open App Builder and select the application you want to configure.
Click Shared Components > Security Attributes.

2. Specify a PL/SQL Procedure for Runtime Authentication

Locate the Authentication section.
In the Authentication Procedure Name field, enter the name of a PL/SQL procedure that will determine the authentication behavior.

3. Create the Authentication Procedure in PL/SQL

Define a PL/SQL procedure in your database schema that dynamically configures authentication. The procedure should set the authentication scheme based on conditions like the application ID, session attributes, or other logic.

CREATE OR REPLACE PROCEDURE set_authentication AS

v_auth_scheme VARCHAR2(255);

BEGIN

-- Example: Switch authentication based on the application ID

IF :APP_ID = 100 THEN

v_auth_scheme := 'APEX_ACCOUNTS'; -- Use APEX authentication

ELSE

v_auth_scheme := 'LDAP_AUTH'; -- Use LDAP authentication

END IF;

-- Set the authentication scheme for the session

APEX_UTIL.SET_AUTHENTICATION_SCHEME(v_auth_scheme);

END set_authentication;

This procedure selects an authentication scheme based on the application ID and sets it for the session.

4. Apply the Authentication Procedure

Save the Security Attributes page.
The authentication will now be dynamically determined based on the procedure at runtime.

5. Test the Configuration

Run the application and verify that authentication behavior changes dynamically based on the defined procedure.

Use Cases for Runtime Authentication Configuration

Switching authentication methods based on user roles or groups.
Enforcing different authentication schemes for different applications.
Enabling or disabling authentication dynamically based on security policies.

By using a PL/SQL procedure for authentication at runtime, Oracle APEX provides flexibility in managing authentication schemes dynamically, ensuring enhanced security and adaptability.

Subscribe an Authentication Scheme in Oracle APEX

Subscribing to an Authentication Scheme allows applications to reuse authentication configurations from a master application. This ensures consistency across multiple applications and makes it easier to manage authentication settings.

Why Subscribe to an Authentication Scheme?

Ensures authentication settings remain consistent across multiple applications.
Reduces maintenance effort by allowing changes to be managed from a single master scheme.
Automatically updates subscribed authentication schemes when changes are made to the master.

How to Subscribe to an Authentication Scheme

Navigate to the Authentication Schemes Page

Log in to your Oracle APEX workspace.
Open App Builder and select your application.
Click Shared Components from the application menu.
Under Security, select Authentication Schemes.

Select or Create an Authentication Scheme

If you are creating a new authentication scheme, click Create and follow the setup process.
If you want to subscribe an existing scheme, select it from the list.

Subscribe to an Authentication Scheme

On the Authentication Scheme Create / Edit page, find the Subscription section.
Under Subscribe From, select the source application that has the master authentication scheme.
Click Apply Changes to establish the subscription.

Manage Subscription Updates

When the master authentication scheme is updated, subscribed schemes can be refreshed to reflect changes.
To update, navigate to Authentication Schemes, select the subscribed scheme, and click Refresh Subscription.

Unsubscribe if Needed

If you want to detach the authentication scheme from the master, select Unsubscribe on the Authentication Scheme Edit page.
Once unsubscribed, the authentication scheme becomes independent and no longer receives updates from the master.

By subscribing to an authentication scheme, developers can streamline authentication management across multiple applications while maintaining security and consistency.

Creating a Login Page in Oracle APEX

A login page is essential for securing your application by authenticating users before granting access. Oracle APEX automatically generates a login page when you create an application that requires authentication. However, you can also create a custom login page manually.

Steps to Create a Login Page in Oracle APEX

1. Navigate to the App Builder

Log in to Oracle APEX.
Open App Builder and select the application where you want to create a login page.

2. Create a New Page

Click Create to add a new page.
Select Login Page under Authentication.
Click Next to proceed.

3. Configure the Login Page

Page Name: Enter a name for the login page (e.g., "User Login").
Page Mode: Choose whether this will be the default login page or a custom one.
Authentication Scheme: Select the authentication scheme to use (e.g., APEX Accounts, Database Authentication, LDAP, Social Sign-In).
Click Next and then Create Page.

4. Customize the Login Page (Optional)

Open the newly created Login Page in Page Designer.
Modify UI elements like the username and password fields, buttons, and messages.
Add any additional PL/SQL validation logic for custom authentication.

5. Set the Login Page as the Authentication Page

Go to Shared Components > Authentication Schemes.
Open your authentication scheme and ensure it references the newly created Login Page as the Login URL.
Click Apply Changes.

6. Test the Login Page

Run the application and verify that the login page appears before accessing other pages.
Enter credentials to confirm authentication works correctly.

Customizing the Login Process

Use Session State Protection to enhance security.
Add custom authentication logic using PL/SQL functions.
Implement password reset functionality if needed.

By following these steps, you can create a fully functional login page in Oracle APEX, ensuring that only authenticated users can access your application.