
Tuesday, July 1, 2025

View the Authentication Scheme Associated with an Application in Oracle APEX

 In Oracle APEX, every application uses an authentication scheme to determine how users are identified and granted access. Viewing the authentication scheme associated with an application is an essential task for developers and administrators, especially when managing security, troubleshooting login issues, or planning to switch authentication methods.

Below is a detailed step-by-step explanation of how to view the authentication scheme associated with an application in Oracle APEX:

Step-by-Step: View the Authentication Scheme Associated with an Application

1. Log in to Oracle APEX

  • Open your web browser and navigate to the Oracle APEX development environment.

  • Log in to the Workspace where your application resides.

2. Navigate to the Application Builder

  • On the APEX home screen, click “App Builder.”

  • Locate the application you want to inspect, and click on its name to open it.

3. Access Shared Components

  • Within the application dashboard, look for the section called “Shared Components.”

  • Click on “Shared Components.”

  • This area contains reusable elements of your application, including the authentication scheme.

4. Find Authentication Schemes

  • In the “Security” section of the Shared Components page, click “Authentication Schemes.”

  • This brings up a list of all available authentication schemes defined for the application.

5. Identify the Current Scheme

  • In the list, locate the authentication scheme marked with a green check mark (✓) in the “Current” column.

  • This indicates the active (in use) authentication method for your application.

  • The “Name” column shows the scheme’s name (e.g., APEX Accounts, Database Account, Social Sign-In, Custom, etc.).

  • The “Type” column shows the kind of authentication being used.

6. View the Scheme Details

  • Click on the name of the active authentication scheme to view its configuration details.

  • Here, you will see important settings such as:

    • Scheme Type (APEX, LDAP, Social Sign-In, Custom, etc.)

    • Authentication Function (if custom)

    • Login Processing Settings

    • Post-Authentication Procedure

    • Logout URL

    • Session Timeout Behavior

    • Cookie Settings

This information is critical if you want to understand how users are being authenticated, what happens when they log in or out, and how the session is managed.
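For an audit that covers many applications, the same information can be read from the APEX data dictionary instead of opening each application in turn. The query below is an added example, not part of the original post; it assumes the APEX_APPLICATION_AUTH dictionary view with the column names shown, so confirm them with DESCRIBE on your APEX release.

```sql
-- Added example: inventory of authentication schemes for every application
-- the parsing schema can see (run in SQL Workshop > SQL Commands).
-- Assumption: the APEX_APPLICATION_AUTH dictionary view and these columns.
select application_id,
       application_name,
       authentication_scheme_name,
       scheme_type,
       -- 'Y' is the scheme shown with the check mark in the "Current" column
       is_current_authentication                       as is_current,
       -- other schemes defined in the same application that
       -- "Make Current" could activate
       count(*) over (partition by application_id) - 1 as other_schemes_defined,
       -- who last touched the scheme definition, and when
       last_updated_by,
       last_updated_on
from   apex_application_auth
order  by application_id,
          is_current_authentication desc,
          authentication_scheme_name;
```

Rows with is_current = 'Y' whose scheme type is No Authentication or Open Door Credentials are the ones to review first, and a recent last_updated_on on the current scheme shows where the login method was changed.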

Additional Notes:

  • You can define multiple authentication schemes within one application, but only one scheme can be active at a time.

  • If you need to change the active scheme, you can click the “Make Current” button next to another defined scheme.

  • You can also copy or create new schemes from this screen if your application requires more complex login options (like switching between development and production logins or supporting multiple user sources).

Use Cases for Viewing Authentication Scheme

  • Verifying the login method currently used by the app.

  • Updating or troubleshooting login settings (e.g., incorrect username/password errors).

  • Preparing for security audits or compliance.

  • Integrating with external systems like LDAP or Single Sign-On (SSO).

  • Switching from development accounts to production user accounts before deployment.

In Oracle APEX, each application has an authentication scheme that controls how users log in. You can easily view the authentication scheme associated with an application through the Shared Components section.

Steps to View the Authentication Scheme

  1. Access the App Builder

    • Log in to your Oracle APEX workspace.

    • Click on App Builder to view your applications.

  2. Select the Application

    • Click on the application you want to inspect.

    • This will take you to the application's home page.

  3. Navigate to Authentication Schemes

    • Click on Shared Components under the application menu.

    • Under the Security section, click Authentication Schemes.

  4. View the Current Authentication Scheme

    • The Authentication Schemes page displays a list of authentication schemes available for the application.

    • The scheme marked as Current is the one currently in use.

  5. Review Authentication Scheme Details

    • Click on the current authentication scheme to open its details.

    • Here, you can see its type (e.g., APEX Accounts, LDAP, Social Sign-In) and its configuration settings.

By following these steps, you can quickly check which authentication method is securing your Oracle APEX application.


Viewing the authentication scheme in Oracle APEX is a quick yet powerful step that allows developers to confirm how user access is controlled. By accessing the Authentication Schemes section under Shared Components, you can identify the active scheme, explore its settings, and make adjustments if needed. This is a foundational skill for managing secure, role-based applications in Oracle APEX.

Understanding Preconfigured Authentication Schemes in Oracle APEX

 Oracle APEX provides several preconfigured authentication schemes that developers can use to control access to applications. These built-in authentication methods simplify user identity verification without requiring extensive custom development.

Types of Preconfigured Authentication Schemes

  1. Oracle APEX Accounts
    This method uses Oracle APEX’s built-in user repository for authentication. Developers can create and manage user accounts directly within APEX, making it ideal for applications that don’t require external authentication services.

  2. Database Accounts
    Authentication is performed using database schema credentials. Users log in with their database usernames and passwords, ensuring security at the database level.

  3. LDAP Directory
    Authentication is delegated to an LDAP (Lightweight Directory Access Protocol) server. Users log in with their LDAP credentials, enabling integration with enterprise directory services.

  4. Social Sign-In
    Supports authentication using social identity providers like Google, Facebook, Microsoft, or any provider that supports OpenID Connect or OAuth2. This allows users to log in with their existing social media or enterprise accounts.

  5. SAML Sign-In
    Allows authentication through Security Assertion Markup Language (SAML). This method is commonly used for integrating with corporate identity providers, enabling Single Sign-On (SSO) across multiple applications.

  6. Oracle Application Server Single Sign-On (SSO)
    Authentication is managed by an Oracle Single Sign-On (SSO) server, allowing seamless login across multiple Oracle applications.

  7. HTTP Header Variable
    Authentication is performed by checking the username stored in an HTTP header variable set by a web server. This is useful in environments where authentication is handled externally, such as reverse proxies or enterprise authentication gateways.

  8. No Authentication (Public Access)
    This scheme disables authentication, allowing anyone to access the application without logging in. This is typically used for public applications where authentication is unnecessary.

  9. Open Door Credentials
    Allows users to access the application using a built-in login page that captures a username without requiring a password. This is useful for simple access control scenarios.

  10. Builder Extension Sign-In
    Used for APEX Builder extensions, allowing users to access extension apps without signing in again if they are already logged into APEX.

Configuring a Preconfigured Authentication Scheme

To configure an authentication scheme:

  • Navigate to App Builder > Shared Components > Authentication Schemes

  • Select an existing scheme or create a new one from the authentication scheme gallery

  • Configure the settings based on the chosen authentication method

  • Click Make Current to activate the authentication scheme for the application

Oracle APEX allows developers to switch between authentication schemes as needed, ensuring flexibility and security for different application requirements.


Establish User Identity with Authentication in Oracle APEX

Authentication is used to verify a user's identity and control access to an application. Depending on the authentication method, users may need to provide credentials such as a username and password, or use alternative security measures like digital certificates or secure keys.

Understand Authentication in Oracle APEX

Authentication is the process of verifying a user's identity before granting access to an application. In Oracle APEX, authentication ensures that only authorized users can interact with the application based on the authentication method configured.

Authentication can be as simple as requiring a username and password or as complex as integrating with external identity providers using Single Sign-On (SSO), OAuth2, LDAP, or SAML. Once authenticated, Oracle APEX tracks the user session using the built-in substitution string APP_USER, which helps in session management and security enforcement throughout the application.

By configuring authentication schemes, developers can customize how users log in and how their identities are managed within the APEX environment.




Access and Use APP_USER in Oracle APEX

APP_USER is a built-in substitution string in Oracle APEX (Application Express) that represents the currently authenticated user within an APEX application session. It is used to retrieve the username or identification of the user who is actively logged in to the application. This string plays a critical role in managing session states, enforcing security, and personalizing content for individual users.

Understanding APP_USER

  1. What APP_USER Represents:

    • APP_USER holds the username or identifier of the user currently logged in to the Oracle APEX application.

    • The value of APP_USER is automatically populated by Oracle APEX when a user successfully authenticates using the specified authentication scheme (for example, APEX accounts, database accounts, LDAP, etc.).

    • If a user is not authenticated, the APP_USER value will typically be NULL or the default value, depending on how the application is set up.

  2. Where APP_USER is Used:

    • Session Management: Oracle APEX uses APP_USER to associate data with the correct session. This allows applications to personalize the user experience, track activities, and maintain security.

    • Personalization: Developers can use APP_USER to display personalized content, such as the user’s name, preferences, and settings. For example, a user might see their own tasks, notifications, or reports once logged in, based on their APP_USER value.

    • Role-Based Security: By referencing APP_USER, you can implement role-based security within the application. For example, an application might restrict certain pages or features to specific users or roles. You can create rules that check the APP_USER value and determine what parts of the application they can access.

  3. How APP_USER is Used:

    • Dynamic Actions/Validation: You can reference APP_USER in dynamic actions, validations, or PL/SQL code to execute logic based on the authenticated user.

    • SQL Queries: In SQL queries, APP_USER is often used to filter data related to the logged-in user. For example:

      SELECT * FROM orders WHERE created_by = :APP_USER;
      

      In this case, only orders created by the currently logged-in user (identified by APP_USER) would be retrieved.

    • Personalized Messages: The APP_USER value can be included in messages or displayed on the page to show a personalized greeting, such as "Welcome back, John!"

      <h1>Welcome, &APP_USER.!</h1>
      
  4. Security Considerations:

    • APP_USER is tied directly to the session, which means that only the authenticated user can access their own APP_USER value. You cannot access another user’s APP_USER unless specifically permitted by the application’s security model.

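    • When using APP_USER in SQL or PL/SQL, reference it as a bind variable (:APP_USER), which keeps the value out of the SQL text. If it is concatenated into dynamic SQL instead, ensure that the value is properly sanitized and validated to prevent SQL injection or unauthorized access.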

  5. Handling Invalid or Null APP_USER:

    • In cases where APP_USER is NULL (such as when the user is not authenticated), you may want to implement logic that redirects them to a login page or shows a generic message.

    • Example of checking APP_USER for a logged-in user:

      SELECT * FROM employees
      WHERE employee_id = :APP_USER;
      

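      This query returns rows only when APP_USER holds a value that matches an employee_id. When APP_USER is NULL (no authenticated user), the comparison is never true and no rows are returned.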

  6. Examples of Using APP_USER in APEX Applications:

    • Personalized Greetings:

      SELECT 'Hello, ' || :APP_USER || '!' FROM dual;
      

      This SQL statement could be used to display a personalized greeting to the user.

    • Access Control:
      In a page’s authorization settings, you might check the APP_USER value to ensure that only certain users can access a page:

      SELECT 1 FROM users WHERE username = :APP_USER AND role = 'ADMIN';
      

      If the query returns no rows, the user is not an administrator and access is denied.

    • Session Tracking: You can keep track of the user's activity, such as the last time they logged in or their last action, by storing this data in a session-based table using APP_USER as a reference.

From a programming perspective, the APP_USER value can be accessed in multiple ways, depending on the context:

  • As a bind variable in PL/SQL or SQL: 

:APP_USER

  • Within PL/SQL packages and triggers: 

V('APP_USER')

  • As an attribute of the APEX session context: 

sys_context('APEX$SESSION', 'APP_USER')

Using APP_USER for Security and Conditional Processing

The APP_USER variable can be leveraged to implement security checks and manage application behavior dynamically. For instance, you can create a table to store user privilege levels and use it to control access to different components:

CREATE TABLE my_security_table (
  user_id   VARCHAR2(30),
  privilege VARCHAR2(30)
);

Once populated with user privilege data, this table can be referenced to conditionally display pages, tabs, navigation bars, buttons, or regions based on the authenticated user’s role.
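The privilege table put to work, as an added example that is not part of the original post: an authorization-scheme query that binds :APP_USER, and a view that applies the row filter through the session context so page queries cannot forget it. The orders columns beyond created_by, the view name my_orders_v, the constraint name and all rows are hypothetical sample data.

```sql
-- Added example. my_security_table, orders, created_by and APP_USER come
-- from the text; every other name and all rows are constructed.

create table my_security_table (
  user_id   varchar2(30) not null,
  privilege varchar2(30) not null,
  -- a user cannot hold the same privilege twice
  constraint my_security_uk unique (user_id, privilege)
);

create table orders (
  order_id   number        primary key,
  created_by varchar2(30)  not null,
  amount     number(10,2)
);

insert into my_security_table (user_id, privilege) values ('ALICE', 'ADMIN');
insert into my_security_table (user_id, privilege) values ('BOB',   'READER');

insert into orders (order_id, created_by, amount) values (1, 'ALICE', 120.00);
insert into orders (order_id, created_by, amount) values (2, 'BOB',    45.50);
insert into orders (order_id, created_by, amount) values (3, 'CAROL',  78.25);

-- 1) Source for an authorization scheme of type "Exists SQL Query".
--    It passes only for users holding ADMIN. APP_USER arrives as a bind
--    variable, so its value is never parsed as part of the SQL text.
select 1
from   my_security_table
where  user_id   = :APP_USER
and    privilege = 'ADMIN';

-- 2) Row filter enforced once, in a view, using the session context form
--    of APP_USER (bind variables are not available inside a view).
--    Non-admins see only their own orders; admins see every order.
create or replace view my_orders_v as
select o.order_id,
       o.created_by,
       o.amount
from   orders o
where  o.created_by = sys_context('APEX$SESSION', 'APP_USER')
   or  exists (select 1
               from   my_security_table s
               where  s.user_id   = sys_context('APEX$SESSION', 'APP_USER')
               and    s.privilege = 'ADMIN');

-- 3) Pages then query the view instead of the base table.
select order_id, created_by, amount
from   my_orders_v
order  by order_id;
```

With these rows, a session authenticated as ALICE sees all three orders and BOB sees only order 2. A connection with no APEX session gets a NULL context value, so both predicates fail and the view returns no rows.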


APP_USER in Oracle APEX is a powerful tool that enables session tracking, user-specific content, and role-based security by storing the identifier of the currently authenticated user. It helps developers customize the user experience and enforce security policies across applications. By leveraging APP_USER in your application’s logic and security model, you can provide a personalized and secure experience for each user.



    Understand Authentication in Oracle APEX

    Authentication in Oracle APEX defines how users gain access to your application and whether their identities are individually recognized or treated as public users with uniform privileges. This distinction is crucial because it determines how user access and permissions are managed.

    If your application does not require tracking individual users, all users are treated as public users. Public users share the same level of access and privileges, with no differentiation based on identity. This model is suitable for applications where no personalized data or user-specific security is needed.

    However, if your application requires differentiating users—such as providing personalized content, securing sensitive data, or auditing user actions—you must specify an authentication method. Authentication is the process that verifies the identity of each user who attempts to access the application.

    How Authentication Works

    The authentication process typically requires users to provide credentials, most commonly a username and password. When a user submits these credentials, Oracle APEX validates them against the chosen authentication scheme, which could be APEX accounts, database accounts, LDAP, social login providers, or custom authentication logic.

    • If the credentials are valid and authentication succeeds, the user is granted access to the application.

    • If the credentials are invalid or authentication fails, the user is denied access and typically redirected to a login page or shown an error.

    Tracking Authenticated Users

    Once authenticated, Oracle APEX maintains the user’s session and identity throughout their interaction with the application. This is achieved using the built-in substitution string APP_USER. The APP_USER value dynamically reflects the currently logged-in user and updates as the user navigates from page to page.

    This mechanism allows APEX to associate session data with the correct user, enabling critical features such as:

    • Role-Based Security: By checking the value of APP_USER, the application can enforce access controls based on user roles or privileges.

    • Personalization: Applications can tailor content, display user-specific data, or modify the user interface depending on who is logged in.

    • Auditing and Logging: Tracking which user performed certain actions is possible by referencing APP_USER in logging or audit trails.

    Overall, authentication and the tracking of authenticated users via APP_USER form the foundation for secure, user-aware Oracle APEX applications.

    Adding User Role Assignments in Oracle APEX

     In Oracle APEX, user role assignments are used to control access to application components such as pages, regions, and features based on the user's assigned role. These roles are part of the Access Control framework available in Shared Components. Assigning roles to users allows you to implement fine-grained security, ensuring each user sees and interacts only with the features intended for their access level.

    What Are User Role Assignments?

    User role assignments associate specific users with predefined roles such as ADMIN, MANAGER, or USER. Once assigned, these roles can be referenced throughout your APEX application to conditionally show or hide content, allow or deny page access, and control business logic.

    Steps to Add User Role Assignments

    1. Access the Application Builder

    Log in to Oracle APEX, open the App Builder, and select the application in which you want to assign user roles.

    2. Navigate to Access Control

    Go to:
    Shared Components > Security > Access Control

    3. Enable Access Control (if not already)

    If Access Control is not yet enabled:

    • Click on the Access Control link.

    • Choose an Access Control method like By User or By Role.

    • Click Apply Changes.

    4. Open Access Control Entries

    After enabling, you'll see the Access Control Entries section. Click on it to manage user-role mappings.

    5. Add a New User Role Assignment

    • Click the Create button.

    • In the form, fill in the following fields:

      • Username: Enter the APEX username or user email (based on your authentication scheme).

      • Role: Select the appropriate role from the list (e.g., ADMIN, USER, READER).

      • Status: Choose whether the role assignment is Active or Inactive.

    Click Create to save the assignment.

    Understanding Access Control Fields

    Field: Description

    • Username: The APEX username of the user you want to assign a role to. Must match the user’s login identity.

    • Role: The role you want to assign. These roles must be previously defined in Access Control Roles.

    • Status: Determines if the role is currently active. Inactive roles will be ignored during runtime authorization checks.

    Where User Role Assignments Are Used

    • Page Access Control: Limit access to certain pages based on user role.

    • Button and Region Conditions: Show/hide UI components conditionally.

    • Authorization Schemes: Use role checks in authorization logic.

    • PL/SQL Conditions: Use apex_util.get_user_roles or similar API to programmatically check assigned roles.

    Tips and Best Practices

    • Consistent Role Names: Use a clear and consistent naming convention for roles.

    • Use Substitutions or Constants: Reference roles via constants to avoid hardcoding strings throughout the app.

    • Review Periodically: Regularly audit user-role assignments to ensure they reflect current access needs.

    • Testing: Test role assignments using different test users or session overrides.

    You can assign specific roles to users in your application through the Application Access Control page. This allows you to control access based on predefined roles.

    Steps to Add a User Role Assignment

    1. Navigate to the Shared Components page:

      • Go to the Workspace home page.

      • Click the App Builder icon.

      • Select the application where you want to assign roles.

      • On the Application home page, click Shared Components.

    2. Access the Application Access Control page:

      • Under Security, click Application Access Control.

    3. Add a new user role assignment:

      • Under User Role Assignments, click Add User Role Assignment.

      • The User Assignment dialog will appear.

    4. Define the user assignment:

      • User Name – Enter the name of the user. The name must contain only alphanumeric characters or underscores (_).

      • Application Role – Select the appropriate role for the user.

    5. Save the assignment:

      • Click Create Assignment to complete the process.

      • The newly assigned user role will now be displayed under User Role Assignments.

    These role assignments help enforce access control within your application, ensuring users have the appropriate privileges.

    Note:
    Application users are not included when exporting an application. After deploying your application, you must manually configure user-to-role assignments. However, roles are exported along with the application and will be imported automatically during the application import process.

    Summary

    Adding user role assignments in Oracle APEX is a key part of implementing robust application security. By mapping users to roles through the Access Control framework, developers can control user experience and protect sensitive features. This centralized role management simplifies maintenance and enhances both security and flexibility across APEX applications.

    Deleting Access Control Roles in Oracle APEX

    In Oracle APEX, Access Control Roles are part of the built-in role-based security system used to manage user permissions within an application. Over time, you may need to remove obsolete or unused roles from your application—for example, after restructuring role logic or simplifying the security model. Deleting Access Control Roles is a straightforward process, but it should be done carefully to avoid breaking page-level authorizations or logic that relies on those roles.

    What Are Access Control Roles?

    Access Control Roles in Oracle APEX represent named permissions (such as ADMIN, MANAGER, or READER) that can be assigned to users. These roles control access to components such as:

    • Pages and regions

    • Buttons and items

    • PL/SQL processes and conditions

    • Dynamic actions and validations

    Deleting a role will remove it from the Access Control configuration, and any references to it elsewhere in the app will no longer evaluate as true, which may result in restricted access or logic failures.

    Steps to Delete Access Control Roles

    1. Open Shared Components

    From the APEX App Builder, click your application, then navigate to:

    Shared Components > Security > Access Control

    2. Open Access Control Roles

    Click Access Control Roles to view the list of currently defined roles.

    3. Locate the Role to Delete

    You’ll see a table with all defined roles including Name, Display Name, and Role Code. Find the role you want to delete. Confirm that this role is not currently assigned to any users or referenced in conditional logic.

    4. Click the Delete Icon

    To the right of the role, click the Delete (trash bin) icon. A confirmation dialog will appear.

    5. Confirm the Deletion

    Click Yes to confirm the role deletion. This will permanently remove the role from the Access Control system for this application.

    Important Considerations Before Deletion

    • Check Usage References: Use Find or Page Search from the APEX Builder toolbar to search for where the role is used in conditions or authorizations.

    • Review Page Authorizations: Pages, regions, or buttons that rely on a deleted role will no longer be accessible unless their condition is updated.

    • Test the Application: After deletion, run the application and verify that all access control-related features behave as expected.
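    The check that a role is no longer assigned to anyone can be run as a query before the role is deleted. This is an added example, not part of the original post; it assumes the APEX dictionary views APEX_APPL_ACL_ROLES and APEX_APPL_ACL_USER_ROLES with the column names shown, and uses :APP_ID and the role static ID 'READER' as placeholders.

```sql
-- Added example: what still depends on a role before it is deleted.
-- Assumptions: dictionary views APEX_APPL_ACL_ROLES and
-- APEX_APPL_ACL_USER_ROLES; :APP_ID is the application id;
-- 'READER' is a placeholder role static id.

-- 1) Every role in the application with the number of users assigned.
--    The left join keeps roles that have no assignments at all.
select r.role_static_id,
       r.role_name,
       count(ur.user_name) as assigned_users
from   apex_appl_acl_roles r
left   join apex_appl_acl_user_roles ur
       on  ur.application_id = r.application_id
       and ur.role_id        = r.role_id
where  r.application_id = :APP_ID
group  by r.role_static_id,
          r.role_name
order  by assigned_users desc,
          r.role_static_id;

-- 2) The users who would lose the role if it were deleted now.
select ur.user_name
from   apex_appl_acl_user_roles ur
where  ur.application_id = :APP_ID
and    ur.role_static_id = 'READER'
order  by ur.user_name;
```

    A role with zero assigned users can still be referenced by authorization schemes and PL/SQL conditions, so the search for usage references described above is still required.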

    What Happens After Deletion?

    • The role is removed from the Access Control table.

    • Any APEX logic using that role will fail its authorization check.

    • If the role was assigned to users, those entries in the APEX workspace's user-role mapping will become invalid or ignored.

    • You can always re-create the same role later if needed, but you will have to manually reassign it and reconfigure its usage.

    Best Practices

    • Always back up your application before deleting roles—use the "Export" feature from the App Builder.

    • Keep documentation of which roles are active and where they are used.

    • If unsure, consider disabling or removing role conditions temporarily rather than fully deleting the role until verified.

    You can remove an access control role from your application by following these steps.

    Steps to Delete a Role

    1. Navigate to the Shared Components page:

      • Go to the Workspace home page.

      • Click the App Builder icon.

      • Select the application where the role is defined.

      • On the Application home page, click Shared Components.

    2. Access the Application Access Control page:

      • Under Security, select Application Access Control.

    3. Select the role to delete:

      • Locate the role you want to remove.

      • Click on the role name to open the Role dialog.

    4. Delete the role:

      • Click Delete to remove the role permanently.

    Once deleted, the role will no longer be available for authorization checks or assignments within the application.


    Deleting Access Control Roles in Oracle APEX helps maintain a clean and secure security model, but it requires careful validation. Before deleting, always confirm that the role is no longer used in your app’s logic or interface. With proper review and testing, role deletion can streamline your application’s authorization structure without unintended side effects.
