Auth0 is a cutting-edge authentication platform with a cool free option. It offers social logins, multi-factor authentication, and user management for startups and small projects, delivering robust security and a seamless login experience. You can use Auth0's free plan to explore its powerful features and enhance your APEX app's identity management.
Auth0 is powered by OKTA, however, whilst it offers a similar API, the token, API style and Logout URIs differ significantly. It made for an interesting blog to write.
I do like Auth0. It's feature-rich, has good documentation, a full API and a super Management Explorer API which helped me in this blog.
Pre-Requisites
Run the following in SQL Workshop
select APEX_AUTHENTICATION.GET_CALLBACK_URL from dual;From the results, just copy everything up to the callback phrase, e.g
https://apex.oracle.com/pls/apex/apex_authentication.callbackPaste this into Notepad as the Login URI
Obtain your APEX Login URL.. and paste it to Notepad as Login URL (including the APEX Authentication name) e.g.
[BASE URL]/ords/r/[WORKSPACE]/[APP]/home?request=APEX_AUTHENTICATION%3DAUTH0e.g
https://apex.oracle.com/pls/apex/r/wksp_x/z-products/home?request=APEX_AUTHENTICATION%3DAUTH0Now we need to Encode the Login URL for use later, so go here https://www.urlencoder.org/ and paste in the Login URL, click ENCODE and copy the encoded URL to Notepad as Encoded Login URL
Auth0 Configuration
Sign up for Auth0 - see the plan details for more information. This guide uses the Free Plan & no features from the paid plans.
Once in the Dashboard, click on the top left and copy your AUTH0 Domain to Notepad as AUTH0 Domain . Mine is dev-ipga6 (obfuscated of course).
Take this Domain (e.g dev-ipga6) & Country (e.g. uk) and create a discovery URL and save it in Notepad i.e.
https://YOUR_AUTH0_DOMAIN.COUNTRY.auth0.com/.well-known/openid-configurationlike this for example
https://dev-ipga6.uk.auth0.com/.well-known/openid-configurationOnce started, just follow the Create Application Wizard
Choose Name = APEX and Regular Web Applications and click Create
When the Quickstart tab shows, immediately change to the Settings tab
Copy the Client ID and Client Secret to Notepad
Copy the Login URL from Notepad (Not the encoded one) to both the Application Login URI & Allowed Logout URLs
Add the Callback URL to the Allowed Callback URLs
The final configuration looks a bit like this
Click Save Changes
Click on Applications > APIs
Click on Auth0 Management API
Click on Machine To Machine Applications and Authorize the APEX application
On the Permissions, select the following three permissions and click Update
READ:USERSREAD:ROLES
READ:ROLE_MEMBERS
These permissions allow us to use the Management API to find the Roles our user is assigned to
Click Update (see button on the picture above)
Click on User Management > Roles > Create Role
Create three test roles (for demonstration, you can remove them later)
MANAGERS
SUPERVISORS
SUPERUSERSClick on User Management > Users
Click the three dots/ellipses next to your Username and change your password (IDK why. I had to do this before the first login)
Click on your Username > Roles
Assign all roles you just created to your username
APEX Configuration
In APEX click App Builder > Workspace Utilities > Web Credentials > Create
Use the following table:
Name: AUTH0
Client ID or Username: Paste Client ID from Notepad
Client Secret or Password: Paste Client Secret from Notepad
Verify Client Secret or Password: Paste Client Secret from NotepadClick Create
Click Shared Components > Authorization Schemes > Create > Next
Use the table below:
Click Create Authorization Scheme
Use the following details:
Click Create to create a new Authorization Scheme and click Next
Repeat the above steps to create Authorization Schemes for MANAGERS and SUPERUSERS (as appropriate)
Click Shared Components > Security Attributes > Source for Role or Group Schemes and set it to Custom Code
Click APEX Application > Shared Components > Application Items > Create
In Name type G_SUB and click Create Application Item
Click APEX Application > Shared Components > Authentication Schemes > Create
Click Next on Based on a pre-configured scheme from the gallery
Use the following table
Name: AUTH0
Scheme Type: Social Sign-In
Credential Store: AUTH0
Discovery URL: Paste Discovery URL from Notepad
Scope: email,profile
Username: email
Additional User Attributes: sub,user_id,name
Map Additional User Attributes To: G_SUB
Click Create Authentication Scheme
Click on AUTH0 Authentication Scheme
Set Switch in Session to Enabled
In the Post-Logout URL, set Go To to URL
Set URL to this:
https://YOUR_AUTH0_DOMAIN.COUNTRY.auth0.com/v2/logout?returnTo=[ENCODED LOGIN URL]&client_id=[YOUR CLIENT ID]e.g.
https://dev-ipga6.uk.auth0.com/v2/logout?returnTo=http%3A%2F%2Fwww.example.com&client_id=123456This should ensure that you can log out of APEX & AUTH0 and then return to the APEX Application's AUTH0 login page.
In the Source > PL/SQL Code > paste the code below replacing the three constant default values with your credentials
PROCEDURE p_post_processing IS l_token_clob CLOB; l_clob CLOB; j apex_json.t_values; l_domain CONSTANT VARCHAR2(32767) DEFAULT 'https://dev-ipga6.uk.auth0.com'; l_client CONSTANT VARCHAR2(32767) DEFAULT 'nj7tROGwERT'; l_secret CONSTANT VARCHAR2(32767) DEFAULT 'd1VjjlZXNYS'; l_token CLOB DEFAULT empty_clob; l_sub VARCHAR2(32767) DEFAULT apex_util.url_encode(:G_SUB); l_group_names apex_t_varchar2; BEGIN apex_web_service.set_request_headers( p_name_01 => 'Content-Type', p_value_01 => 'application/json' ); l_token_clob := apex_web_service.make_rest_request( p_url => l_domain || '/oauth/token', p_http_method => 'POST', p_body => apex_string.format( '{"client_id":"%0", "client_secret":"%1", "audience":"%2/api/v2/", "grant_type":"client_credentials"}', l_client, l_secret, l_domain )); apex_json.parse(j, l_token_clob); l_token := apex_json.get_clob(p_path=>'access_token',p_values=>j); apex_web_service.clear_request_headers; apex_web_service.set_request_headers( p_name_01 => 'Accept', p_value_01 => 'application/json', p_name_02 => 'Authorization', p_value_02 => 'Bearer ' || l_token ); l_clob := apex_web_service.make_rest_request( p_url => l_domain || apex_string.format('/api/v2/users/%0/roles',l_sub), p_http_method => 'GET' ); apex_json.parse(p_values => j, p_source => l_clob); FOR i IN 1 .. apex_json.get_count(p_path=> '.', p_values=> j) LOOP -- add all group names to l_group_names apex_string.push ( p_table => l_group_names, p_value => apex_json.get_varchar2(p_path=>'[%d].name',p0=> i,p_values=>j) ); END LOOP; -- save group names in session apex_authorization.enable_dynamic_groups ( p_group_names => l_group_names ); END p_post_processing;On the Post-Authentication Procedure Name type
p_post_processingClick Apply Changes
On Page 1, add an Interactive Report region using the following SQL statement
select * from APEX_WORKSPACE_SESSION_GROUPS where apex_session_id = :APP_SESSIONThis will show you the AUTH0 Roles that have been translated to Dynamic Groups
Optional: Add a test, you can add the MANAGERS, SUPERVISORS or SUPERUSERS APEX Authorization Schemes to APEX Components, to test that the Authorization is working correctly.
Run the APEX App and you'll see a Login Screen. Enter your AUTH0 User Credentials and click continue
Once in your APEX application, you should see the Auth0 Roles, mapped to APEX Authorizations & correctly observed by APEX. You should also see three entries in your Interactive Report
Sign out of APEX and you will see the Auth0 Login screen again, all set to log in to APEX
ENJOY!
What's the cover image in this blog? It's Brimham Rocks. Visit Yorkshire!