Auth0 Authentication with APEX

Auth0 Authentication with APEX

Auth0 is a cutting-edge authentication platform with a cool free option. It offers social logins, multi-factor authentication, and user management for startups and small projects, delivering robust security and a seamless login experience. You can use Auth0's free plan to explore its powerful features and enhance your APEX app's identity management.

Auth0 is powered by OKTA, however, whilst it offers a similar API, the token, API style and Logout URIs differ significantly. It made for an interesting blog to write.

I do like Auth0. It's feature-rich, has good documentation, a full API and a super Management Explorer API which helped me in this blog.


  1. Run the following in SQL Workshop


    From the results, just copy everything up to the callback phrase, e.g

    Paste this into Notepad as the Login URI

  2. Obtain your APEX Login URL.. and paste it to Notepad as Login URL (including the APEX Authentication name) e.g.


  3. Now we need to Encode the Login URL for use later, so go here and paste in the Login URL, click ENCODE and copy the encoded URL to Notepad as Encoded Login URL

Auth0 Configuration

  1. Sign up for Auth0 - see the plan details for more information. This guide uses the Free Plan & no features from the paid plans.

  2. Once in the Dashboard, click on the top left and copy your AUTH0 Domain to Notepad as AUTH0 Domain . Mine is dev-ipga6 (obfuscated of course).

  3. Take this Domain (e.g dev-ipga6) & Country (e.g. uk) and create a discovery URL and save it in Notepad i.e.

    like this for example
  4. Once started, just follow the Create Application Wizard

  5. Choose Name = APEX and Regular Web Applications and click Create

  6. When the Quickstart tab shows, immediately change to the Settings tab

  7. Copy the Client ID and Client Secret to Notepad

  8. Copy the Login URL from Notepad (Not the encoded one) to both the Application Login URI & Allowed Logout URLs

  9. Add the Callback URL to the Allowed Callback URLs

  10. The final configuration looks a bit like this

  11. Click Save Changes

  12. Click on Applications > APIs

  13. Click on Auth0 Management API

  14. Click on Machine To Machine Applications and Authorize the APEX application

  15. On the Permissions, select the following three permissions and click Update


    These permissions allow us to use the Management API to find the Roles our user is assigned to

  16. Click Update (see button on the picture above)

  17. Click on User Management > Roles > Create Role

  18. Create three test roles (for demonstration, you can remove them later)

  19. Click on User Management > Users

  20. Click the three dots/ellipses next to your Username and change your password (IDK why. I had to do this before the first login)

  21. Click on your Username > Roles

  22. Assign all roles you just created to your username

APEX Configuration

  1. In APEX click App Builder > Workspace Utilities > Web Credentials > Create

    Use the following table:
    Name: AUTH0
    Client ID or Username: Paste Client ID from Notepad
    Client Secret or Password: Paste Client Secret from Notepad
    Verify Client Secret or Password: Paste Client Secret from Notepad

  2. Click Create

  3. Click Shared Components > Authorization Schemes > Create > Next

    Use the table below:

  4. Click Create Authorization Scheme

  5. Use the following details:

  6. Click Create to create a new Authorization Scheme and click Next

  7. Repeat the above steps to create Authorization Schemes for MANAGERS and SUPERUSERS (as appropriate)

  8. Click Shared Components > Security Attributes > Source for Role or Group Schemes and set it to Custom Code

  9. Click APEX Application > Shared Components > Application Items > Create

  10. In Name type G_SUB and click Create Application Item

  11. Click APEX Application > Shared Components > Authentication Schemes > Create

  12. Click Next on Based on a pre-configured scheme from the gallery

  13. Use the following table
    Name: AUTH0
    Scheme Type: Social Sign-In
    Credential Store: AUTH0
    Discovery URL: Paste Discovery URL from Notepad
    Scope: email,profile
    Username: email
    Additional User Attributes: sub,user_id,name
    Map Additional User Attributes To: G_SUB

  14. Click Create Authentication Scheme

  15. Click on AUTH0 Authentication Scheme

  16. Set Switch in Session to Enabled

  17. In the Post-Logout URL, set Go To to URL

  18. Set URL to this:[ENCODED LOGIN URL]&client_id=[YOUR CLIENT ID]


    This should ensure that you can log out of APEX & AUTH0 and then return to the APEX Application's AUTH0 login page.

  19. In the Source > PL/SQL Code > paste the code below replacing the three constant default values with your credentials

    PROCEDURE p_post_processing
        l_token_clob     CLOB;
        l_clob          CLOB;
        j apex_json.t_values;
        l_domain CONSTANT VARCHAR2(32767) DEFAULT ''; 
        l_client CONSTANT VARCHAR2(32767) DEFAULT 'nj7tROGwERT';
        l_secret CONSTANT VARCHAR2(32767) DEFAULT 'd1VjjlZXNYS';
        l_token  CLOB DEFAULT empty_clob;
        l_sub    VARCHAR2(32767) DEFAULT apex_util.url_encode(:G_SUB);
        l_group_names apex_t_varchar2;
            p_name_01        => 'Content-Type',
            p_value_01       => 'application/json' );
        l_token_clob := apex_web_service.make_rest_request(
            p_url => l_domain || '/oauth/token',
            p_http_method => 'POST',
            p_body => apex_string.format(
                        l_domain ));
        apex_json.parse(j, l_token_clob); 
        l_token := apex_json.get_clob(p_path=>'access_token',p_values=>j);
            p_name_01        => 'Accept',
            p_value_01       => 'application/json',
            p_name_02        => 'Authorization',
            p_value_02       => 'Bearer ' || l_token );
        l_clob := apex_web_service.make_rest_request(
            p_url => l_domain || apex_string.format('/api/v2/users/%0/roles',l_sub),
            p_http_method => 'GET' );
        apex_json.parse(p_values => j, p_source => l_clob);
       FOR i IN 1 .. apex_json.get_count(p_path=> '.', p_values=> j) 
            -- add all group names to l_group_names
             apex_string.push (
                      p_table => l_group_names,
                      p_value => apex_json.get_varchar2(p_path=>'[%d].name',p0=> i,p_values=>j) );   
       END LOOP;
        -- save group names in session
        apex_authorization.enable_dynamic_groups (
            p_group_names => l_group_names );
    END p_post_processing;
  20. On the Post-Authentication Procedure Name type

  21. Click Apply Changes

  22. On Page 1, add an Interactive Report region using the following SQL statement

    select *
     where apex_session_id = :APP_SESSION

    This will show you the AUTH0 Roles that have been translated to Dynamic Groups

  23. Optional: Add a test, you can add the MANAGERS, SUPERVISORS or SUPERUSERS APEX Authorization Schemes to APEX Components, to test that the Authorization is working correctly.

  24. Run the APEX App and you'll see a Login Screen. Enter your AUTH0 User Credentials and click continue

  25. Once in your APEX application, you should see the Auth0 Roles, mapped to APEX Authorizations & correctly observed by APEX. You should also see three entries in your Interactive Report

  26. Sign out of APEX and you will see the Auth0 Login screen again, all set to log in to APEX

  27. ENJOY!

What's the cover image in this blog? It's Brimham Rocks. Visit Yorkshire!