Keycloak Authentication with APEX

Keycloak is a handy tool for managing user authentication. In this post I'll provide the steps for using Keycloak to authenticate users of an Oracle APEX application.

Once authenticated, the groups the user is a member of are exposed as native authorization schemes in APEX.

It's a practical approach to securing APEX applications.

If you want to install and configure your own Keycloak instance on Oracle Cloud Compute (which works great on Always Free Micro) then follow this guide:
https://mattmulvaney.hashnode.dev/keycloak-installation-for-oracle-compute-with-custom-domain-apex-configuration

Preparation

  1. Run the following in SQL Workshop

       select APEX_AUTHENTICATION.GET_CALLBACK_URL from dual;
    

    From the result, copy everything up to and including the word callback, e.g.

      https://apex.oracle.com/pls/apex/apex_authentication.callback
    

    Paste this into Notepad as the Callback URL

Keycloak

  1. Login to Keycloak Admin Panel

  2. Click master > Create Realm

  3. Select a Realm Name

  4. Click Groups

  5. Create 3 groups for MANAGERS, SUPERVISORS and SUPERUSERS

  6. Click Users

  7. Create a user and join it to all three groups

  8. Click Create

  9. Click Credentials > Set Password

  10. Click Save

  11. Click Clients > Create Client and enter a Client ID of your choosing. Also save this Client ID to Notepad.

  12. Click Next and switch Client Authentication & Authorization to the On position.

  13. Click Next

  14. Enter the Root URL of your APEX application. e.g.

    https://g4cf-lufatp.adb.eu-frankfurt-1.oraclecloudapps.com/ords/r/
    
  15. Enter the Home URL of your application, e.g. (my app's alias is l, which is a bit confusing)

    https://g4cf-lufatp.adb.eu-frankfurt-1.oraclecloudapps.com/ords/r/wksp_x/l?request=APEX_AUTHENTICATION%3DKEYCLOAK
    
  16. Enter the callback URL from Notepad as a Valid Redirect URL, e.g.

    https://g4cf-lufatp.adb.eu-frankfurt-1.oraclecloudapps.com/ords/apex_authentication.callback
    
  17. Enter a Valid Post Logout Redirect URL, e.g.

    https://g4cf-lufatp.adb.eu-frankfurt-1.oraclecloudapps.com/ords/*
    
  18. Click Save

  19. Click on Credentials and copy the Client Secret to Notepad.

  20. Click on Realm Settings and copy the URL from OpenID Endpoint Configuration to Notepad

  21. Click Client Scopes > Create Client Scope

  22. Complete the form as per the picture below

  23. Click Save

  24. Click on Mappers > Configure a new Mapper

  25. Click on Group Membership

  26. Complete the form like this

  27. Click Save

  28. Click Client Scope Details in the breadcrumb

  29. Click on Scope > Assign Role

  30. Select default-roles-[your realm]

  31. Click Assign

  32. Click Clients > APEX Client > Client Scopes > Add Client Scopes > Check groups

  33. Click Add > Default

APEX Configuration

  1. In APEX click App Builder > Workspace Utilities > Web Credentials > Create

    Use the following table:
    Name: KEYCLOAK
    Client ID or Username: Paste Client ID from Notepad
    Client Secret or Password: Paste Client Secret from Notepad
    Verify Client Secret or Password: Paste Client Secret from Notepad

  2. Click Create

  3. Click Shared Components > Authorization Schemes > Create > Next

    Use the table below:

  4. Click Create Authorization Scheme

  5. Use the following details:

  6. Click Create to create a new Authorization Scheme and click Next

  7. Repeat the above steps to create Authorization Schemes for MANAGERS and SUPERUSERS (as appropriate)

  8. Click Shared Components > Security Attributes > Source for Role or Group Schemes and set it to Custom Code

  9. Click APEX Application > Shared Components > Application Items > Create

  10. In Name type G_SUB and click Create Application Item

  11. Click APEX Application > Shared Components > Authentication Schemes > Create

  12. Select Based on a pre-configured scheme from the gallery and click Next

  13. Use the following table
    Name: KEYCLOAK
    Scheme Type: Social Sign-In
    Credential Store: KEYCLOAK
    Discovery URL: Paste Discovery URL from Notepad
    Scope: email,profile,groups
    Username: email
    Additional User Attributes: sub,user_id,name
    Map Additional User Attributes To: G_SUB

  14. Click Create Authentication Scheme

  15. Click on KEYCLOAK Authentication Scheme

  16. Set Switch in Session to Enabled

  17. In Source > PL/SQL Code, paste the code below.

     PROCEDURE p_post_processing
     IS
       l_group_names apex_t_varchar2 := apex_t_varchar2();
     BEGIN
       -- add all group names from the groupmembership claim to l_group_names
       for i in 1 .. apex_json.get_count('groupmembership') loop
         apex_string.push (
           p_table => l_group_names,
           p_value => apex_json.get_varchar2 (
                        p_path => 'groupmembership[%d]',
                        p0     => i ));
       end loop;

       -- save the group names in the session as dynamic groups
       apex_authorization.enable_dynamic_groups (
         p_group_names => l_group_names );
     END p_post_processing;
    
  18. In Post-Authentication Procedure Name, type

    p_post_processing
    
  19. Click Apply Changes

  20. On Page 1, add an Interactive Report region using the following SQL statement

    select *
      from APEX_WORKSPACE_SESSION_GROUPS
     where apex_session_id = :APP_SESSION
    

    This will show you the Keycloak Roles that have been translated into Dynamic Groups.

  21. Optional: to test that the authorization is working correctly, add the MANAGERS, SUPERVISORS or SUPERUSERS APEX Authorization Schemes to some APEX components.

  22. Run the APEX App and you'll see a Login Screen. Enter your KEYCLOAK User Credentials and click Sign-In

  23. Once in your APEX application, you should see the Keycloak Roles mapped to APEX Authorizations and correctly observed by APEX. You should also see three entries in your Interactive Report.

  24. Sign out of APEX and you will see the Keycloak Login screen again, all set to log back into APEX

  25. ENJOY!
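As an added example (my own code, not from the original post), here is a more defensive variant of the p_post_processing procedure from step 17. It assumes the Group Membership mapper's Token Claim Name is groupmembership, as in the post, and additionally copes with the mapper's Full group path option, which makes Keycloak send names such as /MANAGERS rather than MANAGERS.

```plsql
-- Added example, not the original post's code. Assumptions: the mapper's
-- Token Claim Name is groupmembership, and Full group path may be enabled
-- (Keycloak then sends "/MANAGERS" or "/Region/MANAGERS").
PROCEDURE p_post_processing
IS
  l_group_names apex_t_varchar2 := apex_t_varchar2();
  l_raw         varchar2(4000);
  l_name        varchar2(4000);
BEGIN
  -- get_count returns null when the claim is absent (user in no groups);
  -- a null loop bound would raise VALUE_ERROR, so treat that as zero.
  for i in 1 .. nvl(apex_json.get_count(p_path => 'groupmembership'), 0) loop
    l_raw := apex_json.get_varchar2(p_path => 'groupmembership[%d]', p0 => i);

    -- Keep only the leaf group name: "/Region/MANAGERS" -> "MANAGERS".
    -- If there is no "/" the value is kept unchanged. APEX "Is In Group"
    -- authorization schemes match on the exact (case-sensitive) name.
    l_name := substr(l_raw, instr(l_raw, '/', -1) + 1);

    if l_name is not null then
      apex_string.push(p_table => l_group_names, p_value => l_name);
    end if;
  end loop;

  -- Record what was granted so it can be checked in the APEX debug log.
  apex_debug.info('Keycloak groups mapped to dynamic groups: %s',
                  apex_string.join(l_group_names, ','));

  -- An empty table simply grants no dynamic groups for this session.
  apex_authorization.enable_dynamic_groups(p_group_names => l_group_names);
END p_post_processing;
```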

Credits to Artur Morawski for lending me his Keycloak instance and cracking this Authentication before I did.

What's the picture? From a train window near Huddersfield (not the HS2 - lol Rishi). Visit Yorkshire!