Page 1 of 14
SINGLE SIGN-ON FOR (APEX) APPLICATIONS USING OAUTH2
Author: Niels de Bruijn
Version: 2.1
Date: 14-APR-2020
1 INTRODUCTION
A feature called “Social Sign-In” was introduced in APEX 18.1 that handles authentication based on
the OAuth2 standard. Although the name suggests that it can only be used with Facebook & Co. as
authentication provider, it also works with Azure Active Directory.
This document explains the process flow for authentication based on OAuth2 as well as the
implementation steps to undertake when using Azure AD as authentication provider.
2 ARCHITECTURE & PROCESS FLOW
Here is what happens in detail when you access an APEX app protected by OAuth2, using the grant type
also known as the “Authorization Code Flow”:
0. APEX is registered once as an OAuth2 client at the provider. The resulting client ID (= app username) and
client secret (= app password) are stored as “Web Credentials” at APEX workspace level.
1. The user accesses a page, e.g. https://apex.oracle.com/pls/apex/f?p=123:1.
2. APEX creates a session for “nobody” and checks whether the page requires authentication. If so, the
details of the current authentication scheme are retrieved from the metadata. If OpenID Connect is used as
authentication provider, the discovery URL is used to retrieve the authorization endpoint, token endpoint and
user info URLs with their parameters. If “generic OAuth2 provider” was selected, these URLs have to be
entered in APEX manually. The user is then redirected to the authorization endpoint URL.
3. The user logs in at the provider, e.g. with username/password.
4. Depending on the provider used, the user may also need to explicitly consent to the app accessing
resources like e-mail address, street, ZIP code, etc.
5. After authentication, the provider returns an authorization code, and the browser is redirected with it
to the APEX callback URL https://apex.oracle.com/pls/apex/apex_authentication.callback.
6. APEX contacts the token endpoint URL over HTT
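The authorization code exchange described in steps 0 to 6 above, modelled end to end in Python as an added example (it is not code from this document and not APEX's own implementation). Both the APEX-side client and a simulated provider run in one process with no network access; all URLs, client credentials, session IDs and user names are constructed placeholders. The `state` parameter check is included because it is what binds the callback in step 5 to the browser session that started the login in step 2.

```python
"""Model of the OAuth2 Authorization Code Flow (added example, not from the original document).

All URLs, client IDs, secrets and codes below are constructed placeholders, not
values from a real Azure AD tenant. The provider is simulated in-process.
"""
import hmac
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Step 0: the client registration that APEX stores as "Web Credentials" (constructed)
CLIENT_ID = "apex-demo-client"          # hypothetical app username
CLIENT_SECRET = "s3cr3t-placeholder"    # hypothetical app password
REDIRECT_URI = "https://apex.example.com/pls/apex/apex_authentication.callback"

# Endpoint URLs that OpenID Connect discovery would normally return (constructed)
AUTHORIZATION_ENDPOINT = "https://login.example.com/oauth2/v2.0/authorize"
TOKEN_ENDPOINT = "https://login.example.com/oauth2/v2.0/token"


class SimulatedProvider:
    """In-process stand-in for the identity provider (constructed, not Azure AD)."""

    def __init__(self):
        self._issued = {}  # authorization code -> (client_id, redirect_uri, subject)

    def authorize(self, params, subject):
        """Steps 3-5: the user has authenticated; issue a one-time authorization code."""
        if params.get("response_type") != "code" or params.get("client_id") != CLIENT_ID:
            raise ValueError("unknown client or unsupported response_type")
        code = secrets.token_urlsafe(16)
        self._issued[code] = (params["client_id"], params["redirect_uri"], subject)
        # Redirect to the client's callback URL with the code and the unchanged state
        return REDIRECT_URI + "?" + urlencode({"code": code, "state": params["state"]})

    def token(self, form):
        """Step 6: the client redeems the code at the token endpoint."""
        entry = self._issued.pop(form.get("code"), None)  # codes are single-use
        if entry is None:
            return {"error": "invalid_grant"}
        client_id, redirect_uri, subject = entry
        if (form.get("client_id") != client_id
                or not hmac.compare_digest(form.get("client_secret", ""), CLIENT_SECRET)
                or form.get("redirect_uri") != redirect_uri):
            return {"error": "invalid_client"}
        return {"access_token": "at-" + secrets.token_hex(8), "token_type": "Bearer", "sub": subject}


class ApexClient:
    """Stand-in for the APEX authentication scheme (steps 1, 2, 5 and 6)."""

    def __init__(self, provider):
        self.provider = provider
        self.pending_state = {}  # "nobody" session id -> state issued for it

    def start_login(self, session_id):
        """Step 2: page requires authentication; build the authorization redirect."""
        state = secrets.token_urlsafe(16)  # ties the later callback to this session
        self.pending_state[session_id] = state
        params = {
            "response_type": "code",
            "client_id": CLIENT_ID,
            "redirect_uri": REDIRECT_URI,
            "scope": "openid profile email",
            "state": state,
        }
        return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)

    def handle_callback(self, session_id, callback_url):
        """Steps 5-6: verify state, then exchange the code for tokens."""
        query = parse_qs(urlparse(callback_url).query)
        expected = self.pending_state.pop(session_id, None)
        received = query.get("state", [None])[0]
        if expected is None or received is None or not hmac.compare_digest(expected, received):
            return None  # callback was not started by this session: reject it
        form = {
            "grant_type": "authorization_code",
            "code": query["code"][0],
            "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET,
        }
        return self.provider.token(form)


def _drive(session_for_callback, subject="alice@example.com"):
    """Run steps 1-6 once; the callback is delivered into the given session."""
    provider = SimulatedProvider()
    client = ApexClient(provider)
    auth_url = client.start_login("session-1")
    params = {k: v[0] for k, v in parse_qs(urlparse(auth_url).query).items()}
    callback_url = provider.authorize(params, subject)
    return client.handle_callback(session_for_callback, callback_url)


def run_flow():
    """Happy path: the session that started the login receives the token response."""
    return _drive("session-1")


def run_foreign_callback():
    """A callback delivered into a different session fails the state check."""
    return _drive("session-2")  # returns None


if __name__ == "__main__":
    print(run_flow())
    print(run_foreign_callback())
```

The token response returned by `run_flow` is what APEX would use to populate the session user; `run_foreign_callback` shows the same callback URL being rejected when it arrives in a session other than the one that generated the `state` value.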