Implementing Social Sign-In with Microsoft Azure/Office 365 in APEX

Introduction

In APEX, we've got various Authentication Options, like the default Oracle APEX Accounts, Database Accounts, LDAP, Social Sign-In, and more. In this guide, we'll discuss using Microsoft Azure or Office 365 for authentication in APEX Apps. There are some great reasons to use a third-party identity provider like Azure, such as enabling Single Sign-On (SSO) to access multiple apps with just one set of credentials and Multi-Factor Authentication (MFA) for an extra layer of security.

Prerequisites

Before we dive in, please make sure you have completed the prerequisites listed below. This will enable you to move through this guide seamlessly.

  • Azure AD/Office 365 Account ✅

  • Access to an APEX Instance ✅

Build an APEX Application

Before we can start, we need an APEX application to set up Social Sign-In. So, go ahead and log in to your APEX Workspace, then create a new application using the App Builder. Feel free to name it something like Azure Demo App in the wizard.

Once you've set up your APEX application, go ahead and run it. Take note of the URL for future reference. In this example, the URL would be:

https://gfc4fe40cd2a327-apex1.adb.eu-frankfurt-1.oraclecloudapps.com/ords/r/demo/azure-demo-app/home

Azure Configuration for APEX Social Login

First, let's create a new Application in Azure. To do this, log in to the Azure portal https://portal.azure.com/ and click on the navigation menu. From there, go to Microsoft Entra ID. In the left navigation menu click on the App registrations link. At the top of the page, click on the New registration button.

Go ahead and give the app a name, for example, My APEX Application. As the Supported Account Types choose Accounts in any organizational directory (Any Microsoft Entra ID tenant - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox). Then change the Redirect URI Type to Web. For the Redirect URL, we'll need to enter the APEX callback URL. If you're not sure what your callback URL is, you can find it by running this SQL:

 select apex_authentication.get_callback_url from dual;

Your result should look something like this:

https://gfc4fe40cd2a327-apex1.adb.eu-frankfurt-1.oraclecloudapps.com/ords/apex_authentication.callback

Then paste the callback URL into the Redirect URL field and click Register.

Finally, note the Client-ID and Tenant-ID, as we'll need them later in Oracle APEX.

Then click Add a certificate or secret and create a new one by clicking New client secret. The Add a client secret Panel is displayed. Give it a name like My Client Secret and set the expiration date to 365 days or whatever you prefer.

Click Add and take note of the Value, as we'll need it later in Oracle APEX as well.

For the final step, navigate to Authentication in the left-side navigation menu. In the Front-channel Logout URL section, enter the Home URL from your application that we noted in the first step when we created the APEX application. Then check the ID tokens (used for implicit and hybrid flows) checkbox and click Save.

And there you have it! The Azure part is all done. Now, let's move on to the APEX side of things.

APEX Configuration for APEX Social Login

The first part is complete. So go back to the APEX Builder and let's continue there.

Setting Up Web Credentials for Authentication

First things first, we'll need to create a new Web Credential for our authentication process. Web Credentials are really useful because they securely store and encrypt authentication credentials for Oracle APEX components and APIs. These credentials can't be retrieved in plain text. Plus, they're stored at the Workspace Level, which means they're visible in all applications of that workspace.

To create a new Web Credential in APEX, click on Workspace Utilities in the App Builder. Once you're there, look for Web Credentials and give it a click. Finally, click the Create button to make your new Web Credential.

Give it a name and a Static ID, for example, Azure. Keep the Authentication Type as Basic Authentication, and then paste in your Client ID and Value from the Azure App registration we created earlier. Then click Apply Changes.

Create the APEX Application Login Mechanism

Finally, we need to let our application know that the login is coming from Azure. To do this, we'll set up a new Authentication Scheme. Go back to your APEX App and click on Shared Components. Look for the Security section, and click on the link for Authentication Schemes. Click Create and keep the option Based on a preconfigured scheme from the gallery selected and then click Next.

In the final step, we have to fill out some settings for the Authentication Scheme. Give it a unique name, like Azure Sign-In and choose the Scheme-Type Social Sign-In. Next, select the Web Credential Azure we created earlier. Pick the Authentication Provider OpenID Connect Provider and type in the Discovery URL.

Note: To get the Discovery URL, just use the link below and replace {tenant-id} with the Tenant-ID you noted earlier.

https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration

Click Create Authentication Scheme to create it right away. Once the Scheme is created click on it again to make some final settings. Scroll down to the Post-Logout URL Section and set Go To to URL. Enter the application URL in the URL field.

For the Post-Logout URL, simply use your APEX application URL once again, e.g.:

https://gfc4fe40cd2a327-apex1.adb.eu-frankfurt-1.oraclecloudapps.com/ords/r/demo/azure-demo-app/home

And there you have it ✅
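
Before testing, it is worth checking that the values collected in the steps above agree with each other. The following is an added example, not part of the original guide or of Oracle's or Microsoft's tooling: it builds the Discovery URL from the Tenant-ID and checks a discovery document, the callback URL and the application URL for consistency. The tenant GUID and the trimmed discovery document are constructed sample values, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
LOGIN_HOST = "login.microsoftonline.com"

def discovery_url(tenant_id):
    """Build the Discovery URL from the Tenant-ID noted in the Azure portal."""
    if not GUID.match(tenant_id):
        raise ValueError("Tenant-ID is not a GUID (placeholder left in?)")
    return f"https://{LOGIN_HOST}/{tenant_id}/.well-known/openid-configuration"

def origin(url):
    """Return (scheme, host) so two URLs can be compared by origin."""
    parts = urlsplit(url)
    return (parts.scheme, parts.netloc.lower())

def preflight(tenant_id, doc, callback_url, home_url):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if origin(doc.get(key, "")) != ("https", LOGIN_HOST):
            problems.append(f"{key} is not an https URL on {LOGIN_HOST}")
    if tenant_id.lower() not in doc.get("issuer", "").lower():
        problems.append("issuer does not reference the configured tenant")
    if not urlsplit(callback_url).path.endswith("/apex_authentication.callback"):
        problems.append("redirect URI is not the APEX callback URL")
    if origin(callback_url) != origin(home_url) or origin(home_url)[0] != "https":
        problems.append("callback and application URL differ in origin or are not https")
    return problems

# Constructed sample values: the tenant GUID is a placeholder and the document
# is a trimmed stand-in for what the Discovery URL returns.
TENANT = "11111111-2222-3333-4444-555555555555"
SAMPLE_DOC = {
    "issuer": f"https://sts.windows.net/{TENANT}/",
    "authorization_endpoint": f"https://{LOGIN_HOST}/{TENANT}/oauth2/authorize",
    "token_endpoint": f"https://{LOGIN_HOST}/{TENANT}/oauth2/token",
    "jwks_uri": f"https://{LOGIN_HOST}/common/discovery/keys",
}
# Host name taken from the example URLs in this guide.
APEX = "https://gfc4fe40cd2a327-apex1.adb.eu-frankfurt-1.oraclecloudapps.com/ords"
CALLBACK = f"{APEX}/apex_authentication.callback"
HOME = f"{APEX}/r/demo/azure-demo-app/home"

if __name__ == "__main__":
    print(discovery_url(TENANT))
    print(preflight(TENANT, SAMPLE_DOC, CALLBACK, HOME) or "all checks passed")
```

To run it against your own setup, replace the sample document with the JSON returned by your Discovery URL and the constants with the values you noted.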

Test your Social Login

To verify if everything's working fine, go ahead and run the application. If all is good, you'll see the Azure Login Dialog.

Note: When you sign in for the first time, you'll need to allow access.

Here we go 🚀

Conclusion

In conclusion, implementing Social Sign-in with Microsoft Azure/Office 365 in Oracle APEX applications introduces several advantages such as Single Sign-On and Multi-Factor Authentication, enhancing not just the security but also the user experience. By following these easy steps, you can leverage the benefits of integrating Azure with your APEX applications for Social Sign-in.
