Bootstrap your APEX authentication & authorisation
Transcript of Bootstrap your APEX authentication & authorisation
Who am I?
Richard Martens
@rhjmartens
http://richardmartens.blogspot.com
• independent consultant since 2012
• smart4apex founding member (2010)
• Oracle since 2002 (Oracle 8i)
• PL/SQL, APEX, HTML(5), CSS(3), JavaScript, XML, XSLT
• special interest in UI
• Oracle ACE since 2015
• RIMA on Oracle Forums
• trainer at skillbuilders.com
Agenda
• Introducing: APEX SSO components
• Not "single" but better "second" sign on. Once signed in, it acts like "single"
• Conditions, Assumptions and Prerequisites
• The Authentication Process
• The Authorization Process
Conditions, Assumptions & Prerequisites
• We need a central login application
• Central user and roles administration
• Optionally use 3rd party sign-on (Google Authentication etc.)
• We login using several workspaces and servers
• Once logged in we should be logged in in all applications
• Once logged out we must log out from all applications and workspaces
• Easily extendable to more workspaces, servers and applications
The Authentication Process: user is not yet logged in
1. User requests a page from the application
2. Application detects that the user is not logged in
3. Application sends the user to the login application
4. Login application authenticates the user
5. Login application sends the user to the originating application’s callback procedure
6. Callback procedure makes a REST request to the login server to get the user’s roles
7. When roles are received, the user is authenticated
The Authentication Process: user is already logged in (another “suite” application)
1. User requests a page from the application
2. Application detects that the user is logged in
3. Application makes a REST request to the login server to get the user’s roles
4. When roles are received, the user is authenticated
5. When no roles are received, the user is not authenticated
• Landing page: “You are not authorized”
• Login application
Remember the Google Authentication scheme?
1. APEX redirects the end user to the Google login page
2. After a successful login into Google, Google redirects the end user back to a redirect URL on your server (this is a PL/SQL stored procedure)
3. When the PL/SQL procedure runs it:
   a. requests Google for an exchange token (using RESTful web services)
   b. reads a “token” from the Google response
   c. requests further info (email address, name etc.)
   d. creates a session for the end user
   e. stores the token in an application item and in an APEX collection
   f. redirects the user to the home page
4. APEX is now equipped with a token to do further requests to the Google APIs
Better well stolen than badly invented: “Fresh” login
[Sequence diagram between yourapp, apexloginapp (suitelogin), the suite autho web service and the suite auth engine: user requests page; user is redirected to login app; user authenticates to login app; user is authenticated; user is redirected to Suite app call-back procedure; call-back procedure requests authorisation roles; authorisation roles are sent by web service. The token is used for security.]
Better well stolen than badly invented: “Second” login
[Sequence diagram, same participants: user requests page; application detects cookie; the application’s sentry function detects no roles; sentry function requests roles; authorisation roles are sent by web service; user is technically authenticated. The token is used for security.]
So … what do we need? Client app
• Set the “Session Not Valid URL”
• Allows APEX to use PL/SQL to redirect to the login application:
<code>
#OWNER#.s4s_authentication_pck.redirect_to_login?p_goto_workspace=&WORKSPACE_ID.&p_goto_app=&APP_ALIAS.&p_goto_session=&APP_SESSION.
</code>
So what do we need? Recap
Login app
• Sentry function
• Authentication function
• Post logout procedure
• Session Not Valid = “Login page”
• Post authentication procedure
• Cookie name
Client app
• Sentry function
• Post logout procedure
• Session Not Valid URL
• Cookie name
• Foremost we must allow our callback procedure to be run from outside of APEX
• Runs from ORDS:
Another view at the system
[Diagram: sentry function detects cookie (session), page gets displayed; sentry function detects no session, P101 after submit: authentication function, post authentication procedure, callback procedure: creates APEX session, web service returning JSON roles]
Sentry function (client app)
• The sentry function defines a valid session: “Is this session valid?”
• The session is valid when a valid cookie is found
• Cookies are bound to each server / domain
• The sentry is there to check the session. In our case however we must create an APEX session when one is not there but the cookie is valid.
<pseudocode>
1. Get cookie data
2. If no cookie found: return “false” (making the app revert to the login app)
3. If cookie found: is the APEX session available?
   1. Yes: check / create the autho collection and return “true”
   2. No: create an APEX session and use the cookie data to check (or create) the autho collection, then return “true”
</pseudocode>
Session Not Valid URL (client app)
• redirect_to_login with URL parameters for setting page-item values
<code>
owa_util.redirect_url
( curl => g_login_base_uri || 'f?p=' || g_login_app                                  -- app
          || ':' || g_login_page_alias                                                -- page
          || ':'                                                                      -- session
          || ':'                                                                      -- request
          || ':YES'                                                                   -- debug
          || ':'                                                                      -- clearcache
          || ':P101_GOTO_WORKSPACE,P101_GOTO_APP,P101_GOTO_SESSION'                   -- itemnames
          || ':' || l_goto_workspace || ',' || l_goto_app || ',' || l_goto_session    -- itemvalues
);
</code>
Authentication function (login app)
• Takes only 2 parameters: username and password
• We need 5! username, password, workspace, app_alias, session
• On page 101 after submit: combine password + workspace + app_alias + session into the :P101_PASSWORD item; within the authentication function we unwrap this again
<pseudocode>
1. Unwrap the password to obtain password, workspace, app_alias and session
2. Hash the password and check for the username, hash, app_alias combination
3. Return true when a record is found
</pseudocode>
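The wrap/unwrap trick from this slide as an added example, not the presentation's own package: the page-101 after-submit process packs workspace, app alias and session in front of the password, and the authentication function splits them off again and checks a salted hash. The table s4s_users (columns username, app_alias, pw_salt, pw_hash) and both function names are assumptions.

```plsql
-- Added example, not the presentation's code. Assumed: table s4s_users
-- (username, app_alias, pw_salt raw, pw_hash raw) storing salted SHA-256 hashes.
-- Workspace, app alias and session id never contain '|', so the password,
-- which may, is put last and taken as everything after the third separator.
create or replace function s4s_wrap_password
  (p_password in varchar2, p_workspace in varchar2, p_app_alias in varchar2, p_session in varchar2)
  return varchar2 is
begin
  -- P101 after submit: :P101_PASSWORD := s4s_wrap_password(:P101_PASSWORD,
  --   :P101_GOTO_WORKSPACE, :P101_GOTO_APP, :P101_GOTO_SESSION);
  return p_workspace || '|' || p_app_alias || '|' || p_session || '|' || p_password;
end s4s_wrap_password;
/

-- Authentication function: APEX hands it username and password only.
create or replace function s4s_authenticate (p_username in varchar2, p_password in varchar2)
  return boolean is
  l_pos1      pls_integer := instr(p_password, '|', 1, 1);
  l_pos2      pls_integer := instr(p_password, '|', 1, 2);
  l_pos3      pls_integer := instr(p_password, '|', 1, 3);
  l_workspace varchar2(255); l_app_alias varchar2(255); l_session varchar2(255);
  l_pw        varchar2(4000);
  l_salt      raw(32); l_hash raw(32);
begin
  -- step 1: unwrap; a value without three separators was not wrapped, so deny
  if nvl(l_pos3, 0) = 0 then
    return false;
  end if;
  l_workspace := substr(p_password, 1, l_pos1 - 1);
  l_app_alias := substr(p_password, l_pos1 + 1, l_pos2 - l_pos1 - 1);
  l_session   := substr(p_password, l_pos2 + 1, l_pos3 - l_pos2 - 1);
  l_pw        := substr(p_password, l_pos3 + 1);
  -- hand the routing values back to session state for the post-authentication procedure
  apex_util.set_session_state('P101_GOTO_WORKSPACE', l_workspace);
  apex_util.set_session_state('P101_GOTO_APP', l_app_alias);
  apex_util.set_session_state('P101_GOTO_SESSION', l_session);
  -- step 2: fetch the stored salt and hash for this username + app_alias combination
  select u.pw_salt, u.pw_hash into l_salt, l_hash
    from s4s_users u
   where u.username = upper(p_username) and u.app_alias = l_app_alias;
  -- step 3: true only when the salted hash of the supplied password matches
  return l_hash = dbms_crypto.hash(utl_raw.concat(l_salt, utl_raw.cast_to_raw(l_pw)),
                                   dbms_crypto.hash_sh256);
exception
  when no_data_found then
    return false;
end s4s_authenticate;
/
```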
Post authentication (login app)
• Responsible for sending the user to the client app’s callback function
• Generate a token for security
• Clear session state for pw, goto_worksp, goto_app and goto_session on the login server
<pseudocode>
1. Determine the client’s IP number and create the token
2. Get the goto-app callback URL
3. Reset password, goto_workspace, goto_app and goto_session in session state
4. Redirect the user to the application
</pseudocode>
Callback procedure (client app)
• Set client app cookie
• Create or use APEX session
• Get roles from the authorisation web service and store them in a collection
<pseudocode>
1. Set SSO cookie
2. Get application info
3. If no error:
   1. Set security group (workspace)
   2. Set flow ID (application id)
   3. Set session info (session)
   4. Define user session (session)
   5. Get JSON from web service and store in collection
   6. Log the user into APEX (sets “APP_USERNAME”)
      1. This uses the p_app_page parameter to send the user to a page inside the app
</pseudocode>
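Both the post-authentication token (step 1 of the previous slide) and the callback's check of it, plus storing the roles web service answer in a collection (step 5 here), as an added example that is not the presentation's code. The package name s4s_sso_pck (its spec is assumed to declare these routines), the shared-secret placeholder, the collection name S4S_ROLES and the JSON shape {"roles":[...]} are assumptions.

```plsql
-- Added example, not the presentation's code. Assumed: a shared secret known to both
-- servers (c_secret; keep it in a table, not in source), a collection S4S_ROLES and a
-- roles web service answering {"roles":["ADMIN","EDITOR"]}.
create or replace package body s4s_sso_pck is
  c_secret constant raw(64) := utl_raw.cast_to_raw('PLACEHOLDER-replace-with-shared-secret');

  function sign(p_payload in varchar2) return varchar2 is
  begin
    return rawtohex(dbms_crypto.mac(utl_raw.cast_to_raw(p_payload), dbms_crypto.hmac_sh256, c_secret));
  end sign;

  -- Post-authentication (login app), step 1: token bound to user, client IP and issue time.
  function create_token(p_user in varchar2) return varchar2 is
    l_payload varchar2(400) := p_user || '|' || owa_util.get_cgi_env('REMOTE_ADDR') || '|'
                            || to_char(sys_extract_utc(systimestamp), 'YYYYMMDDHH24MISS');
  begin
    return l_payload || '|' || sign(l_payload);
  end create_token;

  -- Callback (client app): accept the token only when the signature matches, it was
  -- issued to the same client IP and it is fresh; returns the user name, else null.
  function verify_token(p_token in varchar2, p_max_age_sec in number default 60) return varchar2 is
    l_sep     pls_integer   := nvl(instr(p_token, '|', -1), 0);
    l_payload varchar2(400) := substr(p_token, 1, l_sep - 1);
    l_issued  timestamp;
  begin
    if l_sep = 0 or substr(p_token, l_sep + 1) is null or sign(l_payload) <> substr(p_token, l_sep + 1) then
      return null;
    end if;
    l_issued := to_timestamp(regexp_substr(l_payload, '[^|]+', 1, 3), 'YYYYMMDDHH24MISS');
    if regexp_substr(l_payload, '[^|]+', 1, 2) <> nvl(owa_util.get_cgi_env('REMOTE_ADDR'), '?')
       or sys_extract_utc(systimestamp) - l_issued > numtodsinterval(p_max_age_sec, 'SECOND') then
      return null;
    end if;
    return regexp_substr(l_payload, '[^|]+', 1, 1);
  end verify_token;

  -- Callback step 5: fetch the roles JSON from the authorisation web service into a collection.
  procedure store_roles(p_roles_url in varchar2) is
    l_json clob := apex_web_service.make_rest_request(p_url => p_roles_url, p_http_method => 'GET');
  begin
    apex_json.parse(l_json);
    apex_collection.create_or_truncate_collection(p_collection_name => 'S4S_ROLES');
    for i in 1 .. nvl(apex_json.get_count(p_path => 'roles'), 0) loop
      apex_collection.add_member(p_collection_name => 'S4S_ROLES',
                                 p_c001 => apex_json.get_varchar2(p_path => 'roles[%d]', p0 => i));
    end loop;
  end store_roles;
end s4s_sso_pck;
```

The callback passes the token it received from the login server to verify_token and only continues with the session set-up when a user name comes back.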
Post logout procedure (client app)
• Expire the cookie
or
• Remove the cookie
Authorisation
• Create an authorisation scheme:
• PL/SQL function returning boolean (the named parameter matches the function below):
• return s4s_authorisation_pck.has_role(p_role_id => 'ROLENAME');
<code>
-- s4s_roles_vw is assumed to expose the roles the callback stored in the collection
function has_role ( p_role_id in s4s_roles_vw.grup_id%type ) return boolean is
  -- count the role rows of the current session that carry the requested role
  cursor c_roles is
    select count(1)
      from s4s_roles_vw r
     where r.grup_id = p_role_id;
  l_reccount pls_integer;
begin
  open c_roles;
  fetch c_roles into l_reccount;
  close c_roles;
  return l_reccount > 0;
end has_role;
</code>