Bootstrap your APEX authentication & authorisation

Transcript of Bootstrap your APEX authentication & authorisation

Who am I?

Richard Martens

@rhjmartens

http://richardmartens.blogspot.com

• independent Consultant since 2012

• smart4apex founding member (2010)

• oracle since 2002 (Oracle 8i)

• PL/SQL, Apex, HTML(5), CSS(3), Javascript, XML, XSLT

• special interest in UI

• oracle ace since 2015

• RIMA on Oracle Forums

• trainer at skillbuilders.com

This is what we’re talking about

Agenda

• Introducing: APEX SSO components

• Not "single" but better "second" sign on. Once signed in, it acts like "single"

• Conditions, Assumptions and Prerequisites

• The Authentication Process

• The Authorization Process

Conditions, Assumptions & Prerequisites

• We need a central login application

• Central user and roles administration

• Optionally use 3rd party sign-on (Google Authentication etc.)

• We login using several workspaces and servers

• Once logged in we should be logged in in all applications

• Once logged out we must log out from all applications and workspaces

• Easily extendable to more workspaces, servers and applications

The Authentication Process: user is not yet logged in

1. User requests a page from the application

2. Application detects that the user is not logged in

3. Application sends the user to the login application

4. Login application authenticates the user

5. Login application sends the user to the originating application’s callback procedure

6. Callback procedure makes a REST request to the login server to get the user’s roles

7. When roles are received, the user is authenticated

The Authentication Process: user is already logged in (another “suite” application)

1. User requests a page from the application

2. Application detects that the user is logged in

3. Application makes a REST request to the login server to get the user’s roles

4. When roles are received, the user is authenticated

5. When no roles are received, the user is not authenticated

• Landing-page: “You are not authorized”

• Login-application

Remember Google Authentication scheme ?

1. apex redirects the end-user to the google login-page

2. after successful login into google, google redirects the end-user back to a redirect URL on your server (this is a pl/sql stored procedure)

3. when the pl/sql procedure runs it:

a. requests an exchange token from google (using RESTful web services)

b. reads a “token” from the google response

c. requests further info (email-address, name etc.)

d. creates a session for the end-user

e. stores the token in an application-item and in an apex-collection

f. redirects the user to the home-page

4. apex is now equipped with a token to do further requests to the google APIs

Better well stolen than badly invented: “Fresh” Login

[Sequence diagram: yourapp, apexloginapp / suitelogin, suiteautho web service, suiteauthe engine]

• user requests page

• user is redirected to login app

• user authenticates to login app

• user is redirected to Suite app call-back procedure

• call-back procedure requests authorisation roles

• authorisation roles are sent by web service (using token for security)

• user is authenticated

Better well stolen than badly invented: “Second” login

[Sequence diagram: same participants as above]

• user requests page

• application detects cookie

• application’s Sentry function detects no roles

• Sentry function requests roles

• authorisation roles are sent by web service (using token for security)

• user is technically authenticated

So … what do we need ?

• Set “Cookie name”

• Mainly for same workspace authentication

Client App

So … what do we need ?

• Set the “session not valid URL”

• Allows APEX to use pl/sql to redirect to login application

• #OWNER#.s4s_authentication_pck.redirect_to_login?p_goto_workspace=&WORKSPACE_ID.&p_goto_app=&APP_ALIAS.&p_goto_session=&APP_SESSION.

Client App

So … what do we need ?

• Set “Sentry”, “Invalid Session” and “Post logout procedures”

Client App

So … what do we need ? Login App

So what do we need? Recap

Login App

• Sentry function

• Authentication function

• Post logout procedure

• Session Not Valid = “Login page”

• Post Authentication procedure

• Cookie Name

Client app

• Sentry function

• Post logout procedure

• Session Not Valid URL

• Cookie Name

• Foremost we must allow our callback procedure to be run from outside of APEX

• Runs from ORDS:

Another view at the system

[Diagram: Sentry function detects cookie (session) → Page gets displayed; Sentry function detects no session → P101 after submit: authentication function → Post authentication procedure → Callback procedure: creates APEX session → Web service returning JSON roles]

Sentry function client app

• The Sentry function defines a valid session: “Is this session valid?”

• Session is valid when a valid cookie is found

• Cookies are bound to each server / domain

• Sentry is to check the session. In our case however we must create an APEX session when one is not there, but the cookie is valid.

<pseudocode>
1. Get cookie data
2. If no cookie found: return “false” (making the app revert to the login app)
3. If cookie found: is the APEX session available?
   a. Yes: check / create autho collection and return “true”
   b. No: create apex session and use cookie data to check (or create) autho collection, then return “true”
</pseudocode>
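A sentry function along the lines of this pseudocode, as an added example (it is not the presenter’s s4s code). The cookie name S4S_SSO, the collection name S4S_ROLES, the roles web-service URL and its JSON shape are assumptions, as is passing the end user’s IP address along with the token.

```plsql
-- Added example, not the presenter's s4s code. Assumed: cookie S4S_SSO carrying the
-- SSO token, collection S4S_ROLES, and a roles web service on the login server that
-- answers {"username":"X","roles":["ADMIN","EDITOR"]} for a valid token and
-- {"username":null,"roles":[]} for an unknown, expired or foreign-IP token.
create or replace function s4s_sentry return boolean is
  l_cookie owa_cookie.cookie;
  l_user   varchar2(255);
  l_count  pls_integer;
begin
  -- 1 + 2: without the SSO cookie the session is invalid; APEX then goes to the login app
  l_cookie := owa_cookie.get('S4S_SSO');
  if l_cookie.num_vals = 0 or l_cookie.vals(1) is null then
    return false;
  end if;
  -- 3a: APEX session present and roles already loaded: nothing more to check
  if apex_custom_auth.is_session_valid
     and apex_collection.collection_exists('S4S_ROLES') then
    return true;
  end if;
  -- let the login server vouch for the token; the end user's IP travels along because
  -- this REST call originates from the database, not from the browser (assumed URL)
  apex_json.parse(apex_web_service.make_rest_request(
    p_url         => 'https://login.example.com/ords/s4s/roles',
    p_http_method => 'GET',
    p_parm_name   => apex_util.string_to_table('token|client_ip', '|'),
    p_parm_value  => apex_util.string_to_table(
                       l_cookie.vals(1) || '|' || owa_util.get_cgi_env('REMOTE_ADDR'), '|')));
  l_user  := apex_json.get_varchar2(p_path => 'username');
  l_count := nvl(apex_json.get_count(p_path => 'roles'), 0);
  if l_user is null or l_count = 0 then
    return false;                          -- no roles received: not authenticated
  end if;
  -- 3b: valid cookie but no APEX session yet: create one for the vouched-for user
  if not apex_custom_auth.is_session_valid then
    apex_custom_auth.set_session_id_to_nextval;
    apex_custom_auth.define_user_session(
      p_user => l_user, p_session_id => apex_custom_auth.get_session_id);
  end if;
  -- store the roles where the authorisation scheme (has_role) looks for them
  apex_collection.create_or_truncate_collection('S4S_ROLES');
  for i in 1 .. l_count loop
    apex_collection.add_member(
      p_collection_name => 'S4S_ROLES',
      p_c001            => apex_json.get_varchar2(p_path => 'roles[%d]', p0 => i));
  end loop;
  return true;
end s4s_sentry;
```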


Session not valid URL client app

• redirect_to_login with URL parameters for setting page-item values

<code>
owa_util.redirect_url (
  curl => g_login_base_uri || 'f?p=' || g_login_app                 -- app
          || ':' || g_login_page_alias                               -- page
          || ':'                                                     -- session
          || ':'                                                     -- request
          || ':YES'                                                  -- debug
          || ':'                                                     -- clearcache
          || ':P101_GOTO_WORKSPACE,P101_GOTO_APP,P101_GOTO_SESSION'  -- itemnames
          || ':' || l_goto_workspace                                 -- itemvalues
          || ',' || l_goto_app
          || ',' || l_goto_session );
</code>


Authentication function login-app

• Takes only 2 parameters: username and password

• We need 5! username, password, workspace, app_alias, session

• On page 101: after-submit, combine password + workspace + app_alias + session into the :P101_PASSWORD item; within the authentication function we unwrap this again

<pseudocode>
1. unwrap the password to obtain password, workspace, app_alias and session
2. hash the password and check for the username, hash, app_alias combination
3. return true when a record is found
</pseudocode>
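An authentication function that unwraps the packed P101_PASSWORD value as described, added here as an example and not taken from the presenter’s s4s code. The ‘|’ separator, the view s4s_user_apps_vw and its columns, and salted SHA-256 as the hash are assumptions.

```plsql
-- Added example, not the presenter's s4s code. Assumed: page 101 packs
-- password|workspace|app_alias|session into P101_PASSWORD with '|' as separator,
-- and a view s4s_user_apps_vw(username, salt, password_hash, app_alias) exposing one
-- row per user/app with a salted SHA-256 of the password (hash_sh256 needs 12c+).
create or replace function s4s_authenticate (
  p_username in varchar2,
  p_password in varchar2 ) return boolean is
  l_pos   pls_integer;
  l_pw    varchar2(4000);
  l_parts apex_t_varchar2;
  l_count pls_integer;
begin
  -- 1. unwrap: the three fixed fields sit behind the last three separators, so a
  --    password that itself contains '|' survives the round trip
  l_pos := instr(p_password, '|', -1, 3);
  if l_pos = 0 then
    return false;                                   -- malformed login request
  end if;
  l_pw    := substr(p_password, 1, l_pos - 1);
  l_parts := apex_string.split(substr(p_password, l_pos + 1), '|'); -- workspace, app_alias, session
  -- keep the goto information for the post-authentication procedure
  apex_util.set_session_state('P101_GOTO_WORKSPACE', l_parts(1));
  apex_util.set_session_state('P101_GOTO_APP',       l_parts(2));
  apex_util.set_session_state('P101_GOTO_SESSION',   l_parts(3));
  -- 2. hash with the user's own salt and look for the username/hash/app_alias record
  select count(*)
    into l_count
    from s4s_user_apps_vw u
   where u.username  = upper(p_username)
     and u.app_alias = l_parts(2)
     and u.password_hash = dbms_crypto.hash(
           utl_raw.cast_to_raw(u.salt || l_pw), dbms_crypto.hash_sh256);
  -- 3. true only when exactly that combination exists
  return l_count = 1;
end s4s_authenticate;
```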


Post authentication login-app

• Responsible for sending the user to the client-app’s callback function

• Generate token for security

• Clear session state for pw, goto_worksp, goto_app and goto_session on the login-server

<pseudocode>
1. determine the client’s IP address and create a token
2. get the goto-app callback url
3. reset password, goto_workspace, goto_app and goto_session in session-state
4. Redirect the user to the application
</pseudocode>


Callback procedure client app

• Set client app cookie

• Create or use APEX Session

• Get roles from authorisation webservice and store in collection

<pseudocode>
1. Set SSO Cookie
2. Get Application info
3. If no error:
   a. Set security group (workspace)
   b. Set Flow ID (application-id)
   c. Set Session Info (session)
   d. Define user session (session)
   e. Get JSON from webservice and store in collection
   f. Log the user into APEX (sets “APP_USERNAME”); this uses the p_app_page parameter to send the user to a page inside the app
</pseudocode>
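The login-server side of the token handshake, serving both the post-authentication slide and step e of the callback above: the post-authentication procedure mints the IP-bound token and the ORDS handler behind the roles web service only answers for an unexpired token from the same IP. Added example, not the presenter’s s4s code; the tables s4s_tokens and s4s_user_roles, the lookup function s4s_callback_url and the 8-hour lifetime are assumptions.

```plsql
-- Added example, not the presenter's s4s code: login-server side of the token
-- handshake. Assumed: table s4s_tokens(token, username, client_ip, expires_at),
-- table s4s_user_roles(username, role_name), a lookup function
-- s4s_callback_url(p_workspace, p_app_alias), and an 8-hour token lifetime.
create or replace procedure s4s_post_authentication is
  l_token varchar2(64)  := rawtohex(dbms_crypto.randombytes(32)); -- 256 random bits
  l_ws    varchar2(255) := v('P101_GOTO_WORKSPACE');
  l_app   varchar2(255) := v('P101_GOTO_APP');
  l_sess  varchar2(255) := v('P101_GOTO_SESSION');
begin
  -- 1. bind the token to the authenticated user and to the end user's IP address
  insert into s4s_tokens (token, username, client_ip, expires_at)
  values (l_token, v('APP_USER'), owa_util.get_cgi_env('REMOTE_ADDR'),
          systimestamp + interval '8' hour);
  -- 3. the wrapped password and the goto items must not linger in session state
  apex_util.set_session_state('P101_PASSWORD',       null);
  apex_util.set_session_state('P101_GOTO_WORKSPACE', null);
  apex_util.set_session_state('P101_GOTO_APP',       null);
  apex_util.set_session_state('P101_GOTO_SESSION',   null);
  -- 2 + 4. hand the user over to the client app's callback procedure
  apex_util.redirect_url(s4s_callback_url(l_ws, l_app)
                         || '?p_token=' || l_token || '&p_session=' || l_sess);
end s4s_post_authentication;
/
-- Handler behind the ORDS roles web service called by the callback procedure. The
-- request comes from the client app's database, so the end user's IP is passed along;
-- roles are returned only for an unexpired token with a matching IP, otherwise the
-- list is empty and the client treats the user as not authenticated.
create or replace procedure s4s_roles_service (
  p_token in varchar2, p_client_ip in varchar2 ) is
  l_user s4s_tokens.username%type;   -- stays null when the token is rejected
begin
  begin
    select username into l_user
      from s4s_tokens
     where token = p_token
       and client_ip = p_client_ip
       and expires_at > systimestamp;
  exception
    when no_data_found then null;    -- unknown, expired or wrong IP
  end;
  owa_util.mime_header('application/json');
  apex_json.open_object;
  apex_json.write('username', l_user);
  apex_json.open_array('roles');
  for r in (select role_name from s4s_user_roles where username = l_user) loop
    apex_json.write(r.role_name);
  end loop;
  apex_json.close_all;
end s4s_roles_service;
```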


Post logout procedure client app

• Expire the cookie

or

• Remove the cookie


DEMO TIME

Authorisation

• Create authorisation scheme:

• PL/SQL function returning boolean:

• return s4s_authorisation_pck.has_role(p_role_name => 'ROLENAME');

function has_role (
  p_role_name in s4s_roles_vw.grup_id%type ) return boolean   -- parameter name matches the call above
is
  -- s4s_roles_vw exposes the roles the callback / sentry stored for this session
  cursor c_roles is
    select count(1)
      from s4s_roles_vw r
     where r.grup_id = p_role_name;
  l_reccount pls_integer;
begin
  open c_roles;
  fetch c_roles into l_reccount;
  close c_roles;
  return l_reccount > 0;
end has_role;