
OIDC/OAuth2 in APEX, with a wallet for a self-signed certificate

Creating a wallet for APEX with the Oracle client orapki

You only need to do this if your SSO server uses a self-signed certificate (the database must explicitly trust it, otherwise the TLS handshake to the OIDC provider fails).

Get your certificates (the server certificate and its issuer are printed as PEM blocks):

openssl s_client -connect sso-rho-sso-corpo-test.apps.playcloud-test.p4.int:443 -showcerts
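The output of the openssl command above contains every certificate of the chain as a PEM block. As an added example (not part of the original page), the following POSIX shell function splits such output into one file per certificate, numbered in chain order, so that crt1.crt is the server certificate and crt2.crt its issuer, matching the file names used with orapki below. The sample s_client output embedded here is constructed with placeholder base64 (not real certificates) and the hostname sso.example.internal is assumed.

```shell
#!/bin/sh
# split_certs OUTDIR
# Reads `openssl s_client -showcerts` output on stdin and writes each PEM
# certificate block to OUTDIR/crtN.crt in the order the server sent them
# (crt1.crt = server leaf, crt2.crt = next certificate in the chain, ...).
# Prints the number of certificates written.
split_certs() {
  outdir="$1"
  mkdir -p "$outdir"
  awk -v dir="$outdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/crt" n ".crt" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }
  '
}

# Constructed sample of s_client output: placeholder base64, NOT real certificates.
SAMPLE_SCLIENT_OUTPUT='CONNECTED(00000003)
depth=1 CN = example-root
verify error:num=19:self signed certificate in certificate chain
---
Certificate chain
 0 s:CN = sso.example.internal
   i:CN = example-root
-----BEGIN CERTIFICATE-----
MIIBsamplePLACEHOLDERleafCertData0000000000000000000000000000
-----END CERTIFICATE-----
 1 s:CN = example-root
   i:CN = example-root
-----BEGIN CERTIFICATE-----
MIIBsamplePLACEHOLDERrootCertData0000000000000000000000000000
-----END CERTIFICATE-----
---
Server certificate
subject=CN = sso.example.internal'

# demo_split OUTDIR: run split_certs over the constructed sample.
demo_split() {
  printf '%s\n' "$SAMPLE_SCLIENT_OUTPUT" | split_certs "$1"
}

# Stand-alone demo: split the constructed sample into a temporary directory.
demo_dir="$(mktemp -d)"
echo "certificates written to $demo_dir: $(demo_split "$demo_dir")"
ls "$demo_dir"
```

Against a real server, pipe the command from the page through the function, e.g. `openssl s_client -connect <host>:443 -showcerts </dev/null | split_certs /tmp/sso.wallet` (the `</dev/null` makes s_client exit once the handshake is done). Before importing, confirm that crt2.crt really is the issuer of crt1.crt with `openssl verify -CAfile /tmp/sso.wallet/crt2.crt /tmp/sso.wallet/crt1.crt`; if the chain is longer than two certificates, add every CA certificate it contains to the wallet.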

You need a full installation of the Oracle client to do this; the Instant Client does not ship orapki and is not sufficient.
You can also run orapki on a database server if you have access to one.

cd C:\oracle\product\12.2.0\client_1\bin
rem orapki needs a JDK; do not quote the value, cmd would store the quotes as part of the path
set JAVA_HOME=c:\Program Files\java\jdk1.8.0_202
rem create an auto-login wallet (no password needed to open it) and import the certificates,
rem issuer (crt2) first, then the server certificate (crt1)
orapki wallet create -wallet c:\temp\sso.wallet -auto_login
orapki wallet add -wallet c:\temp\sso.wallet -trusted_cert -cert c:\temp\sso.wallet\crt2.crt
orapki wallet add -wallet c:\temp\sso.wallet -trusted_cert -cert c:\temp\sso.wallet\crt1.crt

Now copy the whole wallet folder (sso.wallet, containing cwallet.sso) to a location on the Oracle DB server and give the database owner access to it, for example chown -R oracle:oracle sso.wallet

Next go to the instance admin console, Manage Instance -> Instance Settings, where there is a Wallet section; enter the path of the copied folder there.
Because we used the -auto_login option when creating the wallet, you do not need to enter a password, just tick Auto-login Wallet.

Configure the Oracle APEX application for OIDC/OAuth2.

OIDC

We assume that you are using Keycloak and that your client_id is already configured there.
At a minimum, your APEX domain must be registered on that client.

Go to your application in apex next Shared Components and Authentication Schemes.

  • Create an authentication scheme with a name of your choice, setting Scheme Type -> Social Sign-In.
  • In Settings choose:
    • Credential Store -> ss0 (the Web Credential holding your Keycloak client ID and secret)
    • Authentication Provider -> OpenID Connect Provider
    • Discovery URL -> https://<keycloak_frontend_url>/auth/realms/<your_realm>/.well-known/openid-configuration
    • Scope -> openid
    • Username -> the attribute identifying your username
    • Convert Username To Upper Case -> Yes is suggested
    • Additional User Attributes -> for example email,profile,picture,preferred_username,sub,user_position,first_name,last_name
    • Map Additional User Attributes To -> G_EMAIL,G_PROFILE,G_PICTURE,G_DOMAIN_LOGIN,G_SUB,G_USER_POSITION,G_FIRST_NAME,G_LAST_NAME (one application item per attribute, in the same order)
  • In Session Not Valid choose:
    • Go To -> Login page
  • In Post-Logout URL set:
    • Go To -> URL
    • URL -> https://<keycloak_backend_url>/auth/realms/ssopm/protocol/openid-connect/logout

Now it is done.
