2 Replies Latest reply on Apr 17, 2020 2:32 PM by RN

    Questions on OAuth2.0 basics


      I would first like to apologize if answers to my questions are easily available on the net. I did try to do some research but didn't work.


      We are Oracle/Apex shop and I am learning ORDS Authentication methods using OAuth2. I can run the client-credential method using curl and Postman, can I test how the Authorization Code method will work?


      1. I have created a client, privilege, role, and all mappings. and to test when I access url similar to


      I get prompted for sign-in. But after entering valid ORDS credentials, I get the following error:

      400 Bad Request

      One of the following request parameter values is missing or incorrect: client_id


      What does it take to have an Approval page?


      2. The second question, I have protected a resource using OAUTH2 client- credential grant for a server to server communication. If there has to be a Java application to consume this web service, where should client ID, Client Secret, and Access Token URL (/oauth/token) be stored on the Web Server (Tomcat in this case) so they are protected. What are the best practices?

      3. Will the Access Token URL always be  (../ords/schema_name/oauth/token) OR something else needs to be configured when going to production?




        • 1. Re: Questions on OAuth2.0 basics

          When I was first learning how to use OAuth2 authentication to protect my ORDS services, this was a great resource: https://oracle-base.com/articles/misc/oracle-rest-data-services-ords-authentication#oauth2


          To answer your questions:

          1. When any protected resource is accessed and the proper authentication is not provided, you will be taken to that sign in page.  The sign in page only accepts credentials for Basic authentication, so if you are not using Basic authentication, you will never be able to enter a valid username/password on that login page.
          2. I don't have too much experience with storing credentials in Java, so I don't want to give you an incorrect answer on this question.
          3. Yes, the URL to get the access token will always be ../ords/schema_name/oauth/token
          • 2. Re: Questions on OAuth2.0 basics

            Thanks for your response.

            1. Yes, I have been using the same Oracle documentation. It is a great resource for beginners. What I didn't understand is that in the Authorization Code section, it mentions about an approval page after I login as an ORDS user. I am using correct ORDS user credentials (because I get some invalid user message if credentials are wrong) but I can't go past that page. Looks like the "Approval" page needs to be built in some way. I am not clear about this part.

            3. Thanks for confirming this.