2 Replies Latest reply on Jun 3, 2020 1:25 AM by Christian OTN

    ORDS security with APEX session (First Party Authentication)

    Christian OTN

      I see in the documentation (and have tested this on apex.oracle.com) that an ORDS REST service can be secured using the current APEX session using First Party Authentication:

       

      https://docs.oracle.com/en/database/oracle/oracle-rest-data-services/19.2/aelig/REST-development-tutorial.html#GUID-FB0CCF4A-FC81-4726-963E-75E0E26C3B8E

       

      Basically:

      1. Assign the APEX user a group, e.g. “RESTful Services”
      2. Define an ORDS Role of the same name as the APEX user group, e.g. “RESTful Services”
      3. Define the ORDS Privilege and assign the Role (RESTful Services) and set the module to protect
      4. When you call the web service you pass the APP_ID and SESSION from APEX in the header or URL
      5. If you have a valid session in APEX you get access to the web service; if not, you are denied.

       

      This works as documented on apex.oracle.com using an APEX user.

       

      The question is: can this type of scenario work for other types of authentication, for instance Social Sign-In?  If this does work using a social login, then how do you assign the group (“RESTful Services”) to this user?

       

      I think you can do this with WebLogic users https://docs.oracle.com/en/database/oracle/oracle-rest-data-services/19.2/aelig/developing-REST-applications.html#GUID-9F6B143E-8107-43A3-A554-9EF58124FBE4 by using role mapping.
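
      Steps 2 and 3 of the procedure in the post above, written as PL/SQL and run as the REST-enabled schema. This is an added example, not code from the original post; the module name `example.module` and privilege name `example.privilege` are hypothetical, and only the role name “RESTful Services” comes from the post.

```sql
-- Added example. Assumes the schema is already REST-enabled and that a
-- module named 'example.module' (hypothetical) already exists in it.
DECLARE
  l_roles    owa.vc_arr;
  l_patterns owa.vc_arr;  -- left empty: protection is by module, not URL pattern
  l_modules  owa.vc_arr;
BEGIN
  -- Step 2: the ORDS role must carry exactly the same name as the APEX
  -- user group, because the match is made on the name.
  ORDS.CREATE_ROLE(p_role_name => 'RESTful Services');

  -- Step 3: a privilege that requires that role and protects the module.
  l_roles(1)   := 'RESTful Services';
  l_modules(1) := 'example.module';

  ORDS.DEFINE_PRIVILEGE(
    p_privilege_name => 'example.privilege',
    p_roles          => l_roles,
    p_patterns       => l_patterns,
    p_modules        => l_modules,
    p_label          => 'Example module access',
    p_description    => 'Requires the RESTful Services role');

  COMMIT;
END;
/

-- Check: confirm which role the privilege demands. A privilege with no
-- role attached would not restrict callers to members of the group.
SELECT privilege_name, role_name
  FROM user_ords_privilege_roles
 WHERE privilege_name = 'example.privilege';

-- Step 4, on the client side: the APEX application id and session id
-- travel together, comma-separated, in one request header
-- (placeholders shown, not real values):
--   Apex-Session: <APP_ID>,<SESSION>
```

      Requesting the protected module without the session header should be refused, which is a quick way to confirm that the privilege is actually attached to the module.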