Bootstrap your APEX authentication & authorisation. a presentation by

Transcription

1 Bootstrap your APEX authentication & authorisation a presentation by

2 Who am I? Richard Martens independant Consultant since 2012 smart4apex founding member (2010) oracle since 2002 (Oracle 8i) PL/SQL, Apex, HTML(5), CSS(3), Javascript, XML, XSLT special interest in UI oracle ace since 2015 RIMA on Oracle Forums trainer at

3 Bootstrap your APEX authentication & authorisation a presentation by

4

5

6 This is what we re talking about

7

8 Agenda Introducing: APEX SSO components Not "single" but better "second" sign on. Once signed in, it acts like "single" Conditions, Assumptions and Prerequisites The Authentication Process The Authorization Process

9 Conditions, Assumptions & Prerequisites We need a central login application Central user and roles administration Optionally use 3rd party sign-on (Google Authentication etc.) We login using several workspaces and servers Once logged in we should be logged in in all applications Once logged out we must log out from all applications and workspaces Easily extendable to more workspaces, servers and applications

10 The Authentication Process user is not yet logged in 1. User requests a page from the application 2. Application detects that the user is not logged in 3. Application sends user to login application 4. Login application authenticates the user 5. Login application sends user to originating applications callback procedure 6. Callback procedure makes a REST request to the login server to get the users roles 7. When roles are received, the user is authenticated

11 The Authentication Process user is al ready logged in (another suite application) 1. User requests a page from the application 2. Application detects that the user is logged in 3. Application makes REST request to the login server to get the users roles 4. When roles are received, the user is authenticated 5. When no roles received, the user is not authenticated Landing-page: You are not authorized Login-application

12 Remember Google Authentication scheme?

13 Remember Google Authentication scheme? 1. apex redirects end-user to google login-page 2. after successful login into google, google redirects the end-user back to a redirect URL on your server (this is a pl/sql stored procedure) 3. when the pl/sql procedure runs it: a. requests google for an exchange token (using RESTFUL web services) b. reads a token from the google response c. requests further info ( -address, name etc.) d. creates a session for the end-user e. stores the token in an application-item and in an apex-collection f. redirects the user to the home-page 4. apex is now equipped with a token to do further requests to the google API s

14 Better well stolen than badly invented Fresh Login your app suite login user requests page user is redirected to login app user authenticates to login app apex login app user is authenticated user is redirected to Suite app call-back procedure call-back procedure requests for authorisation roles authorisation roles are sent by web service suite authe engine suite autho web service Using token for security Your app

15 Better well stolen than badly invented Second login your app user requests page Application detects cookie User is technically authenticated Applications Sentry function detects no roles suite login apex login app suite authe engine user is authenticated Sentry function requests roles authorisation roles are sent by web service suite autho web service Using token for security Your app

16 So what do we need? Client App Set Cookie name Mainly for same workspace authentication

17 So what do we need? Client App Set the session not valid URL Allows APEX to use pl/sql to redirect to login application #OWNER#.s4s_authentication_pck.redirect_to_login?p_goto_workspace=&WORKSPACE_ID. &p_goto_app=&app_alias. &p_goto_session=&app_session.

18 So what do we need? Client App Set Sentry, Invalid Session and Post logout procedures

19 So what do we need? Inlog App

20 So what do we need? Recap Inlog App Sentry function Client app Sentry function Authentication function Post logout procedure Session Not Valid = Login page Post Authentication procedure Post logout procedure Session Not Valid URL Cookie Name Cookie Name

21 So what do we need? Recap Foremost we must allow our callback procedure to be run from outside of APEX Runs from ORDS:

22 Another view at the system Sentry function detects no session P 101 after submit: authentication function Callback procedure: Creates APEX session Post authentication procedure Webservice returning JSON roles Sentry function detects cookie (session) Page gets displayed

23 Sentry function client app Sentry function detects no session P 101 after submit: authentication function The Sentry function defines a valid session: Is this session valid? Callback procedure: Creates APEX session Post authentication procedure Webservice returning JSON roles Session is valid when a valid cookie is found Sentry function detects cookie (session) Cookies are bound to each server / domain Page gets displayed Sentry is to check the session. In our case however we must create an APEX session when one is not there, but the cookie is valid. <pseudocode> 1. Get cookie data 2. If no cookie found: return false (making the app revert to login app) 3. If cookie found: is the APEX session available? 1. Yes: check / create autho collection and return true 2. No: create apex session and use cookie data to check (or create) autho collection, then return true </pseudocode>

24 Session not valid URL client app Sentry function detects no session P 101 after submit: authentication function redirect_to_login with URL parameters for setting page-item values Callback procedure: Creates APEX session <code> owa_util.redirect_url ( curl => g_login_base_uri 'f?p=' g_login_app -- app ':' g_login_page_alias -- page ':' -- session ':' -- request ':YES' -- debug ':' -- clearcache ':P101_GOTO_WORKSPACE,P101_GOTO_APP,P101_GOTO_SESSION' -- itemnames ':' l_goto_workspace -- itemvalues ',' l_goto_app ',' l_goto_session ); </code> Sentry function detects cookie (session) Page gets displayed Post authentication procedure Webservice returning JSON roles

25 Authentication function login-app Sentry function detects no session P 101 after submit: authentication function Takes only 2 parameters: username and password Callback procedure: Creates APEX session Post authentication procedure Webservice returning JSON roles We need 5! username, password, workspace, app_alias, session Sentry function detects cookie (session) On page 101: after-submit combine password + workspace + app_alias + session into :P101_PASSWORD item, within the authentication function we will unwrap this again <pseudocode> 1. unwrap the password to obtain password, workspace, app_alias and session 2. hash the password and check for username, hash, app_alias combination 3. return true when a record is found </pseudocode> Page gets displayed

26 Post authentication login-app Sentry function detects no session P 101 after submit: authentication function Responsible for sending the user to the client-app s callback function Callback procedure: Creates APEX session Post authentication procedure Webservice returning JSON roles Generate token for security Sentry function detects cookie (session) Clear session state for pw, goto_worksp, goto_app and goto_session on login-server Page gets displayed <pseudocode> 1. define clients ip-number and create token 2. get goto-app callback url 3. reset password, goto_workspace, goto_app and goto_session in session-state 4. Redirect user to application </pseudocode>

27 Callback procedure client app Sentry function detects no session P 101 after submit: authentication function Set client app cookie Create or use APEX Session Get roles from authorisation webservice and store in collection Callback procedure: Creates APEX session Sentry function detects cookie (session) Page gets displayed Post authentication procedure Webservice returning JSON roles <pseudocode> 1. Set SSO Cookie 2. Get Application info 3. If no error: 1. Set security group (workspace) 2. Set Flow ID (application-id) 3. Set Session Info (session) 4. Define user session (session) 5. Get JSON from webservice and store in collection 6. Log the user into APEX (sets APP_USERNAME") 1. This uses the p_app_page parameter to send the user to a page inside the app </pseudocode>

28 Post logout procedure client app Sentry function detects no session P 101 after submit: authentication function Expire the cookie Callback procedure: Creates APEX session Post authentication procedure Webservice returning JSON roles or Sentry function detects cookie (session) Page gets displayed Remove the cookie

29 DEMO TIME

30

31 Authorisation Create authorisation scheme: PL/SQL function returning boolean: return s4s_authorisation_pck.has_role(p_role_name => ROLENAME ); function has_role ( p_role_id in s4s_roles_vw.grup_id%type ) return boolean is cursor c_roles is from select count(1) s4s_roles_vw r where r.grup_id = p_role_id; l_reccount pls_integer; begin open c_roles; fetch c_roles into l_reccount; close c_roles; return l_reccount > 0; end has_role;