Basic Authentication vs OAuth & OAuth Demo in Oracle APEX 24.1

Oracle Application Express is a rapid development tool for Web applications on the Oracle database.
Post Reply
admin
Posts: 2071
Joined: Fri Mar 31, 2006 12:59 am
Location: Pakistan
Contact:

Basic Authentication vs OAuth & OAuth Demo in Oracle APEX 24.1

Post by admin »

First of all, we need to understand differences between these two methods used to implement security while doing integration of two applications. Once understanding is established then it will be very easy to implement one of them as per your requirements in Oracle APEX. In is topic we will be doing OAuth (Open Authorization) only while Basic you may be already using which is everytime passing username and password with each call of API.

Basich Authentication

Definition:
Basic Authentication is a simple authentication method where the client sends HTTP requests with the Authorization header that contains the word "Basic" followed by a base64-encoded string of the username and password.

How it works:
1. The client sends a request to the server with the Authorization header in the format Basic <base64-encoded username:password>.
2. The server decodes the base64 string to retrieve the username and password.
3. The server verifies the credentials and, if valid, grants access to the requested resource.

Advantages:
• Simple and easy to implement.
• No need for additional libraries or complex setups.

Disadvantages:
• Credentials are sent with every request, which increases the risk if the connection is not secure.
• Requires HTTPS to ensure credentials are not exposed in transit.
• Not suitable for applications where strong security is required.

OAuth
Definition: OAuth (Open Authorization) is an authorization framework that allows third-party applications to access a user's resources without exposing their credentials. OAuth 2.0 is the most widely used version.

How it works:
1. Authorization Grant: The client application requests authorization from the resource owner (user).
2. Authorization Server: The resource owner grants authorization, and the client receives an authorization grant (code).
3. Access Token: The client exchanges the authorization grant for an access token from the authorization server.
4. API Request: The client makes API requests with the access token in the Authorization header.

Types of Grants:
• Authorization Code: Used by web and mobile applications.
• Implicit: Used by browser-based applications.
• Resource Owner Password Credentials: Used when the client is highly trusted.
• Client Credentials: Used for machine-to-machine communication.

Advantages:
• Does not expose user credentials to third-party applications.
• Access tokens can be scoped and time-limited.
• Supports multiple authorization flows to suit different application needs.

Disadvantages:
• More complex to implement compared to Basic Authentication.
• Requires a secure authorization server.

----------------------- Oracle APEX OAuth Setup and Testing using Postman -----------------------


For OAuth token you need authorization server URL like here I did on apex.oracle.com and this is how you can create your token URL.

Copy path of your API you are going to consume,

https://apex.oracle.com/pls/apex/erpstu ... employees/

remove module details /hr/employees/ and append with /oauth/token

https://apex.oracle.com/pls/apex/erpstu ... auth/token

Code: Select all

DECLARE
v_role varchar2(100) := 'erpstuff_role';
v_privilege_name varchar2(100) := 'erpstuff_privilege';
v_patterns varchar2(100) := '/employees/*';
v_modules varchar2(100) := 'erpstuff_module';
v_client_name varchar2(100) := 'erpstuff_client';

BEGIN

  ORDS.create_role(
    p_role_name => v_role
  );

  ORDS.create_privilege(
      p_name        => v_privilege_name,
      p_role_name   => v_role,
      p_label       => 'ERPSTUFF_PRIVILEGE',
      p_description => 'ERPstuff training session'
      );

  ORDS.create_privilege_mapping(
      p_privilege_name => v_privilege_name,
      p_pattern        => v_patterns
      );     

  OAUTH.create_client(
    p_name            => v_client_name,
    p_grant_type      => 'client_credentials',
    p_owner           => 'ERPstuff IT',
    p_description     => 'A client for ERPstuff training session',
    p_support_email   => 'info@erpstuff.com',
    p_privilege_names => v_privilege_name
  );

  OAUTH.grant_client_role(
    p_client_name => v_client_name,
    p_role_name   => v_role
  );

  COMMIT;
END;
select * from user_ords_roles;
select * from user_ords_privileges;
select * from user_ords_privilege_roles;
select * from user_ords_privilege_mappings;
select name, client_id, client_secret from user_ords_clients;
select * from user_ords_client_privileges;

----------------------------------------

SELECT name, client_name
FROM user_ords_client_privileges;

SELECT client_name, role_name
FROM user_ords_client_roles;

In APEX after running above script,
r2.jpg
Postman Testing
r33.jpg
r3.jpg
r4.jpg
r5.jpg
Removing Complete Data of this Excercise

Code: Select all

DECLARE
v_role varchar2(100) := 'erpstuff_role';
v_privilege_name varchar2(100) := 'erpstuff_privilege';
v_patterns varchar2(100) := '/employees/*';
v_modules varchar2(100) := 'erpstuff_module';
v_client_name varchar2(100) := 'erpstuff_client';

BEGIN
  OAUTH.revoke_client_role(
    p_client_name => v_client_name,
    p_role_name   => v_role
  );


  OAUTH.delete_client(
    p_name => 'emp_client'
  );

  ORDS.delete_privilege_mapping(
    p_privilege_name => v_privilege_name,
    p_pattern => v_patterns
  );   

  ORDS.delete_privilege (
    p_name => v_privilege_name
  );

  ORDS.delete_role(
    p_role_name => v_role
  );

  COMMIT;
END;
PLSQL Code to use OAuth Token in calling web service in Oracle APEX 24.1

Using OAuth Token

Code: Select all


declare
  l_clob    clob;  
begin
 
  apex_web_service.oauth_authenticate(
        p_token_url     => 'https://apex.oracle.com/pls/apex/erpstuffords/oauth/token',
        p_client_id     => 'ys9f6Z9HLg8zhkdMBEargA..',
        p_client_secret => 'JyIx0y1o1l1KgdOHJY1Vaw..');  
 
  apex_web_service.g_request_headers(1).name  := 'Authorization';
  apex_web_service.g_request_headers(1).value := 'Bearer ' || apex_web_service.oauth_get_last_token;

  dbms_output.put_line(apex_web_service.oauth_get_last_token);

  l_clob := apex_web_service.make_rest_request (
                p_url         => 'https://apex.oracle.com/pls/apex/erpstuffords/hr/employees/', 
                p_http_method => 'GET');
 
  dbms_output.put_line('Here is the API call result -> '||l_clob);
 

end;  
Using Basic Authentication

Code: Select all

declare
  v_clob    clob;  
begin

  v_clob := apex_web_service.make_rest_request (
                p_url         => 'https://apex.oracle.com/pls/apex/erpstuffords/hr/employees/', 
                p_http_method => 'GET',
                p_scheme      => 'Basic',
                p_username    => 'xx_username',
                p_password    => 'xx_password');
           
  dbms_output.put_line('API Response: '|| l_clob);
end;
Thanks
You do not have the required permissions to view the files attached to this post.
Malik Sikandar Hayat
Oracle ACE Pro
info@erpstuff.com
Post Reply

Who is online

Users browsing this forum: No registered users and 0 guests