Basic Authentication
Definition:
Basic Authentication is a simple authentication method where the client sends HTTP requests with the Authorization header that contains the word "Basic" followed by a base64-encoded string of the username and password.
How it works:
1. The client sends a request to the server with the Authorization header in the format Basic <base64-encoded username:password>.
2. The server decodes the base64 string to retrieve the username and password.
3. The server verifies the credentials and, if valid, grants access to the requested resource.
Advantages:
• Simple and easy to implement.
• No need for additional libraries or complex setups.
Disadvantages:
• Credentials are sent with every request, which increases the risk if the connection is not secure.
• Requires HTTPS to ensure credentials are not exposed in transit.
• Not suitable for applications where strong security is required.
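The header construction and server-side handling described above, as an added example (not code from the original post): the client encodes username:password, the server decodes it with nothing more than base64, which is exactly why HTTPS is mandatory, and then verifies the password against a stored hash in constant time. The credential store and user "alice" are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Optional, Tuple

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed credential store (hypothetical): username -> (salt, PBKDF2 hash).
# The server keeps a hash, never the plaintext it just decoded from the header.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _pbkdf2("correct horse", _SALT))}
_DUMMY = (b"\0" * 16, b"\0" * 32)  # used for unknown users so timing stays uniform

def build_basic_header(username: str, password: str) -> str:
    """Client side (step 1): 'Basic ' + base64(username:password), per RFC 7617."""
    if ":" in username:  # RFC 7617 forbids ':' in the user-id
        raise ValueError("username must not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def parse_basic_header(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Server side (step 2): recover (username, password); None for anything malformed.
    No key is involved: anyone who captures the header can do this too."""
    if not header:
        return None
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, pw = raw.partition(":")  # the password itself may contain ':'
    return (user, pw) if sep else None

def authenticate(header: Optional[str]) -> Optional[str]:
    """Server side (step 3): return the verified username or None.
    Compare hashes in constant time and always run the KDF, even for unknown users."""
    creds = parse_basic_header(header)
    if creds is None:
        return None
    user, pw = creds
    salt, expected = USERS.get(user, _DUMMY)
    ok = hmac.compare_digest(_pbkdf2(pw, salt), expected)
    return user if ok and user in USERS else None
```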
OAuth
Definition: OAuth (Open Authorization) is an authorization framework that allows third-party applications to access a user's resources without exposing their credentials. OAuth 2.0 is the most widely used version.
How it works:
1. Authorization Grant: The client application requests authorization from the resource owner (user).
2. Authorization Server: The resource owner grants authorization, and the client receives an authorization grant (code).
3. Access Token: The client exchanges the authorization grant for an access token from the authorization server.
4. API Request: The client makes API requests with the access token in the Authorization header.
Types of Grants:
• Authorization Code: Used by web and mobile applications.
• Implicit: Used by browser-based applications.
• Resource Owner Password Credentials: Used when the client is highly trusted.
• Client Credentials: Used for machine-to-machine communication.
Advantages:
• Does not expose user credentials to third-party applications.
• Access tokens can be scoped and time-limited.
• Supports multiple authorization flows to suit different application needs.
Disadvantages:
• More complex to implement compared to Basic Authentication.
• Requires a secure authorization server.
----------------------- Oracle APEX OAuth Setup and Testing using Postman -----------------------
To obtain an OAuth token you need the authorization server's token URL. Here is how I built it on apex.oracle.com.
Copy the path of the API you are going to consume:
https://apex.oracle.com/pls/apex/erpstu ... employees/
Remove the module details /hr/employees/ and append /oauth/token:
https://apex.oracle.com/pls/apex/erpstu ... auth/token
DECLARE
  v_role           varchar2(100) := 'erpstuff_role';
  v_privilege_name varchar2(100) := 'erpstuff_privilege';
  v_patterns       varchar2(100) := '/employees/*';
  v_modules        varchar2(100) := 'erpstuff_module';  -- not used below; kept for reference
  v_client_name    varchar2(100) := 'erpstuff_client';
BEGIN
  -- 1. Role that the OAuth client will be granted
  ORDS.create_role(
    p_role_name => v_role
  );
  -- 2. Privilege bound to that role
  ORDS.create_privilege(
    p_name        => v_privilege_name,
    p_role_name   => v_role,
    p_label       => 'ERPSTUFF_PRIVILEGE',
    p_description => 'ERPstuff training session'
  );
  -- 3. Protect every URI matching the pattern with the privilege
  ORDS.create_privilege_mapping(
    p_privilege_name => v_privilege_name,
    p_pattern        => v_patterns
  );
  -- 4. Register an OAuth client for the client_credentials grant
  OAUTH.create_client(
    p_name            => v_client_name,
    p_grant_type      => 'client_credentials',
    p_owner           => 'ERPstuff IT',
    p_description     => 'A client for ERPstuff training session',
    p_support_email   => 'info@erpstuff.com',
    p_privilege_names => v_privilege_name
  );
  -- 5. Grant the role to the client so its tokens carry the privilege
  OAUTH.grant_client_role(
    p_client_name => v_client_name,
    p_role_name   => v_role
  );
  COMMIT;
END;
-- Verify what the script created
select * from user_ords_privileges;
select * from user_ords_privilege_roles;
select * from user_ords_privilege_mappings;
-- client_id and client_secret are what Postman (or apex_web_service) sends to the token URL
select name, client_id, client_secret from user_ords_clients;
select * from user_ords_client_privileges;
----------------------------------------
SELECT name, client_name
  FROM user_ords_client_privileges;
SELECT client_name, role_name
  FROM user_ords_client_roles;
In APEX, after running the above script:
Postman Testing
Removing Complete Data of this Exercise
DECLARE
  v_role           varchar2(100) := 'erpstuff_role';
  v_privilege_name varchar2(100) := 'erpstuff_privilege';
  v_patterns       varchar2(100) := '/employees/*';
  v_modules        varchar2(100) := 'erpstuff_module';  -- not used below; kept for reference
  v_client_name    varchar2(100) := 'erpstuff_client';
BEGIN
  -- Undo the setup in reverse order: role grant, client, mapping, privilege, role
  OAUTH.revoke_client_role(
    p_client_name => v_client_name,
    p_role_name   => v_role
  );
  -- Delete the client created above (same name as in the setup script)
  OAUTH.delete_client(
    p_name => v_client_name
  );
  ORDS.delete_privilege_mapping(
    p_privilege_name => v_privilege_name,
    p_pattern        => v_patterns
  );
  ORDS.delete_privilege(
    p_name => v_privilege_name
  );
  ORDS.delete_role(
    p_role_name => v_role
  );
  COMMIT;
END;
Using OAuth Token
declare
  l_clob clob;
begin
  -- Step 3: exchange the client id/secret for an access token at the ORDS token URL
  apex_web_service.oauth_authenticate(
    p_token_url     => 'https://apex.oracle.com/pls/apex/erpstuffords/oauth/token',
    p_client_id     => 'ys9f6Z9HLg8zhkdMBEargA..',
    p_client_secret => 'JyIx0y1o1l1KgdOHJY1Vaw..');
  -- Step 4: send the token as a Bearer header on the API call
  -- (clear any headers left over from an earlier call in this session first)
  apex_web_service.g_request_headers.delete;
  apex_web_service.g_request_headers(1).name  := 'Authorization';
  apex_web_service.g_request_headers(1).value := 'Bearer ' || apex_web_service.oauth_get_last_token;
  -- Prints the bearer token; useful for this exercise, but keep tokens out of production logs
  dbms_output.put_line(apex_web_service.oauth_get_last_token);
  l_clob := apex_web_service.make_rest_request(
    p_url         => 'https://apex.oracle.com/pls/apex/erpstuffords/hr/employees/',
    p_http_method => 'GET');
  dbms_output.put_line('Here is the API call result -> ' || l_clob);
end;
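The client_credentials exchange that the "How it works" steps 3 and 4 describe and that apex_web_service.oauth_authenticate performs above, as an added example that is not part of the original post: it builds the token request, parses the token response, tracks expiry, and only then attaches the Bearer header. It assumes, as ORDS does for this grant, that the client authenticates to the token URL with HTTP Basic client_id:client_secret and posts grant_type=client_credentials; the sample response is constructed.

```python
import base64
import json
import time
from dataclasses import dataclass
from typing import Dict, Optional
from urllib.parse import urlencode, urlsplit

def build_token_request(token_url: str, client_id: str, client_secret: str) -> Dict:
    """Step 3 for the client_credentials grant (ORDS style, an assumption stated in the
    lead-in): POST grant_type=client_credentials, authenticating with HTTP Basic
    client_id:client_secret. A plain-http token URL is refused outright."""
    if urlsplit(token_url).scheme != "https":
        raise ValueError("token endpoint must be https; the client secret would travel in clear")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return {
        "method": "POST",
        "url": token_url,
        "headers": {"Authorization": "Basic " + basic,
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials"}).encode(),
    }

@dataclass
class AccessToken:
    value: str
    expires_at: float  # absolute time, derived from expires_in when the token arrived

    def is_valid(self, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        return now < self.expires_at - 30  # renew 30 s early to absorb clock skew

def parse_token_response(body: bytes, now: float) -> AccessToken:
    """Parse the JSON token response; anything that is not a bearer token is an error."""
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError("token endpoint error: " + str(data.get("error", "no access_token")))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise ValueError("unexpected token_type " + repr(data.get("token_type")))
    return AccessToken(data["access_token"], now + int(data.get("expires_in", 0)))

def bearer_header(token: AccessToken, now: float) -> Dict[str, str]:
    """Step 4: the header for the API call; a stale token is never sent."""
    if not token.is_valid(now):
        raise ValueError("token expired; obtain a new one from the token endpoint")
    return {"Authorization": "Bearer " + token.value}

# Constructed sample response in the shape ORDS returns; the token value is made up.
SAMPLE_RESPONSE = b'{"access_token":"EXAMPLE_TOKEN","token_type":"bearer","expires_in":3600}'
```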
declare
  v_clob clob;
begin
  -- Same endpoint, but with Basic Authentication: the username/password
  -- travel base64-encoded on every request, so the URL must be https
  v_clob := apex_web_service.make_rest_request(
    p_url         => 'https://apex.oracle.com/pls/apex/erpstuffords/hr/employees/',
    p_http_method => 'GET',
    p_scheme      => 'Basic',
    p_username    => 'xx_username',
    p_password    => 'xx_password');
  dbms_output.put_line('API Response: ' || v_clob);
end;