Search code examples
oracle-apexopenid-connectauth0

Extracting Parameter Values Returned by APEX_AUTHENTICATION.CALLBACK?

I am trying to use Auth0 as Open ID Connect provider for authentication with Oracle APEX. By setting up an Authentication Scheme, I could signin using Auth0, and APEX can get #sub# like auth0|66042494aef3827a64c1f9e5, so at least it is partly successful.

The issue is that Auth0, would redirect to APEX with an URL like https://(myapexsite)/ords/apex_authentication.callback?code=(something)&state=(something) (I think this is standard with OpenID Connect / OAuth2) . I need to use the value of code parameter for further communication with Auth0 server. However, I am not sure how to I get the value within APEX. Is it automagically stored somewhere? Or am I supposed to write my own callback procedure instead of using the standard one?

The documentation of APEX APEX_AUTHENTICATION.CALLBACK said nothing about this

Solution

  • Answering my question. As a summary, the code is useless. Oracle has already consumed and make the result available in post authentication procedure as e.g., apex_json.get_clob('access_token').

    Long answer: The whole query string (i.e., code=(something)&state=(something) in above example) is available in the post authentication proc as owa_util.get_cgi_env('QUERY_STRING'). To extract using string manipulation procedures:

    procedure post_authentication
is
    q_string varchar2(1000);
    start_pos number;
    end_pos number;
BEGIN
...
q_string := owa_util.get_cgi_env('QUERY_STRING');

start_pos := instr(q_string, 'code=');
end_pos := instr(q_string, '&', start_pos + 1);
if end_pos <= 0 then
   end_pos := length(q_string) + 1;
end if;
:G_AUTH0_CODE := substr(q_string, start_pos + length('code='), end_pos - length('code=') - 1);
...
end;

    Here comes the key point: APEX has already consumed the code (which is oneoff). As a result, the extracted code is useless. The objective of code is to retrieve an access token (among other things), and APEX has made it available in the post authentication procedure as apex_json.get_clob('access_token') or apex_json.get_clob('id_token') . It is said that APEX has discarded the refresh_token (at least until APEX 23.1)

    Marking this as answered (by myself).