REST clients must authenticate before accessing the administrative REST services. First, an Oracle Application Express instance administrator must log in to the Oracle Application Express application and register a REST client.
When a client has been registered in Instance Administration, the dialog shows the Client ID and Client Secret, which the client then uses to authenticate following the OAuth2 Client Credentials flow. The client first connects with the Client ID and Client Secret as its credentials. Upon successful authentication, the server sends back an OAuth access token. Using this access token, the client can then access the administrative REST services.
HTTP Request Syntax
Table 39-1 HTTP Request Syntax
| Parameter | Description |
|---|---|
| HTTP Method | |
| URL | |
| Request Body | |
| HTTP Request Headers | |
Returns
Returns a JSON object with the following structure upon successful authentication:
{
  "access_token": OAuth access token for subsequent requests,
  "token_type": "bearer",
  "expires_in": lifetime of the OAuth token, in seconds; typically "3600"
}
If authentication is unsuccessful, the server responds with HTTP 401 Unauthorized.
Examples
In the following examples, ClientId stands for the Client ID and ClientSecret for the Client Secret.
Example 1
The example displays the following output when you run the curl command-line utility:
$ curl -i \
    --user ClientId:ClientSecret \
    --data "grant_type=client_credentials" \
    http://application-express-host:port/ords/apex_instance_admin_user/oauth/token

HTTP/1.1 200 OK
Content-Type: application/json
Transfer-Encoding: chunked

{"access_token":"LfXJilIBdzj5JPRn4xb5QQ..","token_type":"bearer","expires_in":3600}
Use a JSON parser to extract the value of the access_token attribute and use it in subsequent requests.
Example 2
The example displays the following output when you use the APEX_WEB_SERVICE package in another Application Express instance:
begin
    apex_web_service.oauth_authenticate(
        p_token_url     => 'http://application-express-host:port/ords/apex_instance_admin_user/oauth/token',
        p_client_id     => 'ClientId',
        p_client_secret => 'ClientSecret'
    );
    dbms_output.put_line( 'The token is: ' || apex_web_service.oauth_get_last_token );
end;
/
The token is: LfXJilIBdzj5JPRn4xb5QQ..
With the acquired OAuth Access Token, the administrative REST Services can be called.
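The same flow (request a token with the client credentials, parse the JSON response, present the token on later calls) as an added Python example; it is not part of the original documentation or Oracle's code. The function names are hypothetical, the `Bearer` header follows from the `token_type` the page shows, and the https-only check is this example's own assumption.

```python
import base64
import json
import time
import urllib.parse
import urllib.request


class TokenError(Exception):
    """Raised when the token endpoint does not return a usable bearer token."""


def build_token_request(token_url, client_id, client_secret):
    """Build the POST that curl --user/--data sends: Basic auth plus form body."""
    if urllib.parse.urlsplit(token_url).scheme != "https":
        # Assumption of this example: never send the Client Secret in cleartext.
        raise ValueError("token URL must use https")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"grant_type": "client_credentials"}).encode()
    return urllib.request.Request(
        token_url, data=body, method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(status, body, now=None):
    """Return (access_token, expiry as epoch seconds) or raise TokenError."""
    if status == 401:
        raise TokenError("401 Unauthorized: check Client ID and Client Secret")
    if status != 200:
        raise TokenError(f"unexpected HTTP status {status}")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise TokenError("response body is not JSON") from exc
    token = doc.get("access_token") if isinstance(doc, dict) else None
    if not isinstance(token, str) or not token:
        raise TokenError("no access_token in response")
    if str(doc.get("token_type", "")).lower() != "bearer":
        raise TokenError("token_type is not bearer")
    lifetime = int(doc.get("expires_in", 0))  # seconds; accepts 3600 or "3600"
    return token, (time.time() if now is None else now) + lifetime


def bearer_headers(token):
    """Authorization header for subsequent administrative REST service calls."""
    return {"Authorization": f"Bearer {token}"}
```

Pass the request to `urllib.request.urlopen`, feed its status and body to `parse_token_response`, and request a new token once the returned expiry time has passed.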