KEYCLOAK is an open-source software product with functionalities of single sign-on with Identity and Access Management aimed at modern applications and services. As of March 2018, this JBoss community project is under the stewardship of Red Hat who uses it as the upstream project for their RH-SSO product. So if you are building an Oracle APEX application and don’t want to bother with building custom authentication, KEYCLOAK could be the solution for you.

We have tried it out and it has proven to be reliable for implementing Single Sign-on for APEX, Java-based, and ODOO solution all in one platform.

After you have set up KEYCLOAK and you have Oracle APEX up and running you can integrate them. We are using KEYCLOAK 11.0.2 and APEX 20.1.

After logging in on KEYCLOAK with your admin user (URL to our KEYCLOAK is http://XYZ02:8180/auth/) and setting up our realm (our realm name is XYZCloud) you can proceed to create the integration. Details on setting up your KEYCLOAK server can be found here.

We have created our client with the Client protocol set up as OpenID-connect and Access Type as confidential so the client requires a secret to initiate a login protocol (our client name is APEXCK_TEST).

All URLs are https://XYZAPEX, except the redirect URL which is https://XYZAPEX/*  (without port since HTTPS is on 443 and without /ords/ part)

You have to copy the secret from the credential tab so you can create a web credential on the APEX side.

Additionally, create a user APEXTEST for testing purposes and in the credential part specified a password.

Now on the APEX side create web credential in you applications share components page (note: web credential is created for you whole workspace, so all applications can use it)

When creating Web credential authentication type is specified as OAuth2 Client Credentials flow, the Client ID is the name of the client specified in KEYCLOAK in our case it is APEXKC_TEST. And in the field “Client Secret or Password” and “Verify Client Secret or Password” copy/past your secret generated on the KEYCLOAK side.

Now we can create an Authentication Scheme for your application or change the existing one. Go to shared components in your application and go to Authentication Scheme

Where you will see the default Application Express Accounts specified as Current

You can now change it to Social Sign-in Schema Type, select your web credential in the Credential store filed. The authentication provider is Generic OAuth2 Provider. URLs for Authorization Endpoint, Token, and User info are all linked to your server where the KEYCLOAK is installed (our server is XYZ02 on port 8181) with realm name specified (our realm is XYZCloud)

In our examples the URLs are as followed:

Authorization Endpoint URL - http://XYZ02:8180/auth/realms/XYZCloud/protocol/openid-connect/auth

Token Endpoint URL - http://XYZ02:8180/auth/realms/XYZCloud/protocol/openid-connect/token

User Info Endpoint URL - http://XYZ02:8180/auth/realms/XYZCloud/protocol/openid-connect/userinfo

Additionally, specify your logout URL so when the user logs-out your KEYCLOAK session is doped and the user returns to the login screen.

Example of our logout URL:

http://XYZ02:8180/auth/realms/XYZCloud/protocol/openid-connect/logout?redirect_uri=https://XYZAPEX/ords/&HOME_LINK.

Now just start your APEX application and the KEYCLOAK login page should appear.

After entering the correct user/pass it should redirect you to the APEX application home page.

Good luck!