Skip to Main Content
Forums

APEX

Announcement

For appeals, questions and feedback about Oracle Forums, please email oracle-forums-moderators_us@oracle.com. Technical questions should be asked in the appropriate category. Thank you!

How to configure HTTP Header Authentication to fail when "username is empty"

RandyC22 hours ago

We've followed the confusing combination of Support Doc ID 2457010.1 and the App Builder Users Guide section on HTTP Header Variable authentication (at https://docs.oracle.com/en/database/oracle/apex/24.2/htmdb/http.header-variable.html#GUID-DCF33CEF-0996-4AAF-89A3-D7E2589E5585) to configure a functional HTTP Header authentication using OAM.

The Support Doc describes a configuration that's basically "backing in" to authentication by redirecting the "username is empty" error to "built-in url" and then protecting said URL (currently documented as apex_authentication.callback) by a WebGate. How do we configure this authentication scheme to catch a true "username is empty" error? If external authentication results in an empty username (doesn't set the HTTP header, for instance), the Scheme loops back to authentication_callback until the browser stops trying with ERR_TOO_MANY_REDIRECTS.

It appears that the configuration suggested by Doc ID 2457010.1 also prevents us from setting Verify Username to Each Request. This setting also results in too many redirects. I assume that this documentation...

Each Request will expect that the CGI variable is always set as soon as the login has been performed by the web server. If the username is not identical to the one stored in the current Oracle APEX session, the session will be invalidated and a new login will be initiated.

...means that it expects the HTTP header variable (CGI?) to be set when the authentication scheme is first called by a protected page (login has been performed by the web server?). Since it's not set until "username is empty", it's never set on first pass and Verify Username Each Request never succeeds. But, since there's no clear documentation here, nor any clear explanation of what's going on inside of the APEX authentication black box related to these configuration items in Oracle Support or web searches, we don't know if that's what's really happening.

We'd be grateful for any knowledge this community can provide. Oracle Support has no answers for us after three SR's from different angles.
Comments
Post Details
Added 22 hours ago
#oracle-apex
0 comments
43 views