Oracle ATP APEX OpenID setup questions

AllenS. Mar 19 2025 — edited Mar 20 2025

Hi,

I set up a free tier Oracle Autonomous Database (Transaction) and have created a sample application which uses an OpenID authentication scheme. I've also set up a free tier account in Auth0 (my OpenID platform for testing the OpenID connection in APEX). I was planning on using this as a demo for any clients that may be interested in the system I'm building. It is easier to remember a custom domain than a long URL. It may also be more presentable to clients to see a personalized URL.

Anyway, everything is working fine except if I use a reverse proxy like nginx to hide the very long url that comes with the free tier of oracle.

For clarity here's what I did.

A. In Oracle Cloud Console

  1. Setup a free tier Oracle ATP with APEX.
  2. Setup a free tier Compute Instance using Canonical Ubuntu 24.
  3. Installed nginx and certbot in compute instance.
  4. Setup nginx for the custom domain based on this blog.

B. In auth0 admin

  1. I created an application
  2. Configured openid
  3. Generated client id and secret
  4. Entered the allowed callback urls
    a. Entered the callback url from the value of this query. (select apex_authentication.get_callback_url() from dual)
    b. Note: If I enter custom domain callback url (https://mydomain.com/ords/apex_authentication.callback), it doesn't work. Auth0 returns an error saying callback url (reverts back to value from B.4.a), is not in the allowed list.

C. In Oracle APEX

  1. Setup web credentials using client id and secret from #3 above.
  2. Create custom authentication scheme using scheme type Social Sign-In and Authentication Provider OpenID Connect Provider.
  3. Entered the required fields, Discovery URL, Scope, Username.

Problem

I can't seem to reverse proxy the callback url. As mentioned above in B.4.a, using the custom url callback doesn't work. If using the original callback url (select apex_authentication.get_callback_url() from dual), i.e. https://<very long text.oraclecloudapps.com/ords/apex_authentication.callback, it gives me an error (session time out/ended) for every successful authentication from auth0.

I could only guess that this happens because the original url before authentication is from a custom domain, i.e. https://mydomain.com/ords/r/ws/app/*. Then when I click Sign-In, it redirects to the auth0 authentication url, then redirects back to https://<very long text.oraclecloudapps.com/ords/r/ws/app after a successful authentication, which somehow breaks the session.

A couple of questions I have.

  1. Is there any way to change this to make it work without a paid subscription?
  2. If my client were to purchase the paid Oracle ATP, will this problem go away if using their own domain? Most likely these clients/organizations will already have their own Identity Provider and will want to use it for the authentication.
  3. If yes on #1, is this the way to do it? Also, the blog mentions using a Load Balancer, which worries me a bit (I'm not a network expert, please don't quote me on this), since the callback url will have the host url from where the Oracle APEX instance is (from my understanding based on my current experience with free tier) and not from the Load Balancer host (again based on my experience using a compute instance with nginx). Won't this cause any issue during IdP redirect?
  4. If no on #1, is there a document that can help with this?

Appreciate any feedback.

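Added example, not part of the original post: a small Python check that reproduces the two symptoms described above from the `redirect_uri` of an OIDC authorization request. The IdP host, client id and database hostname are constructed placeholders; it assumes the IdP compares callbacks as exact strings (wildcard entries are not handled) and that the session cookie is host-only.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

def host(url):
    """Lower-cased hostname of a URL ('' if absent)."""
    return (urlsplit(url).hostname or "").lower()

def diagnose(request_url, allowed_callbacks, start_url):
    """Return finding codes for the redirect_uri of an OIDC authorization request.

    BAD_REDIRECT_URI      - parameter missing or repeated
    NOT_IN_ALLOW_LIST     - no exact string match in the IdP allow-list
    CALLBACK_HOST_DIFFERS - callback returns to a different host than the one
                            the session began on; a host-only session cookie
                            (assumed: no Domain attribute) is not sent there
    """
    values = parse_qs(urlsplit(request_url).query).get("redirect_uri", [])
    if len(values) != 1:
        return ["BAD_REDIRECT_URI"]
    redirect_uri = values[0]
    findings = []
    if redirect_uri not in allowed_callbacks:  # exact match, no wildcards
        findings.append("NOT_IN_ALLOW_LIST")
    if host(redirect_uri) != host(start_url):
        findings.append("CALLBACK_HOST_DIFFERS")
    return findings

# Constructed sample values; ADB_HOST is a placeholder, not a real hostname.
ADB_HOST = "placeholder-adb.oraclecloudapps.com"
ADB_CALLBACK = f"https://{ADB_HOST}/ords/apex_authentication.callback"
CUSTOM_CALLBACK = "https://mydomain.com/ords/apex_authentication.callback"
START_VIA_PROXY = "https://mydomain.com/ords/r/ws/app/home"

def build_request(redirect_uri):
    """Build a constructed authorization request against a hypothetical IdP."""
    query = urlencode({"response_type": "code", "client_id": "demo-client",
                       "scope": "openid", "redirect_uri": redirect_uri})
    return f"https://idp.example/authorize?{query}"

if __name__ == "__main__":
    sent = build_request(ADB_CALLBACK)  # APEX sends the database-host callback
    print(diagnose(sent, [CUSTOM_CALLBACK], START_VIA_PROXY))  # case B.4.b
    print(diagnose(sent, [ADB_CALLBACK], START_VIA_PROXY))     # "Problem" case
    print(diagnose(build_request(CUSTOM_CALLBACK), [CUSTOM_CALLBACK], START_VIA_PROXY))
```

The last call shows the only combination with no findings: the callback APEX sends, the allow-list entry and the host the user started on all agree.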