I see in the documentation (and have tested this on apex.oracle.com) that an ORDS REST service can be secured using the current APEX session using First Party Authentication:
https://docs.oracle.com/en/database/oracle/oracle-rest-data-services/19.2/aelig/REST-development-tutorial.html#GUID-FB0CCF4A-FC81-4726-963E-75E0E26C3B8E
Basically:
- Assign the APEX user a group, e.g. “RESTful Services”
- Define an ORDS Role of the same name as the APEX user group, e.g. “RESTful Services”
- Define the ORDS Privilege, assign the Role (RESTful Services) and set the module to protect
- When you call the web service you pass the APP_ID and SESSION from APEX in the header or URL
- If you have a valid session in APEX you get access to the Web service, if not you are denied.
This works as documented on apex.oracle.com using an APEX user.
The question is: can this type of scenario work for other types of authentication, for instance Social Sign-In? If this does work using a Social login, then how do you assign the group (“RESTful Services”) to this user?
I think you can do this with WebLogic users https://docs.oracle.com/en/database/oracle/oracle-rest-data-services/19.2/aelig/developing-REST-applications.html#GUID-9F6B143E-8107-43A3-A554-9EF58124FBE4 by using role mapping.
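
The role and privilege steps listed in the question, scripted with the ORDS PL/SQL API instead of the UI. This is an added example, not part of the original post; the module name `example.module` and privilege name `example.restful.priv` are hypothetical placeholders.

```sql
-- Run as the REST-enabled schema that owns the module.
DECLARE
  l_roles    owa.vc_arr;
  l_patterns owa.vc_arr;  -- left empty: protection is by module, not by URI pattern
  l_modules  owa.vc_arr;
BEGIN
  -- The ORDS role name must match the APEX user group name exactly.
  ORDS.CREATE_ROLE(p_role_name => 'RESTful Services');

  l_roles(1)   := 'RESTful Services';
  l_modules(1) := 'example.module';  -- hypothetical module to protect

  -- Requests to the module now require a caller holding the role.
  ORDS.DEFINE_PRIVILEGE(
    p_privilege_name => 'example.restful.priv',  -- hypothetical name
    p_roles          => l_roles,
    p_patterns       => l_patterns,
    p_modules        => l_modules,
    p_label          => 'Example module access',
    p_description    => 'Restricts example.module to the RESTful Services group',
    p_comments       => NULL);

  COMMIT;
END;
/

-- Calling side (first-party authentication): the APEX page passes its own
-- application id and session id, either as a header
--   Apex-Session: <APP_ID>,<SESSION>
-- or as a query parameter
--   ?_apex_session=<APP_ID>,<SESSION>
-- A request without a valid session for a user in the group is denied.
```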