
ORDS, SODA & JSON in the Database


ORDS with EntraID JWT – "No JWK State was identified" and Authorization Issues - Client Credentials Flow

Duncs, Jun 11 2025 (edited Jun 16 2025)

Hi all,

I’m working on integrating ORDS with EntraID using JWT-based authentication (Client Credentials Flow), and I’m running into a few issues during validation and role-based access.

Environment Overview

  • ORDS Version: 25.1.0
  • Schema: MYSCHEMA
  • REST Module: v1.example.people
  • ORDS Privilege & Role Name: example.people
  • JWT Profile Configuration:
BEGIN
  -- Drop any existing profile for the schema first so the block can be re-run.
  OAUTH_ADMIN.DELETE_JWT_PROFILE('MYSCHEMA');
  OAUTH_ADMIN.CREATE_JWT_PROFILE(
    p_schema          => 'MYSCHEMA',
    -- Compared character for character against the token's iss claim.
    p_issuer          => 'https://sts.windows.net/11111111-2222-3333-4444-555555555555/',
    -- Compared against the token's aud claim (the resource API app's Application ID URI).
    p_audience        => 'api://aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee',
    -- JWKS endpoint from which ORDS fetches the signing keys it verifies tokens with.
    p_jwk_url         => 'https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/discovery/v2.0/keys',
    -- Claim whose values are matched against ORDS role names.
    p_role_claim_name => 'roles'
  );
  COMMIT;
END;
/

EntraID Setup

  • Tenant ID: 11111111-2222-3333-4444-555555555555
  • Two apps registered:
    1. Resource API App
      • Exposes an API - Application ID URI: api://*df…………………
      • App Role: example.people
    2. Client App
      • Has a client secret
      • Assigned the example.people App Role
  • JWT successfully obtained by the client app via client credentials grant. The token payload looks like this:
{
 "aud": "api://aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
 "iss": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
 "roles": ["example.people"],
 ...
}

Current Problems

  1. Calling the ORDS backend directly with the JWT:

    • Returns 401 Unauthorized

      No JWK State was identified to verify this JWT

  2. The JWK URL (https://login.microsoftonline.com/.../discovery/v2.0/keys) is publicly accessible and returns valid keys, so I'm unsure why ORDS is failing to parse it.

What Is Working

  • Calling the ORDS endpoint without a JWT returns the correct JSON response.
  • The JWT passes validation in Azure API Management using validate-jwt.
  • The App Role (example.people) matches the ORDS privilege and role names exactly.

What I Need Help With

  • Has anyone successfully used EntraID JWTs (with App Roles) to authorize access to protected ORDS endpoints?
  • What does the No JWK State was identified to verify this JWT message mean in practice? Is it a caching or parsing issue on ORDS’s side?
  • Could the format of the roles claim (as an array) be causing trouble in ORDS?
  • Any known gotchas with role-to-privilege mappings in ORDS?

Any pointers or shared experiences would be massively helpful. I feel like I’m close but missing one key piece to get authentication and authorization working consistently.

Duncs
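To isolate which step of the profile above is failing, it helps to run the same checks ORDS runs outside ORDS. The Go program below is an added example, not ORDS code and not part of the original post. It stands in for Entra ID with constructed data (a throw-away 2048-bit RSA key, a one-key JWKS, and a token with the iss, aud and roles values from the post; the kid value "key-1" is an assumption) and then verifies the token the way a JWT profile does: look the header's kid up in the JWKS, verify the RS256 signature, compare iss and aud exactly against the profile values, and require the ORDS role among the values of the roles claim. Feeding it a real token and the real JWKS document instead of the constructed ones shows immediately whether the kid is present, whether the signature checks out, and whether iss and aud match to the character.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
)

// Values copied from the JWT profile and the token in the post.
const (
	issuer   = "https://sts.windows.net/11111111-2222-3333-4444-555555555555/"
	audience = "api://aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
	ordsRole = "example.people"
)
var b64 = base64.RawURLEncoding

// claims holds the payload fields an ORDS JWT profile compares. Entra ID v1 client
// credentials tokens carry aud as a single string and roles as an array of strings.
type claims struct {
	Iss   string   `json:"iss"`
	Aud   string   `json:"aud"`
	Roles []string `json:"roles"`
}

// scenario stands in for Entra ID with constructed data: a throw-away signing key, the
// JWKS the discovery URL would serve for it, and an RS256 token shaped like the post's.
func scenario(kid string, roles []string) (token string, jwksDoc []byte, err error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", nil, err
	}
	jwksDoc, _ = json.Marshal(map[string]any{"keys": []map[string]string{{
		"kty": "RSA", "kid": kid,
		"n":   b64.EncodeToString(key.N.Bytes()),
		"e":   b64.EncodeToString(big.NewInt(int64(key.E)).Bytes()),
	}}})
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(claims{Iss: issuer, Aud: audience, Roles: roles})
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signingInput + "." + b64.EncodeToString(sig), jwksDoc, err
}

// verifyToken applies the checks an ORDS JWT profile applies to a bearer token: find the
// signing key by kid in the JWKS, verify the RS256 signature, compare iss and aud exactly
// against the profile, and require the ORDS role among the role claim's values.
func verifyToken(token string, jwksDoc []byte) ([]string, error) {
	parts := strings.Split(token, ".")
	var hdr struct{ Alg, Kid string }
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("not a compact RS256 JWS")
	}
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	if err := json.Unmarshal(jwksDoc, &set); err != nil {
		return nil, fmt.Errorf("unreadable JWKS: %w", err)
	}
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if n, err := b64.DecodeString(k.N); err == nil && k.Kty == "RSA" && k.Kid == hdr.Kid {
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil { // no key in the set matches the kid in the token header
		return nil, fmt.Errorf("no JWK with kid %q in the key set", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c claims
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return nil, fmt.Errorf("unreadable claims segment")
	}
	if c.Iss != issuer || c.Aud != audience {
		return nil, fmt.Errorf("iss %q or aud %q does not match the profile", c.Iss, c.Aud)
	}
	for _, r := range c.Roles {
		if r == ordsRole {
			return c.Roles, nil
		}
	}
	return nil, fmt.Errorf("role claim %v does not carry %q", c.Roles, ordsRole)
}

func main() {
	token, jwksDoc, _ := scenario("key-1", []string{ordsRole})
	fmt.Println(verifyToken(token, jwksDoc))
}
```

Two details matter when swapping in real data: the Entra ID JWKS document lists several keys, so the lookup is by kid rather than by position, and iss and aud are compared byte for byte, so a trailing slash or a v1 versus v2.0 issuer string is enough to fail the comparison even when the signature is good. A production verifier also checks exp and nbf, which the example leaves out.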
