Thursday, February 07, 2019

Oracle APEX Less Social Sign-On with MS Azure and Office 365

After my last blog post a natural question came up: what if I'm a little anti-social?

Specifically, what if I do NOT want to make my APEX application available to everyone on the planet who has (or is willing to get) a Microsoft Azure / Office 365 account? What if I only want people in my company, which uses Azure AD, to be able to log in?

There are several ways you can do this, and I recommend you employ at least two. No, recommend is too lenient: I insist you employ at least two :). The first is to change the way you call the Microsoft OAuth2 provider. Instead of using the values from my last blog post:

Authorization Endpoint URL:
Token Endpoint URL:

Use the following:

Authorization Endpoint URL:
Token Endpoint URL:

For Insum, this would be

Authorization Endpoint URL:
Token Endpoint URL:

The method above does NOT restrict your application to just your domain. It only makes it harder for someone to use another domain: a savvy user can bypass it by simply typing "common" back into the URL.

The REAL step to secure your application is to do one or both of the following:

  1. Create an Authentication Scheme sentry function that makes sure the username includes @yourdomain.
  2. Create an Authorization Scheme that makes sure the username includes @yourdomain, and apply it to the application.
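Here is an added example of such a check, written for this post and not taken from it, that can back either the sentry function or a "PL/SQL Function Returning Boolean" Authorization Scheme. It assumes APP_USER holds the e-mail/UPN returned by Azure AD, and the company domain is a placeholder you replace with your own.

```plsql
-- Added example: returns TRUE only when the signed-in user's e-mail domain
-- is exactly the company domain. Use it as the sentry function of the
-- Authentication Scheme or as the body of an Authorization Scheme.
create or replace function is_company_user (
    p_username in varchar2 default v('APP_USER')
) return boolean
is
    -- ASSUMPTION / placeholder: replace with your Azure AD domain
    c_allowed_domain constant varchar2(255) := 'yourcompany.example';
    l_at_pos         pls_integer;
    l_domain         varchar2(255);
begin
    if p_username is null then
        return false;
    end if;

    -- Take everything after the LAST '@'. A plain substring test such as
    -- instr(p_username, '@yourcompany.example') > 0 would also accept a
    -- username like 'someone@yourcompany.example.other.example', so the
    -- whole domain is compared instead of searched for.
    l_at_pos := instr(p_username, '@', -1);
    if l_at_pos = 0 then
        return false;
    end if;

    l_domain := lower(trim(substr(p_username, l_at_pos + 1)));

    return l_domain = lower(c_allowed_domain);
end is_company_user;
/
```

In an Authorization Scheme of type "PL/SQL Function Returning Boolean", the function body is just `return is_company_user;`, with an error message telling the user their account is not part of the company directory.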

I am often logged into multiple Azure AD accounts at the same time. By adding yourCompanyDomain to the endpoint URLs you get the added bonus that users do not need to select a login each time they go to your application; Microsoft will detect the correct one to use.

1 comment:

Chris said...

Hi Anton,

great that you are blogging about Social Sign-In. Did you ever try the OpenID Connect mode, too? I think your discovery URL should be