Sunday, July 6, 2025

Set Up Custom Authentication

Introduction
Setting up custom authentication in Oracle APEX gives you complete control over how users are validated before gaining access to your application. This is especially useful when you need to integrate with an external user database, apply specific business rules, or support alternative login mechanisms like tokens, APIs, or multi-step verification. By replacing the default authentication logic with your own PL/SQL procedures or external service calls, you can design a secure and flexible authentication system tailored to your exact needs.

 Setting up custom authentication in Oracle APEX allows you to define your own logic for validating users instead of using built-in methods like APEX accounts or LDAP. This approach is useful when you have a custom user table, need to integrate with external services, or want full control over login behavior. The process involves creating a custom authentication scheme, building PL/SQL logic for validation, and configuring your login page to work with that logic.

Start by navigating to Shared Components > Authentication Schemes. Click Create and select From Scratch. Choose Custom as the scheme type and give it a meaningful name, such as “Custom Login Handler.” Set this scheme as current so your application will use it.

Within the authentication scheme settings, scroll to the section labeled PL/SQL Function Returning Boolean. This function is responsible for deciding if the credentials entered by the user are valid. You will write or reference a PL/SQL function here. For example:

return auth_pkg.validate_user(:USERNAME, :PASSWORD);

Now create the package auth_pkg in your database with the following logic:

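-- Package specification: the body below does not compile without it.
-- Declaring custom_hash here also lets validate_user call it before its body appears.
CREATE OR REPLACE PACKAGE auth_pkg AS
  FUNCTION validate_user(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN;
  FUNCTION custom_hash(p_text IN VARCHAR2) RETURN VARCHAR2;
END auth_pkg;
/

CREATE OR REPLACE PACKAGE BODY auth_pkg AS
  -- Returns TRUE when the stored hash for the user matches the hash of the supplied password.
  FUNCTION validate_user(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
    v_hash  VARCHAR2(4000);
    v_valid BOOLEAN := FALSE;
  BEGIN
    SELECT password_hash INTO v_hash
    FROM app_users
    WHERE username = UPPER(p_username);

    IF v_hash = custom_hash(p_password) THEN
      APEX_UTIL.SET_AUTHENTICATION_RESULT(0);  -- success
      v_valid := TRUE;
    ELSE
      APEX_UTIL.SET_AUTHENTICATION_RESULT(1);  -- failure
    END IF;

    RETURN v_valid;

  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: same result code as a wrong password.
      APEX_UTIL.SET_AUTHENTICATION_RESULT(1);
      RETURN FALSE;
  END validate_user;

  -- SHA-256 digest of p_text as an uppercase hex string (requires EXECUTE on DBMS_CRYPTO).
  -- This is a single unsalted hash, so identical passwords produce identical stored values.
  FUNCTION custom_hash(p_text IN VARCHAR2) RETURN VARCHAR2 IS
  BEGIN
    RETURN RAWTOHEX(DBMS_CRYPTO.HASH(UTL_I18N.STRING_TO_RAW(p_text, 'AL32UTF8'), DBMS_CRYPTO.HASH_SH256));
  END custom_hash;
END auth_pkg;
/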

The function checks if the password entered matches the stored hash for the given user. You can replace this logic with anything appropriate for your system, including API calls or third-party integrations.

Next, modify your login page to use custom items for username and password, such as P101_USERNAME and P101_PASSWORD. Add a login button and create a process on submit with this PL/SQL code:

BEGIN
  IF auth_pkg.validate_user(:P101_USERNAME, :P101_PASSWORD) THEN
    -- POST_LOGIN requires both p_username and p_password.
    APEX_AUTHENTICATION.POST_LOGIN(
      p_username => :P101_USERNAME,
      p_password => :P101_PASSWORD);
  ELSE
    APEX_ERROR.ADD_ERROR(
      p_message => 'Invalid login. Please try again.',
      p_display_location => apex_error.c_inline_in_notification);
  END IF;
END;

This will authenticate the user and start the session if credentials are correct. Make sure the page process runs Before Header, and that session state is correctly submitted for the username and password items.

In the authentication scheme, configure the Post-Logout URL to redirect to your login page. You can also customize session timeout behavior and whether users should be re-authenticated after timeout.

Setting up custom authentication also allows for additional enhancements. You can log failed login attempts, block accounts after multiple failures, or implement multi-factor authentication. You can also use the custom logic to assign roles or load additional user context into APEX session state.

With custom authentication, Oracle APEX gives you the flexibility to match your application’s security needs exactly. The APEX framework provides the necessary APIs and integration points so your authentication logic works seamlessly with APEX sessions, page authorization, and user access control.

Additional Info

Learn how to configure a custom authentication scheme in Oracle APEX.

Setting Up Custom Authentication

Steps to Create a Custom Authentication Scheme:

Navigate to the Authentication Schemes Page

  • On the Workspace home page, click App Builder.

  • Select your application.

  • On the Application home page, click Shared Components.

  • The Shared Components page appears.

Create a New Authentication Scheme

  • Under Security, click Authentication Schemes.

  • On the Authentication Schemes page, click Create.

Select the Authentication Type

  • Choose "Based on a pre-configured scheme from the gallery" and click Next.

Configure Authentication Details

  • Name: Enter a descriptive name for the authentication scheme.

  • Scheme Type: Select Custom.

Define Custom Authentication Logic

  • Fill in the appropriate fields.

  • For details about each field, refer to the field-level Help.

Save the Authentication Scheme

  • Click Create Authentication Scheme to apply your changes.

Your custom authentication scheme is now set up and ready to be configured for login validation. 

Conclusion
Custom authentication in Oracle APEX is a powerful feature that allows you to move beyond standard login processes and design a solution that fits your application’s unique security requirements. Whether you’re validating users against a custom table, connecting to a third-party system, or implementing advanced login flows, the APEX platform provides the tools and flexibility to build secure, maintainable, and highly configurable authentication solutions.

 

Oracle APEX Expert: Custom Authentication

 

Introduction
Custom authentication in Oracle APEX gives developers full control over how users are validated before accessing an application. Unlike preconfigured schemes, a custom authentication approach allows integration with proprietary databases, external identity providers, API-based services, or unique login logic tailored to business rules. This level of flexibility is essential for applications that require more than just standard username and password validation or need to comply with specialized security protocols.

Custom authentication in Oracle APEX allows developers to define exactly how user credentials are verified when someone tries to access an application. This is essential when default methods such as APEX accounts, LDAP, or social sign-in do not meet specific business or security requirements. Implementing custom authentication involves writing your own logic, usually in PL/SQL, and configuring APEX to use this logic instead of the default mechanisms.

To start, go to Shared Components > Authentication Schemes, then click Create and choose From Scratch. Select Custom as the scheme type. Give the scheme a clear name, such as “Custom Auth Logic,” and set it as the current scheme. This tells APEX to use your logic during login.

Within the custom authentication scheme, you'll need to provide a PL/SQL function that returns a Boolean value. This function is where you define how the user is authenticated. A simple example might look like this:

RETURN my_auth_pkg.verify_credentials(:USERNAME, :PASSWORD);

In the database, create a package called my_auth_pkg with the verify_credentials function:

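-- Package specification: required before the body compiles.
CREATE OR REPLACE PACKAGE my_auth_pkg AS
  FUNCTION verify_credentials(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN;
END my_auth_pkg;
/

CREATE OR REPLACE PACKAGE BODY my_auth_pkg AS
  FUNCTION verify_credentials(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
    v_pwd users.password%TYPE;
  BEGIN
    SELECT password INTO v_pwd
    FROM users
    WHERE username = UPPER(p_username);

    -- hash_util.hash is not defined on this page; it must return the same
    -- format that is stored in users.password.
    IF v_pwd = hash_util.hash(p_password) THEN
      APEX_UTIL.SET_AUTHENTICATION_RESULT(0);  -- success
      RETURN TRUE;
    ELSE
      APEX_UTIL.SET_AUTHENTICATION_RESULT(1);  -- failure
      RETURN FALSE;
    END IF;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      -- Unknown user: same result code as a wrong password.
      APEX_UTIL.SET_AUTHENTICATION_RESULT(1);
      RETURN FALSE;
  END verify_credentials;
END my_auth_pkg;
/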

You can also add features like account lockouts, audit logging, or IP filtering inside this function to meet security policies.
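
One way to add the account lockout mentioned above, as an added example rather than code from the original post: a small login_guard package that wraps the my_auth_pkg.verify_credentials function shown earlier. The table, the package name and the policy values (5 failures, 15 minutes) are assumptions.

```plsql
-- Added example. All names are assumptions except my_auth_pkg.verify_credentials,
-- which is the function from the page.
CREATE TABLE login_attempts (
  username     VARCHAR2(255 CHAR) PRIMARY KEY,
  failed_count NUMBER DEFAULT 0 NOT NULL,
  locked_until DATE
);

CREATE OR REPLACE PACKAGE login_guard AS
  c_max_failures CONSTANT PLS_INTEGER := 5;   -- assumed policy value
  c_lock_minutes CONSTANT PLS_INTEGER := 15;  -- assumed policy value
  FUNCTION is_locked(p_username IN VARCHAR2) RETURN BOOLEAN;
  PROCEDURE record_attempt(p_username IN VARCHAR2, p_success IN BOOLEAN);
  FUNCTION guarded_verify(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN;
END login_guard;
/
CREATE OR REPLACE PACKAGE BODY login_guard AS
  FUNCTION is_locked(p_username IN VARCHAR2) RETURN BOOLEAN IS
    v_name  login_attempts.username%TYPE := SUBSTR(UPPER(p_username), 1, 255);
    v_until login_attempts.locked_until%TYPE;
  BEGIN
    SELECT locked_until INTO v_until FROM login_attempts WHERE username = v_name;
    RETURN v_until IS NOT NULL AND v_until > SYSDATE;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN
      RETURN FALSE;  -- no failures recorded for this name
  END is_locked;

  PROCEDURE record_attempt(p_username IN VARCHAR2, p_success IN BOOLEAN) IS
    PRAGMA AUTONOMOUS_TRANSACTION;  -- the counter survives a rollback of the login request
    v_name login_attempts.username%TYPE := SUBSTR(UPPER(p_username), 1, 255);
    v_max  PLS_INTEGER := c_max_failures;
    v_mins PLS_INTEGER := c_lock_minutes;
  BEGIN
    IF v_name IS NULL THEN
      RETURN;
    ELSIF p_success THEN
      DELETE FROM login_attempts WHERE username = v_name;
    ELSE
      -- Unknown names are counted like real ones, so lockout behaviour
      -- does not reveal which accounts exist.
      MERGE INTO login_attempts t
      USING (SELECT v_name AS username FROM dual) s
         ON (t.username = s.username)
      WHEN MATCHED THEN UPDATE SET
        t.locked_until = CASE WHEN t.failed_count + 1 >= v_max
                              THEN SYSDATE + v_mins / 1440 END,
        t.failed_count = t.failed_count + 1
      WHEN NOT MATCHED THEN
        INSERT (username, failed_count) VALUES (s.username, 1);
    END IF;
    COMMIT;
  END record_attempt;

  FUNCTION guarded_verify(p_username IN VARCHAR2, p_password IN VARCHAR2) RETURN BOOLEAN IS
    v_ok BOOLEAN;
  BEGIN
    IF is_locked(p_username) THEN
      APEX_UTIL.SET_AUTHENTICATION_RESULT(1);  -- same code the page uses for a bad password
      RETURN FALSE;                            -- the password is not checked while locked
    END IF;
    v_ok := my_auth_pkg.verify_credentials(p_username, p_password);
    record_attempt(p_username, v_ok);
    RETURN v_ok;
  END guarded_verify;
END login_guard;
/
```

The authentication scheme and the login process would then call login_guard.guarded_verify in place of my_auth_pkg.verify_credentials. Rows for names that never log in successfully accumulate, so purge old rows on a schedule.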

Next, customize the login page. Add page items for username and password. The Login button should execute a PL/SQL process that runs the custom logic and either redirects to the home page or displays an error message.

Here is a sample process:

BEGIN
  IF my_auth_pkg.verify_credentials(:P101_USERNAME, :P101_PASSWORD) THEN
    -- POST_LOGIN requires both p_username and p_password.
    APEX_AUTHENTICATION.POST_LOGIN(
      p_username => :P101_USERNAME,
      p_password => :P101_PASSWORD);
  ELSE
    APEX_ERROR.ADD_ERROR(
      p_message => 'Invalid credentials',
      p_display_location => apex_error.c_inline_in_notification);
  END IF;
END;

Set this process to run before header. Also make sure that on failed login attempts, the user stays on the login page and sees a useful error message.

You can use APEX_AUTHENTICATION.POST_LOGIN to complete the login programmatically after successful verification. This procedure sets up the session and redirects the user to the appropriate start page.

For logout handling, set a logout URL in your authentication scheme that points to a custom page or logs out the session and redirects the user.

Custom authentication in Oracle APEX is powerful because it gives you total control over who is allowed in and how login is handled. It works seamlessly with APEX session management and can be enhanced to support multi-factor authentication, REST-based verification, external token checks, or any other logic needed to secure your application.

 Additional explanation

 Creating a Custom Authentication Scheme in Oracle APEX gives you complete control over the authentication process, session management, and security policies. This method is ideal when built-in authentication methods (such as database authentication or LDAP) do not meet your requirements.

By implementing custom authentication, you can: 

  • Build a custom login interface

  • Define security policies for user sessions. 

  • Audit and track user activity.

  • Integrate APEX with external applications using a common authentication mechanism.


Why Use Custom Authentication?

Custom authentication is the best choice when:

  • Built-in authentication methods (database, LDAP, SAML) are not sufficient.

  • You need a custom login form with additional validation logic.

  • Advanced security features are required (e.g., multi-factor authentication (MFA), session tracking, or login throttling).

  •  Session expiration and activity tracking need to be customized.

  •  Your application consists of multiple applications that need to share the same authentication session.

  • You need one-way redirection logic before page processing (e.g., redirecting users based on roles or login time).

  •  Your APEX application must integrate with non-APEX systems using a shared authentication framework.


How to Implement Custom Authentication in Oracle APEX

1. Create a Custom Authentication Scheme

Navigate to Authentication Schemes

  • Open App Builder > Select your application.

  • Go to Shared Components > Click Authentication Schemes.

  • Click Create.

Choose Authentication Method

  • Select "Based on a preconfigured scheme from the gallery" > Choose Custom.

Enter Authentication Function

  • Under PL/SQL Function Returning Boolean, enter a function that validates user credentials.


2. Create a Custom PL/SQL Authentication Function

In SQL Workshop, create a PL/SQL function that verifies user credentials against a custom user table.

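CREATE OR REPLACE FUNCTION custom_authentication (
    p_username IN VARCHAR2,
    p_password IN VARCHAR2
) RETURN BOOLEAN IS
    v_count NUMBER;
    v_hash  VARCHAR2(32);
BEGIN
    -- Example: hashing passwords. MD5 returns 16 raw bytes in a VARCHAR2, so
    -- convert them to a 32-character uppercase hex string before comparing.
    -- users.password is assumed to hold the hash in that hex form.
    v_hash := RAWTOHEX(UTL_RAW.CAST_TO_RAW(
                  DBMS_OBFUSCATION_TOOLKIT.MD5(input_string => p_password)));

    SELECT COUNT(*)
    INTO v_count
    FROM users
    WHERE username = LOWER(p_username)
    AND password = v_hash;

    RETURN v_count = 1;
EXCEPTION
    WHEN OTHERS THEN
        -- Fail closed: any error (for example a NULL password) denies the login.
        RETURN FALSE;
END custom_authentication;
/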

This function checks whether the provided username and password match a row in the users table.
It hashes the password with MD5 for illustration only. MD5 is fast and the hash here is unsalted, so use SHA-256 or bcrypt for better security, with a per-user salt.
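
Following the note above about stronger hashing, this added example (not code from the original post) derives password hashes with salted PBKDF2-HMAC-SHA256 built from DBMS_CRYPTO primitives, a swapped-in technique that goes beyond the single-pass hashes shown on this page. The package name pw_hash, the iteration count and the RAW salt and hash columns it implies are assumptions.

```plsql
-- Added example: salted, iterated password hashing (PBKDF2-HMAC-SHA256).
-- Assumed, not from the page: package name pw_hash; the user table stores
-- a RAW(16) salt and a RAW(32) hash per user. Requires EXECUTE on DBMS_CRYPTO.
CREATE OR REPLACE PACKAGE pw_hash AS
  c_iterations CONSTANT PLS_INTEGER := 100000;  -- assumed value; tune to your hardware
  FUNCTION new_salt RETURN RAW;
  FUNCTION derive(p_password IN VARCHAR2, p_salt IN RAW,
                  p_iterations IN PLS_INTEGER DEFAULT c_iterations) RETURN RAW;
  FUNCTION matches(p_password IN VARCHAR2, p_salt IN RAW, p_stored IN RAW,
                   p_iterations IN PLS_INTEGER DEFAULT c_iterations) RETURN BOOLEAN;
END pw_hash;
/
CREATE OR REPLACE PACKAGE BODY pw_hash AS
  FUNCTION new_salt RETURN RAW IS
  BEGIN
    RETURN DBMS_CRYPTO.RANDOMBYTES(16);  -- 128-bit random salt, one per user
  END new_salt;

  -- PBKDF2 for a single 32-byte output block:
  --   U1 = HMAC(pw, salt || 0x00000001), Un = HMAC(pw, Un-1),
  --   result = U1 xor U2 xor ... xor Un
  FUNCTION derive(p_password IN VARCHAR2, p_salt IN RAW,
                  p_iterations IN PLS_INTEGER DEFAULT c_iterations) RETURN RAW IS
    v_key RAW(32767);
    v_u   RAW(32);
    v_out RAW(32);
  BEGIN
    IF p_password IS NULL OR p_salt IS NULL OR NVL(p_iterations, 0) < 1 THEN
      RAISE_APPLICATION_ERROR(-20010, 'password, salt and iteration count are required');
    END IF;
    v_key := UTL_I18N.STRING_TO_RAW(p_password, 'AL32UTF8');
    v_u   := DBMS_CRYPTO.MAC(UTL_RAW.CONCAT(p_salt, HEXTORAW('00000001')),
                             DBMS_CRYPTO.HMAC_SH256, v_key);
    v_out := v_u;
    FOR i IN 2 .. p_iterations LOOP
      v_u   := DBMS_CRYPTO.MAC(v_u, DBMS_CRYPTO.HMAC_SH256, v_key);
      v_out := UTL_RAW.BIT_XOR(v_out, v_u);
    END LOOP;
    RETURN v_out;
  END derive;

  FUNCTION matches(p_password IN VARCHAR2, p_salt IN RAW, p_stored IN RAW,
                   p_iterations IN PLS_INTEGER DEFAULT c_iterations) RETURN BOOLEAN IS
  BEGIN
    IF p_password IS NULL OR p_salt IS NULL OR p_stored IS NULL THEN
      RETURN FALSE;  -- fail closed on missing input
    END IF;
    RETURN derive(p_password, p_salt, p_iterations) = p_stored;
  END matches;
END pw_hash;
/
-- Enrolment: v_salt := pw_hash.new_salt; v_hash := pw_hash.derive(p_password, v_salt);
-- Login:     pw_hash.matches(p_password, <stored salt>, <stored hash>)
```

Storing the iteration count next to each hash lets you raise it later and re-hash a user's password at their next successful login.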


3. Configure Custom Authentication Scheme in APEX

  • Under PL/SQL Function Returning Boolean, enter:

return custom_authentication(:P101_USERNAME, :P101_PASSWORD);

  • Click Apply Changes to save.


4. Create a Custom Login Page

1. Create a Login Page

  • Navigate to App Builder > Click Create Page.

  • Select Login Page > Choose Blank Page.

  • Add two Text Items

    • P101_USERNAME (for username)

    • P101_PASSWORD (for password)

  • Add a Login Button and set its action to Submit Page.

2. Process Authentication on Login

  • Go to Processing > Create a new process: 

    • Name: Authenticate User

    • Type: PL/SQL Code

    • Code: 

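IF custom_authentication(:P101_USERNAME, :P101_PASSWORD) THEN
    -- LOGIN establishes the session and sets APP_USER itself; APP_USER is not
    -- an item that can be assigned through SET_SESSION_STATE.
    APEX_AUTHENTICATION.LOGIN(
        p_username => :P101_USERNAME,
        p_password => :P101_PASSWORD);
ELSE
    -- Requires an application item named LOGIN_FAILED.
    APEX_UTIL.SET_SESSION_STATE('LOGIN_FAILED', 'Y');
    RAISE_APPLICATION_ERROR(-20001, 'Invalid Username or Password');
END IF;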

  • If authentication succeeds, the user is logged in.

  • If authentication fails, an error message is displayed.


5. Customizing Session Management & Security

Session Timeout: Set session expiration policies in Security Attributes under Shared Components.

Session Tracking: Store login activity in a custom table:

CREATE TABLE login_audit (
    log_id NUMBER GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    username VARCHAR2(50),
    login_time TIMESTAMP DEFAULT SYSTIMESTAMP,
    ip_address VARCHAR2(50)
);

Log user login details:

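-- SYS_CONTEXT('USERENV', 'IP_ADDRESS') is the address of the client connected to
-- the database, which in an APEX deployment is normally the web listener rather
-- than the browser. OWA_UTIL.GET_CGI_ENV('REMOTE_ADDR') returns the address the
-- listener saw.
INSERT INTO login_audit (username, ip_address)
VALUES (:APP_USER, SYS_CONTEXT('USERENV', 'IP_ADDRESS'));
COMMIT;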


Custom authentication in Oracle APEX gives you full control over login, session management, and security policies. It allows you to integrate with custom user repositories, external applications, and enforce advanced security measures. By using PL/SQL functions and session management techniques, you can build a secure and flexible authentication system tailored to your application's needs. 

Conclusion
Becoming proficient in custom authentication within Oracle APEX unlocks powerful capabilities for building secure, user-aware applications. By designing your own logic using PL/SQL, dynamic actions, or REST integrations, you can ensure that authentication aligns precisely with your application’s needs. While it requires more effort than using built-in schemes, custom authentication offers unmatched adaptability for complex environments.

Understanding Preconfigured Authentication Schemes in Oracle APEX

 

Introduction
Preconfigured authentication schemes in Oracle APEX provide a fast and reliable way to secure your applications using proven methods. These built-in options allow developers to implement common authentication strategies such as Oracle APEX Accounts, Social Sign-In, LDAP, and more without having to write custom code. By leveraging these predefined schemes, you can quickly enable user authentication while maintaining flexibility and control over login behavior and user session management.

 In Oracle APEX, preconfigured authentication schemes are built-in methods that control how users log in to your application. These schemes are designed to simplify authentication setup while offering flexibility for various use cases. When you create an application in APEX, it automatically includes a default authentication scheme, usually "Application Express Accounts," but you can choose from several other preconfigured options depending on your requirements.

To manage authentication schemes, go to Shared Components > Authentication Schemes. Here, you can view, create, edit, and set the current authentication scheme. Each scheme type comes with predefined logic that handles the login process, session validation, and logout behavior.

The most commonly used preconfigured authentication schemes are:

Application Express Accounts
This uses APEX’s internal user repository. You can manage users via App Builder > Manage Users and Groups. This option is useful for development or internal applications where you want to manually control access.

Database Accounts
This authenticates users against Oracle database usernames and passwords. It is less commonly used in web-based apps because database credentials are required. This scheme is mainly for administrative or utility applications.

LDAP Directory
This scheme integrates with enterprise directories like Microsoft Active Directory. You configure the LDAP server settings such as host, port, and base DN. Users are authenticated against the LDAP server. It's ideal for organizations with centralized user management.

Social Sign-In
This allows authentication via OAuth2 and OpenID Connect providers like Google, Microsoft, or Facebook. You must register your APEX app with the provider and configure the client ID, client secret, and redirect URI. This scheme is suited for modern, public-facing apps where convenience is important.

Oracle APEX Users
This uses the same logic as "Application Express Accounts" but is specifically linked to users defined within a specific APEX workspace. It is suitable for environments where user management is handled within APEX itself.

No Authentication (Public Application)
This allows users to access the application without logging in. It is useful for public websites or help pages. Be cautious with this option and ensure sensitive data is not exposed.

To switch between schemes, click on the scheme and choose “Set as Current.” Each scheme has attributes like session timeout, post-login procedure, and logout URL that can be customized. You can also configure how login failures are handled and whether to redirect to a custom login page.

Preconfigured schemes also allow fallback settings. You can define one scheme as the primary and others as fallback, which helps when migrating between authentication methods or when implementing conditional login logic.

Using these preconfigured authentication schemes in Oracle APEX allows developers to set up secure access control without building complex authentication logic from scratch. Each scheme is designed to work seamlessly with the APEX framework while offering room for customization through PL/SQL or dynamic actions. This approach enables you to match authentication strategy with the security policies of your application and organization.

 Oracle APEX provides several preconfigured authentication schemes that simplify user authentication and session management. These authentication schemes allow developers to quickly implement secure user authentication without writing complex authentication logic.


What Are Preconfigured Authentication Schemes?

Preconfigured authentication schemes are built-in authentication methods that Oracle APEX provides by default. They follow standard authentication and session management practices, making it easier to enforce security and control user access.

When creating an authentication scheme from the Authentication Scheme Gallery, you can choose from a list of predefined authentication schemes that handle different authentication methods, including database accounts, LDAP, social sign-in, and more.


Types of Preconfigured Authentication Schemes

1. Builder Extension Sign-in

  • Allows users to log into an Extension App without signing in again if they have an active APEX session.

  • Checks for an existing APEX session and grants access accordingly.

2. Custom Authentication

  • Enables developers to create a fully customized authentication process.

  • Typically implemented using PL/SQL functions to verify user credentials against a custom user repository.

3. Database Accounts

  • Uses Oracle database user accounts for authentication.

  • Users log in with their database schema credentials.

4. HTTP Header Variable

  • Authenticates users externally using an HTTP header variable.

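  • The web server must be configured to set the username in an HTTP header, and to discard any copy of that header sent by the client, because APEX trusts the value it receives.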

5. LDAP Directory

  • Authenticates users against an LDAP server.

  • Requires LDAP configuration details such as server address, port, and search filters.

6. No Authentication (Using DAD)

  • Uses the current database user as the authenticated user.

  • Works with mod_plsql Database Access Descriptor (DAD) for authentication.

7. Open Door Credentials

  • Allows anyone to access the application.

  • Provides a basic login page where users can enter any username.

8. Oracle APEX Accounts

  • Uses APEX workspace user accounts for authentication.

  • Users must be registered in APEX’s internal user repository.

9. Oracle Application Server Single Sign-On (SSO)

  • Delegates authentication to Oracle Application Server SSO.

  • Requires registering the application with the SSO server.

10. SAML Sign-In

  • Uses Security Assertion Markup Language (SAML) for authentication.

  • Commonly used in enterprise applications for federated authentication.

11. Social Sign-In

  • Allows users to log in using Google, Facebook, Microsoft, or other social providers.

  • Supports authentication via OpenID Connect or OAuth2.


Choosing the Right Authentication Scheme

  • For internal applications using APEX accounts → Use Oracle APEX Accounts.

  • For database security where users have individual accounts → Use Database Accounts.

  • For enterprise authentication with an existing user directory → Use LDAP or SAML Sign-In.

  • For public applications without user restrictions → Use Open Door Credentials or No Authentication.

  • For single sign-on (SSO) in Oracle environments → Use Oracle Application Server SSO.

  • For external authentication via social providers → Use Social Sign-In.

  • For applications behind a proxy or load balancer → Use HTTP Header Variable authentication.


Implementing a Preconfigured Authentication Scheme

1. Navigate to Authentication Schemes

  • Open App Builder and select your application.

  • Click Shared Components > Authentication Schemes.

2. Create a New Authentication Scheme

  • Click Create.

  • Select Based on a preconfigured scheme from the gallery.

  • Choose the authentication scheme that fits your requirements.

3. Configure Authentication Settings

  • Provide necessary credentials, server details, or API configurations.

  • Define post-authentication and post-logout procedures, if needed.

4. Activate the Authentication Scheme

  • Click Make Current to set the new authentication scheme as active.


Preconfigured authentication schemes in Oracle APEX provide a quick and secure way to implement authentication. They cover a variety of use cases, from database authentication to enterprise SSO and social login. By selecting the appropriate authentication method, developers can ensure their applications meet security and usability requirements.

Conclusion
Understanding and using preconfigured authentication schemes in Oracle APEX can save significant development time while ensuring your applications follow standard security practices. These schemes offer powerful configuration options and can be extended or combined with custom logic when needed. Whether you're building an internal enterprise tool or a public-facing app, selecting the right authentication scheme is a critical step toward delivering a secure and user-friendly experience.