Oracle APEX Less Social Sign-In with MS Azure and Office 365

After my last blog post a natural question came up: what if I'm a little anti-social?

Specifically, what if I do NOT want to make my APEX application available to everyone on the planet who has (or is willing to get) a Microsoft Azure / Office 365 account? What if I only want people in my company, which uses Azure AD, to be able to log in?

There are several ways you can do this, and I recommend you employ at least two. No, recommend is too lenient, I insist you employ at least two :). The first is to change the way you call the Microsoft OAuth2 provider. Instead of using the values in my last blog post:

Authorization Endpoint URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Token Endpoint URL: https://login.microsoftonline.com/common/oauth2/v2.0/token

Use the following:

Authorization Endpoint URL: https://login.microsoftonline.com/yourCompanyDomain/oauth2/v2.0/authorize
Token Endpoint URL: https://login.microsoftonline.com/yourCompanyDomain/oauth2/v2.0/token

For Insum, this would be insum.ca:

Authorization Endpoint URL: https://login.microsoftonline.com/insum.ca/oauth2/v2.0/authorize
Token Endpoint URL: https://login.microsoftonline.com/insum.ca/oauth2/v2.0/token

The method above does NOT restrict your application to just your domain. The tenant segment of the URL only tells Microsoft which tenant's sign-in page to present; it is not an authorization check. A savvy user can bypass it simply by substituting "common" for your domain in the URL.

The REAL step to secure your application is to do one or both of the following:

  1. Create an Authentication Scheme sentry function that makes sure the username ends with @yourdomain.
  2. Create an Authorization Scheme that makes sure the username ends with @yourdomain and apply it to the whole application.

In both cases compare the domain exactly rather than with a substring test: a check such as instr(:APP_USER, '@yourdomain') > 0 would also accept someone@yourdomain.attacker.com.
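Here is one way to implement the check, as an added example that is not part of the original post. It assumes the authentication scheme populates APP_USER with the user's e-mail address or UPN, and the function name, the default domain list and the sample usernames are my own choices for illustration:

```plsql
-- Added example, not from the original post. The function name, the default
-- domain list and the sample usernames below are assumptions for illustration.

-- Returns TRUE only when the part of p_username after its last '@' is exactly
-- one of the comma-separated domains in p_domains (compared case-insensitively).
create or replace function is_company_user (
  p_username in varchar2,
  p_domains  in varchar2 default 'insum.ca'
) return boolean
is
  l_user   varchar2(4000) := lower(trim(p_username));
  l_domain varchar2(4000);
begin
  -- No name, or no '@' at all: not a usable UPN / e-mail address, so deny.
  if l_user is null or instr(l_user, '@') = 0 then
    return false;
  end if;

  -- Everything after the LAST '@' is the domain; an empty domain is denied.
  l_domain := substr(l_user, instr(l_user, '@', -1) + 1);
  if l_domain is null then
    return false;
  end if;

  -- Exact comparison against each allowed domain. A substring test such as
  -- instr(l_user, '@insum.ca') > 0 would also accept 'mallory@insum.ca.evil.com'.
  for r in (
    select lower(trim(regexp_substr(p_domains, '[^,]+', 1, level))) as dom
      from dual
   connect by level <= regexp_count(p_domains, ',') + 1
  ) loop
    if l_domain = r.dom then
      return true;
    end if;
  end loop;

  return false;
end is_company_user;
/

-- Authorization Scheme of type "PL/SQL Function Returning Boolean". Select it
-- as the application's Authorization Scheme under Security Attributes so it
-- applies to every page, not just the ones where you remember to add it.
begin
  return is_company_user(:APP_USER, 'insum.ca');
end;

-- Quick check from SQL*Plus or SQL Developer (set serveroutput on).
-- The usernames are constructed test data.
begin
  for r in (
    select column_value as u
      from table(sys.odcivarchar2list(
             'alice@insum.ca',             -- allowed
             'Bob@INSUM.CA',               -- allowed, case-insensitive
             'mallory@insum.ca.evil.com',  -- denied: domain is not insum.ca
             'eve@gmail.com',              -- denied
             'insum.ca',                   -- denied: no '@'
             'trailing@',                  -- denied: empty domain
             null))                        -- denied
  ) loop
    dbms_output.put_line(
      rpad(nvl(r.u, '<null>'), 30) ||
      case when is_company_user(r.u) then 'allowed' else 'denied' end);
  end loop;
end;
/
```

The same function can be called from the sentry function of option 1, so both checks share one definition of "who belongs to the company". Pass several domains as a comma-separated list (for example 'insum.ca,insum.com') if your tenant has more than one verified domain.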

I am often logged into multiple Azure AD accounts at the same time. By adding yourCompanyDomain to the endpoint URLs, you get the added bonus that users do not need to pick an account each time they go to your application; Microsoft detects the correct one to use.

Edit:

You can also log into the Azure Portal (https://portal.azure.com) and edit the manifest of your application registration.

Azure Active Directory > App Registrations > [Your Application] > Manifest

Change

"signInAudience": "AzureADandPersonalMicrosoftAccount",

to

"signInAudience": "AzureADMyOrg",

This turns the registration into a single-tenant application: Azure AD itself refuses to sign in accounts from outside your tenant, whichever endpoint URL the client uses, so the "common" trick described above no longer works. It is enforced by the identity provider rather than by your code, which is why it belongs alongside the in-application checks, not instead of them.