Oracle APEX Less Social Sign-In with MS Azure and Office 365
After my last blog post a natural question came up: what if I'm a little anti-social?
Specifically, what if I do NOT want to make my APEX application available to everyone on the planet who has (or is willing to get) a Microsoft Azure / Office 365 account? What if I only want people in my company, which uses Azure AD, to be able to log in?
There are several ways you can do this, and I recommend you employ at least two. No, "recommend" is too lenient: I insist you employ at least two :). The first is to change the way you call the Microsoft OAuth2 provider. Instead of using the values from my last blog post:
Authorization Endpoint URL: https://login.microsoftonline.com/common/oauth2/v2.0/authorize
Token Endpoint URL: https://login.microsoftonline.com/common/oauth2/v2.0/token
Use the following:
Authorization Endpoint URL: https://login.microsoftonline.com/yourCompanyDomain/oauth2/v2.0/authorize
Token Endpoint URL: https://login.microsoftonline.com/yourCompanyDomain/oauth2/v2.0/token
For Insum, this would be insum.ca:
Authorization Endpoint URL: https://login.microsoftonline.com/insum.ca/oauth2/v2.0/authorize
Token Endpoint URL: https://login.microsoftonline.com/insum.ca/oauth2/v2.0/token
The method above does NOT restrict your application to just your domain. It only makes it harder for someone to use another domain: a savvy user can bypass it by simply typing "common" back into the URL.
The REAL step to secure your application is to do one or both of the following:
- Create an Authentication Scheme sentry function that makes sure the username includes @yourdomain
- Create an Authorization Scheme that makes sure the username includes @yourdomain, and apply it to the application.
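Here is what that check can look like, as an added example that is not from the original post. The function name app_user_in_domain and the domain insum.ca are placeholders to replace with your own; the function is assumed to be compiled in the application's parsing schema. Rather than a plain "contains @insum.ca" test, it compares everything after the last @ with the expected domain, so addresses such as someone@insum.ca.example.com or someone@notinsum.ca are rejected too.

```plsql
-- Added example, not code from the original post.
-- Assumptions: app_user_in_domain and the domain 'insum.ca' are placeholders;
-- compile the function in the APEX application's parsing schema.

create or replace function app_user_in_domain (
    p_username in varchar2,
    p_domain   in varchar2
) return boolean
is
    l_at_pos pls_integer;
    l_domain varchar2(255);
begin
    -- Empty username, or no '@' at all: deny.
    if p_username is null or instr(p_username, '@') = 0 then
        return false;
    end if;

    -- Take everything after the LAST '@' and compare it as a whole, ignoring
    -- case and surrounding whitespace. A substring test ("contains @insum.ca")
    -- would also accept someone@insum.ca.example.com; this does not.
    l_at_pos := instr(p_username, '@', -1);
    l_domain := lower(trim(substr(p_username, l_at_pos + 1)));

    return l_domain = lower(trim(p_domain));
end app_user_in_domain;
/

-- Authorization Scheme (Shared Components > Authorization Schemes) of type
-- "PL/SQL Function Returning Boolean", then selected as the application-level
-- Authorization Scheme under Shared Components > Security Attributes.
-- The scheme body is the single line:
--
--   return app_user_in_domain(:APP_USER, 'insum.ca');
--
-- The same function can be called from the Authentication Scheme's sentry
-- function, so both checks share one definition of "our domain".

-- Quick self-check with constructed usernames; run in SQL*Plus or SQLcl
-- after "set serveroutput on".
begin
    for r in (
        select column_value as u
          from table(sys.odcivarchar2list(
                   'alice@insum.ca',
                   'Bob@INSUM.CA',
                   'eve@notinsum.ca',
                   'eve@insum.ca.example.com',
                   'mallory',
                   null))
    ) loop
        dbms_output.put_line(
            rpad(nvl(r.u, '<null>'), 30) ||
            case when app_user_in_domain(r.u, 'insum.ca')
                 then 'allowed' else 'denied' end);
    end loop;
end;
/
```

Keep in mind that :APP_USER is whatever attribute you mapped to the username in the authentication scheme, so the check is only as good as that mapping: make sure it is the attribute Microsoft fills with the user's organisational address, and set the authorization scheme to evaluate once per session so the lookup does not run on every page view.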
I am often logged into multiple Azure AD accounts at the same time. Adding yourCompanyDomain to the Endpoint URLs has the added bonus that users do not need to pick an account each time they go to your application: Microsoft will detect the correct one to use.
Edit:
You can also log into the Azure Portal (https://portal.azure.com) and edit the manifest of your application:
Azure Active Directory > App Registrations > [Your Application] > Manifest
Change
"signInAudience": "AzureADandPersonalMicrosoftAccount",
to
"signInAudience": "AzureADMyOrg",