Implement AWS Cognito Authentication in your APEX Application

AWS Cognito is a popular cloud-based user authentication and management service provided by Amazon Web Services (AWS). It provides a simple and secure way for developers to manage user identities and access control for their applications. In this blog, we'll look at how to use AWS Cognito to authenticate an Oracle APEX application using Single Sign-On (SSO). This will allow users to log in to the Oracle APEX application using their existing AWS credentials, making the authentication process smoother and more secure. Whether you're a developer looking to implement SSO in your Oracle APEX application or simply interested in learning more about AWS Cognito, this blog is for you.

Before getting started with the APEX side of things, there are a few prerequisites.

You must have an AWS account and have set up Cognito:

1. Sign up for amazon AWS (https://portal.aws.amazon.com/)
2. Add billing info.
3. Follow this guide to set up Cognito on your account (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-getting-started.html)

This will show you how to:

• Create an App client and note down the App client ID.
• Add a custom domain name to the user pool.
• Enable the hosted UI for the user pool.
• Get the Discovery URL and relevant required details.
• Set the callback URL for your APEX application (enable 'Implicit Grant' for 'OAuths' at this point).

Once you have successfully set up and configured Cognito, APEX requires the following information for the integration. It is worth saving this information somewhere handy at this point:

• Discovery URL
• Client ID
• Client Secret

Step 1

We need to add the client ID as a web credential at the workspace level to utilise it in our app(s).

• Navigate to Workspace Utilities -> Web Credentials -> Create
• Give the credential a name and static identifier.
• Authentication type: OAuth2 Client Credentials Flow
• Client ID: <your cognito client ID>
• Client Secret <your cognito client secret>
• Apply Changes

Step 2

Now we need to create an authentication scheme for our application.

• In your application, navigate to Shared Components -> Authentication Schemes -> Create
• Select: 'Based on a pre-configured scheme from the gallery' -> Next
• Give your Auth scheme a name and select 'Social Sign-In' as the Scheme type.
• Select the web credential we created in the last step as the Credential Store and enter the Cognito Discovery URL we saved earlier.
• Scope: profile
• Username: #email#

Leave everything else as default for now and select Apply Changes.

Step 3

Now that the authentication scheme is set up, we need to handle the logout of the application. To do this, we must create a new (blank) page.

• Create 3 hidden page items:

PX_AWS_CLIENT_ID
PX_AWS_ENV
PX_AWS_REDIRECT_URL

• Add a pre-rendering process to populate these details. I would suggest storing these in an applications_settings table or something similar. (Replace X with your page number)

PX_AWS_CLIENT_ID: Cognito Client ID.

PX_AWS_ENV: Domain name from Cognito e.g: https://installer-connect-staging.auth.eu-west-2.amazoncognito.com.

PX_AWS_REDIRECT_URL: This should be the home page URL of your application.

• Next, create a Dynamic Action on Page Load to initialise the logout.
• True Action: Execute Server-side Code
• Code:

begin
   
apex_session.delete_session (
     p_session_id => :APP_SESSION);
 end;

• Now create another True action, this time Execute JavaScript Code (again replacing the X with your logout page number):
  
  window.location.replace(apex.item( "PX_AWS_ENV" ).getValue()+"/logout?client_id="+apex.item( "PX_AWS_CLIENT_ID" ).getValue()+"&redirect_uri="+apex.item( "PX_AWS_REDIRECT_URL" ).getValue()+"&response_type=code");

Step 4

Finally, we need to set our Post Logout URL.

• Navigate to Shared Components -> Our newly created Authentication Scheme -> Post-Logout URL and set this to the URL of our new log-out page.

In conclusion, it is great that we can integrate SSO authentication seamlessly into our APEX applications, giving our users a modern, seamless and secure authentication experience. AWS Cognito is very popular and is relatively simple to set up and implement in your application, allowing you to focus on application development while Cognito handles the heavy lifting of authentication and access control. For more information on Cognito and its capabilities, check out the developer guide.

If this blog was of interest, be sure to take a look at our AWS and Oracle Application Development services. If you would like to speak to one of our Oracle APEX experts, get in touch through enquiries@dsp.co.uk.