Closed advancedits closed 9 years ago
@advancedits Could you please clarify what it is you're trying to do? Are you trying to create an SSO server with Node.js?
Hi Dan, yes exactly. I want SSO between the 2 existing applications. The NodeJS app is using PassportJS authentication and APEX is using a custom authentication scheme. Do I need a 3rd SSO server?
Sorry I also added this question on your blog yesterday too :) https://jsao.io/2015/02/fun-with-node-js-and-apex/
@advancedits Let me first say that I'm NOT a security expert...
Yes, you would need some kind of SSO solution/server. If you already have Oracle Application Server SSO then APEX has an authentication scheme built in that's made to work with that solution and you would only need to configure it for your Node.js app as well. Of course there are other options for SSO solutions, though I don't know of or have any experience with any based on Node.js.
Most often, SSO is approached as a global/enterprise solution, but it seems like you're looking for something more isolated for these two applications, is that correct? If so, are they on the same domain? If so, you could use a shared secret/cookie technique whereby, upon authentication in one app, a cookie is generated based on an encryption algorithm that uses a key which both apps are aware of on the server side and use for decryption. With this method you would update the apps to check for this cookie if there's no valid session. If the cookie is valid you'd create the session, otherwise redirect for authentication.
There's an old white paper by Rod West which uses this technique to do something similar when going from EBS to APEX. You can find that here: http://www.oracle.com/technetwork/developer-tools/apex/apex-ebs-wp-cabot-consulting-169064.pdf
I think there was an issue of missing parenthesis in the code - just be on the lookout if you choose to use it.
Thanks Dan, that was very helpful.
Could you please share your thoughts on using the HTTP header variable solution with APEX? We just found this in APEX documentation: https://docs.oracle.com/database/121/HTMDB/sec_authentication.htm#CIHEBJEH
Can we call APEX from Node for example by putting user id in the header? Thought I get your view on this :)
@advancedits The HTTP header variable solution is great, but it requires an SSO solution to do it :) The SSO server basically acts as a proxy server between the end user and the application. The user tries to access the application(s) and the SSO server authenticates the user (once) then allows the request to proceed to the application along with a new HTTP header variable that it added which can be used by the application to identify the user.
Thanks Dan. Do you recommend any SSO Server solutions? We are hoping to be vendor agnostic.
@advancedits Oracle SSO Server! :) Sorry, no, not really... This isn't my area of expertise. I just work with what has been decided upon. As I said before, it's typically an enterprise decision, with lots of things to consider.
Thanks @dmcghan , appreciate it
This might not be the right place to ask, but I thought I'd try.
Does anyone have experience implementing SSO using an application built on NodeJS with an Oracle APEX application? Is it possible?