# IDCS Applications & Groups

<div data-node-type="callout">
<div data-node-type="callout-emoji">🕵</div>
<div data-node-type="callout-text">This article is part of a series called "Who Are You?". View all articles in the series <a target="_blank" rel="noopener noreferrer nofollow" href="https://spendolini.blog/series/who-are-you" style="pointer-events: none">here</a>.</div>
</div>

*Photo by* [*Chang Duong*](https://unsplash.com/@iamchang?utm_source=Hashnode&utm_medium=referral) *on Unsplash*

### Navigating to the IDCS Console

IDCS has its own console - unlike IAM, whose console is integrated into the OCI Console. Thus, finding it is a little tricky.

1. From the OCI Cloud Console main page, select the "hamburger" menu and click **Identity & Security**.
    
2. Under the Identity heading, click **Federation**.
    
3. Click **OracleIdentityCloudService**.
    
4. Next, click the URL next to **Oracle Identity Cloud Service Console** to open the IDCS Console. It will open up in a new window and looks like this:
    

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1688406353337/5087ad7f-e180-444e-b34b-9afba0405456.png align="center")

### Creating an Application in IDCS

The first thing we'll need to do is create an application. This will map to our APEX application and provide both AuthN and AuthZ services.

1. From the "hamburger" menu, select **Applications**.
    
2. Click **Add**.
    
3. Click **Confidential Application**.
    
4. Enter `IDCS Demo` for the Name.
    
5. Enter the application's home page as the Application URL.
    
6. Click **Next**.
    
7. Select **Configure this application as a client now**
    
8. Check the box for **Authorization Code**
    
9. Enter the following for the **Redirect URL**, replacing \[your-apex-server-name\] with your actual APEX server name:
    
    `https://[your-apex-server-name]/ords/apex_authentication.callback`
    
10. Enter the URL to your APEX application's home page for the **Post Logout Redirect URL**. This URL should end with `home` and carry nothing after it (no session ID, no query string), because IDCS will only redirect to a URL that exactly matches what is registered here.
    
11. Click **Next**.
    
12. Ensure **Skip for later** is selected and click **Next**.
    
13. Ensure **Skip for later** is selected and click **Next** again.
    
14. Click **Finish**.
    

On the next page, the Client ID & Client Secret will be displayed. Make note of these as we will need them to create a Web Credential in APEX. Treat the Client Secret like a password: it belongs only in the APEX Web Credential (which stores it encrypted), never in page items, PL/SQL code or source control.

15. Once you dismiss the window with the credentials, be sure to click **Activate** to activate your application.
    

### Integrating an IDCS Application with APEX

Let's switch back to APEX and configure our application to talk to IDCS. We'll start by creating the web credential that will store the Client ID & Secret.

1. Edit the **Shared Components** of your APEX application.
    
2. Click **Credentials**.
    
3. Click **Create**.
    
4. Enter `IDCS` for both the Name and Static ID, set the Authentication Type to **OAuth2 Client Credentials Flow**, paste your Client ID and Client Secret into the corresponding fields and click **Create**.
    

Next, we'll create a new Authentication Scheme and make it current.

1. Edit the **Shared Components** of your APEX application.
    
2. Click **Authentication Schemes**.
    
3. Click **Create**.
    
4. Click **Next**.
    
5. Set or enter the following values:  
    Notice: for the **Discovery URL**, replace \[xxx\] with the first portion of the URL from the IDCS console. It will look something like this:  
    `idcs-daef12b436e472f3b6aa4ddf463e5760`
    

| **Name** | IDCS |
| --- | --- |
| **Scheme Type** | Social Sign-In |
| **Credential Store** | IDCS |
| **Authentication Provider** | OpenID Connect Provider |
| **Discovery URL** | `https://[xxx].identity.oraclecloud.com/.well-known/openid-configuration/` |
| **Scope** | `profile,groups` |
| **Username** | `#sub#` |
| **Additional User Attributes** | `groups` |

6. Click **Create Authentication Scheme.**
    

At this point, the integration is technically set up, but there are a few more things we want to change in the APEX Authentication Scheme to make things smoother - such as being able to read IDCS groups and provide a proper logout URL.

1. Edit the **IDCS - Current** Authentication Scheme.
    
2. Enter the following code in the **PL/SQL Code** field under Source:
    

```sql
-- Runs after a successful IDCS login. APEX has already parsed the userinfo
-- response into the default apex_json context, so the "groups" array can be
-- read with get_count / get_varchar2 (indexes are 1-based).
procedure group_setup
as
  l_this_group_name       varchar2(255);
  l_group_count           number;
  l_group_membership_list apex_t_varchar2 := apex_t_varchar2();
begin
  -- get_count returns null when the "groups" claim is absent
  l_group_count := apex_json.get_count('groups');
  if l_group_count is not null then
    for i in 1..l_group_count
    loop
      -- IDCS sends each group as an object: {"id": "...", "name": "..."}
      l_this_group_name := apex_json.get_varchar2(p_path => 'groups[%d].name', p0 => i);
      apex_string.push(p_table => l_group_membership_list, p_value => l_this_group_name);
    end loop;
    -- register the names as dynamic groups for this APEX session so that
    -- "Is In Role or Group" authorization schemes (Type = Custom) can see them
    apex_authorization.enable_dynamic_groups(p_group_names => l_group_membership_list);
  end if;
end group_setup;
```

3. In the Login Processing region, enter `group_setup` for the **Post-Authentication Procedure Name**.
    
4. In the Post-Logout URL section, set Go To to **URL** and enter the application URL in the **URL** field. This must be exactly the value that was entered as the Post Logout Redirect URL in the IDCS Application (ending with `/home`); if the two differ, IDCS will refuse to redirect back after logout.
    
5. Click **Apply Changes.**
    
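The procedure above turns every group IDCS reports into an APEX dynamic group, and IDCS reports every group the user belongs to in the stripe, not only the ones meant for this application. The following anonymous block, an added example rather than code from the original post, parses a constructed IDCS userinfo payload with the same `apex_json` calls and keeps only groups that follow an agreed naming convention; the `APEX_` prefix and the sample group names are assumptions for the example. It can be run in SQL Workshop or SQL*Plus on any database with APEX installed; in the real Post-Authentication procedure the `apex_json.parse` call is not needed because APEX has already parsed the userinfo response, and the commented-out `enable_dynamic_groups` call is where the filtered list would be registered.

```sql
-- Added example (not from the original post): filter IDCS groups by a naming
-- convention before turning them into APEX dynamic groups.
declare
  -- Constructed sample of the JSON IDCS returns from its userinfo endpoint.
  l_userinfo clob := '{ "sub": "jane.doe@example.com",
                        "name": "Jane Doe",
                        "groups": [ {"id": "1a2b", "name": "APEX_users"},
                                    {"id": "3c4d", "name": "OCI_Administrators"},
                                    {"id": "5e6f", "name": "APEX_admins"} ] }';
  -- Assumed convention: only groups created for APEX carry this prefix.
  l_prefix   constant varchar2(30) := 'APEX_';
  l_count    number;
  l_name     varchar2(255);
  l_groups   apex_t_varchar2 := apex_t_varchar2();
begin
  -- Only needed here; APEX does this itself before the post-auth procedure runs.
  apex_json.parse(p_source => l_userinfo);

  -- get_count returns null when the claim is missing, so treat that as zero.
  l_count := apex_json.get_count(p_path => 'groups');
  for i in 1 .. nvl(l_count, 0) loop
    l_name := apex_json.get_varchar2(p_path => 'groups[%d].name', p0 => i);
    if l_name like l_prefix || '%' then
      apex_string.push(p_table => l_groups, p_value => l_name);
    else
      -- Unrelated OCI/IDCS groups are logged and dropped, never granted.
      dbms_output.put_line('ignored group: ' || l_name);
    end if;
  end loop;

  dbms_output.put_line('dynamic groups: ' || apex_string.join(l_groups, ','));
  -- Inside the real post-authentication procedure, register the filtered list:
  -- apex_authorization.enable_dynamic_groups(p_group_names => l_groups);
end;
/
```

With the sample payload the block keeps `APEX_users` and `APEX_admins` and reports `OCI_Administrators` as ignored. If you adopt such a prefix, the IDCS group and the APEX authorization scheme in the later steps would both use the prefixed name (for example `APEX_users` instead of `users`).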

We need to make one last change. This will allow the APEX Authorization Scheme "is in Role or Group" to look at the Dynamic Groups that IDCS populates.

1. Edit the **Shared Components** of your APEX application.
    
2. Click **Security Attributes**.
    
3. In the Authorization region, set **Source for Role or Group Schemes** to **Custom Code**.
    

At this point, you should be able to run your APEX application and use your IDCS credentials to log in successfully.

### Viewing Dynamic Group Membership

Before we start to integrate groups, let's add a simple report on Page 1 of our application. This report will return the list of groups that IDCS sends back to APEX. Displaying this list will be helpful when troubleshooting/developing your integration between APEX & IDCS.

1. Edit **Page 1** of your application.
    
2. Create a new **Classic Report** region.
    
3. Use the following **SQL** as the source of the report:
    

```sql
select WORKSPACE_ID,
       WORKSPACE_NAME,
       WORKSPACE_DISPLAY_NAME,
       APEX_SESSION_ID,
       USER_NAME,
       GROUP_NAME
  from APEX_WORKSPACE_SESSION_GROUPS
 where apex_session_id = :APP_SESSION
```

4. Log out and then log in to your application to see the values populated in the report. Note that the list contains every group your user belongs to in the IDCS stripe, including ones that have nothing to do with APEX (for example OCI administration groups), as IDCS is shared across all of OCI. Keep that in mind when naming groups, since any of them can be referenced by an APEX authorization scheme.
    

### Integrating IDCS Groups with APEX

Next, we'll create a group in IDCS and integrate that with APEX. Since we've done most of the groundwork already, this won't take long at all.

1. Login to the IDCS Console.
    
2. Click on the "hamburger" menu and select **Groups**.
    
3. Click **Add**.
    
4. Enter `users` for the Name and click **Finish**.
    
5. Click on the **Users** tab.
    
6. Click **Assign Users**.
    
7. Select your user and click **OK**.
    
8. Click on the **Access** tab.
    
9. Click **Assign Applications**.
    
10. Select **IDCS Demo** by clicking Assign.
    
11. Click **OK**.
    

If you switch back to your APEX application and log out and then log in again, you should see a row that contains the group `users`, as well as any other groups your user belongs to.

While in APEX, let's map an Authorization Scheme to this group.

1. Edit the **Shared Components** of your application.
    
2. Click **Authorization Schemes**.
    
3. Click **Create**.
    
4. Select From Scratch and click **Next**.
    
5. Enter or select the following options:
    

| **Name** | `users` |
| --- | --- |
| **Scheme Type** | Is In Role or Group |
| **Type** | Custom |
| **Name(s)** | `users` |
| **Validate Authorization Scheme** | Once per page view |

6. Click **Create Authorization Scheme**.
    

Now that we have a new Authorization Scheme mapped to IDCS, let's associate it with a new region.

1. Edit **Page 1** of your application.
    
2. Create a new Static Content region called `Users`.
    
3. In the Security section, set the Authorization Scheme to **users**.
    
4. Save your changes and run Page 1.
    

Since your user is in the `users` group on IDCS, you should see this new region called Users.

Next, let's remove your user from the `users` group on IDCS.

1. Switch to the **IDCS Console**.
    
2. From the "hamburger" menu, select **Groups**.
    
3. Select **users**.
    
4. Click on the **Users** tab.
    
5. Select your user and click on the **Revoke** button.
    
6. Click **OK** to confirm the removal.
    

Switch back to APEX, log out and log back in, and you should no longer see the Users region. The re-login is required: dynamic groups are evaluated once by the post-authentication procedure and then stored in the APEX session, so a change of group membership in IDCS only takes effect when a new session is created.

This technique can be used to create any number of groups and associate them with any APEX component. It's as easy as creating an Authorization Scheme that points to the corresponding IDCS group name.

### Controlling Application Access

As it stands, any authenticated user in your IDCS stripe will be able to access the APEX application that we integrated. This is because APEX is merely checking that the user completed an IDCS login; the `users` authorization scheme only hides one region, it does not gate the application itself.

In many cases, we will want to restrict access to a sub-set of users. Fortunately, that's trivial to do with IDCS, which stops the login before a token is ever issued to APEX. (As a second layer inside APEX, you can also set the application-level Authorization Scheme under **Security Attributes** to `users`, so that a user who somehow authenticates without the group gets APEX's access-denied page.)

1. Switch to the **IDCS Console**.
    
2. From the "hamburger" menu, select **Applications**.
    
3. Select **IDCS Demo**.
    
4. Select the **Configuration** tab.
    
5. Expand the **Authentication and Authorization** section.
    
6. Check the box next to **Enforce Grants as Authorization**.
    
7. Click **Save**.
    

Remove your user from the `users` group (and from any other group or direct assignment that grants this application), then sign out and sign in again. You should see the following message:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1688434767642/a2a069b5-aef4-49fd-8bf1-8c83192c7541.png align="center")

### Summary

It's pretty trivial to create an application and groups in IDCS and map them to your Oracle APEX applications. This keeps access control consolidated in a single place that is monitored and logged automatically. It also ensures that APEX applications are seen as on par with other commercial SaaS applications when it comes to integration.

---

Next up: **Multi-Factor Authentication**
