generated from oracle/template-repo
-
Notifications
You must be signed in to change notification settings - Fork 6
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #61 from kgustafs123/main
Vijay's blog for Azure AD OAuth 2 token connection
- Loading branch information
Showing
33 changed files
with
225 additions
and
0 deletions.
There are no files selected for viewing
Binary file not shown.
104 changes: 104 additions & 0 deletions
104
vijay-blog-1/Oracle-database-access-with-azure-AD OAuth2-Integration.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| # Oracle Database Access with Azure AD OAuth2 Integration | ||
|
|
||
| In the world of database management and security, connecting Azure Active Directory (AD) with OAuth2 token to Oracle Database offers a robust authentication method, ensuring secure access control while streamlining user management. This integration leverages Azure AD’s powerful identity and access management features to authenticate users accessing Oracle Database through OAuth2 tokens. | ||
|
|
||
| ## Understanding OAuth2 and Azure AD Integration: | ||
|
|
||
| OAuth2 stands as an authorization framework facilitating secure and controlled access to resources. Azure AD, as an OAuth2 identity provider, enables users to obtain access tokens that validate their identities and permissions. | ||
|
|
||
| Integrating Azure AD with Oracle Database through OAuth2 grants users access based on their Azure AD credentials, strengthening security measures and simplifying access control. | ||
|
|
||
| The blog is part of a 3 part series of blogs. Part 1 is the setup. [Part 2](https://medium.com/@vbalebai/accessing-azure-ad-oauth-token-via-python-and-connecting-to-autonomous-database-adb-using-sql-5c4f77da71d9) is to get an access token in an interactive way and test the connection to Oracle ADB. Part 3 is use of Oracle development in java, python, .NET. | ||
|
|
||
| ## Steps to Connect Azure AD with OAuth2 Token to Oracle Database: | ||
|
|
||
| ### Prerequisite: | ||
|
|
||
| A login username/password and tenant domain in Azure. | ||
|
|
||
| Oracle Autonomous data. — This can have a wallet using mTLS or without it. | ||
|
|
||
| ### Step 1 : Azure AD setup: | ||
|
|
||
| Azure Portal Access: Log in to the Azure portal ([https://portal.azure.com](https://portal.azure.com/)) using the provided username/password. Navigate to Azure Active Directory > App registrations > New registration. | ||
|
|
||
|  | ||
|
|
||
| - *Register Your Application:* Enter essential details like name, redirect URIs, etc., to complete the application registration. | ||
|
|
||
|  | ||
|
|
||
| Click Register. | ||
|
|
||
|  | ||
|
|
||
| - *Add App URI:* Post registering the new App, proceed to add an Application ID URI, crucial for the Database configuration. The Client id is already in the URI in the format of api://Client_id. replace api:// with your tenant domain name and “SAVE” it.. | ||
|
|
||
|  | ||
|
|
||
| - *Create Scope :* Generate the required Scope by selecting ‘Expose an API’ and setting values like oracle_ADB_access. Ensure that **‘Admins and Users’** toggle is selected and **Enabled**. | ||
|
|
||
|  | ||
|
|
||
| - Create App Roles (e.g., admin_role, hr_role) to request the necessary scope for database authorization. | ||
|
|
||
|  | ||
|
|
||
| ## Step 2: Assign role Privilages in Enterprise App. | ||
|
|
||
| From the portal home , access the enterprise app by searching for the registered app name. In the user section, map Azure user IDs with respective roles (e.g., admin_role, hr_role). | ||
|
|
||
|  | ||
|
|
||
|  | ||
|
|
||
| In the user section, search for the Azure user id you logged into portal. This is the user id for role mapping. From the portal home , access the enterprise app by searching for the registered app name. In the user section, map Azure user IDs with respective roles (e.g., admin_role, hr_role). | ||
|
|
||
|  | ||
|
|
||
| Next, map the role admin_role to it. Repeat the steps for hr_role. | ||
|
|
||
|  | ||
|
|
||
|  | ||
|
|
||
| ### Step 3: Oracle Database Configuration | ||
|
|
||
| - Log in to Oracle Database with administrative privileges. | ||
|
|
||
|  | ||
|
|
||
| - *Create OAuth2 Authentication Profile:* Utilize the DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION procedure, specifying Azure AD parameters, such as tenant ID, application ID, and application ID URI. | ||
|
|
||
|  | ||
|
|
||
| - *Configure Database Authentication:* Verify the Azure AD configuration within the database by checking the identity_provider_type parameter. | ||
|
|
||
|  | ||
|
|
||
| *Create Users and Roles:* Establish users and roles that align with Azure AD roles, allowing access to the database solely through valid tokens. | ||
|
|
||
|  | ||
|
|
||
| ### Step 4: Registering the Oracle DB Client App with Azure AD | ||
|
|
||
| To get the token from Azure, we need to register a client. For other ways to access the token, checkout the [documentation.](https://docs.oracle.com/en/database/oracle/oracle-database/19/dbseg/authenticating-and-authorizing-microsoft-azure-active-directory-users-oracle-databases.html#GUID-B2F6E625-F004-4FA3-9F36-ECD9DDCB30E3) | ||
|
|
||
| Azure AD Admin Access: Log in to the Azure portal as an administrator with Microsoft Azure AD privileges from https://portal.azure.com. | ||
|
|
||
| 1. Register Database Instance: In the Azure Active Directory admin center, select “App registrations” and create a new registration for the Oracle Database Client App. | ||
|
|
||
|  | ||
|
|
||
| Set this application as public and set the url to [http://localhost](http://localhost/). | ||
|
|
||
| Setting API Permissions: Navigate to “API Permissions,” allowing the required permissions for the registered database. | ||
|
|
||
|  | ||
|
|
||
| This robust integration of Azure AD with Oracle Database through OAuth2 tokens not only fortifies security but also streamlines user access and management. With this method, managing user roles and permissions becomes more efficient, ensuring secure and controlled access to critical databases. | ||
|
|
||
| [Part 2](https://medium.com/@vbalebai/accessing-azure-ad-oauth-token-via-python-and-connecting-to-autonomous-database-adb-using-sql-5c4f77da71d9) : Get token and validate and test DB connection using sql*dev | ||
|
|
||
| Part 3 : run a Java, Python, OCI function connections. | ||
|
|
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Binary file not shown.
61 changes: 61 additions & 0 deletions
61
...-token-via-python-and-connecting-to-autonomous-database-using -sql-developer.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,61 @@ | ||
| # Accessing Azure AD OAuth token via Python and Connecting to Autonomous Database (ADB) Using SQL Developer | ||
|
|
||
| In today’s technological landscape, integrating applications with Azure Active Directory (AD) is becoming increasingly common. This blog post is part 2 and aims to guide you through the process of accessing Azure AD using Python, acquiring access tokens interactively, and subsequently connecting to an Autonomous Database (ADB) using SQL Developer. | ||
|
|
||
| ## Interactive Access Token Acquisition | ||
|
|
||
| To begin, let’s focus on acquiring an access token interactively through a Python program. This demonstration assumes you have the necessary prerequisites and have registered your application within Azure as described[in Part 1.](https://medium.com/@vbalebai/oracle-database-access-with-azure-ad-oauth2-integration-7cfce8e9da54) | ||
|
|
||
| ## Prerequisites: | ||
|
|
||
| Before starting, ensure you have the following information ready: | ||
|
|
||
| - Tenant ID: Directory (tenant) ID for your registered application in Microsoft Azure portal. | ||
| - Client ID: Application (client) ID associated with your registered application. | ||
| - Redirect URI: Set as ‘[http://localhost](http://localhost/)' for your application in Microsoft Azure portal. | ||
| - Install the MSAL Python SDK on your local machine by running `pip install msal`. | ||
| - Save the provided [Python code snippet](https://github.com/vijaybalebail/AzOAuth2ADB) as `get-tokens.py` on your local machine. | ||
|
|
||
| ## Running the Program: | ||
|
|
||
| Execute the Python program `get-tokens.py` as follows: | ||
|
|
||
|  | ||
|
|
||
| This program will prompt a browser window where you’ll enter your Azure user ID and password. Upon successful validation, the access token will be displayed. | ||
|
|
||
|  | ||
|
|
||
| ## Validating the Access Token: | ||
|
|
||
| To validate the access token, copy and paste it into [https://jwt.io](https://jwt.io/) and ensure that the ‘app roles’ mapped to the ADB are visible. | ||
|
|
||
|  | ||
|
|
||
| ## Connecting to ADB Using SQL Developer | ||
|
|
||
| Now, let’s proceed with connecting to an Autonomous Database (ADB) using SQL Developer. | ||
|
|
||
| ## Steps: | ||
|
|
||
| 1. Download the Latest SQL Developer: Ensure you have [SQL Developer 23c, ](https://www.thatjeffsmith.com/archive/2023/04/oracle-sql-developer-23-1-is-now-available/)which supports Azure OAUTH2 tokens and necessary JDBC thin drivers. | ||
| 2. Prepare Token and ADB Wallet: Save the obtained token in a file, e.g., `F:/t1/token`. If ADB is configured using mTLS, download and extract the wallet zip file into a directory. | ||
| 3. Create Connection in SQL Developer: | ||
|
|
||
| - Choose “Custom JDBC” when creating a new connection. | ||
| - Configure the JDBC URL similar to the example below: `jdbc:oracle:thin:@(description=(retry_count=2)(retry_delay=3)(address=(protocol=tcps)(port=1522)(host=adb.us-phoenix-1.oraclecloud.com))(connect_data=(service_name=bk8uwrvkgqzvi2h_k0mu7kr1pye5zn6w_low.adb.oraclecloud.com))(security=(ssl_server_dn_match=yes)(TOKEN_AUTH=OAUTH)(TOKEN_LOCATION=F:\t1\token)(my_wallet_directory=F:\t1\oauth_mtls)))` | ||
| - Include `(TOKEN_AUTH=OAUTH)(TOKEN_LOCATION=F:\t1\token)` to point to the token file. | ||
| - Include `(my_wallet_directory=F:\t1\oauth_mtls)` to point to the directory where the ADB wallet file is extracted. | ||
| - set connection type to OS | ||
|
|
||
|  | ||
|
|
||
| Connect to ADB: Once configured, establish the connection. Execute queries to check the connected username using SQL Developer: | ||
|
|
||
|  | ||
|
|
||
| ### Conclusion: | ||
|
|
||
| With these steps completed, you should now be successfully connected to your Autonomous Database (ADB) using SQL Developer, leveraging Azure AD access tokens acquired through Python. Explore the database, execute queries, and ensure seamless connectivity to your ADB. | ||
|
|
||
| Happy coding! |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file not shown.
Binary file not shown.
Binary file not shown.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file not shown.
Binary file not shown.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,60 @@ | ||
| # Understanding Azure AD Authentication: Interactive vs. Non-Interactive Token Acquisition | ||
|
|
||
|  | ||
|
|
||
| In the realm of Azure Active Directory (Azure AD), obtaining authentication tokens is a pivotal aspect of securing access to resources. Two primary methods — Interactive and Non-Interactive — facilitate this process. In this blog post, we delve into the distinctions between these methods and shed light on when Non-Interactive methods prove particularly advantageous. | ||
|
|
||
| ## Interactive Token Acquisition: A User-Centric Approach | ||
|
|
||
| The Interactive method involves user interaction, typically in the form of a login prompt. When an application initiates the authentication process, users are redirected to a new browser tab and prompted to provide their credentials interactively. This scenario is common in applications with a user interface, such as web applications or those executed on a device where user interaction is feasible. | ||
|
|
||
| ### Pros: | ||
|
|
||
| 1. User-Friendly: Allows for a seamless user experience and a browser redirection to login into Azure AD. | ||
| 2. Multi-Factor Authentication (MFA): Supports MFA for enhanced security. -> Leverages Azure AD MFA for user login | ||
|
|
||
| ### Cons: | ||
|
|
||
| 1. User Presence Required: Implies that user presence is necessary for token acquisition. | ||
| 2. Automated Scenarios: Can only run when a browser can run on that server and not possible to integrate into any automated process. | ||
|
|
||
| ## Non-Interactive Token Acquisition: Automation and Service Principals | ||
|
|
||
| In contrast, Non-Interactive methods called “Client Credential flow” are designed for scenarios where user interaction is impractical or unnecessary. This method is often employed in automated processes, background tasks, or services that don’t have a user interface. Service principals, representing applications rather than users, play a central role in Non-Interactive token acquisition. | ||
|
|
||
| ### Pros: | ||
|
|
||
| 1. Automation-Friendly: Suited for scenarios where user interaction is not possible or desired. | ||
| 2. Background Tasks: Ideal for tasks running in the background, devoid of user intervention. | ||
| 3. The server need not have a browser as connect to applications | ||
|
|
||
| ### Cons: | ||
|
|
||
| 1. Multi-Factor Authentication Challenges: Might face challenges when dealing with MFA due to the absence of a user. | ||
|
|
||
| ## When Non-Interactive is Useful: Scenarios and Considerations | ||
|
|
||
| 1. Automation and Scripting: Non-Interactive methods are indispensable when scripting or automating tasks that require access to Azure AD-secured resources. This is prevalent in scenarios such as scheduled jobs or data synchronization processes. | ||
| 2. Service-to-Service Communication: Applications communicating with each other, especially in a microservices architecture, benefit from Non-Interactive methods. Service principals authenticate the applications without user involvement. | ||
| 3. Backend Services: Backend services, devoid of user interfaces, often rely on Non-Interactive methods for acquiring tokens securely. | ||
| 4. Resource Access without User Presence: In scenarios where resource access is required without the need for direct user interaction, such as background data processing or API access. | ||
|
|
||
| ## Microsoft Authentication Library (MSAL) | ||
|
|
||
| Microsoft provides us with libraries to interact with Azure AD and get the token. Below are some sample program that connect to Azure using MSAL to get tokens. These tokens, once obtained, can be securely stored in a directory and configure Oracle Database connection strings. This opens up connection to Oracle databases, whether residing in the cloud or on-premises, with enhanced authentication and security. This demonstration assumes you have the necessary prerequisites and have registered your application within Azure as described[ in Part 1.](https://medium.com/@vbalebai/oracle-database-access-with-azure-ad-oauth2-integration-7cfce8e9da54) | ||
|
|
||
| ## Python Example: | ||
|
|
||
| ### Interactive Token Acquisition: | ||
|
|
||
|  | ||
|
|
||
| ### Non-Interactive Token Acquisition: | ||
|
|
||
|  | ||
|
|
||
| ## Java Example: | ||
|
|
||
| ### Non-Interactive Token Acquisition: | ||
|
|
||
|  |