Skip to main content

Dynamically Switch Authentication in Oracle APEX Using the Configuration Procedure

Oracle APEX PL/SQL Authentication

One app. Two servers. Zero hardcoded auth logic.

Dasshini Ravi  ·  April 16, 2026

The Authentication Configuration Procedure is the most underused feature in Oracle APEX. Here's how to use it to run one codebase across environments with completely different auth schemes — automatically.

I once maintained two copies of the same APEX application — one for testing with custom PL/SQL auth, one for production with LDAP. Every bug fix, every UI tweak, every feature had to be applied twice. It was the kind of thing you accept as normal until someone shows you there's a better way.

The better way is the Authentication Configuration Procedure — a PL/SQL hook that fires before the user even sees the login page, letting you switch auth schemes at runtime based on any data you want. No manual switching. No duplicate apps.

What actually happens at session start

When a new APEX session begins, before the login page renders, APEX looks for a registered configuration procedure and calls it. You receive a record of type apex_authentication.t_configuration passed in and out by reference. Whatever you write into that record becomes the session's auth configuration.

The procedure signature is fixed — you cannot change it:

procedure my_auth_config (
  p_conf IN OUT NOCOPY apex_authentication.t_configuration
)

Three attributes on that record do the work:

authentication_name — switches the active auth scheme by name
tenant_id — stamps a tenant identity on the session for row-level isolation
substitutions — injects values into OAuth token placeholders

All three are optional. In most cases you'll only need the first two.

The problem, made concrete

Testing server

test-server.company.com:1234

Custom PL/SQL auth

Tenant: TENANT_TEST

Production server

prod-server.company.com:4321

LDAP / Active Directory

Tenant: TENANT_PROD

Same application export. Different behavior — driven entirely by the hostname the request arrives on. The configuration procedure reads the runtime hostname and picks the right scheme from a table. All the logic is in data, not code.

Implementation

  • 1

    Create the config table

    One row per server. The procedure queries this at runtime. Keep it simple — hostname, tenant code, and the exact auth scheme name as it appears in APEX.

    CREATE TABLE app_tenants (
  hostname    VARCHAR2(200) PRIMARY KEY,
  tenant_code VARCHAR2(50)  NOT NULL,
  auth_scheme VARCHAR2(100) NOT NULL
);

-- Testing server row
INSERT INTO app_tenants VALUES (
  'test-server.company.com:1234',
  'TENANT_TEST',
  'Custom Auth'
);

-- Production server row
INSERT INTO app_tenants VALUES (
  'prod-server.company.com:4321',
  'TENANT_PROD',
  'LDAP Auth'
);
    ⚠ The auth_scheme value must match the Name field in Shared Components exactly — including capitalization. A mismatch silently falls through to the default scheme with no error raised.
  • 2

    Create the procedure

    Deploy identical code on both servers. The different behavior comes entirely from the table, not the procedure itself.

    CREATE OR REPLACE PROCEDURE my_auth_config (
  p_conf IN OUT NOCOPY apex_authentication.t_configuration
)
IS
  l_host        VARCHAR2(200);
  l_auth_scheme VARCHAR2(100);
  l_tenant_id   VARCHAR2(100);
BEGIN
  -- Read hostname from the HTTP request
  l_host := sys.owa_util.get_cgi_env('HTTP_HOST');

  -- Look up auth scheme and tenant for this server
  SELECT auth_scheme, tenant_code
    INTO l_auth_scheme, l_tenant_id
    FROM app_tenants
   WHERE LOWER(hostname) = LOWER(l_host);

  -- Switch the auth scheme at runtime
  p_conf.authentication_name := l_auth_scheme;
  p_conf.tenant_id            := l_tenant_id;

  apex_debug.info(
    'Auth config: host=%s scheme=%s tenant=%s',
    l_host, l_auth_scheme, l_tenant_id
  );

EXCEPTION
  WHEN NO_DATA_FOUND THEN
    apex_debug.error('No config found for host: %s', l_host);
END my_auth_config;
    That single assignment — p_conf.authentication_name := l_auth_scheme — is the entire switch. Everything else is lookup and logging.
  • 3

    Register in Security Attributes

    Navigate to Shared Components → Security Attributes → Authentication Configuration Procedure. Enter my_auth_config and click Apply Changes. APEX will invoke your procedure on every new session from this point forward.

    [ Screenshot: Security Attributes page — "Authentication Configuration Procedure" field highlighted ]

Five things that will burn you if you skip them

1
Enable "Switch in Session" on every target scheme. Without this checkbox, the switch is silently ignored. This is the single most common reason the feature appears to do nothing.
2
Always use LOWER() on both sides of the hostname comparison. Some servers return mixed-case values — Test-Server instead of test-server — and the lookup quietly fails.
3
URL-based scheme switching stops working once you register a config procedure. The APEX_AUTHENTICATION=xxx URL parameter is intentionally disabled — this is a security feature, not a bug.
4
The procedure must be deterministic. APEX may call it more than once per session. Always return the same values for the same hostname — no randomness, no side effects.
5
Grant execute explicitly. The APEX parsing schema must have execute privilege on the procedure, or it fails silently at session start with no useful error.
Pro tip: Add the apex_debug.info() call inside the procedure before anything goes to production. Enable View Debug in the developer toolbar and confirm the procedure fires and resolves the correct scheme. It takes ten seconds and will save you an hour of head-scratching.

What you end up with

One application export. One codebase. Deploy it to as many servers as you need — each one reads its own row from the config table and gets the right authentication scheme, the right tenant identity, and no manual intervention required.

Once you build this once, hardcoding auth schemes in APEX becomes genuinely unthinkable. The Authentication Configuration Procedure is one of those features that pays back its setup cost on the very first deployment.

Comments

Post a Comment

Popular posts from this blog

Generate Custom PDFs in Oracle APEX with jsPDF

Generate Custom PDFs in Oracle APEX with jsPDF A complete step-by-step guide to building a client-side PDF generator with profile image embedding and PL/SQL database persistence. 📄 Step-by-step guide Oracle APEX jsPDF Dynamic Actions PL/SQL JavaScript "Picture this: your Oracle APEX application is polished, your users love it — but when they ask for a downloadable report with a profile picture and custom styling, you realize vanilla APEX isn't built for that out of the box. What if a single JavaScript library and one Dynamic Action could change everything?" Welcome to the world of jsPDF inside Oracle APEX . In this tutorial, we wire up a PDF generator that captures a user's name, email, phone number, and profile picture — renders them into a beautiful PDF layout — and saves everything to Oracle, all in one button click. ⓘ What you'll build: A dynamic PDF generat...
Post a Comment
Read more

APEX Custom Auth Settings, Decoded!

Oracle APEX Security PL/SQL APEX Custom Auth Settings, Decoded Why I Build this I was building an internal APEX app — strictly for people on our corporate network. The default authentication worked, but it had a few things that kept bothering me. Anyone with valid credentials could log in from anywhere. Sessions expired with a useless error page. There was no audit trail — no way to know who logged in, when, or from where. And passwords were stored in plain text, which I just couldn't leave alone. So I did what any developer does — I built it myself. Custom authentication, from scratch, in PL/SQL. Turned out to be one of the best learning experiences I've had with APEX. Here's exactly how I did it. Img 1 : Head to Shared Components → Authentication Schemes → Create, choose Custom as the Scheme Type, and plug in your function and procedure names. Quick note before we get into the code — the s...
Post a Comment
Read more

Record, Preview, Save — Video Recording in Oracle APEX

Oracle APEX · Video Recording Record Video Directly in Oracle APEX 🎬 Have you ever wished your users could say it instead of type it? In many modern applications, we've seen the ability to record a short video clip directly in the browser — no file uploads, no external tools. Just hit record, watch it back, and decide — save it or try again. Today, we're bringing that same experience into Oracle APEX: record, pause/resume, preview, save to DB, or retry. Let's build it. 1 Step 1 : Start by creating a Static Content Region on your APEX page. This will act as the container for our entire video recorder UI.Paste the provided HTML code into the region source. This gives you two video panels — one for the live camera preview and one for the recorded playback — along with your action buttons: Start, Pause, Resume, Stop, Save, and Retry. Copy <!-- Recorder UI --> < div id= "recorderUI...
Post a Comment
Read more