Oracle REST Data Services: Determining the Authenticated User
Introduction
Oracle REST Data Services (ORDS) has a number of implicit parameters
which may be bound into Resource Module Handlers. One of these is
:current_user, which provides the identity of the user authenticated for the
current request. If a user has not been authenticated then the value of
:current_user will be null.
Example
We can bind the value of :current_user into the context of a query as shown below:
begin
  ords.define_service(
    p_module_name => 'current.user.example',
    p_base_path => '/greetings/',
    p_pattern => 'example',
    p_source_type => ords.source_type_collection_item,
    p_source => 'select ''Hello '' || :current_user "greeting" from dual'
  );
  commit;
end;
This example will produce output like the following:
{
 "greeting": "Hello ",
 "links": [
  {"rel": "collection", "href": "https://oow17.dbtools.local:8443/ords/tickets/greetings/"}
 ]
}
Note how the value of the greeting property is just "Hello ": the value of
the :current_user implicit parameter is null because no user has been
authenticated, since this resource is currently public.
Let’s make the resource protected, by defining a privilege to protect it:
declare
 l_priv_roles owa.vc_arr;
 l_priv_patterns owa.vc_arr;
begin
  l_priv_patterns(1) := '/greetings/*';
  ords.define_privilege(
      p_privilege_name     => 'protected.greetings',
      p_roles              => l_priv_roles,
      p_patterns           => l_priv_patterns
  );
  commit;
end;
- We declare two arrays to hold the role name and privilege patterns respectively.
- We want any authenticated user to be able to access the protected resource so we leave the roles array (l_priv_roles) empty. An empty role set implies any authenticated user can access a privilege.
- We want any resource under /greetings/ to be protected so we add a single pattern: /greetings/* to the privilege patterns array.
Let’s try accessing the protected resource again:
https://server:port/ords/<schema>/greetings/example
This time when we access the resource we see a 401 Unauthorized status and a prompt to sign in. After we sign in, the resource will look like the following:
{
 "greeting": "Hello Colm",
 "links": [
  { "rel": "collection", "href": "https://oow17.dbtools.local:8443/ords/tickets/greetings/"}
 ]
}
This time there is an authenticated user - Colm in this case - and this
value is bound to the :current_user implicit parameter, producing the
greeting: Hello Colm.
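
The same two calls can scope data to the caller rather than just greet them. The following is an added example, not part of the original article: the table TICKETS(id, title, owner), the module name, the base path and the privilege name are all hypothetical, and OWNER is assumed to hold the user name exactly as ORDS reports it in :current_user.

```sql
-- Added example. Assumes a hypothetical table TICKETS(id, title, owner)
-- in the REST-enabled schema; all names below are illustrative.
declare
  l_priv_roles    owa.vc_arr;  -- left empty: any authenticated user
  l_priv_patterns owa.vc_arr;
begin
  -- Handler: each caller sees only the rows they own.
  -- If the request is unauthenticated, :current_user is null and
  -- "owner = null" is never true in SQL, so the query returns no rows
  -- instead of every row (the handler fails closed).
  ords.define_service(
    p_module_name => 'current.user.tickets',
    p_base_path   => '/mytickets/',
    p_pattern     => 'list',
    p_source_type => ords.source_type_collection_feed,
    p_source      => 'select id, title from tickets where owner = :current_user'
  );

  -- Privilege: require authentication for everything under /mytickets/,
  -- so anonymous requests receive 401 before the handler runs.
  l_priv_patterns(1) := '/mytickets/*';
  ords.define_privilege(
    p_privilege_name => 'protected.mytickets',
    p_roles          => l_priv_roles,
    p_patterns       => l_priv_patterns
  );
  commit;
end;
/
```

The privilege and the predicate are independent checks: the privilege decides who may call the handler, while the predicate on :current_user decides which rows that caller gets back.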