- Interactive authentication flow for humans connecting from devices that can open a pop-up browser window
- Device code authentication flow for humans connecting through jump hosts that cannot open a pop-up browser window
- Client credential authentication flow for service accounts (non-interactive; this is the flow configured below)
- Entra ID
  - New app role in the target database (hrdb) app registration
  - Service account app registration
  - Service account pre-shared credential (client secret)
  - Add the service account as an authorized client application of the target database's exposed API, and grant it the app role
- Database Server
  - Add service account (global user mapped to the app role)
  - Apply grants to service account
- Database Client
  - Create wallet holding the pre-shared credential
  - Add TNS entry for the service account with AZURE_CREDENTIALS pointing at that wallet
Entra ID Configuration
1.1 Log in to Entra at https://entra.microsoft.com
1.2 Navigate to Applications —> App registrations —> target database (hrdb) —> App roles
1.3 Click on "Create app role", fill out the form as follows, and click "Apply"
    Display name: app_hr.role
    Allowed member types: Applications
    Value: app_hr.role
    Description: HR Application Role
    Do you want to enable this app role? Yes (checked)
1.4 Click on "Owners" and confirm that your authenticated user is in the list of owners for this database (hrdb) app registration
1.4.1 If your user is not listed, click on "Add owners", search for your name, check the box next to yourself, and click "Select"
2.1 Register the Oracle database client service account as an Entra ID app registration
2.1.1 Log in to Entra at https://entra.microsoft.com
2.1.2 Navigate to Applications —> App registrations —> New registration
2.1.3 Enter the following and then click "Register"
    Name: dbclient_service_hr
    Supported account types: (Default) Single tenant
    Redirect URI: Leave blank; it is not used by the client credential flow
2.2 Capture the application (client) ID of the dbclient_service_hr app registration: click on "Overview" and copy the ID. It is used later as the wallet alias suffix and as CLIENT_ID in the TNS entry:
    Application (client) ID: 186f231c-830e-4513-9b64-34f341848050
2.3 Authorize the service account app on the target database's exposed API
2.3.1 Navigate to Applications —> App registrations —> target database (hrdb) —> Expose an API
2.3.2 Click on "Add a client application", paste the app ID from step 2.2, check all "Authorized scopes" listed, and click "Add application"
2.4 Create client secret
2.4.1 Navigate to Applications —> App registrations —> dbclient_service_hr
2.4.2 Click on "Add a certificate or secret" under Client credentials
2.4.3 Click on "New client secret", fill out the form as follows, and click "Add"
    Description: hrapp_secret
    Expires: Select a value that aligns with your corporate standard. In this example, I selected 24 months.
2.4.4 Capture the secret for later use by clicking "Copy to clipboard" next to the hrapp_secret value. The portal shows the value only at creation time; if it is lost, a new secret must be created. Treat it like the service account's password: anyone holding it can obtain tokens as dbclient_service_hr.
    hrapp_secret value: tb58Q~eDEfE.2ambJAg4qrTzDExq2Lqcw3cjebfy
2.5 Add app role
2.5.1 Click on "App roles"
2.5.2 Click on "Create app role", fill out the form as follows, and click "Apply"
    Display name: app_hr.role
    Allowed member types: Applications
    Value: app_hr.role
    Description: HR Application Role
    Do you want to enable this app role? Yes (checked)
2.6 Add application permission and grant admin consent for the domain
2.6.1 Click on API permissions
2.6.2 Click on "Add a permission"
2.6.3 Click on the "My APIs" tab and click on the target database (hrdb) to which this service account will be connecting
2.6.4 Click on "Application Permission"
2.6.5 Check the box of the app_hr.role "App role" created in step 1.3
2.6.6 Click on "Add permissions"
2.6.7 Click on "Grant admin consent for <domain>" and click on "Yes"
Oracle Database Server Configuration
Connect to the pluggable database as a privileged user and create the global user mapped to the Entra ID app role. The service account is identified by the app role value in its token (AZURE_ROLE=app_hr.role), not by a database password. The example passes the SYSTEM password on the command line; outside a demo, let sqlplus prompt for it, because a command-line password lands in the shell history and the process list.

sqlplus system/Oracle123@pdb1
SQL> CREATE USER app_hr IDENTIFIED GLOBALLY AS 'AZURE_ROLE=app_hr.role';

The ALTER USER form applies the same mapping to a user that already exists. Then grant the privileges the service account needs; CREATE SESSION is the minimum required to connect, so grant only what the application actually uses beyond that.

sqlplus system/Oracle123@pdb1
SQL> ALTER USER app_hr IDENTIFIED GLOBALLY AS 'AZURE_ROLE=app_hr.role';
SQL> GRANT CREATE SESSION TO app_hr;
Oracle Database Client Configuration
On the Windows client, create a directory for the service account's wallet and store the client secret in it. Substitute the application (client) ID from step 2.2 for <hrapp_id> and the secret value from step 2.4.4 for <hrapp_secret_value>. Because the wallet is created with -auto_login, it opens without a password, so restrict the directory's NTFS permissions to the account that runs the database client. The wallet password and the secret typed here also remain in the console history; clear it afterwards.

C:
mkdir \u01\app\dbclient_service_hr
cd \u01\app\dbclient_service_hr
orapki wallet create -wallet . -pwd Oracle123 -auto_login
orapki secretstore create_entry -wallet . -pwd Oracle123 -alias oracle.security.azure.credential.<hrapp_id> -secret "<hrapp_secret_value>"

Verify that the wallet was created and that the credential entry is present under the expected alias:

cd \u01\app\dbclient_service_hr
orapki wallet display -wallet . -complete
orapki secretstore view_entry -wallet . -pwd Oracle123 -alias oracle.security.azure.credential.<hrapp_id>
Add a tnsnames.ora entry for the service account. TOKEN_AUTH=AZURE_SERVICE_PRINCIPAL selects the client credential flow; AZURE_CREDENTIALS points at the wallet directory created above; TENANT_ID and CLIENT_ID identify the dbclient_service_hr registration (CLIENT_ID is the app ID from step 2.2); and AZURE_DB_APP_ID_URI is the Application ID URI of the hrdb registration, which becomes the audience of the requested token. WALLET_LOCATION=SYSTEM makes the client use the Windows certificate store to validate the database server's TLS certificate, and SSL_SERVER_DN_MATCH=TRUE with SSL_SERVER_CERT_DN pins the expected server certificate DN so the token is not sent to an impostor.

HRDB_PDB1_APP_HR =
  (DESCRIPTION=
    (ADDRESS=(PROTOCOL=TCPS)(HOST=hrdb.dbauthdemo.com)(PORT=2484))
    (SECURITY=
      (SSL_SERVER_DN_MATCH=TRUE)
      (SSL_SERVER_CERT_DN="CN=hrdb.dbauthdemo.com")
      (WALLET_LOCATION=SYSTEM)
      (TOKEN_AUTH=AZURE_SERVICE_PRINCIPAL)
      (AZURE_CREDENTIALS=C:\u01\app\dbclient_service_hr)
      (TENANT_ID=7f4c6e3e-a1e0-43fe-14c5-c2f051a0a3a1)
      (CLIENT_ID=186f231c-830e-4513-9b64-34f341848050)
      (AZURE_DB_APP_ID_URI=https://dbauthdemo.com/16736175-ca41-8f33-af0d-4616ade17621)
    )
    (CONNECT_DATA=
      (SERVER=DEDICATED)
      (SERVICE_NAME=pdb1)
    )
  )
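When the connection fails with an authentication error, the first question is whether Entra ID is issuing a token the database can map to app_hr at all. The script below is an added example written for this page (not code from the original post, nor Oracle's or Microsoft's tooling). It builds the same client credential request the Oracle client performs for TOKEN_AUTH=AZURE_SERVICE_PRINCIPAL, using the TENANT_ID, CLIENT_ID and AZURE_DB_APP_ID_URI from the TNS entry above, decodes the returned access token's claims without verifying the signature, and reports anything that would stop the database from mapping the token to AZURE_ROLE=app_hr.role. Assumptions: the Entra v2.0 token endpoint path and scope form `<App ID URI>/.default`, and the Entra claim names aud, tid, appid (v1.0 tokens) or azp (v2.0 tokens), roles and exp. The sample token at the bottom is constructed locally and unsigned so the checks run offline; request_token() is the only function that touches the network.

```python
# Added example for this page: pre-flight check of the Entra ID client credential
# grant used by Oracle's TOKEN_AUTH=AZURE_SERVICE_PRINCIPAL. Not Oracle/Microsoft code.
import base64
import json
import time
import urllib.parse
import urllib.request

# Values copied from the TNS entry on this page.
TENANT_ID = "7f4c6e3e-a1e0-43fe-14c5-c2f051a0a3a1"
CLIENT_ID = "186f231c-830e-4513-9b64-34f341848050"
AZURE_DB_APP_ID_URI = "https://dbauthdemo.com/16736175-ca41-8f33-af0d-4616ade17621"
APP_ROLE = "app_hr.role"  # value mapped by AZURE_ROLE= on the database side


def build_token_request(tenant_id, client_id, client_secret, app_id_uri):
    """Return (url, form_body) for the OAuth 2.0 client credential grant.

    scope=<App ID URI>/.default (assumed v2.0 endpoint form) asks for a token whose
    audience is the database app registration and whose roles are the app roles
    granted to the client with admin consent (step 2.6 on this page).
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{app_id_uri}/.default",
    })
    return url, body


def request_token(tenant_id, client_id, client_secret, app_id_uri):
    """Perform the grant over the network and return the raw access token."""
    url, body = build_token_request(tenant_id, client_id, client_secret, app_id_uri)
    req = urllib.request.Request(
        url, data=body.encode(), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["access_token"]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()


def decode_jwt_payload(token):
    """Decode the claims of a compact JWT WITHOUT verifying the signature.

    This is a diagnostic view of what Entra issued; the database, not this script,
    is the party that verifies the signature before trusting the claims.
    """
    _header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def check_token_claims(claims, tenant_id, client_id, app_id_uri, role,
                       db_app_client_id=None, now=None):
    """Return a list of problems that would make the database reject the token.

    Entra v1.0 tokens carry aud=<App ID URI> and appid=<client id>; v2.0 tokens
    carry aud=<resource app's client id> and azp=<client id>. Both are accepted.
    """
    problems = []
    accepted_aud = {app_id_uri}
    if db_app_client_id:
        accepted_aud.add(db_app_client_id)
    if claims.get("aud") not in accepted_aud:
        problems.append(f"aud is {claims.get('aud')!r}, expected one of {sorted(accepted_aud)}")
    if claims.get("tid") != tenant_id:
        problems.append(f"tid is {claims.get('tid')!r}, expected {tenant_id!r}")
    caller = claims.get("appid") or claims.get("azp")
    if caller != client_id:
        problems.append(f"appid/azp is {caller!r}, expected {client_id!r}")
    roles = claims.get("roles") or []
    if role not in roles:
        problems.append(f"roles {roles!r} does not contain {role!r}: "
                        "check the application permission and admin consent (step 2.6)")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        problems.append("token is expired")
    return problems


def make_unsigned_test_token(claims):
    """Build a constructed, unsigned JWT so the checks can be exercised offline."""
    return f"{_b64url_encode({'alg': 'none', 'typ': 'JWT'})}.{_b64url_encode(claims)}."


# Constructed sample claims (not a real token), shaped like an Entra v1.0 access token.
SAMPLE_CLAIMS = {
    "aud": AZURE_DB_APP_ID_URI,
    "tid": TENANT_ID,
    "appid": CLIENT_ID,
    "roles": [APP_ROLE],
    "exp": 4102444800,  # 2100-01-01, far in the future
}

if __name__ == "__main__":
    token = make_unsigned_test_token(SAMPLE_CLAIMS)
    result = check_token_claims(decode_jwt_payload(token), TENANT_ID, CLIENT_ID,
                                AZURE_DB_APP_ID_URI, APP_ROLE)
    print(result or "token claims look good")
```

To run it against the real tenant, call request_token() with the secret from step 2.4.4 and pass the decoded payload to check_token_claims(); an empty list means Entra is issuing a token with the right audience, tenant, caller and role, and any remaining failure is on the database or TLS side (server DN, wallet path, or the AZURE_ROLE mapping).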