Testing the Accessibility of the Entra ID Endpoint

You must ensure that your Oracle Database can access the Entra ID endpoint.

If your database client is configured to get Microsoft Entra ID OAuth2 tokens, then the database client must be able to access the Entra ID endpoint. Run the following command to check if you have internet access:

    curl https://login.windows.net/common/discovery/keys

A status code of 200 indicates success.

If this command is not successful, check with your IT help desk for the proxy information.

For an Oracle database to accept Entra ID OAuth2 tokens, the database must request the public key from the Microsoft Entra ID endpoint.
  • Run the following test to determine if the database can connect with the Microsoft Entra ID endpoint:
    SET SERVEROUTPUT ON SIZE 40000
    DECLARE
      req UTL_HTTP.REQ;
      resp UTL_HTTP.RESP;
    BEGIN
      UTL_HTTP.SET_WALLET(path => 'system:');
      req := UTL_HTTP.BEGIN_REQUEST('https://login.windows.net/common/discovery/keys');
      resp := UTL_HTTP.GET_RESPONSE(req);
      DBMS_OUTPUT.PUT_LINE('HTTP response status code: ' || resp.status_code);
      UTL_HTTP.END_RESPONSE(resp);
    END;
    /

    If this test is successful, then a PL/SQL procedure successfully completed message appears.

    If the following messages appear, then it means that a database network access control list (ACL) policy blocked your test and you will need to temporarily set an access control list policy to allow you to test this:

    ORA-29273: HTTP request failed
    ORA-24247: network access denied by access control list (ACL)
    1. Set the ACL as follows:
      BEGIN
      DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
        host => '*',
        ace  =>  xs$ace_type(privilege_list => xs$name_list('connect'),
                             principal_name => 'username_placeholder',
                             principal_type => xs_acl.ptype_db));
      END;
      /

      Replace username_placeholder with the user name of the database user who is running the test. For example:

      BEGIN
      DBMS_NETWORK_ACL_ADMIN.APPEND_HOST_ACE(
        host => '*',
        ace  =>  xs$ace_type(privilege_list => xs$name_list('connect'),
                             principal_name => 'DBA_DEBRA',
                             principal_type => xs_acl.ptype_db));
      END;
      /
    2. Try running the test again.
    3. Remove the ACL, because you now no longer need it. For example, assuming your user name is dba_debra:
      BEGIN
      DBMS_NETWORK_ACL_ADMIN.REMOVE_HOST_ACE(
        host => '*',
        ace  =>  xs$ace_type(privilege_list => xs$name_list('connect'),
                             principal_name => 'DBA_DEBRA',
                             principal_type => xs_acl.ptype_db));
      END;
      /
If the database cannot connect with the Microsoft Entra ID endpoint even after you set the ACL policy, you will most likely need to set the HTTP_PROXY package for your database. Review the topics listed in Related Topics, depending on whether you are using a default Oracle Database environment or an Oracle Real Application Clusters (Oracle RAC) environment. Your network administrator should be able to tell you what the correct HTTP_PROXY setting should be.
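The following block is an added example, not part of Oracle's documentation. It reruns the endpoint test from the procedure above, reports whether a failure came from the network ACL (ORA-24247) or from something else such as a proxy or wallet problem, and then lists any wildcard connect ACE still granted to the test user so that you can confirm step 3 was completed. It assumes the user running it can query DBA_HOST_ACES, and it reuses the DBA_DEBRA example user from this page.

```sql
-- Added example (not Oracle's own code): classify the test failure and
-- confirm that the temporary wildcard ACE has been removed.
SET SERVEROUTPUT ON SIZE 40000
DECLARE
  req       UTL_HTTP.REQ;
  resp      UTL_HTTP.RESP;
  stack     VARCHAR2(4000);
  left_over PLS_INTEGER := 0;
BEGIN
  BEGIN
    UTL_HTTP.SET_WALLET(path => 'system:');
    req  := UTL_HTTP.BEGIN_REQUEST('https://login.windows.net/common/discovery/keys');
    resp := UTL_HTTP.GET_RESPONSE(req);
    IF resp.status_code = UTL_HTTP.HTTP_OK THEN
      DBMS_OUTPUT.PUT_LINE('OK: endpoint returned 200');
    ELSE
      DBMS_OUTPUT.PUT_LINE('Endpoint reached, unexpected status: ' || resp.status_code);
    END IF;
    UTL_HTTP.END_RESPONSE(resp);
  EXCEPTION
    WHEN OTHERS THEN
      -- ORA-29273 is only the wrapper; the cause is further down the stack.
      stack := DBMS_UTILITY.FORMAT_ERROR_STACK;
      IF INSTR(stack, 'ORA-24247') > 0 THEN
        DBMS_OUTPUT.PUT_LINE('Blocked by the network ACL (ORA-24247)');
      ELSE
        DBMS_OUTPUT.PUT_LINE('Failed for a reason other than the ACL:');
        DBMS_OUTPUT.PUT_LINE(stack);
      END IF;
  END;

  -- After step 3 this loop should find nothing for the test user.
  FOR r IN (SELECT host, lower_port, upper_port, principal
              FROM dba_host_aces
             WHERE host = '*'
               AND principal = 'DBA_DEBRA'   -- example user from this page
               AND UPPER(privilege) = 'CONNECT')
  LOOP
    left_over := left_over + 1;
    DBMS_OUTPUT.PUT_LINE('Wildcard connect ACE still present for ' || r.principal);
  END LOOP;
  IF left_over = 0 THEN
    DBMS_OUTPUT.PUT_LINE('No wildcard connect ACE remains for DBA_DEBRA');
  END IF;
END;
/
```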