Enable Azure AD Authentication on Autonomous Database

An Azure AD administrator and an Autonomous Database administrator perform steps to configure Azure AD authentication on Autonomous Database.

Enabling Microsoft Entra ID v2 Access Tokens

Oracle Database supports integration with the v1 and v2 Azure AD OAuth2 access token.

Oracle Database supports the Entra ID v2 token as well as the default v1 token. However, to use the Entra ID v2 token, you must perform some additional steps to ensure it works with the Oracle Database. You can use this token with applications that are registered in the Azure portal using the App registrations experience.
When you use the Azure AD v2 OAuth2 access token, the credential flow continues to work as it did before without any changes. However, the upn: claim must be added when you use v2 tokens with the interactive flow.
  1. Check the version of the Entra ID access token that you are using.
  2. Log in to the Microsoft Entra ID portal.
  3. Search for and select Entra ID.
  4. Under Manage, select App registrations.
  5. Choose the application for which you want to configure optional claims based on your scenario and desired outcome.
  6. Under Manage, select Token configuration.
  7. Click Add optional claim and select upn.
When you use v2 tokens, the aud: claim only reflects the APP ID value. You do not need to set the https:domain prefix to the APP ID URI when v2 tokens are being used. This simplifies the configuration for the database because the default APP ID URI can be used.

Checking the Entra ID Access Token Version

You can check the version of the Entra ID access token that your site uses by using the JSON Web Tokens web site.

By default, Entra ID v1 access token, but your site may have chosen to use v2. Oracle Database supports v1 tokens and Autonomous Database Serverless supports v2 tokens, as well. If you want to use the v2 access tokens, then you can enable their use for the Oracle database. To find the version of the Entra ID access token that you are using, you can either check with your Entra ID administrator, or confirm the version from the JSON Web Tokens website, as follows.
  1. Go to the JSON Web Tokens website.
    https://jwt.io/
  2. Copy and paste the token string into the Encoded field.
  3. Check the Decoded field, which displays information about the token string.
    Near or at the bottom of the field, you will see a claim entitled ver, which indicates either of the following versions:
    • "ver": "1.0"
    • "ver": "2.0"

Configuring Azure AD as an External Identity Provider for Autonomous Database

An Autonomous Database administrator can enable Azure AD as an external identity provider on an Autonomous Database instance.

To enable Azure AD as an external identity provider:

  1. Log in to the Autonomous Database instance as a user who has the EXECUTE privilege on the DBMS_CLOUD_ADMIN PL/SQL package. The ADMIN user has this privilege.
  2. Run the DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION procedure with the Azure AD required parameters.
    BEGIN
      DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
          type   =>'AZURE_AD',
          params => JSON_OBJECT('tenant_id' VALUE 'tenant_id',
                                'application_id' VALUE 'application_id',
                                'application_id_uri' VALUE 'application_id_uri'),
          force => TRUE
      );
    END;

    In this procedure the Azure AD parameters are:

    • type: Specifies the external authentication provider. For Azure AD, as shown, use 'AZURE_AD'.
    • params: Values for the required Azure AD parameters are available from the Azure portal on the app registration Overview pane for Azure Active Directory. The required params for Azure AD are:
      • tenant_id: Tenant ID of the Azure Account. Tenant Id specifies the Autonomous Database instance's Azure AD application registration.
      • application_id: Azure Application ID created in Azure AD to assign roles/schema mappings for external authentication in the Autonomous Database instance.
      • application_id_uri: Unique URI assigned to the Azure Application.

        This it the identifier for the Autonomous Database instance. The name must be domain qualified (this supports cross tenancy resource access).

        The maximum length for this parameter is 256 characters.

    • force: Set this parameter to TRUE if another EXTERNAL AUTHENTICATION method is configured for the Autonomous Database instance and you want to disable it.

    For example:

    BEGIN
      DBMS_CLOUD_ADMIN.ENABLE_EXTERNAL_AUTHENTICATION(
          type   =>'AZURE_AD',
          params => JSON_OBJECT('tenant_id' VALUE '29981886-6fb3-44e3-82',
                                'application_id' VALUE '11aa1a11-aaa',
                                'application_id_uri' VALUE 'https://example.com/111aa1aa'),
          force  => TRUE
      );
    END;

    This sets the IDENTITY_PROVIDER_TYPE system parameter.

    For example, you can use the following to verify IDENTITY_PROVIDER_TYPE:

    SELECT NAME, VALUE FROM V$PARAMETER WHERE NAME='identity_provider_type';
     
    NAME                   VALUE   
    ---------------------- -------- 
    identity_provider_type AZURE_AD

    See ENABLE_EXTERNAL_AUTHENTICATION Procedure for more information.