ORDS secure restful service (with SSL and without SSL)

Working with rest services is the way of building SOA environment with Oracle ApEx.  In this blog I will show step by step how to create a rest service and also how to secure this rest service using a token. (I’m using DHC chrome extension to test).

– Create a rest service

1- Create a GET request to get all employees from the employee table.

  • goto SQL Workshop–> RESTful Service


Test rest service to see the results; the rest is a Json document. (for now make it sure the Requires Secure Access is set to NO).


To POST, create an new Resource Handler: with POST as method.

Put this quest to insert a record into the emp table.


About the above part you can find a lot of blog’s and Now the most important part: Secured rest service.

To let a 3rd party application access the API of your rest service you have to secure them. ORDS lets 3rd party applications get access by registering itself in ORDS and ORDS provides a secure token for it.
– you need two users: One to create the rest service client oauth2 reference and one to login as 3rd party application user.

Assign OAuth2 Client Developer group to the first user, and assign RESTful service role to the second user

4 5

  • create a security group from the REST service page and add your “employees” module to the protected modules.


NOTE: now if you request the GET service the response will be “401 Unauthorized”

  • Now you can start the ORDS client authentication page to generate a code for secure access.
  •  login into http://server.com:port/workspace/ui/oauth2/clients
  • fill in the info as in the screen below. MAKE SURE that you have CODE selected and not TOKEN


  • After clicking “Register” you will get a URL just like in the below screenshot.


NOTE: remember the “Client Identifier” and the “Client Secret” you will be needing them to get the TOKEN later on.

  • Click the the URL, you will be redirected to login with second created user.


  • Allow access, the you will be redirected to another page with a URL with: &code=gjcMeQGYxBnQOVotKOM71A..” including the .. at the end. you will get the URL even if the page display says “Not Found” (check the URL).

Now start the command line. type the following in terminal to get the access TOKEN.

curl -i -d “grant_type=authorization_code&code=code_from_the_URL” –user Client Identifier:Client Secret  http://localhost:8081/apex/lab/oauth2/token

curl -i -d “grant_type=authorization_code&code=gjcMeQGYxBnQOVotKOM71A..” –user 1xBmPezTADp5YJYMr8kGFw..:tyNSwyO-o5GQ009M7SxyAA.. http://localhost:8081/apex/lab/oauth2/token

  • The response will be like :


  • From now on, you use the refresh_token to get new token and not the code anymore. this because the code gets expired if the server is restarted, but the refresh token not.
  • in this URL the validity of the token is 3600 sec (1 hour). after it is expired you have to request a new one. The expiration can be changed in the default.xml of your ORDS config.
  • The request with refresh_token should be like :

curl -i -d “grant_type=refresh_token&refresh_token=hbtsEx9vsBFIdZwPjME44A..” –user OAWGPQXol6Kr3GAQgTe4Gg..:_WYbjFH2gTsB7ycgN_HSrw.. http://localhost:8081/apex/lab/oauth2/token

  • response will be exactly the same as the first one, with a new TOEKN and a new refresh_token.

In a HTTPS (SSL) environment, the only change in the request will be curl -k -i -d instead of curl -i -d and of course https in the token URL.

That is it. If you don’t get it and have any question, please let me know. I have an environment up and running on this.

12 Replies to “ORDS secure restful service (with SSL and without SSL)”

  1. Good article. It’s gotten me past a few hurdles.

    I’m using apex.oracle.com to host an application and am trying to configure an OAuth2 client. I’m trying to retrieve a token using the Postman REST client but it requires an Access Token URL as well as the Auth URL. Any ideas on what this should be for ORDS?

    1. Hi Dave,

      Normally you need to get the token from the ORDS page “http://server.com:port/workspace/ui/oauth2/clients” (login with cerated use in ApEx) the token gets expired once you request a new one (with the new one you will receive a refresh token, that you can you again to request a new token).. But I don’t think you have access to admin part of “apex.oracle.com” to create uses and to configure the user access.

      1. Hi Mazin,

        Thanks for the speedy response. I have managed to configure the relevant users via apex.oracle.com as your article suggests. I am managing to get an access code from the auth URL. But, I’m just not sure what the Access Token URL is so that I can exchange my Access Code for a Token. In your example, you use “http://localhost:8081/apex/lab/oauth2/token”. I am trying something similar (“https://apex.oracle.com/pls/apex/workspace/oauth2/token”) but am getting a 404 not found, so wither the URL isn’t right or apex.oracle.com doesn’t provide an Access Token URL.


  2. Hi Dave,

    Please see the steps I have above… you need to use the command line to get the Token first time, to get it you need the “Client Identifier” and the “Client Secret”..

    *** NOTE: remember the “Client Identifier” and the “Client Secret” you will be needing them to get the TOKEN later on.
    Now start the command line. type the following in terminal to get the access TOKEN.

    *** curl -i -d “grant_type=authorization_code&code=code_from_the_URL” –user Client Identifier:Client Secret http://localhost:8081/apex/lab/oauth2/token

    let me know if you can not figure it out, I will try to make some time to have a Skype call.

  3. Hi Mazin,
    Really good article, I couldn’t find much information or steps on how to do this otherwise and the 404 not found errors kept driving me nuts. My question is the same as Dave above, in your example you used, “http://localhost:8081/apex/lab/oauth2/token”. I am having problems getting my access token. I am assuming this URL is a separate APEX environment you have setup, one other than the environment in which you created the API?

    Also apart from the ORDS documentation which hasn’t brought me too much luck what other sources of information can I look at to give me more help with this?


    1. Hi Darry, sorry for the delay in response, The URL is actually the same environment. ‘lab’ in my case is the workspace name. Please let me know if you have not figured it out yet. I will be there to help you with it.

      1. hi mazinabdulah ,
        Thanks for the reply, actually i want to generate client id and client secret programmatically i.e all the process involved in the step “registering oauth2 client”. i want to automate all the manual process through java code.can we achieve that through code..

  4. Hi Abhishek,
    Check the below code, it does exactly what you want I think.
    it is from “http://www.seleniumtests.com/2016/09/use-curl-in-java-without-third-party.html”

    import java.io.BufferedReader;
    import java.io.IOException;
    import java.io.InputStream;
    import java.io.InputStreamReader;
    import java.net.URL;
    import java.net.URLConnection;

    public class CurlTest {
    public static void main(final String[] args) throws IOException {
    URL url = new URL(“https://token.xxx.com/”);
    URLConnection uc = url.openConnection();

    String userPass = “tarun” + “:” + “xxx”;
    String basicAuth = “Basic ” + javax.xml.bind.DatatypeConverter.printBase64Binary(userPass.getBytes());
    uc.setRequestProperty(“Authorization”, basicAuth);
    InputStream in = uc.getInputStream();
    BufferedReader reader = new BufferedReader(new InputStreamReader(in, “UTF-8”)))

    for (String line; (line = reader.readLine()) != null;) {

  5. Hi!
    I’m trying to retrieve a token using the Postman REST client but it requires an Access Token URL as well as the Auth URL….

    How do I remove the authorization page?

Leave a Reply

Your email address will not be published. Required fields are marked *