ORDS 25.1 is now available, here are the highlights 😀
JWT roles-based scopes
You are probably well aware of our current JWTs authentication and authorization support. But shortly after releasing this functionality, one of our long-time customers asked us to enhance ORDS JWT Profiles so they could also support roles “claims” (and scopes). So now, when creating your ORDS JWT Profile, you can set your p_role_claim_name => '/roles'. This setting would “point” to the roles you have configured within your identity provider (like IAM, IDCS, Auth0, etc.).1
🛎️ Come back to my blog in about two days, and you’ll see a new updated tutorial illustrating this new functionality (with JSON Pointers for the roles-based claim).
In the meantime, be sure to check out my current JWT-related blog posts:
- Configuring OCI IAM Domain JWTs to use with ORDS OAuth2.0 protected APIs
- Microsoft Entra OAuth2.0 JWTs and ORDS secure APIs Tutorial: Configuration and Testing
- 401 Unauthorized invalid_token – troubleshooting Oracle Cloud IAM JWTs with ORDS
ORDS_EXPORT and ORDS_EXPORT_ADMIN
The most significant changes are available options for users you’ve granted the ORDS_ADMINISTRATOR_ROLE.2 Now, you can export another user’s entire schema, including the details for their JWT Profile. In the screenshots below, you’ll see examples of the ORDS_EXPORT_ADMIN.EXPORT_SCHEMA procedure, using various optional parameters.
You have a lot of flexibility here; you can choose which optional parameters to include. Can you spot the differences?
ENABLE_SCHEMA and RUNNABLE_AS_ADMIN parameters.
SCHEMA parameter but turns off the RUNNABLE_AS_ADMIN parameter.
INCLUDE_JWT_PROFILES parameter.ORDS_SECURITY updates
The next time you create an ORDS OAuth client, you might notice some changes to the UI. Under the covers, this action is made possible by the ORDS_SECURITY PL/SQL package. You can still use the older, now deprecated OAUTH packages, but we now default to these newer ORDS_SECURITY procedures and functions.
One of the most notable changes is that these procedures now follow the standard convention (you’ve probably seen elsewhere) of showing a Client’s Secret once and only once. The procedure is now more succinct, organized, and secure.
💡When you need a new Client Secret, you can “rotate” it with the new ROTATE_CLIENT_SECRET functions (using the Client Name, Client Id, ORDS/internal Id).
Dark mode
Dark mode is activated. You can set SQL Developer Web (aka Database Actions) to Light, Dark, or Same as browser. I quite like the third option, as it makes shifting from Apple’s Light to Dark Mode seamless.
DBA_ORDS views
These views aren’t new for this release, but I don’t think we’ve mentioned them recently. Any of your REST-enabled schemas can access these DBA_ORDS_[View Name] views (for their respective schemas), and they are really helpful when you need to quickly view your most important configurations.
Like always, you can drag and drop “objects” into the SQL Worksheet. After dropping, a modal will appear with different options (depending on the object type), allowing you to choose an action.
Important links
And finally, the important links:
That’s all for now. I am working on a JWT-using-roles tutorial, which should be out by Friday this week. I’ll update this post when it is live.
And I have another new ORDS plug-in tutorial that I’d like to share; this one is Java-based. My friend Reydan from the Oracle Health (via Cerner) side is integrating the heck out of their stuff with ORDS, and this example is something he came up with as an exploratory exercise. It’s nothing fancy, but I thought it would be great for the beginner.
And that’s all for now!
References
- This is known as a JavaScript Object Notation Pointer (JSON Pointer). An upcoming JWT tutorial using role-based claims will provide more details. The technical specifications for the JSON Pointer can be found here. ↩︎
- If you are using the Autonomous Database (ADB, ATP, JSON), then you’ll know this ORDS Administrator as your “
ADMIN” user. ↩︎
