This question came up twice in 3 days, so of course that meant it was time to write a blog post.
What is ‘:current_user’ when it comes to ORDS?
So in a database query or anonymous block backing an ORDS API Handler (GET, PUT, POST…) you can refer to :current_user and get the Authenticated USER on the session.
You might have several things you want to do with this information… I’ll leave that up to your imagination, but one general idea is that you would have an additional layer of security. Yes, you have the ORDS Role, BUT…
Now, our developer/architect Colm has talked about :current_user before, but in his example, he showed it with BASIC Auth.
The question has been…
…but what about OAuth2 Clients?
What I’ve been telling people is that you should expect to get the Client ID, or –
Ok, so how do I test this?
Much like Colm did, I’ll have a GET handler that prints the user’s name, via
select :current_user from dual
Ok, now I have created a priv, a role, and said Client with the required role. And the ‘who’ API is being protected by the same priv.
Let’s run it.
Or, if I want to make this a little bit more user-friendly, I’ll just “Alias” the :current_user column in my SELECT handler.
Though it’s true you get the client-id when using Client Credentials, the Authorization Code or the Implicit flows will actually return the authenticated user name and not the client id.
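The setup walked through above, as an added example rather than the code from the original post: it defines the ‘who’ handler with the aliased column, protects it with a priv and role, and registers a Client Credentials client. The names whoami, who_role, who_priv, who_client and the owner/e-mail values are hypothetical, and it assumes a REST-enabled schema on an ORDS release that provides the OAUTH PL/SQL package.

```sql
-- Added example; every object name below is a hypothetical placeholder.
DECLARE
  l_roles    owa.vc_arr;
  l_patterns owa.vc_arr;
BEGIN
  -- GET /whoami/who returns the authenticated identity, aliased for readability
  ORDS.define_module(p_module_name => 'whoami', p_base_path => '/whoami/');
  ORDS.define_template(p_module_name => 'whoami', p_pattern => 'who');
  ORDS.define_handler(
    p_module_name => 'whoami',
    p_pattern     => 'who',
    p_method      => 'GET',
    p_source_type => ORDS.source_type_collection_item,
    p_source      => 'select :current_user as authenticated_as from dual');

  -- The role and the priv that protects everything under /whoami/
  ORDS.create_role(p_role_name => 'who_role');
  l_roles(1)    := 'who_role';
  l_patterns(1) := '/whoami/*';
  ORDS.define_privilege(
    p_privilege_name => 'who_priv',
    p_roles          => l_roles,
    p_patterns       => l_patterns,
    p_label          => 'Who am I',
    p_description    => 'Protects the who handler');

  -- OAuth2 client using the Client Credentials flow, tied to the same priv
  OAUTH.create_client(
    p_name            => 'who_client',
    p_grant_type      => 'client_credentials',
    p_owner           => 'Example Owner',
    p_description     => 'Client used to test :current_user',
    p_support_email   => 'support@example.com',
    p_privilege_names => 'who_priv');
  OAUTH.grant_client_role(p_client_name => 'who_client',
                          p_role_name   => 'who_role');
  COMMIT;
END;
/

-- With Client Credentials, authenticated_as should match this client_id.
-- With the Authorization Code or Implicit flows it is the user name instead,
-- so any per-row check built on :current_user has to account for both.
SELECT name, client_id
  FROM user_ords_clients
 WHERE name = 'who_client';
```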