This question came up twice in 3 days, so of course it meant it was time to write a blog post.

What is ‘:current_user’ when it comes to ORDS?

ORDS Docs & Implicit Binds

Who are you?

So in a database query or anonymous block backing an ORDS API Handler (GET, PUT, POST…) you can refer to :current_user and get the Authenticated USER on the session.

You might have several things you want to do with this information….I’ll leave that up to your imagination, but one general idea is you would have an additional layer of security. Yes, you have the ORDS Role, BUT…

Now, our developer/architect Colm has talked about :current_user before, but in his example, he showed it with BASIC Auth.

The question has been…

…but what about OAuth2 Clients?

What I’ve been telling people is that you should expect to get the Client ID, or –

In this case, this is the ‘who’ that ORDS associates with your session/visit.

Ok, so how do I test this?

Much like Colm did, I’ll have GET handler that prints the user’s name, via

select :current_user from dual
In the latest update to ORDS, we added :binds to your Code Editor for easier selection.

Ok, now I have created a priv, role, and said Client with required role. And the ‘who’ API is being protected by the same priv.

Let’s run it.

Ta-da! It returns just what I would expect.

Or, if I want to make this a little bit more user-friendly, I’ll just “Alias” the :current_user column in my SELECT handler.

P.S. I love The Who.
thatjeffsmith
Author

I'm a Distinguished Product Manager at Oracle. My mission is to help you and your company be more efficient with our database tools.

1 Comment

  1. Avatar
    Rodolfo Cartas Reply

    Though it’s true you get the client-id when using Client Credentials, the Authorization Code or the Implicit flows will actually return the authenticated user name and not the client id.

Write A Comment