Configure IAM Proxy Authentication

Proxy authentication allows an IAM user to proxy to a database schema for tasks such as application maintenance.

About Configuring IAM Proxy Authentication

IAM users can connect to Oracle DBaaS by using proxy authentication.

Proxy authentication is typically used to authenticate the real user and then authorize them to use a database schema with the schema privileges and roles in order to manage an application. Alternatives such as sharing the application schema password are considered insecure and unable to audit which actual user performed an action.

A use case can be in an environment in which a named IAM user who is an application database administrator can authenticate by using their credentials and then proxy to a database schema user (for example, hrapp). This authentication enables the IAM administrator to use the hrapp privileges and roles as user hrapp in order to perform application maintenance, yet still use their IAM credentials for authentication. An application database administrator can sign in to the database and then proxy to an application schema to manage this schema.

You can configure proxy authentication for both the password authentication and token authentication methods.

Configure Proxy Authentication for the IAM User

To configure proxy authentication for an IAM user, the IAM user must already have a mapping to a global schema (exclusive or shared mapping). A separate database schema for the IAM user to proxy to must also be available.

After you ensure that you have this type of user, alter the database user to allow the IAM user to proxy to it.
  1. Log in to the Autonomous Database instance as a user who has the ALTER USER system privileges.
  2. Grant permission for the IAM user to proxy to the local database user account.
    An IAM user cannot be referenced in the command so the proxy must be created between the database global user (mapped to the IAM user) and the target database user.
    In the following example, hrapp is the database schema to proxy to, and peterfitch_schema is the database global user exclusively mapped to user peterfitch.
    ALTER USER hrapp GRANT CONNECT THROUGH peterfitch_schema;
At this stage, the IAM user can log in to the database instance using the proxy. For example, to connect using a password verifier:
CONNECT peterfitch[hrapp]@connect_string
Enter password: password

To connect using a token:

CONNECT [hrapp]/@connect_string

Validate the IAM User Proxy Authentication

You can validate the IAM user proxy configuration for both password and token authentication methods.

  1. Log in to the Autonomous Database instance as a user who has the CREATE USER and ALTER USER system privileges.
  2. Connect as the IAM user and run the SHOW USER and SELECT SYS_CONTEXT commands.
    For example, suppose you want to check the proxy authentication of the IAM user peterfitch when they proxy to database user hrapp. Run the following queries after you proxy to the database using an IAM user. Depending on how you authenticate and access the database, you will get different values for these queries.
    • For password authentication, assuming the IAM user is in the default domain:
      CONNECT peterfitch[hrapp]/password\!@connect_string
      SHOW USER;
      --The output should be USER is "HRAPP"
      SELECT SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD') FROM DUAL;
      --The output should be "PASSWORD_GLOBAL_PROXY"
      SELECT SYS_CONTEXT('USERENV','PROXY_USER') FROM DUAL;
      --The output should be "PETERFITCH_SCHEMA"
      SELECT SYS_CONTEXT('USERENV','CURRENT_USER') FROM DUAL;
      --The output should be "HRAPP"
    • For token authentication, for a user who is in a non-default domain, sales_domain:
      CONNECT [hrapp]/@connect_string
      SHOW USER;
      --The output should be USER is "HRAPP"
      SELECT SYS_CONTEXT('USERENV','AUTHENTICATION_METHOD') FROM DUAL;
      --The output should be "TOKEN_GLOBAL_PROXY"
      SELECT SYS_CONTEXT('USERENV','PROXY_USER') FROM DUAL;
      --The output should be "PETERFITCH_SCHEMA"
      SELECT SYS_CONTEXT('USERENV','CURRENT_USER') FROM DUAL;
      --The output should be "HRAPP"