The combination of a reverse proxy, ORDS in standalone and APEX Social Sign-In gave me a headache.
ORDS, APEX, and Social Sign-In
If you have the following setup you may need an extra parameter in the global ORDS configuration:
- ORDS running in standalone with HTTP (non-TLS) on port 8080
- ORDS behind a reverse proxy with TLS terminated in reverse proxy
- APEX served by ORDS
- You want to use authentication scheme Social Sign-In and OpenID Connect (OIDC) or OAuth 2.0
In this case you need to add one line to the file global/settings.xml in the ORDS configuration directory:
<entry key="security.forceHTTPS">true</entry>
As far as I can see, this parameter is not mentioned in the ORDS installation manual as of today, but on Oracle Support in Doc ID 2139195.1.
One symptom that this parameter is needed is that APEX works OK, but the redirect_uri that APEX sends as a parameter in the request to your OpenID Connect provider contains port 80 in an URI that starts with https://.
You can also check the environment in APEX as shown in Show CGI Environment in APEX If it shows HTTP_PORT=80, then the redirect_uri may be wrong.
I don’t know if this is a bug in APEX; this has been tested with APEX 22.2 and ORDS 22.3.3.