Simon Griffiths

Focusing on Data, Architecture and AI

Simon Griffiths architects data-first systems, and is sceptical about the rest.

Drawing on long experience across enterprise data, architecture, and AI, he prefers platforms designed for reality, not just the latest narrative.

Auth0 + ORDS on ADB – Architecture

Why This Pattern Works: Auth0 as Identity Provider, ORDS as Resource Server

[ also see the companion GitHub repo ]

I spent longer than I’d like to admit trying to secure an ORDS endpoint with Auth0 before I realised my mental model was wrong. I kept treating ORDS like it needed to be part of the identity story, and wondering why the pieces didn’t quite click.

The shift that fixed it was small: ORDS isn’t the identity system. It’s the resource server.

That sounds like a pedantic distinction, but it changes how you think about token trust, API authorisation, and who owns which piece of the configuration. It also explains why some integrations fail even when the token itself is completely valid — which was exactly the shape of my problem.

The pattern I settled on is:

  • Auth0 issues the access token
  • ORDS validates the token
  • ADB hosts the protected API logic

Once I stopped asking ORDS to be an identity system and started thinking of it as a resource server sitting close to the data, everything got simpler.

This is the “why” piece. If you want the step-by-step build, there’s a companion tutorial that walks through the Auth0 setup, the ORDS JWT profile, and the endpoint protection in order.

The Architectural Pattern

In this design, Auth0 handles identity and token issuance. ORDS validates tokens and enforces API access. ADB hosts the REST-enabled modules, queries, and business logic behind it all.

The request flow looks like this:

  1. A client (the app backend) asks Auth0 for a machine-to-machine access token.
  2. Auth0 issues an RS256-signed JWT.
  3. The client sends that bearer token to an ORDS endpoint.
  4. ORDS validates issuer, audience, and signature using the public key it retrieves from an auth0 endpoint
  5. ORDS checks whether the token is authorised to hit the protected resource.
  6. ADB executes the handler behind the endpoint.

The reason I like this separation is that each layer gets to do one job well. Auth0 does identity. ORDS does token validation and API enforcement. ADB does data and logic. Nothing is pretending to be something it isn’t.

I’m not looking to use anything set up in auth0 except for the users – any user roles, privileges etc are all handled in ADB.

Why This Is Often Misunderstood

Most examples I found online blurred the line between authentication and authorisation, or mixed older ORDS patterns with newer ones. That’s a big part of why my first attempts didn’t work — I was stitching together advice that wasn’t actually compatible.

Once I pulled it apart, there are really three distinct things that have to line up:

  • token trust — does ORDS know which issuer to trust, which audience to expect, and where to fetch signing keys?
  • token intent — was this token minted for the API I’m protecting, or for something else entirely?
  • API protection — does the ORDS privilege model actually protect the module the token is trying to reach?

If any one of those is off, the integration breaks, even if the other two are perfect. That’s genuinely annoying to debug because everything looks right until you check the one thing that isn’t.

What Must Match Between Auth0 and ORDS

For the trust relationship to work, three values have to match exactly:

  • issuer
  • audience
  • JWKS URL

In my working setup, the token claims ended up as:

  • iss = https://<tenant>.uk.auth0.com/
  • aud = https://api.example.com/ords-api
  • scope = read:demo

The thing I want to flag here, because it caught me out, is that the Auth0 API Identifier becomes the JWT audience. It’s not the ORDS endpoint URL, and it doesn’t need to resolve on the network. It’s just a fixed identifier that both sides agree on.

That distinction sounds small, but it’s one of the most common places I’ve seen configuration drift creep in.

Another issue that crept in to my config and lost me way too much time was a trailing space in one of the strings on auth0 (client_id). This was really tricky to debug – especially as you really don’t see it in the auth0 setup unless you highlight the full value – definitely something to check if you are getting failures that you cannot explain in any other way.

JWT Profiles in Current ORDS

Current ORDS guidance points to the ORDS_SECURITY and ORDS_SECURITY_ADMIN package family for JWT profile management. A lot of older blog posts still use OAUTH and OAUTH_ADMIN — those are legacy and I’d steer away from them for new work, even though they still exist, because I couldn’t get anything to work when using the older packages.

I was using Codex to build my companion GitHub repo and I initially had loads of failures which Codex didn’t pick up. When I dropped Kris Rice’s Oracle Skills into Codex, everything went through smoothly – I can’t recommend their use highly enough.

ORDS gives you two JWT profile modes, and the choice between them is more about ownership than technology:

  • schema-level JWT profile — one REST-enabled schema has its own issuer, audience, and JWK definition.
  • pool-level JWT profile — every schema in the ORDS pool trusts the same external issuer.

That distinction matters operationally, not just implementationally. Schema teams can usually manage their own modules and privileges, but pool-level trust configuration often sits with the ORDS administrator. And on ADB specifically, some controls are exposed through PL/SQL and some aren’t, so you have to know which levers you actually have.

Authorisation Is Not Just JWT Validation

This is the one that cost me the most time.

Even after ORDS trusts the token, it still applies its own authorisation model on top. The token being valid is necessary but not enough — ORDS still needs to decide whether this particular valid token is allowed to hit this particular resource.

In a scope-based JWT profile, that decision is made by comparing the token’s scope (or scp) claim against the ORDS privilege name protecting the resource.

In my working example:

  • Auth0 scope = read:demo
  • ORDS privilege = read:demo

Those names are identical on purpose. That alignment isn’t cosmetic — it’s part of the authorisation decision.

If the token carries read:demo but you’ve protected the resource with a privilege called oauth_demo.read, token validation will succeed and authorisation will still fail. You’ll get a 403, and spend an hour convinced your JWT trust is broken when actually your privilege model and your scope model just aren’t speaking the same language.

This was my problem for an embarrassing stretch of an afternoon.

Why I Like This Pattern

What I like about this architecture is that it avoids unnecessary middleware without weakening the separation between layers. You get:

  • Auth0 for identity and token issuance
  • ORDS for JWT validation and API protection
  • ADB for the data and logic layer

Taken together, that gives you an identity-aware data service layer sitting close to the database, using standard OAuth2 and JWT patterns throughout. No custom auth proxy, no bespoke token verifier, no extra tier to operate.

ORDS isn’t pretending to be the identity provider. It’s acting as a resource server, which is the job it’s actually good at.

What This Means on Autonomous Database

ORDS is managed on ADB, which changes where the security configuration lives and who can apply it.

In practice:

  • REST modules and privileges are typically managed from the application schema
  • schema JWT profile management for another schema may need elevated access
  • some environments lean on pool-level JWT profile configuration outside schema-owned PL/SQL

The reason this matters is diagnostic. A 401 isn’t always an Auth0 problem. Sometimes the token is perfectly valid and the JWT profile was just configured in the wrong place, or with the wrong mode, or in a schema that doesn’t own the resource. If you’re debugging and Auth0 keeps checking out, look here.

Strategic Mistakes I’d Warn About

At the architecture level, these are the recurring mistakes I’ve either made or watched other people make:

  • treating ORDS as if it were the token issuer
  • using the ORDS endpoint URL as the Auth0 audience
  • mixing deprecated ORDS package examples with current guidance
  • not thinking carefully about schema-level vs pool-level JWT trust
  • assuming token validation is the same thing as API authorisation
  • misaligning JWT scopes with ORDS privilege names in a scope-based model

These are design mistakes before they’re coding mistakes. Fixing them in PL/SQL is straightforward once you’ve noticed them — the hard part is noticing.

Conclusion

The real value of the Auth0 + ORDS + ADB pattern isn’t that ORDS can validate an external JWT. It’s that you can keep identity, resource validation, and data access cleanly separated without bolting on extra infrastructure just to bridge the gap.

If I were starting over today, the short version of what I’d tell myself is:

  • use ORDS_SECURITY / ORDS_SECURITY_ADMIN for JWT profile management
  • pick schema-level or pool-level JWT profile mode deliberately, based on ownership
  • make issuer, audience, and JWKS values match exactly
  • align JWT scopes with ORDS privilege names when using the scope-based model

Once those line up, the architecture is simple, secure, and actually coherent to operate.

If you want the implementation details behind all this, the companion tutorial covers the Auth0, ORDS, and ADB setup sequence end to end. I’ll post this very soon.

References

Leave a comment

Navigation

About

Simon Griffiths architects data-first systems, sceptical about the rest. Drawing on long experience across enterprise data, architecture, and AI, he prefers platforms designed for reality, not just the latest narrative.