Use Proxy Authentication with IAM Authentication

You can use proxy authentication with IAM authentication. In this setup:

  • IAM authenticates the proxy user (for example, proxy_user@example.com).
  • Oracle Database establishes the session as a proxy client user (proxy_client1 or proxy_client2), based on your database and connection settings.

Database Setup

  1. Create the proxy client users.

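    -- Oracle passwords are written bare or in double quotes, not single quotes.
    -- Replace password with a strong, unique value for each user.
    CREATE USER proxy_client1 IDENTIFIED BY "password";
    CREATE USER proxy_client2 IDENTIFIED BY "password";

  2. Create the proxy user authenticated by IAM.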

    CREATE USER proxy_user_iam IDENTIFIED GLOBALLY AS 'IAM_PRINCIPAL_NAME=proxy_user@example.com';

  3. Allow the proxy user to connect through to a proxy client user.

    ALTER USER proxy_client1 GRANT CONNECT THROUGH proxy_user_iam;

  4. (Optional) Require the proxy client to authenticate and restrict enabled roles when connecting through the proxy.

    ALTER USER proxy_client2 GRANT CONNECT THROUGH proxy_user_iam WITH ROLE role1, role2 AUTHENTICATION REQUIRED;

Database Tools Connection Setup

Choose the option that matches your use case.

  • Option 1: Specify the proxy client user

    Use this option when you already know the proxy client user name that the session must use.

    Add the following advanced connection property:

    oracle.jdbc.proxyClientName = <proxy_client_user>

  • Option 2: Provide proxy client credentials and control roles

    Use this option when the database requires the proxy client to authenticate (for example, AUTHENTICATION REQUIRED) and you need to control which roles are enabled.

    In the Create connection page in Database Tools, enter the Proxy authentication values (proxy client user name and password) and select role options as needed. See Creating a Connection for details about creating a connection.

  • Option 3: Auto-detect the proxy client (double session)

    Use this option when the proxy user is allowed to connect to a proxy client user without requiring proxy client authentication, and you want Database Tools to automatically determine the correct proxy client user.

    In this setup, the proxy client user is granted CONNECT THROUGH without the AUTHENTICATION REQUIRED clause.

    1. In the Create connection page, expand Advanced options and then expand Authentication.

    2. For Proxy authentication type, select Double session (auto detect user, roles).

    Database Tools checks the database view USER_PROXIES to determine which proxy client is mapped to the proxy user. If exactly one proxy client user is found, Database Tools selects it automatically.
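
To review the proxy grants and confirm which identity a proxied session actually runs as, queries such as the following can be used. This is an added example, not part of the original documentation: it reuses the user names from Database Setup, relies on the standard PROXY_USERS and SESSION_ROLES dictionary views and SYS_CONTEXT('USERENV', ...), and assumes part 1 is run by a user who can read PROXY_USERS (for example, a DBA).

```sql
-- Part 1: run as an administrator.
-- List every user the IAM-authenticated proxy user may connect through to.
--   AUTHENTICATION = 'YES' -> the grant carries AUTHENTICATION REQUIRED
--   FLAGS                  -> which client roles the proxy may activate
-- With both grants from steps 3 and 4 in place, this returns two rows.
SELECT proxy, client, authentication, flags
FROM   proxy_users
WHERE  proxy = 'PROXY_USER_IAM'   -- unquoted names are stored in uppercase
ORDER  BY client;

-- Number of proxy clients mapped to the proxy user. Option 3 (auto-detect)
-- selects a client automatically only when exactly one is found.
SELECT COUNT(*) AS mapped_clients
FROM   proxy_users
WHERE  proxy = 'PROXY_USER_IAM';

-- Remove a mapping that should not exist (uncomment to use):
-- ALTER USER proxy_client1 REVOKE CONNECT THROUGH proxy_user_iam;

-- Part 2: run inside the session opened by the Database Tools connection.
-- PROXY_USER should be PROXY_USER_IAM and SESSION_USER the proxy client.
SELECT SYS_CONTEXT('USERENV', 'PROXY_USER')             AS proxy_username,
       SYS_CONTEXT('USERENV', 'SESSION_USER')           AS session_username,
       SYS_CONTEXT('USERENV', 'AUTHENTICATED_IDENTITY') AS authenticated_identity,
       SYS_CONTEXT('USERENV', 'AUTHENTICATION_METHOD')  AS authentication_method
FROM   dual;

-- Roles enabled in the proxied session. For proxy_client2 this should list
-- only the roles named in the WITH ROLE clause (and roles granted to them).
SELECT role
FROM   session_roles
ORDER  BY role;
```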

For more information about IAM authentication and proxy authentication, see Authenticating and Authorizing IAM Users for Oracle AI Database.