Oracle APEX 18.1 Social Sign-In google

jmarc
jmarc Member Posts: 399 Bronze Badge
edited Jun 11, 2018 4:48AM in APEX Discussions

hello,

for apex.oracle.com, the Google Social Sign-In gives the error:

pastedImage_0.png

it works with apexea.oracle.com

regards

jm

Answers

  • Christian Neumueller-Oracle
    Christian Neumueller-Oracle Member Posts: 844 Employee
    edited Apr 23, 2018 11:53AM

    Hi JM,

    on apex.oracle.com, we are white-listing URLs for REST access and this URL was not yet in the list. Can you please try again?

    Regards,

    Christian

  • jmarc
    jmarc Member Posts: 399 Bronze Badge
    edited Apr 23, 2018 12:05PM

    hello christian,

    yes it works now.

    i have the same issue with microsoft account

    pastedImage_0.png

    best regards

    jm

  • Christian Neumueller-Oracle
    Christian Neumueller-Oracle Member Posts: 844 Employee
    edited Apr 23, 2018 12:15PM Accepted Answer

    Hi JM,

    I just added https://login.microsoftonline.com, too.

    Regards,

    Christian

  • jmarc
    jmarc Member Posts: 399 Bronze Badge
    edited Apr 23, 2018 12:31PM

    hello christian,

    it works perfect now.

    best regards

    jean-marc

  • partlycloudy
    partlycloudy Member Posts: 8,052 Silver Trophy
    edited May 17, 2018 10:16PM

    @Christian Neumueller-Oracle I followed the instructions here (changing the callback to apex.oracle.com instead of apexea.oracle.com of course) to set up Google authentication for application 47682 on apex.oracle.com and I get the Google login screen and I pick my account but APEX throws an error

    An unexpected internal application error has occurred. Please get in contact with your system administrator and provide reference# for further investigation.

    Am I doing something wrong or is this not supported on apex.oracle.com?

    Thanks

  • Christian Neumueller-Oracle
    Christian Neumueller-Oracle Member Posts: 844 Employee
    edited May 18, 2018 5:08AM

    Hi Vikas,

    debug output shows this

    JSON POST https://www.googleapis.com/oauth2/v4/token request got HTTP status 401

    {
      "error": "invalid_client",
      "error_description": "Unauthorized"
    }

    when APEX sends Client ID/Secret to get the access token. I think you must have a typo in the credentials, perhaps additional spaces.

    Regards,

    Christian

  • partlycloudy
    partlycloudy Member Posts: 8,052 Silver Trophy
    edited May 18, 2018 5:43AM

    Yup that's exactly what it was, the secret field is masked so you can't see trailing spaces!

    Follow up question about the Scope attribute in the authentication scheme... The field help says to use profile,email and to use APEX_JSON.GET_* in the post authentication procedure to get data. Not sure I understand what this means. Can you please explain how this works with an example? I'm guessing it's a mechanism to read some data elements from the user's Google profile and display them in the APEX application, right? Where does Google document the full list of values and data elements available for this attribute?

  • Christian Neumueller-Oracle
    Christian Neumueller-Oracle Member Posts: 844 Employee
    edited May 18, 2018 6:02AM

    The scope defines what groups of attributes you want to receive from the authentication provider. OpenID standardizes a few and Google implements OpenID. However, you should check out the documentation of the provider for what is available. Enable LEVEL9 in your session to see the returned JSON for debugging.

    Here is an example from one of my test apps:

    • Scope: profile,email,https://www.googleapis.com/auth/gmail.metadata
    • Username attribute: email
    • Post-authentication procedure:
      procedure post_auth is
      begin
        :G_USER_INFO := 'Authenticated via Google. '||chr(10)||
                        'Profile: '||apex_json.get_varchar2('profile')||chr(10)||
                        'Picture: '||apex_json.get_varchar2('picture')||chr(10)||
                        'Email: '||apex_json.get_varchar2('email')||chr(10)||
                        'ID Token: '||apex_json.get_varchar2('id_token')||chr(10)||
                        'Access Token: '||apex_json.get_varchar2('access_token');
      end post_auth;
    • PL/SQL region to query GMail labels (requires gmail.metadata scope)
      declare
          c clob;
      begin
          c := apex_web_service.make_rest_request (
               p_url                  => 'https://www.googleapis.com/gmail/v1/users/'||:APP_USER||'/labels',
               p_http_method          => 'GET',
               p_credential_static_id => 'GOOGLE' );
          htp.p(apex_escape.html(c));
      end;

    The Social Sign-In Authn saves the OAuth2 access token in the session credentials store, so you can make additional REST calls to the authentication provider, like above. However, the access token's lifetime is different than the APEX session lifetime. We have not implemented automatic refresh yet, so once the access token expires, these calls will fail. You can use them to fetch additional data to set up the APEX session, though.

    Google documentation:

    Regards,

    Christian

  • partlycloudy
    partlycloudy Member Posts: 8,052 Silver Trophy
    edited May 18, 2018 6:34AM

    Thanks, that's very helpful. One last question... a) What instance level APEX configuration is needed to allow this? b) What database ACL configuration is needed to allow this?

  • Christian Neumueller-Oracle
    Christian Neumueller-Oracle Member Posts: 844 Employee
    edited May 18, 2018 6:39AM

    Social Sign-In uses APEX_WEB_SERVICE internally (or rather, its implementation package). You have to set up your ACLs in a way that enables call-outs to the Google URLs (accounts.google.com, www.googleapis.com). If you are using the Authorized URLs feature, you need to white-list them, too.

    Regards,

    Christian
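
An added example, not part of the original thread and not Oracle's own code: one way to set up the database ACLs described in the last answer, granting the APEX schema outbound connect only to the two Google hosts on port 443 instead of a wildcard host. It assumes Oracle Database 12c or later, that the APEX 18.1 schema is named APEX_180100, and that it is run by a user allowed to execute DBMS_NETWORK_ACL_ADMIN.

```sql
-- Added example: least-privilege network ACEs for APEX Social Sign-In with Google.
-- Assumptions: Oracle Database 12c+, APEX 18.1 schema APEX_180100, run as a DBA.
declare
    -- Hosts named in the thread for Google sign-in.
    l_hosts     sys.odcivarchar2list := sys.odcivarchar2list(
                    'accounts.google.com',
                    'www.googleapis.com' );
    l_principal constant varchar2(30) := 'APEX_180100'; -- assumed schema name
begin
    for i in 1 .. l_hosts.count loop
        -- One ACE per host, limited to HTTPS (port 443) and to the
        -- 'connect' privilege for the APEX schema only.
        dbms_network_acl_admin.append_host_ace(
            host       => l_hosts(i),
            lower_port => 443,
            upper_port => 443,
            ace        => xs$ace_type(
                              privilege_list => xs$name_list('connect'),
                              principal_name => l_principal,
                              principal_type => xs_acl.ptype_db ) );
    end loop;
    commit;
end;
/

-- Review what the APEX schema may reach. A row with host '*' means
-- call-outs are not restricted to the sign-in provider.
select host, lower_port, upper_port, privilege
  from dba_host_aces
 where principal = 'APEX_180100'
 order by host, privilege;
```

For the Microsoft sign-in mentioned earlier in the thread, the same block applies with login.microsoftonline.com added to the host list.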

This discussion has been closed.