Discussions
Categories
- 381.9K All Categories
- 2.1K Data
- 207 Big Data Appliance
- 1.9K Data Science
- 447.4K Databases
- 220.8K General Database Discussions
- 3.7K Java and JavaScript in the Database
- 23 Multilingual Engine
- 516 MySQL Community Space
- 464 NoSQL Database
- 7.8K Oracle Database Express Edition (XE)
- 2.9K ORDS, SODA & JSON in the Database
- 471 SQLcl
- 3.9K SQL Developer Data Modeler
- 185.9K SQL & PL/SQL
- 20.9K SQL Developer
- 292.7K Development
- 7 Developer Projects
- 124 Programming Languages
- 289.4K Development Tools
- 95 DevOps
- 3K QA/Testing
- 645.5K Java
- 23 Java Learning Subscription
- 36.9K Database Connectivity
- 150 Java Community Process
- 104 Java 25
- 22.1K Java APIs
- 137.8K Java Development Tools
- 165.3K Java EE (Java Enterprise Edition)
- 16 Java Essentials
- 143 Java 8 Questions
- 85.9K Java Programming
- 79 Java Puzzle Ball
- 65.1K New To Java
- 1.7K Training / Learning / Certification
- 13.8K Java HotSpot Virtual Machine
- 94.2K Java SE
- 13.8K Java Security
- 197 Java User Groups
- 24 JavaScript - Nashorn
- Programs
- 243 LiveLabs
- 35 Workshops
- 10.2K Software
- 6.7K Berkeley DB Family
- 3.5K JHeadstart
- 5.8K Other Languages
- 2.3K Chinese
- 166 Deutsche Oracle Community
- 1.2K Español
- 1.9K Japanese
- 225 Portuguese
Oracle APEX 18.1 Social Sign-In google
Answers
-
Christian - After fixing the client secret, I was able to successfully login but now it is throwing the same error. How did you see the debug output? Typically you run the page and click on the Debug link on the dev toolbar but for login issues the page doesn't render. I tried using the LEVEL9 keyword in the debug position and queried apex_debug_messages for messages in the past 1 hour using the SQL Workshop on apex.oracle.com but couldn't see any errors. Help?
-
Since I was using your app for the 1st time, Google displayed a consent page before redirecting back. I used this to enable LEVEL9 debug for the session via Workspace Admin. You could go to a public page first or, for fun, change your app to use multiple authentication schemes for testing. Make APEX Authn the default scheme and Google Authn the secondary, where you enable the new "Switch in Session" attribute. On the APEX login page, add an additional button that redirects to your app's start page and switches authentication, i.e. "f?p=&APP_ID.:1:&APP_SESSION.:APEX_AUTHENTICATION=Google" (where "Google" is your secondary Authn scheme's name).
Regards,
Christian
-
I used this to enable LEVEL9 debug for the session via Workspace Admin.
Ah, I forgot you have keys to the kingdom on the hosted site :-) Turns out that when I pasted your code snippet into the Post Auth. I didn't actually define the G_USER_INFO application item, my bad. But shouldn't this error be clearly logged (no such item) in the LEVEL9 debug messages?
Didn't realize that multiple authentication schemes could be used for an app, very nice feature! Can't wait for the 18.1 GA release!
Thanks
-
https://apex.oracle.com/pls/apex/f?p=47682:18
Hmm G_USER_INFO doesn't contain the profile information, just the ID and Access tokens. I checked my Google account and all looks well. Mind taking a look?
-
No "keys to the kingdom" required for this one :-)
- Open app
-> Google Sign in page shows - In separate tab, go to Workspace Admin > Monitor Activity > Active Sessions
- Select session with "nobody" user and set Debug Level to APEX Trace, then save changes
- In 1st tab, sign in
- In 2nd tab, reload Page Views report
- Click on Debug ID for Authentication Callback request
The additional values are all empty in post_auth because APEX takes a shortcut. Between all the debug gibberish are these lines:
Authenticating via JWT, email="..."
requesting userinfo
Skipping userinfo endpoint, no other user attrs requested and username in JWT
execute_login p_username=>...Based on the declarative information in your authentication scheme, you only need the email address. That is already available in the ID token, which we get back together with the access token. Hence, APEX does not even send the request for additional userinfo data. Just add the other attributes (minus id_token and access_token, they are always available and merged in from the first request) to the "Additional User Attributes", to let APEX know that it needs to make sure that they are populated. I must have copied the post_auth from an older version of that sample app, sorry.
Regards,
Christian
- Open app
-
Very helpful explanation to understand how all this works, appreciate it. I got it all working on my sample application. It authenticates using Google and clicking on the username in the nav bar goes to a page which displays the public profile picture. Very impressive, lots of potential, great work!
I know this is not related to APEX, per se, but if you could indulge me for a little longer...Google has a nice interactive playground to experiment with their various APIs, I find it is a bit faster/easier to play with this to try different APIs instead of digging through APEX debug/trace logs. So, silly question but when I set it up, which API/endpoint are we talking about here that APEX POSTs to get the profile & email?
Thanks
-
Thanks!
The APEX_WEB_SERVICE requests plus request parameters and responses are all in the LEVEL9 debug output. Not sure if you can use the userinfo endpoint https://www.googleapis.com/oauth2/v3/userinfo with the playground app. You could also convert the parsed JSON values back to a session bind variable and display that, e.g. (untested):
apex_json.initialize_clob_output;
apex_json.write(apex_json.g_values);
:MY_JSON_STRING := apex_json.get_clob_output;Regards,
Christian
-
Hi Christian
Your answers are very helpful! Social sign in is a great feature!
I was reading about the Backend-auth in Google Docs here https://developers.google.com/identity/sign-in/web/backend-auth
If I understand this correctly, It says that if you want to store / authenticate the Google signed in user with a backend server (database), you shouldn't just get the user info values returned from the Auth service and store them in the database. Before you store anything from the response you should crosscheck the values (CLIENT_ID etc...) in the id_token with what you have on the backend server. It seems you need another network call after the response via https://www.googleapis.com/oauth2/v3/tokeninfo?id_token= or programmatically, as it explains.
Do we have to do this round trip before storing anything from the response or does the Apex built in social authentication takes care of it?
Many thanks!
Kubilay
-
Hi Kubilay,
APEX does not implement Google's Browser-based login flow. The requests which return the ID token and other user information are sent from the DB server to Google, not from the client. Taken from https://developers.google.com/identity/protocols/OpenIDConnect:
5. Obtain user information from the ID token
An ID Token is a JWT (JSON Web Token), that is, a cryptographically signed Base64-encoded JSON object. Normally, it is critical that you validate an ID token before you use it, but since you are communicating directly with Google over an intermediary-free HTTPS channel and using your client secret to authenticate yourself to Google, you can be confident that the token you receive really comes from Google and is valid. If your server passes the ID token to other components of your app, it is extremely important that the other components validate the token before using it.
Regards,
Christian
