On apex.oracle.com, we are white-listing URLs for REST access and this URL was not yet in the list. Can you please try again?
It works perfectly now.
Christian Neumueller-Oracle, I followed the instructions here (changing the callback to apex.oracle.com instead of apexea.oracle.com, of course) to set up Google authentication for application 47682 on apex.oracle.com. I get the Google login screen and I pick my account, but APEX throws an error:
An unexpected internal application error has occurred. Please get in contact with your system administrator and provide reference# for further investigation.
Am I doing something wrong or is this not supported on apex.oracle.com?
Debug output shows this
JSON POST https://www.googleapis.com/oauth2/v4/token request got HTTP status 401
when APEX sends Client ID/Secret to get the access token. I think you must have a typo in the credentials, perhaps additional spaces.
Yup, that's exactly what it was. The secret field is masked, so you can't see trailing spaces!
Follow up question about the Scope attribute in the authentication scheme... The field help says to use profile,email and to use APEX_JSON.GET_* in the post authentication procedure to get data. Not sure I understand what this means. Can you please explain how this works with an example? I'm guessing it's a mechanism to read some data elements from the user's Google profile and display them in the APEX application, right? Where does Google document the full list of values and data elements available for this attribute?
The scope defines what groups of attributes you want to receive from the authentication provider. OpenID standardizes a few and Google implements OpenID. However, you should check out the documentation of the provider for what is available. Enable LEVEL9 in your session to see the returned JSON for debugging.
Here is an example from one of my test apps:
- Scope: profile,email,https://www.googleapis.com/auth/gmail.metadata
- Username attribute: email
- Post-authentication procedure:
    procedure post_auth is
    begin
        -- read values from the provider's JSON response via apex_json
        :G_USER_INFO := 'Authenticated via Google. '||chr(10)||
                        'ID Token: '||apex_json.get_varchar2('id_token')||chr(10)||
                        'Access Token: '||apex_json.get_varchar2('access_token');
    end post_auth;
- PL/SQL region to query GMail labels (requires gmail.metadata scope):
    declare
        c clob; -- JSON response
    begin
        c := apex_web_service.make_rest_request (
                 p_url                  => 'https://www.googleapis.com/gmail/v1/users/'||:APP_USER||'/labels',
                 p_http_method          => 'GET',
                 p_credential_static_id => 'GOOGLE' );
    end;
The Social Sign-In Authn saves the OAuth2 access token in the session credentials store, so you can make additional REST calls to the authentication provider, like above. However, the access token's lifetime is different than the APEX session lifetime. We have not implemented automatic refresh yet, so once the access token expires, these calls will fail. You can use them to fetch additional data to set up the APEX session, though.
Thanks, that's very helpful. One last question... a) What instance level APEX configuration is needed to allow this? b) What database ACL configuration is needed to allow this?
Social Sign-In uses APEX_WEB_SERVICE internally (or rather, its implementation package). You have to set up your ACLs in a way that enables call-outs to the Google URLs (accounts.google.com, www.googleapis.com). If you are using the Authorized URLs feature, you need to white-list them, too.
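The ACL setup described in the reply above, as an added example that is not part of the original thread: it grants the APEX schema outbound connect on port 443 to only the two Google hosts named there, then lists the resulting entries. Assumptions: a self-managed Oracle Database 12c or later (for APPEND_HOST_ACE), run as a DBA, and APEX 18.1 installed in schema APEX_180100; adjust the schema name to your installation.

```sql
-- Added example, not code from the thread. Run as a DBA user.
declare
    -- Assumption: APEX 18.1 owns its engine in schema APEX_180100.
    c_apex_schema constant varchar2(128) := 'APEX_180100';

    -- Only the hosts the reply names; nothing broader such as '*'.
    type t_hosts is table of varchar2(255);
    l_hosts t_hosts := t_hosts( 'accounts.google.com',
                                'www.googleapis.com' );
begin
    for i in 1 .. l_hosts.count loop
        dbms_network_acl_admin.append_host_ace (
            host       => l_hosts(i),
            lower_port => 443,   -- HTTPS only
            upper_port => 443,
            ace        => xs$ace_type (
                              privilege_list => xs$name_list('connect'),
                              principal_name => c_apex_schema,
                              principal_type => xs_acl.ptype_db ) );
    end loop;
    commit;
end;
/

-- Review what the APEX schema may reach. Any row with host '*' or an
-- open port range is wider than Social Sign-In with Google requires.
select host, lower_port, upper_port, principal, privilege
  from dba_host_aces
 where principal = 'APEX_180100'
 order by host, lower_port;
```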
Christian - After fixing the client secret, I was able to successfully log in, but now it is throwing the same error. How did you see the debug output? Typically you run the page and click on the Debug link on the dev toolbar, but for login issues the page doesn't render. I tried using the LEVEL9 keyword in the debug position and queried apex_debug_messages for messages in the past 1 hour using the SQL Workshop on apex.oracle.com but couldn't see any errors. Help?
Since I was using your app for the 1st time, Google displayed a consent page before redirecting back. I used this to enable LEVEL9 debug for the session via Workspace Admin. You could go to a public page first or, for fun, change your app to use multiple authentication schemes for testing. Make APEX Authn the default scheme and Google Authn the secondary, where you enable the new "Switch in Session" attribute. On the APEX login page, add an additional button that redirects to your app's start page and switches authentication, i.e. "f?p=&APP_ID.:1:&APP_SESSION.:APEX_AUTHENTICATION=Google" (where "Google" is your secondary Authn scheme's name).
> I used this to enable LEVEL9 debug for the session via Workspace Admin.
Ah, I forgot you have keys to the kingdom on the hosted site :-) Turns out that when I pasted your code snippet into the Post Auth., I didn't actually define the G_USER_INFO application item, my bad. But shouldn't this error be clearly logged (no such item) in the LEVEL9 debug messages?
Didn't realize that multiple authentication schemes could be used for an app, very nice feature! Can't wait for the 18.1 GA release!