Thinking Anew

Authenticate using OAuth2 - Now Available in APEX 5.2 EA

ICYMI, early access for Oracle Application Express was opened for workspace requests earlier this month. Like every other APEX fan out there, I was of course eager to get my hands dirty. Guess what was the first upcoming feature I took for a test drive?

You may have read my recent blog post on using SAML2 for enabling single sign-on with cloud platforms like Microsoft Office 365 and Google G Suite. Well, this new authentication scheme available out of the box might just make the prescribed method obsolete. If you’re interested in trying it out yourself, here’s an account of what I needed to do to enable Google sign-on. Hopefully it will provide you with some guidance.

  • The first thing you ought to do is to sign up for a Google account.
  • Next, log in to Google’s Developers console.
  • Create a project in order to enable the APIs you need to perform the OAuth2 login process. Click Create Project (see figure 1).
Figure 1: Create a Project - step 1
  • Click Create (see figure 2) to continue.
Figure 2: Create a Project - step 2
  • Enter a project name and then click Create to complete the process.
Figure 3: Create a Project - step 3
  • Once the project is created, you will be returned to the console dashboard, and the new project should be selected automatically. You should see this at the top-left of the page, right next to the Google APIs page banner.
Figure 4: Console dashboard with project selected
  • Click the third link, Credentials, and then choose to create an OAuth client ID credential.
Figure 5: Create an OAuth client ID credential
  • Next, click Configure consent screen.
Figure 6: Configure the consent screen first
  • Enter a product name and then click Save at the bottom of the page.
Figure 7: Enter the product name
  • When returned to the previous page, select Web application. Additional fields will be displayed.
  • Enter the Name of the application and enter https://apexea.oracle.com/pls/apex/apex_authentication.callback under the list of Authorized redirect URIs.
  • Click Create.
Figure 8: Create the client ID
  • Take note of the client ID and client secret and then click OK to close the modal dialog.
  • Return to the APEX App Builder and create an application.
  • Go to Shared Components and then click Credentials.
Figure 9: Manage Credentials
  • Click Create.
Figure 10: Create a Credential
  • Enter a name for the credential you are about to store.
  • Select the OAuth2 Client Credentials Flow for the Authentication Type.
  • Enter the Client ID and Client Secret obtained from the Google Developers console.
  • Click Create.
Figure 11: Set up the Credential
  • Create a new Authentication Scheme.
  • Select Social Sign-In for the Scheme Type.
  • Select the credential you created earlier and then Google for the Authentication Provider.
  • Enter profile,email in the Scope field, and email for the Username Attribute.

The email address of the user will be the username (a.k.a. APP_USER) in your APEX application.

Figure 12: Create the Social Sign-In authentication scheme

Run the application. If everything was configured correctly, you will be prompted to log in with your (any) Google Account.

Figure 13: Login with a Google Account

Figure 14: Application Homepage
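What the settings from the steps above amount to on the wire, as an added Python example that is not code from this post or from APEX: it checks the callback URL against the authorized redirect URIs, builds the authorization request from the Scope field, and picks the username out of the user-info response. It assumes the standard OAuth 2.0 authorization-code flow against Google's authorization endpoint; the function names, the client ID placeholder, the sample response and the `email_verified` check are this example's own.

```python
import hmac
from urllib.parse import urlencode, urlsplit

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
CALLBACK_PATH = "apex_authentication.callback"  # path from the redirect URI above
# Constructed sample of a user-info response for the scopes profile,email.
SAMPLE_USERINFO = {"name": "Pat Example", "email": "pat@example.com", "email_verified": True}

def callback_url(apex_base):
    """Callback URL for an APEX base URL such as https://host/pls/apex."""
    return apex_base.rstrip("/") + "/" + CALLBACK_PATH

def check_redirect(apex_base, registered):
    """List problems with this instance's callback URL."""
    url, problems = callback_url(apex_base), []
    if urlsplit(url).scheme != "https":
        problems.append("callback is not https")
    if url not in registered:  # Google matches redirect URIs as exact strings
        problems.append(url + " is not an authorized redirect URI")
    return problems

def authorization_url(client_id, apex_base, scope_field, state):
    """Authorization-code request built from the scheme's settings."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": callback_url(apex_base),
        # The Scope field is comma-separated; OAuth 2.0 sends scopes space-separated.
        "scope": " ".join(s.strip() for s in scope_field.split(",") if s.strip()),
        "state": state,
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)

def state_matches(sent, returned):
    """The callback must echo the state value sent in the request."""
    return bool(returned) and hmac.compare_digest(sent, returned)

def app_user(userinfo, username_attribute="email"):
    """Pick the username out of the provider's user-info response."""
    value = userinfo.get(username_attribute)
    if not value:
        raise ValueError("no %r attribute; is its scope requested?" % username_attribute)
    # Extra check in this example: refuse an address Google has not verified.
    if username_attribute == "email" and userinfo.get("email_verified") is not True:
        raise ValueError("email address not verified by the provider")
    return value
```

A trailing slash or an `http` scheme on the registered URI is enough for `check_redirect` to report a mismatch, which is the usual cause of a rejected redirect.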

You might observe that the application’s logout link has no effect. However, take a closer look and you will see that the session identifier changes. Logging out only terminates your APEX session, but since your Google sign-on session is still valid, you are automatically authenticated back into the application. To ensure a proper logout, set the post-logout URL. For Google, this is https://account.google.com/logout.

Figure 15: Set the Post-Logout URL

Unfortunately, Google does not allow post-logout, third-party site redirects, so users will need to re-enter your site’s URL to access the application.

In the absence of official documentation, this is my best guess on how to set this up. As we progress towards the final release, we should get better clarity on the correctness of this article.

Meanwhile, HAPPY NEW YEAR and HAPPY AUTHENTICATING!