3.4.7.3.7 Editing Social Sign-In

Edit the Social Sign-In authentication scheme for an instance.

Social Sign-In supports authentication with Google, Facebook, and other social networks and enterprise identity providers that support OpenID Connect or OAuth2 standards.

To edit Social Sign-In:

  1. Sign in to APEX Administration Services.
  2. Click Manage Instance.
  3. Under Instance Settings, click Security.
  4. Scroll down to Development Environment Authentication Schemes.
    The Status column indicates the authentication scheme designated as Current.
  5. Find Social Sign-In and click Edit.
    The Edit Scheme page appears.
  6. Click Make Current Scheme to have applications identify and verify the user using this authentication scheme.
  7. Under Edit Authentication Scheme:
    • PL/SQL Code - Enter a PL/SQL anonymous block of code that contains procedures for pre- and post-authentication entry points. To improve performance, you can also store this code in a PL/SQL package in the database.
    • Pre-Authentication Procedure Name - Specify the name of a procedure to be executed after the login page is submitted and just before credentials verification is performed. The procedure can be defined in the PL/SQL Code attribute or within the database.

      Authentication schemes where user credentials checking is done outside of APEX typically do not execute the Pre-Authentication procedure. Examples include HTTP Header Variable, Oracle Application Server Single Sign-On, and custom authentication schemes that use APEX_AUTHENTICATION.POST_LOGIN instead of APEX_AUTHENTICATION.LOGIN.

    • Post-Authentication Procedure Name - Specify the name of a procedure to be executed by the APEX LOGIN procedure after the authentication step (login credentials verification). The LOGIN procedure will execute this code after it performs its normal duties, which include setting a cookie and registering the session, but before it redirects to the desired application page. The procedure can be defined in the PL/SQL Code attribute or within the database.
  8. Under OAuth2 Credentials:
    • Client ID - Enter the client ID of your authentication provider.
    • Client Secret - Enter the client secret of your authentication provider.
    • Confirm Client Secret - Enter the client secret of your authentication provider.
  9. Under Authentication Scheme Attributes:

    Tip:

    To learn more about an attribute, see field-level Help.
    • Authentication Provider - Select a provider.
    • Discovery URL - Enter the OpenID Connect provider's discovery URL. Example:

      https://accounts.example.com/.well-known/openid-configuration

    • Scope - Enter a comma-separated list of permissions to request for the user who is logging in. The acceptable values depend on your authentication provider. For OpenID Connect and Google, APEX automatically adds the "openid" scope. The authentication provider returns user attributes based on these permissions. You can use a Post-Authentication procedure to process these attributes, using the APEX_JSON.GET_% functions.
    • Authentication URI Parameters - Enter optional parameters for the authentication URI. Consult the authentication provider's documentation for supported parameters.
    • Username Attribute - Enter the attribute which contains the username. Consult the authentication provider's documentation for supported attributes.
    • Verify Username - If enabled, APEX will look for an attribute "#username#_verified" (for example, "email_verified" for Username Attribute "email"). If that attribute is set to false, the username will not be accepted.
    • Additional User Attributes - Enter a comma-separated list of additional user data attributes. Consult the authentication provider's documentation for supported attributes.
    • Logout URL - Use this attribute to specify a URL to log out from your authentication provider. For OpenID Connect, APEX automatically uses the end_session endpoint, if that is defined in the Discovery URL. For others, you can use #ID_TOKEN# and #REDIRECT_URI# in the URL, to substitute the ID token that was returned when logging in and the full URL to /apex on your instance (for example, https://www.example.com/apex/apex). Note that the redirect URI often has to be registered with your authentication provider.
  10. To save your changes, click Apply Changes.
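
Added example, not part of the Oracle documentation or of APEX itself: a Python pre-flight check that compares the values planned for Discovery URL, Scope, Username Attribute, and Verify Username against a provider's discovery document before they are entered in step 9. The metadata keys are standard OpenID Connect Discovery fields; the function name preflight, the finding strings, and the sample metadata are constructed for illustration.

```python
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

def preflight(discovery_url, doc, scope, username_attr, verify_username=True):
    """Return findings for planned Social Sign-In settings; empty list = none."""
    findings = []
    if urlsplit(discovery_url).scheme != "https":
        findings.append("discovery URL is not https")
    # OpenID Connect Discovery: issuer + well-known suffix must equal the URL used.
    if doc.get("issuer", "").rstrip("/") + WELL_KNOWN != discovery_url:
        findings.append("issuer does not match discovery URL")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if urlsplit(doc.get(key, "")).scheme != "https":
            findings.append(f"{key} missing or not https")
    # Per the page, APEX uses the end_session endpoint only if discovery defines it.
    if "end_session_endpoint" not in doc:
        findings.append("no end_session_endpoint: enter a Logout URL")
    # The Scope field is comma separated; APEX adds "openid" automatically.
    wanted_scopes = {"openid"} | {s.strip() for s in scope.split(",") if s.strip()}
    supported_scopes = doc.get("scopes_supported")  # optional metadata
    if supported_scopes is not None:
        for s in sorted(wanted_scopes - set(supported_scopes)):
            findings.append(f"scope not advertised: {s}")
    # Verify Username looks for "<username attribute>_verified".
    wanted_claims = {username_attr} | (
        {username_attr + "_verified"} if verify_username else set())
    supported_claims = doc.get("claims_supported")  # optional metadata
    if supported_claims is not None:
        for c in sorted(wanted_claims - set(supported_claims)):
            findings.append(f"claim not advertised: {c}")
    return findings

# Constructed sample metadata for the page's example Discovery URL.
URL = "https://accounts.example.com" + WELL_KNOWN
GOOD = {
    "issuer": "https://accounts.example.com",
    "authorization_endpoint": "https://accounts.example.com/authorize",
    "token_endpoint": "https://accounts.example.com/token",
    "jwks_uri": "https://accounts.example.com/keys",
    "end_session_endpoint": "https://accounts.example.com/logout",
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "email", "email_verified", "name"],
}
# Constructed failing case: wrong issuer, no logout endpoint, no email_verified.
BAD = {**GOOD, "issuer": "https://login.example.net",
       "claims_supported": ["sub", "email"]}
BAD.pop("end_session_endpoint")

print(preflight(URL, BAD, "profile,email", "email"))
```

A provider that omits scopes_supported or claims_supported is not flagged for them, because both fields are optional in discovery metadata.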