20.4.3.10 Social Sign-In

Social Sign-In supports authentication with Google, Facebook, and any other social network or identity provider that supports the OpenID Connect or OAuth2 standards.

20.4.3.10.1 About Social Sign-In

Social Sign-In authentication is primarily useful for the following use cases:

  • Your application is internet facing and you expect an unknown number of users from social networks to use your application.

  • Your company has standardized on one of these identity providers for authentication: Oracle Identity Cloud Service, or an internal OpenID Connect or OAuth2 provider.

    Because these identity providers only verify user credentials, anyone who can register an account with the provider can log in to your application. Authentication alone does not restrict access; use authorization schemes to control what an authenticated user may do.

When registering your application with the identity provider, you need to use the full URI for one of the predefined Oracle Application Express callback URLs. Register it exactly as the browser reaches it (scheme, host, port and path), because the provider compares the redirect URI sent during login against the registered value. For example, suppose your application URI is:
https://www.example.com/apex/f?p=100

Then, you can register one of the following:

https://www.example.com/apex/apex_authentication.callback

or

https://www.example.com/apex/apex_authentication.callback2

Social network authentication providers store a multitude of information about users. You can configure the Social Login authentication scheme to request this information, using the Scope attribute (see Item Help). In the authentication scheme's Post-Authentication procedure, you can access this information using APEX_JSON.GET_% function calls.

You can use multiple authentication schemes in your application, to support more than one Social Login provider and other schemes.

See Also:

"Authorization" for the authentication scheme attribute Switch in Session for details.

20.4.3.10.2 Setting Up Social Sign-In Authentication

Note:

As a prerequisite for creating the Social Sign-In authentication scheme, you have to request OAuth2 credentials (Client ID and Client Secret) from the authentication provider and configure your account there to allow redirects to your application's callback URL. Check your authentication provider's documentation for the details. The steps below assume that this has been done and that you saved the OAuth2 credentials in a credential store in the application's shared components.

To set up Social Sign-In Authentication:

  1. On the Workspace home page, click the App Builder icon.
  2. Select an application.
  3. On the Application home page, click Shared Components.

    The Shared Components page appears.

  4. Under Security, select Authentication Schemes.
  5. On the Authentication Schemes page, click Create.
  6. Select Based on a pre-configured scheme from the gallery and click Next.
  7. Under Name:
    1. Name - Enter the name used to reference the authentication scheme by other application developers.
    2. Scheme Type - Select Social Sign-In.
  8. Under Settings:
    1. Credential Store - Select the credential store which contains Client ID and Secret for the Authentication Provider.
    2. Authentication Provider - Options include:
      • OpenID Connect Provider - Use an OpenID Connect based authentication provider. You have to enter the provider's OpenID Discovery URL below.

      • Generic OAuth2 Provider - Use an OAuth2 authentication provider. You have to enter URLs for the authorization, token and userinfo endpoints below.

      • Google - Use pre-defined settings for Google Login.

      • Facebook - Use pre-defined settings for Facebook Login.

    3. Discovery URL - Enter the OpenID Connect provider's discovery URL.

      Example:

      https://accounts.example.com/.well-known/openid-configuration

    4. Scope - Enter a comma-separated list of permissions to request for the user who is logging in. The acceptable values depend on your authentication provider. For OpenID Connect and Google, Application Express automatically adds the "openid" scope. The authentication provider returns user attributes based on these permissions. You can map the attributes to application items, or use a Post-Authentication procedure to process them, using the APEX_JSON.GET_% functions.

      OpenID Connect scopes and attributes (also called claims) are listed here: https://openid.net/specs/openid-connect-basic-1_0.html#Scopes

      Examples:

      email,profile

    5. Authentication URI Parameters - Enter optional parameters for the authentication URI. Consult the authentication provider's documentation for supported parameters.
      Example:

      prompt=consent

    6. Username - Enter the attribute which contains the username, or free text with one or more attribute substitutions that are enclosed by "#". You can reference the authentication scheme's name with #APEX_AUTH_NAME#. For example, #email# (#APEX_AUTH_NAME#) will result in a username that consists of the email address, followed by " (", followed by the authentication scheme name, followed by ")", like "jane.doe@example.com (Google)".

      Consult the authentication provider's documentation for supported attributes. Note that you need to set the required Scope, otherwise the authentication provider will not send all attributes. OpenID Connect scopes and attributes (also called claims) are listed here: https://openid.net/specs/openid-connect-basic-1_0.html#Scopes

      The "sub" claim is the provider's stable, unique identifier for the user. Unlike an email address, it cannot be chosen or changed by the user, which makes it the safer choice for the username attribute.

      Examples:

      #sub# (#APEX_AUTH_NAME#)

    7. Convert Username To Upper Case - Configure whether the attribute values for the username should be converted to upper case.
    8. Additional User Attributes - Enter a comma-separated list of additional user data attributes.

      Consult the authentication provider's documentation for supported attributes. Note that you need to set the required Scope, otherwise the authentication provider will not send all attributes. OpenID Connect scopes and attributes (also called claims) are listed here:

      https://openid.net/specs/openid-connect-basic-1_0.html#Scopes

    9. Map Additional User Attributes - Provide a comma-separated list of application item names that the Additional User Attributes map to.

      For example, if you set the following attributes, then Application Express automatically saves the attribute values in session state for the corresponding items:

      • Additional User Attributes - email,profile,picture

      • Map Additional User Attributes To - G_EMAIL,G_PROFILE,G_PICTURE

    10. Verify Attributes - If enabled, Application Express looks for an attribute "#name#_verified" (for example, "email_verified" for the attribute "email"). OpenID Connect defines that the identity provider sends "#name#_verified":false when it has not verified the "email" or "phone_number" attribute. Application Express ignores such unverified attributes; if "#name#" is the Username attribute, the authentication fails. Without this check, an identity provider that lets users enter unverified data which the application uses for authentication would allow an attacker to register with another user's email address and impersonate that user in the application.
  9. Click Create Authentication Scheme.
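The following is an added example, not taken from the Oracle documentation or the APEX product code, of a Post-Authentication procedure for a Social Sign-In scheme. It reads the userinfo claims that Application Express parsed into the APEX_JSON default context, applies the same rule as the Verify Attributes check to the "email" claim, and copies only trusted values into application items. The function and procedure names, the application items G_EMAIL and G_PICTURE, and the assumption that the scheme's Scope contains email,profile (so that the provider returns these claims) are all assumptions made for the example.

```plsql
-- Added example; not part of the Oracle documentation or the APEX code base.
-- Helper mirroring the Verify Attributes rule: return the claim value only
-- if the provider also sent "<name>_verified": true. A missing flag counts
-- as unverified, because an absent flag proves nothing.
create or replace function verified_claim (
    p_name in varchar2 )
    return varchar2
is
    l_verified boolean;
begin
    l_verified := apex_json.get_boolean(p_path => p_name || '_verified');
    if l_verified then                  -- null (absent) and false both fall through
        return apex_json.get_varchar2(p_path => p_name);
    end if;
    return null;
end verified_claim;
/

-- Post-Authentication procedure (assumed name) to register in the scheme.
-- Assumes application items G_EMAIL and G_PICTURE exist and that the
-- scheme's Scope includes email,profile so the provider sends these claims.
create or replace procedure post_auth_capture_claims
is
    l_email varchar2(4000);
begin
    l_email := verified_claim('email');

    if l_email is null then
        -- Do not trust an address the provider has not confirmed. Leave the
        -- item empty so that authorization code cannot key on it.
        apex_debug.warn(
            'Social Sign-In: email claim missing or unverified for sub=%s',
            apex_json.get_varchar2(p_path => 'sub'));
    end if;
    apex_util.set_session_state(p_name => 'G_EMAIL', p_value => l_email);

    -- "picture" has no *_verified counterpart in OpenID Connect and is only
    -- cosmetic, so it is copied as sent.
    apex_util.set_session_state(
        p_name  => 'G_PICTURE',
        p_value => apex_json.get_varchar2(p_path => 'picture'));
end post_auth_capture_claims;
/

-- Stand-alone check in SQL Workshop, without any provider: parse a
-- constructed userinfo document into the default APEX_JSON context and
-- exercise the helper on an unverified and on a verified address.
declare
    l_value varchar2(4000);
begin
    -- constructed sample: address present, but the provider did not verify it
    apex_json.parse(p_source =>
        '{"sub":"1234567890","email":"jane.doe@example.com",' ||
        '"email_verified":false,"picture":"https://example.com/jane.png"}');
    l_value := verified_claim('email');   -- must be rejected (null)

    -- constructed sample: same address, verified by the provider
    apex_json.parse(p_source =>
        '{"sub":"1234567890","email":"jane.doe@example.com","email_verified":true}');
    l_value := verified_claim('email');   -- accepted
end;
/
```

Enter post_auth_capture_claims as the scheme's Post-Authentication Procedure Name. The helper deliberately treats a missing "_verified" flag like false: a provider that never sends the flag gives you no evidence that the address belongs to the person who typed it, so the value should not be used as a key for anything security-relevant.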