Oracle APEX Social Sign-In with Microsoft Azure

My co-worker Adrian Png has written a few great posts on social sign-in with APEX. I'd like to provide a quick cookbook with some interesting details here. If you get a chance, take a look at Adrian's posts:
fuzziebrain.com/content/id/1709
fuzziebrain.com/content/id/1711

Here is the quick cookbook.

Let's assume your APEX url is
myapex.com/ords

Log in to the Azure application registration portal
apps.dev.microsoft.com
(that was the Application Registration Portal when this was written; the same registration is now done under App registrations in the Azure portal, where the fields below have the same meaning)

and click "Add an app"

Enter a name and click "Create"

Click "Generate New Password"

COPY THAT PASSWORD! You won't have another chance!
hbUChicago1990){(upzadLTF3%

While you're at it, grab the application ID:
dbf9c4ac-a7d1-4885-84c4-5b80777703f3

(Careful readers may see that I altered the secret and application ID in the text. I never saved the pic above on Azure, but figured I'd change it in the text anyway.)

Click "Add Platform" and choose Web

Enter
Redirect URLs
myapex.com/ords/apex_authentication.callback

And here is the catch: the logout URL can NOT contain a ?. I tried several times to use something like this:
myapex.com/ords/f?p=logout
and I got a very vague error when trying to save:

There's a temporary problem

There's a temporary problem with the service. Please try again. If you continue to get this message, try again later.

Error Info: Thu, 31 Jan 2019 21:51:42 GMT | 8H3Ce | /P35Z

The error message gives no hint, but the cause is the ? in the logout URL. So you need a logout URL with no query string. I used an Apache rewrite rule, which lets me give Azure this:
myapex.com/logmeout
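As an added example (not the author's actual configuration), here is a mod_rewrite rule that gives Azure a logout URL without a ? and redirects it to an APEX URL that has one. The /ords/f?p=logout target is the placeholder the post uses; put your application's real logout URL there. In a RewriteRule substitution, everything after the ? becomes the new query string, so no extra flag is needed.

```apache
# Added example, not the post's own config. Assumes APEX is served by this
# Apache virtual host (or proxied through it) under /ords.
<VirtualHost *:443>
    ServerName myapex.com
    RewriteEngine On
    # Azure will only save a logout URL with no query string, so it gets
    # /logmeout; the browser is then redirected (302) to the APEX logout
    # URL, which may carry whatever query string APEX needs.
    RewriteRule ^/logmeout$ /ords/f?p=logout [R=302,L]
</VirtualHost>
```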

Add a home page url if you want:
myapex.com/ords/f?p=myapp

Scroll to the bottom and save your changes.

At this point the Microsoft side is functional, but each user will see a notice asking whether they consent to share some profile information with the application. That is no big deal, but you can avoid the prompt by having an administrator consent on behalf of everyone in the organization. There is certainly a way to do that within the Azure admin UI...well, I would guess there is, but I couldn't find it. I did discover this method, though. Go to the following URL:

login.microsoftonline.com/common/adminconse..

in our example

login.microsoftonline.com/common/adminconse..

log in as an admin and consent.

OK, on to the APEX installation portion.

Here's an important item: the client secret (or password) that we got from the application registration is hbUChicago1990){(upzadLTF3%. That's a great secret, but it won't work if you paste it into APEX exactly as you see it. You'll get the following error:

AADSTS50012: Invalid client secret is provided. Trace ID: 830c95a3-9bb7-9de1-8a22dcca1600 Correlation ID: 572ef7ea--4329-9674-9e9e3468982a Timestamp: 2019-01-15 22:05:41Z

The problem is that the secret contains a % (the escape character of URL encoding), so sent as-is in the token request it is not a valid URL-encoded value. The value you store needs to be URL-encoded. So, let's do that first.

Log into the APEX builder and navigate to SQL Workshop > SQL Commands and do what needs to be done:

select apex_util.url_encode('hbUChicago1990){(upzadLTF3%') the_stuff
from dual

That's the stuff:

hbUChicago1990)%7B(upzadLTF3%25

Now navigate to App Builder > Workspace Utilities > Web Credentials and create a credential of type OAuth2 Client Credentials Flow, with the application ID as the client ID and the encoded string as the client secret.

I put the secret in the comments so you can see it. (The comment field is plain text, not a secret store; leave it empty in a real deployment.)

Almost there. Now go to your application and create an authentication scheme.

Name: Your Choice
Scheme Type: Social Sign-In
Credential Store: MyAppAzure (the one you created)
Authorization Endpoint URL: login.microsoftonline.com/common/oauth2/v2...
Token Endpoint URL: login.microsoftonline.com/common/oauth2/v2...
User Info Endpoint URL: graph.microsoft.com/v1.0/me
Scope: User.Read
Username Attribute: userPrincipalName

Note that common accepts sign-in from every account type the app registration allows, which can include users of other tenants and personal Microsoft accounts. To limit sign-in to your own directory, use your tenant ID (or a verified domain of the tenant) in place of common in both endpoint URLs.

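As an added example (not code from the post, from APEX or from Microsoft), here is the authorization-code exchange that the scheme above drives, reduced to its string handling so it runs offline. It assumes the full v2.0 endpoint paths /oauth2/v2.0/authorize and /oauth2/v2.0/token (the post truncates them), constructs its own sample Graph /me response, and names every helper itself; the application ID and secret are the post's altered values. It also shows why the secret had to be URL-encoded: the token request body is form-encoded, a decoder that refuses malformed escapes rejects the raw secret's trailing %, and the encoded form decodes back to the original. apex_url_encode reproduces the apex_util.url_encode result shown earlier, and the tenant parameter shows the common-versus-tenant choice from the note above.

```python
"""Azure AD v2.0 authorization-code flow as the APEX Social Sign-In scheme
performs it, reduced to pure string handling so it runs offline.
Added example; helper names and the full endpoint paths are assumptions."""
import json
import re
import secrets
from urllib.parse import parse_qs, quote, unquote_plus, urlencode, urlparse

# Values taken from the post (the author altered both before publishing).
CLIENT_ID = "dbf9c4ac-a7d1-4885-84c4-5b80777703f3"
CLIENT_SECRET = "hbUChicago1990){(upzadLTF3%"
REDIRECT_URI = "https://myapex.com/ords/apex_authentication.callback"
SCOPE = "User.Read"
# Assumption: the full v2.0 endpoint prefix that the post's URLs truncate.
AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"


def authority(tenant="common"):
    """'common' takes any account the registration allows; a tenant ID or
    verified domain restricts sign-in to that one directory."""
    return AUTHORITY.format(tenant=tenant)


def apex_url_encode(value):
    """Encode like APEX_UTIL.URL_ENCODE (and JavaScript encodeURIComponent):
    only A-Z a-z 0-9 - _ . ! ~ * ' ( ) pass through unescaped."""
    return quote(value, safe="!*'()")


def strict_form_decode(value):
    """Decode one form field but reject malformed escapes (a '%' not followed
    by two hex digits) instead of passing them through the way Python's
    unquote does.  The raw secret, which ends in '%', fails here."""
    if not re.fullmatch(r"(?:[^%]|%[0-9A-Fa-f]{2})*", value):
        raise ValueError("malformed percent-escape in form value")
    return unquote_plus(value)


def authorize_url(state, tenant="common"):
    """Step 1: where the browser is redirected.  'state' must be unguessable
    and re-checked on the callback, or a foreign login can be injected."""
    params = {"client_id": CLIENT_ID, "response_type": "code",
              "redirect_uri": REDIRECT_URI, "scope": SCOPE, "state": state}
    return f"{authority(tenant)}/authorize?{urlencode(params)}"


def parse_callback(url, expected_state):
    """Step 2: the redirect back to apex_authentication.callback."""
    q = parse_qs(urlparse(url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to our request")
    if "error" in q:
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    return q["code"][0]


def token_request(code, tenant="common"):
    """Step 3: the back-channel POST made from the database.  The body is
    application/x-www-form-urlencoded, so every field, the secret included,
    must be percent-encoded; this is where an unencoded secret fails."""
    fields = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
              "grant_type": "authorization_code", "code": code,
              "redirect_uri": REDIRECT_URI, "scope": SCOPE}
    return f"{authority(tenant)}/token", urlencode(fields, safe="!*'()")


def username_from_userinfo(body, attribute="userPrincipalName"):
    """Step 4: GET graph.microsoft.com/v1.0/me with the access token; the
    configured Username Attribute becomes the APEX username."""
    data = json.loads(body)
    if attribute not in data:
        raise KeyError(f"user info response has no {attribute!r}")
    return data[attribute]


# Constructed sample of a Graph /v1.0/me response (not captured traffic).
SAMPLE_ME = json.dumps({"id": "0000-0000", "displayName": "Ada Example",
                        "userPrincipalName": "ada@myapex.com", "mail": None})

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(authorize_url(state))
    code = parse_callback(f"{REDIRECT_URI}?code=AUTH_CODE_123&state={state}", state)
    url, body = token_request(code)
    print(url, body)
    print(username_from_userinfo(SAMPLE_ME))
```

Running the script prints the authorize URL, the token endpoint with its form body (the client_secret field reads hbUChicago1990)%7B(upzadLTF3%25, the same string apex_util.url_encode produced), and the username picked from the sample response.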
You might be done...if the Oracle wallet the database uses for outbound HTTPS already trusts the CA that issued the certificate for graph.microsoft.com (and for login.microsoftonline.com, which the token exchange calls from the database as well). If not, get your DBA to add the CA certificate chain for those hosts to the Oracle wallet.

The other option is to follow Adrian's post (link at the top) to use a reverse proxy instead.

That does it!