Google Sign-In (SSO) with Oracle APEX: Full Step-by-Step Integration
This guide walks through every single step of wiring up Google Sign-In for an Oracle APEX app on apex.oracle.com — starting from creating the Google Cloud project, all the way through configuring the APEX Authentication Scheme. No steps are combined or skipped.
🏗️ Architecture Overview
User BrowserClicks "Sign in with Google"
→
APEX AppRedirects to Google OAuth2
→
Google Consent ScreenUser authenticates
→
APEX Callback URLapex_authentication.callback
→
APEX Session CreatedUser logged into app
Part 1 — Google Cloud Console
PROJECT SETUP1
Sign in to Google Cloud Console
Go to
Go to
console.cloud.google.com and sign in with the Google account that will own this OAuth integration.2
Create a new project
Click the project dropdown (top bar) → New Project → give it a name (e.g.
Click the project dropdown (top bar) → New Project → give it a name (e.g.
apex-google-sso) → Create. Wait for the project to finish provisioning, then select it.3
Open OAuth consent screen settings
Left menu → APIs & Services → OAuth consent screen.
Left menu → APIs & Services → OAuth consent screen.
4
Choose User Type
Select External (unless this app is strictly for internal Google Workspace users, in which case choose Internal) → Create.
Select External (unless this app is strictly for internal Google Workspace users, in which case choose Internal) → Create.
5
Fill in App Information
Enter App name, User support email, and Developer contact email. Save and continue.
Enter App name, User support email, and Developer contact email. Save and continue.
6
Add scopes
Click Add or Remove Scopes → select
Click Add or Remove Scopes → select
openid, .../auth/userinfo.email, and .../auth/userinfo.profile → Update → Save and continue.7
Add test users (if app is in Testing status)
Add the Google account emails of anyone who needs to log in while the app isn't published/verified. Save and continue.
Add the Google account emails of anyone who needs to log in while the app isn't published/verified. Save and continue.
8
Open Credentials
Left menu → APIs & Services → Credentials.
Left menu → APIs & Services → Credentials.
9
Create OAuth Client ID
Click Create Credentials → OAuth client ID → Application type: Web application → name it (e.g.
Click Create Credentials → OAuth client ID → Application type: Web application → name it (e.g.
APEX Google SSO).10
Add the Authorized redirect URI
Under Authorized redirect URIs, click Add URI and enter:
Under Authorized redirect URIs, click Add URI and enter:
https://apex.oracle.com/pls/apex/apex_authentication.callback
11
Save and copy credentials
Click Create. A dialog shows your Client ID and Client Secret — copy both somewhere safe; you'll need them in APEX next.
Click Create. A dialog shows your Client ID and Client Secret — copy both somewhere safe; you'll need them in APEX next.
Note: If unsure of your exact host, run any page of your app, copy the URL up through the
/apex/ (or /ords/) segment, and append apex_authentication.callback.
Part 2 — Oracle APEX Workspace
WEB CREDENTIAL12
Open Web Credentials
In App Builder, go to Workspace Utilities → Web Credentials.
In App Builder, go to Workspace Utilities → Web Credentials.
13
Create a new Web Credential
Click Create → Name it (e.g.
Click Create → Name it (e.g.
GOOGLE_SSO_CRED) → assign a Static ID.14
Set the Authentication Type
Choose OAuth2 Client Credentials → paste in the Client ID and Client Secret copied from Google → Create/Save.
Choose OAuth2 Client Credentials → paste in the Client ID and Client Secret copied from Google → Create/Save.
15
Open Authentication Schemes
Open your application → Shared Components → Authentication Schemes → Create.
Open your application → Shared Components → Authentication Schemes → Create.
16
Select the scheme source
Choose "Based on a pre-configured scheme from the gallery" → Next.
Choose "Based on a pre-configured scheme from the gallery" → Next.
17
Name the scheme and set type
Give it a name (e.g.
Give it a name (e.g.
Google Sign-In) → Scheme Type: Social Sign-In.18
Select the Credential Store
Choose the Web Credential you created in Step 13/14.
Choose the Web Credential you created in Step 13/14.
19
Set Authentication Provider
Select Google from the dropdown — APEX auto-fills Google's authorization, token, and userinfo endpoints.
Select Google from the dropdown — APEX auto-fills Google's authorization, token, and userinfo endpoints.
20
Set Scope
Enter:
Enter:
openid, email, profile21
Set Username Attribute
Enter:
Enter:
email — keep Verify Attributes enabled.22
Create the scheme
Click Create Authentication Scheme to save it.
Click Create Authentication Scheme to save it.
23
Make it the current scheme
On the Authentication Schemes list, select your new scheme → click Make Current so the app actually uses it for login.
On the Authentication Schemes list, select your new scheme → click Make Current so the app actually uses it for login.
24
Test the login
Run the application. You should be redirected to Google's login/consent screen, then back into your APEX app as an authenticated user.
Run the application. You should be redirected to Google's login/consent screen, then back into your APEX app as an authenticated user.
Part 3 — Optional: Capture User Info
25
Add a Post-Authentication procedure
On the scheme, add PL/SQL to log user details into your own table after login:
On the scheme, add PL/SQL to log user details into your own table after login:
-- Example: log user info after Google login
DECLARE
l_user VARCHAR2(255) := APEX_APPLICATION.G_USER;
l_name VARCHAR2(255) := APEX_JSON.GET_VARCHAR2(p_path => 'name');
BEGIN
INSERT INTO app_users_log (username, full_name, login_time)
VALUES (l_user, l_name, SYSTIMESTAMP);
END;
26
Add an Authorization Scheme (recommended)
Since any Google account can now log in, restrict access — check email against an allow-list table, or assign roles based on domain (
Since any Google account can now log in, restrict access — check email against an allow-list table, or assign roles based on domain (
@yourcompany.com).⚠️ Common Gotchas
| Issue | What's Happening |
|---|---|
| Redirect URI mismatch | Must match exactly (protocol, host, path) what's registered in Google Cloud Console — the #1 failure point. |
| "Access blocked" error | App is in Testing publishing status and the user isn't added as a test user. |
| Wrong hostname in callback | apex.oracle.com is a shared instance — double-check your app's actual URL/workspace path. |
| Login rejected unexpectedly | email_verified=false from Google combined with Username Attribute = email triggers APEX's Verify Attributes security check. |
Key takeaway: The entire integration hinges on two things matching exactly — the redirect URI in Google Cloud Console, and the callback URL APEX expects. Get those aligned first, then the rest of the configuration is straightforward.
Comments
Post a Comment