1. Authenticate a Java application with Oracle Identity Cloud Service
  2. Examine the Java Application and SDK

Examine the Java Application and SDK

In this section of the solution, you:

  • Examine the behavior and code of the Java web application

  • Check diagnostic data associated with successful and unsuccessful login attempts that the Java web application initiates to Oracle Identity Cloud Service.

Examine the Java Application's Behavior

The Java web application's behavior follows the three-legged authentication flow that’s defined by the authorization code grant type.

Enable the Developer mode of your browser so that you can verify all requests, responses, and redirects that both the application and Oracle Identity Cloud Service perform. The following example uses Google Chrome.

  1. Run the Java web application.
  2. Open a Google Chrome web browser, access the http://localhost:8080 URL, and click Log in.
  3. Press F12, select the Network tab, and select the Preserve log check box.
    Select this check box to see all communication between the application and Oracle Identity Cloud Service.
  4. In the Login page, click the red Oracle icon.

The browser’s developer log should show the following flow of events:

  1. You request the /auth/oracle resource, and your web browser receives a redirect response from the Java web application. 

    Request URL: http://localhost:8080/auth
Request Method: GET
Status Code: 302 Found
 
Response Headers
Location: https://idcs-abcd1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri= http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234

  2. Oracle Identity Cloud Service receives your authorization code request and presents the Sign In page. 

    Request URL: https://idcs-abcd1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri= http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
Request Method: GET
Status Code: 303 See Other
 
Response Headers
Location:
https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin
Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]

  3. You sign in to Oracle Identity Cloud Service, and it redirects your web browser to the Java web application's callback URL. 

    Request URL:
http://localhost:8080/callback?code=[value has been omitted for readability]&state=1234
Request Method: GET
Status Code: 200 OK
 
Response Hearders
Set-Cookie: JSESSIONID=[value has been omitted for readability]

In this example, the callback URL redirects your web browser to the Home page with your user access token and id token set as session attributes.

Examine the SDK Logs

Follow the below steps to turn Oracle Identity Cloud Service's Java SDK log on and examine any issue you find during development.

  1. Open the ConnectionOptions.java class file and edit the getOptions() method
  2. Set the Constants.LOG_LEVEL value to DEBUG.

Rebuild the application and run it again.

You see log details such as below:

Fine:   Got token manager
Fine:   using config endpoint: https://idcs-abcd1234.identity.oraclecloud.com:443/.well-known/idcs-configuration
...
Fine:   Got response content: [value has been omitted for readability]
...
Fine:   getAuthorizationCodeUrl returning with url: [value has been omitted for readability]
...
Fine:   authorizationCode with code: [value has been omitted for readability]
...
Fine:   Obtaining access token from: [value has been omitted for readability]
...
Fine:   returning access token
...
Fine:   Token signature verification result: true

Check the Diagnostic Data

Both successful and unsuccessful log in attempts that the Java web application initiates to Oracle Identity Cloud Service are registered in the Oracle Identity Cloud Service diagnostic log files.

  1. Sign in to Oracle Identity Cloud Service console.
  2. In the console, expand the Navigation Drawer, click Settings, and then click Diagnostics.
  3. Select Activity View as the diagnostic type, and then click Save.
  4. Sign out of Oracle Identity Cloud Service.

Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.

  1. Complete the steps in the Run the Java Application topic to display the Login page of the Java web application.

  2. Click the red Oracle icon.

  3. To make an unsuccessful sign-in attempt, enter an incorrect user name or password in the Oracle Identity Cloud Service Sign In page.

  4. To sign in successfully, enter your correct user name and password.

  5. Use the Java web application to sign out of Oracle Identity Cloud Service.

  6. Sign in again to Oracle Identity Cloud Service console.

  7. In the console, expand the Navigation Drawer, click Reports, and then click Diagnostic Data.

  8. Select 15-Minute for the time range, Activity View for the log type, and CSV for the report format, and then click Download Report.

The diagnostic log file includes information like the following about the user signing in to Oracle Identity Cloud Service. 

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
 
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8080/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

The most recent logs appear at the top of the file.