Examine the Java Application and SDK
In this section of the solution, you:
- Examine the behavior and code of the Java web application.
- Check the diagnostic data that Oracle Identity Cloud Service records for the successful and unsuccessful login attempts that the Java web application initiates.
Examine the Java Application's Behavior
The Java web application's behavior follows the three-legged authentication flow that’s defined by the authorization code grant type.
Enable your browser's developer tools so that you can inspect every request, response, and redirect that the application and Oracle Identity Cloud Service perform. The following example uses Google Chrome.
The browser’s developer log should show the following flow of events:
- You request the /auth/oracle resource, and your web browser receives a redirect response from the Java web application.
  Request URL: http://localhost:8080/auth
  Request Method: GET
  Status Code: 302 Found
  Response Headers
  Location: https://idcs-abcd1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
- Oracle Identity Cloud Service receives your authorization code request and presents the Sign In page.
  Request URL: https://idcs-abcd1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
  Request Method: GET
  Status Code: 303 See Other
  Response Headers
  Location: https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin
  Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
- You sign in to Oracle Identity Cloud Service, and it redirects your web browser to the Java web application's callback URL.
  Request URL: http://localhost:8080/callback?code=[value has been omitted for readability]&state=1234
  Request Method: GET
  Status Code: 200 OK
  Response Headers
  Set-Cookie: JSESSIONID=[value has been omitted for readability]
In this example, the callback handler then redirects your web browser to the Home page, with your access token and ID token stored as session attributes.
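The trace above uses the literal state=1234 for readability. The state parameter exists so that the callback handler can tell a redirect it started from one it did not: the value must be unpredictable, bound to the user's session, and compared on the way back. The following added example (not the sample application's code and not the Oracle Identity Cloud Service SDK; the class, method and session attribute names are made up for illustration) shows the two ends of that exchange. It builds the same /oauth2/v1/authorize redirect shown in step 1 with a random state, and in the /callback handler it refuses any code whose state does not match the one issued to this session, including a replay of an already-consumed callback.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example (not the sample application's or the SDK's code): the two
 * ends of the redirect flow traced above, with the state parameter bound to
 * the user's session and checked on the callback.
 */
public class AuthCodeFlowCheck {
    // Endpoint and client values copied from the page's trace; the tenant
    // and client ID are the page's placeholders, not real identifiers.
    static final String IDCS_BASE = "https://idcs-abcd1234.identity.oraclecloud.com";
    static final String CLIENT_ID = "123456789abcdefghij";
    static final String REDIRECT_URI = "http://localhost:8080/callback";
    static final String SCOPE = "urn:opc:idm:t.user.me openid";
    static final String STATE_ATTR = "oauth_state"; // hypothetical session attribute name

    private static final SecureRandom RNG = new SecureRandom();

    /** Stand-in for the servlet session (attribute name -> value). */
    private final Map<String, Object> session = new HashMap<>();

    /**
     * Step 1 (/auth): mint an unpredictable state, remember it in the session
     * and return the value for the 302 Location header.
     */
    public String buildAuthorizeRedirect() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        String state = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(STATE_ATTR, state);
        return IDCS_BASE + "/oauth2/v1/authorize"
                + "?client_id=" + enc(CLIENT_ID)
                + "&redirect_uri=" + enc(REDIRECT_URI)
                + "&response_type=code"
                + "&scope=" + enc(SCOPE)
                + "&state=" + enc(state);
    }

    /**
     * Step 3 (/callback): accept the authorization code only if the returned
     * state equals the one issued to this session. The stored state is removed
     * first, so a second delivery of the same callback is refused.
     */
    public boolean acceptCallback(String code, String returnedState) {
        Object expected = session.remove(STATE_ATTR);
        if (expected == null || returnedState == null || code == null || code.isEmpty()) {
            return false;
        }
        // Constant-time comparison of the two state values.
        return MessageDigest.isEqual(
                ((String) expected).getBytes(StandardCharsets.UTF_8),
                returnedState.getBytes(StandardCharsets.UTF_8));
    }

    private static String enc(String s) {
        return URLEncoder.encode(s, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        AuthCodeFlowCheck app = new AuthCodeFlowCheck();

        // The state is the last query parameter, and URL-safe Base64 survives URL encoding unchanged.
        String location = app.buildAuthorizeRedirect();
        String issuedState = location.substring(location.lastIndexOf("state=") + 6);
        System.out.println("302 Location: " + location);
        System.out.println("matching state accepted:    " + app.acceptCallback("code-from-idcs", issuedState));
        System.out.println("replayed callback accepted: " + app.acceptCallback("code-from-idcs", issuedState));

        app.buildAuthorizeRedirect();
        System.out.println("foreign state accepted:     " + app.acceptCallback("code-from-idcs", "1234"));
    }
}
```

In a real servlet the HashMap is replaced by HttpSession, and the accepted code is then exchanged for tokens, as the SDK log line "Obtaining access token from" shows later on this page; the state check belongs before that exchange.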
Examine the SDK Logs
Follow these steps to turn on logging in the Oracle Identity Cloud Service Java SDK and examine any issue you find during development.
- Open the ConnectionOptions.java class file and edit the getOptions() method.
- Set the Constants.LOG_LEVEL value to DEBUG.
- Rebuild the application and run it again.
You see log details such as the following:
Fine: Got token manager
Fine: using config endpoint: https://idcs-abcd1234.identity.oraclecloud.com:443/.well-known/idcs-configuration
...
Fine: Got response content: [value has been omitted for readability]
...
Fine: getAuthorizationCodeUrl returning with url: [value has been omitted for readability]
...
Fine: authorizationCode with code: [value has been omitted for readability]
...
Fine: Obtaining access token from: [value has been omitted for readability]
...
Fine: returning access token
...
Fine: Token signature verification result: true
Check the Diagnostic Data
Both successful and unsuccessful login attempts that the Java web application initiates to Oracle Identity Cloud Service are registered in the Oracle Identity Cloud Service diagnostic log files.
- Sign in to the Oracle Identity Cloud Service console.
- In the console, expand the Navigation Drawer, click Settings, and then click Diagnostics.
- Select Activity View as the diagnostic type, and then click Save.
- Sign out of Oracle Identity Cloud Service.
  Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.
- Complete the steps in the Run the Java Application topic to display the Login page of the Java web application.
- Click the red Oracle icon.
- To make an unsuccessful sign-in attempt, enter an incorrect user name or password in the Oracle Identity Cloud Service Sign In page.
- To sign in successfully, enter your correct user name and password.
- Use the Java web application to sign out of Oracle Identity Cloud Service.
- Sign in again to the Oracle Identity Cloud Service console.
- In the console, expand the Navigation Drawer, click Reports, and then click Diagnostic Data.
- Select 15-Minute for the time range, Activity View for the log type, and CSV for the report format, and then click Download Report.
The diagnostic log file includes information like the following about the user signing in to Oracle Identity Cloud Service.
Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111 is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8080/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated
The most recent logs appear at the top of the file.
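The excerpt above is what a reviewer reads by hand once; when the report is pulled regularly, the useful check is mechanical. The added example below (not Oracle's code; it follows the record layout shown in the excerpt, and the real CSV export may need a different splitter) parses records separated by dashed lines into Message, Component, Timestamp and Actor ID fields, extracts the name[value] pairs from OAuth "Authorization Request, received parameters" messages, and reports any request whose client_id or redirect_uri is not the one registered for the sample application. The sample input is constructed: the page's own Authorization Request record plus a made-up second record with a redirect_uri that does not match the registration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not Oracle's code): parses records in the layout of the
 * diagnostic excerpt above and flags authorization requests whose client_id
 * or redirect_uri is not the one registered for the sample application.
 */
public class DiagnosticLogCheck {
    // Registered values, copied from the page's trace (placeholders, not real identifiers).
    static final String EXPECTED_CLIENT_ID = "123456789abcdefghij";
    static final String EXPECTED_REDIRECT_URI = "http://localhost:8080/callback";

    static final String AUTH_REQUEST_PREFIX = "Authorization Request, received parameters:";
    static final Pattern PARAM = Pattern.compile("(\\w+)\\[([^\\]]*)\\]"); // name[value]

    // Constructed sample: the page's Authorization Request record, a made-up record
    // whose redirect_uri is not the registered one, and an unrelated PolicyEngine record.
    static final String SAMPLE = String.join("\n",
            "Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8080/callback] client_id[123456789abcdefghij]",
            "Component: OAuth",
            "Timestamp: [Date]",
            "Actor ID: Unauthenticated",
            "---------------------------------------------------------------",
            "...",
            "---------------------------------------------------------------",
            "Message: Authorization Request, received parameters: scope[openid] response_type[code] state[9876] redirect_uri[http://unexpected.example/callback] client_id[123456789abcdefghij]",
            "Component: OAuth",
            "Timestamp: [Date]",
            "Actor ID: Unauthenticated",
            "---------------------------------------------------------------",
            "Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy",
            "Component: PolicyEngine",
            "Timestamp: [Date]",
            "Actor ID: Unauthenticated");

    /** Splits the text on dashed separator lines; each record maps field name to value. */
    static List<Map<String, String>> parseRecords(String log) {
        List<Map<String, String>> records = new ArrayList<>();
        Map<String, String> current = new LinkedHashMap<>();
        for (String line : log.split("\\R")) {
            if (line.startsWith("---")) {
                if (!current.isEmpty()) {
                    records.add(current);
                    current = new LinkedHashMap<>();
                }
                continue;
            }
            int sep = line.indexOf(':');
            if (sep < 0) {
                continue; // "..." markers and blank lines carry no field
            }
            // Split on the first colon only: Message values themselves contain colons and JSON.
            current.put(line.substring(0, sep).trim(), line.substring(sep + 1).trim());
        }
        if (!current.isEmpty()) {
            records.add(current);
        }
        return records;
    }

    /** Extracts name[value] pairs from an Authorization Request message; empty map for any other message. */
    static Map<String, String> parseAuthRequestParams(String message) {
        Map<String, String> params = new LinkedHashMap<>();
        int at = message.indexOf(AUTH_REQUEST_PREFIX);
        if (at < 0) {
            return params;
        }
        Matcher m = PARAM.matcher(message.substring(at + AUTH_REQUEST_PREFIX.length()));
        while (m.find()) {
            params.put(m.group(1), m.group(2));
        }
        return params;
    }

    /** One finding per OAuth authorization request that names an unregistered client or redirect URI. */
    static List<String> findUnexpectedAuthRequests(String log) {
        List<String> findings = new ArrayList<>();
        for (Map<String, String> rec : parseRecords(log)) {
            if (!"OAuth".equals(rec.get("Component"))) {
                continue;
            }
            Map<String, String> p = parseAuthRequestParams(rec.getOrDefault("Message", ""));
            if (p.isEmpty()) {
                continue;
            }
            if (!EXPECTED_CLIENT_ID.equals(p.get("client_id"))) {
                findings.add("state " + p.get("state") + ": unexpected client_id " + p.get("client_id"));
            }
            if (!EXPECTED_REDIRECT_URI.equals(p.get("redirect_uri"))) {
                findings.add("state " + p.get("state") + ": unexpected redirect_uri " + p.get("redirect_uri"));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        System.out.println("records parsed: " + parseRecords(SAMPLE).size());
        for (String finding : findUnexpectedAuthRequests(SAMPLE)) {
            System.out.println("FINDING " + finding);
        }
    }
}
```

Because the newest entries are at the top of the file, a scheduled run only needs to read until it reaches the last record it has already seen; the same parseRecords output can also be grouped by Actor ID to pair the Unauthenticated authorization request with the later getAllowedScopes record for the user who signed in.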