1. Authenticate a Node.js application with Oracle Identity Cloud Service
  2. Examine the Node.js Application and SDK

Examine the Node.js Application and SDK

In this section of the solution, you:

  • Examine the behavior and code of the Node.js web application

  • Check diagnostic data associated with successful and unsuccessful login attempts that the Node.js web application initiates to Oracle Identity Cloud Service

Examine the Node.js Application's Behavior

The Node.js web application's behavior follows the three-legged authentication flow that’s defined by the authorization code grant type.

To verify all of the requests, responses, and redirects that the application and Oracle Identity Cloud Service perform using the web browser, enable the Developer mode of your browser. This solution uses Google Chrome.

  1. Run the Node.js web application.
  2. Open a Google Chrome web browser, access the http://localhost:3000 URL, and click Log in.
  3. Press F12, select the Network tab, and select the Preserve log check box.
    Select this check box to see all communication between the application and Oracle Identity Cloud Service.
  4. In the Login page, click the red Oracle icon, which appears to the right of or You can log in with.

The browser’s developer log should show the following flow of events:

  1. You request the /auth/oracle resource, and your web browser receives a redirect response from the Node.js web application. 

    Request URL: http://localhost:3000/auth/oracle
Request Method: GET
Status Code: 302 Found
 
Response Headers
Location: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234

  2. Oracle Identity Cloud Service receives your authorization code request and presents the Sign In page. 

    Request URL: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234Request Method: GET
Status Code: 303 See Other
 
Response Headers
Location:
https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin
Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]

  3. You sign in to Oracle Identity Cloud Service. Oracle Identity Cloud Service redirects your web browser to the Node.js web application's callback URL.

    Request URL:
http://localhost:3000/callback?code=[value has been omitted for readability]&state=1234
Request Method: GET
Status Code: 302 Found
 
Response Hearders
Location: /auth.html
Set-Cookie: idcs_user_assertion=[value has been omitted for readability]

In this example, the callback URL redirects your web browser to the /auth.html page with your user access token set as a cookie.

At this point, the application authenticates you locally using the passport.authenticate() method, and then forwards your request to the /home route. 

Request URL: http://localhost:3000/home
Request Method: GET
Status Code: 200 OK
 
Response Headers
Cookie:
connect.sid=[value has been omitted for readability]

Examine the Node.js Application's Code

After you sign in to Oracle Identity Cloud Service and are redirected to the Node.js web application's callback URL, the Node.js web application logs information in the command line window.

req.user={"name":"your.email@domain.com","displayName":"Your Name","id":"111111111111","tenant":"idcs-abcd1234","groups":[{"name":"Group 1","id":"2222222222222","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/Groups/7787fbab31b34e08b39cdeedf1f4233a"}],"appRoles":[{"name":"Identity Domain Administrator","id":"333333333333333","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/AppRoles/444444444444444","appName":"SampleApp","appID":"SampleAppId"}],"client":{"client_name":"Sample Apps","client_id":"555555555555","client_tenantname":"idcs-abcd1234","scope":"openid","audience":"https://idcs-abcd1234.identity.oraclecloud.com"}}

The ensureAuthenticated() method logs information about the JSON object representing you, who are signed in to Oracle Identity Cloud Service. 

ensureAuthenticated req.user={"name":"your.email@domain.com","displayName":"Your Name","id":"111111111111","tenant":"idcs-abcd1234","groups":[{"name":"Group 1","id":"2222222222222","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/Groups/7787fbab31b34e08b39cdeedf1f4233a"}],"appRoles":[{"name":"Identity Domain Administrator","id":"333333333333333","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/AppRoles/444444444444444","appName":"SampleApp","appID":"SampleAppId"}],"client":{"client_name":"Sample Apps","client_id":"555555555555","client_tenantname":"idcs-abcd1234","scope":"openid","audience":"https://idcs-abcd1234.identity.oraclecloud.com"}}

Check the Diagnostic Data

Both successful and unsuccessful login attempts that the Node.js web application initiates to Oracle Identity Cloud Service are registered in Oracle Identity Cloud Service's diagnostic log files.

  1. Sign in to Oracle Identity Cloud Service.
  2. In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Diagnostics.
  3. Select Activity View as the diagnostic type, and then click Save.
  4. Sign out of Oracle Identity Cloud Service.

Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.

  1. Complete the steps in the Run the Node.js Application topic of this solution to display the Login page of the Node.js web application.

  2. Click the red Oracle icon, which appears to the right of or You can log in with.

  3. To make an unsuccessful sign-in attempt, enter an incorrect user name or password in the Oracle Identity Cloud Service Sign In page.

  4. To sign in successfully, enter your correct user name and password.

  5. Use the Node.js web application to sign out of Oracle Identity Cloud Service.

  6. Sign in again to Oracle Identity Cloud Service.

  7. In the Identity Cloud Service console, expand the Navigation Drawer, click Reports, and then click Diagnostic Data.

  8. Select 15-Minute for the time range, Activity View for the log type, and CSV for the report format, and then click Download Report.

The diagnostic log file includes information like the following about the user signing in to Oracle Identity Cloud Service.

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
 
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:3000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

The most recent logs appear at the top of the file.