Examine the Python Application and SDK

In this section of the solution, you:

  • Examine the behavior and code of the Python web application

  • Check diagnostic data associated with successful and unsuccessful login attempts that the Python web application initiates to Oracle Identity Cloud Service

Examine the Python Application's Behavior

The Python web application's behavior follows the three-legged authentication flow defined by the authorization code grant type.

To verify all of the requests, responses, and redirects that the application and Oracle Identity Cloud Service perform using the web browser, enable the Developer mode for your browser. This solution uses Google Chrome.

  1. Run the Python web application.
  2. Open a Google Chrome web browser, access the http://localhost:8080 URL, and click Log in.
  3. Press F12, select the Network tab, and select the Preserve log check box so that the log keeps every request across the redirects and you can see all communication between the application and Oracle Identity Cloud Service.
  4. In the Login page, click the Oracle red icon, which appears to the right of the "or You can log in with" text.

The browser’s developer log should show the following flow of events:

  1. The user requests the /auth/oracle resource, and the web browser receives a redirect response from the Python web application.
    Request URL: http://localhost:8000/auth/
    Request Method: GET
    Status Code: 302 Found
    
    Response Headers
    Location: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
  2. Oracle Identity Cloud Service receives the authorization code request and presents the Sign In page.
    Request URL: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
    Request Method: GET
    Status Code: 303 See Other
     
    Response Headers
    Location:
    https://idcs-1234.identity.oraclecloud.com/ui/v1/signin
    Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
  3. The user signs in to Oracle Identity Cloud Service. Oracle Identity Cloud Service redirects the web browser to the Python web application's callback URL.
    Request URL:
    http://localhost:8000/callback/&code=[value has been omitted for readability]&state=1234
    Request Method: GET
    Status Code: 200 OK
     
    Response Headers
    Set-Cookie: sessionid=[value has been omitted for readability]

    In this example, the callback URL redirects the web browser to the Home page with the user access token set as a session attribute.
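The three requests above are the two halves of the authorization code flow that the application has to get right: building the redirect to the authorize endpoint with a fresh `state`, and accepting the callback only when the `state` it carries matches the one the session issued. The following block is an added illustration, not code from the solution or from the Oracle Identity Cloud Service SDK; the host, client ID and redirect URI are the placeholder values from the captured requests, and the session is a plain dictionary standing in for the web framework's session object.

```python
"""Added example (not the solution's own code): the authorization-code
redirect and callback handling shown in the captured flow, including the
`state` check. Host, client_id and redirect URI are the placeholders from
the page, not real credentials; `session` is a dict standing in for the
framework session.
"""
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

IDCS_BASE = "https://idcs-1234.identity.oraclecloud.com"  # placeholder host from the captured redirect
CLIENT_ID = "123456789abcdefghij"                          # placeholder client ID from the page
REDIRECT_URI = "http://localhost:8000/callback"            # callback registered for the app
SCOPE = "urn:opc:idm:t.user.me openid"


def new_state():
    """Return an unguessable state value; one is minted per login attempt."""
    return secrets.token_urlsafe(32)


def build_authorize_redirect(session, state=None):
    """Return the Location header for step 1 (the 302 from /auth/).

    The state is stored in the session so the callback can prove it was
    initiated here; `state` may be passed explicitly only for testing.
    """
    state = state or new_state()
    session["oauth_state"] = state
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": SCOPE,
        "state": state,
    })
    return f"{IDCS_BASE}/oauth2/v1/authorize?{query}"


def handle_callback(session, callback_url):
    """Validate the callback from step 3 and return the authorization code.

    Raises ValueError when the state is missing, mismatched or already used,
    so a callback that this session did not initiate, or a replayed one,
    is never exchanged for a token.
    """
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)  # single use: consumed by the first callback
    received = params.get("state", [None])[0]
    if expected is None or received is None or not secrets.compare_digest(expected, received):
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "error" in params:
        raise ValueError(f"authorization server returned error {params['error'][0]}")
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("callback is missing the authorization code")
    return code


if __name__ == "__main__":
    sess = {}
    print("302 Location:", build_authorize_redirect(sess))
    cb = f"{REDIRECT_URI}/?code=CODE_PLACEHOLDER&state={sess['oauth_state']}"
    print("authorization code:", handle_callback(sess, cb))
```

The state is popped from the session rather than read, so a second delivery of the same callback fails the check; the code returned here is what the application then exchanges for the access token that ends up as the session attribute mentioned above.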

Examine the Python Application's Code

After you sign in to Oracle Identity Cloud Service and are redirected to the Python web application's callback URL, the Python web application prints the following request log in the command-line window.

[Date] "GET / HTTP/1.1" 200 2520
[Date] "GET /login/ HTTP/1.1" 200 3489
[Date] "GET /auth/ HTTP/1.1" 302 0
[Date] "GET /callback?code=[value has been omitted for readability]&state=1234 HTTP/1.1" 301 0
[Date] "GET /callback/?code=[value has been omitted for readability]&state=1234 HTTP/1.1" 200 2690

Check the Diagnostic Data

When the Python web application attempts to sign in to Oracle Identity Cloud Service, both successful and unsuccessful attempts are registered in Oracle Identity Cloud Service's diagnostic log files.

  1. Sign in to Oracle Identity Cloud Service.
  2. In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Diagnostics.
  3. Select Activity View as the diagnostic type, and then click Save.
  4. Sign out of Oracle Identity Cloud Service.

Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.

  1. Complete the steps in the Run the Python Application topic of this solution to display the Login page of the Python web application.
  2. Click the Oracle red icon, which appears to the right of or You can log in with.
  3. To make an unsuccessful sign-in attempt, enter an incorrect user name or password on the Oracle Identity Cloud Service Sign In page.
  4. To sign in successfully, enter your correct user name and password.
  5. Use the Python web application to sign out of Oracle Identity Cloud Service.
  6. Sign in to Oracle Identity Cloud Service.
  7. In the Identity Cloud Service console, expand the Navigation Drawer, click Reports, and then click Diagnostic Data.
  8. Select a 15-Minute time range, the Activity View log type, the CSV report format, and then click Download Report.

The diagnostic log file includes information similar to the following about the sign-in attempts to Oracle Identity Cloud Service.

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@domain.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
 
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

The most recent logs appear at the top of the file.
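Reading the report by eye works for one sign-in, but the same Message / Component / Timestamp / Actor ID layout shown above is easy to parse, and the `Authorization Request, received parameters:` records are the ones worth checking against what the application is registered to send. The following block is an added example, not part of the solution; the sample records are constructed to mirror the excerpt above, and the second authorization request with an unregistered `redirect_uri` is included only so the check has something to flag.

```python
"""Added example (not the solution's own code): parse diagnostic records in
the layout shown on the page (Message / Component / Timestamp / Actor ID
blocks separated by dashed lines or "..."), extract the OAuth authorization
request parameters, and flag requests whose redirect_uri is not one the
application is registered to use. SAMPLE_LOG is constructed for this
example; the unregistered localhost:9000 URI is made up to exercise the check.
"""
import re

SAMPLE_LOG = """\
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[openid] response_type[code] state[9999] redirect_uri[http://localhost:9000/other] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated
"""

FIELD_RE = re.compile(r"^(Message|Component|Timestamp|Actor ID):\s?(.*)$")
# name[value] pairs as written in the "received parameters" message
PARAM_RE = re.compile(r"(\w+)\[([^\]]*)\]")


def parse_records(text):
    """Split the report into one dict per record; separators end a record."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("---") or line.strip() == "...":
            if current:
                records.append(current)
                current = {}
            continue
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current:
        records.append(current)
    return records


def authorization_requests(records):
    """Return the parameter dicts of every OAuth 'Authorization Request' record."""
    out = []
    for r in records:
        msg = r.get("Message", "")
        if r.get("Component") == "OAuth" and msg.startswith("Authorization Request"):
            out.append(dict(PARAM_RE.findall(msg)))
    return out


def unexpected_redirects(records, registered_uris):
    """Authorization requests whose redirect_uri is not in the registered set."""
    return [p for p in authorization_requests(records)
            if p.get("redirect_uri") not in registered_uris]


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(f"{len(recs)} records, {len(authorization_requests(recs))} authorization requests")
    for p in unexpected_redirects(recs, {"http://localhost:8000/callback"}):
        print("unregistered redirect_uri:", p["redirect_uri"], "state:", p.get("state"))
```

Because the most recent records are at the top of the downloaded file, the first authorization request returned is the latest one; for a real report, pass the text of the CSV's message column through `parse_records` the same way and compare the `client_id` and `redirect_uri` values with the application's registration.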