Analyze the Java Application and SDK
In this section of the solution, you will:
- Analyze the behavior and code of the Java Web application
- Check the diagnostic data associated with the successful and unsuccessful login attempts that the Java Web application initiates against Oracle Identity Cloud Service.
Analyze the Behavior of the Java Application
The behavior of the Java Web application follows the three-legged authentication flow defined by the authorization code grant type.
Enable your browser's developer mode so that you can verify every request, response, and redirect performed by the application and by Oracle Identity Cloud Service. The following example uses Google Chrome.
The browser's developer log should show the following sequence of events:
- You request the /auth/oracle resource, and the web browser receives a redirect response from the Java Web application.
  Request URL: http://localhost:8080/auth
  Request Method: GET
  Status Code: 302 Found
  Response Headers
  Location: https://idcs-abcd1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
- Oracle Identity Cloud Service receives your authorization code request and displays the sign-in page.
  Request URL: https://idcs-abcd1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
  Request Method: GET
  Status Code: 303 See Other
  Response Headers
  Location: https://idcs-abcd1234.identity.domain.com/ui/v1/signin
  Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
- You sign in to Oracle Identity Cloud Service, which redirects the web browser to the Java Web application's callback URL.
  Request URL: http://localhost:8080/callback?code=[value has been omitted for readability]&state=1234
  Request Method: GET
  Status Code: 200 OK
  Response Headers
  Set-Cookie: JSESSIONID=[value has been omitted for readability]
In this example, the callback URL redirects the web browser to the Home page and stores the user's access token and ID token as session attributes.
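The following is an added example, not code from the sample application or the Oracle SDK: it models the three browser events above as the two web-application endpoints involved (/auth, which issues the redirect, and /callback, which receives the code). The tenant URL, client_id, redirect_uri and scope are the page's placeholder values; the session dictionary and function names are assumptions made for this example.

```python
# Added example (not the sample app's code): minimal model of the three-legged
# authorization code flow seen in the browser log. Values below are the page's
# placeholders; the session dict and function names are assumptions.
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

IDCS_BASE = "https://idcs-abcd1234.identity.domain.com"
CLIENT_ID = "123456789abcdefghij"
REDIRECT_URI = "http://localhost:8080/callback"
SCOPE = "urn:opc:idm:t.user.me openid"


def start_login(session):
    """/auth: remember a fresh state in the server-side session and build the
    302 Location header that sends the browser to /oauth2/v1/authorize.
    The page's capture uses the fixed value 1234; a real app should use an
    unpredictable value so the callback can be tied to this session."""
    state = secrets.token_urlsafe(16)
    session["oauth_state"] = state
    query = urlencode({
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": SCOPE,
        "state": state,
    })
    return f"{IDCS_BASE}/oauth2/v1/authorize?{query}"


def handle_callback(session, callback_url):
    """/callback: accept the authorization code only when the state echoed
    back by Oracle Identity Cloud Service matches the one this session issued.
    Returns the code; the token exchange itself is done by the SDK."""
    params = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oauth_state", None)   # single use
    received = params.get("state", [None])[0]
    if expected is None or received != expected:
        raise ValueError("state missing or mismatched; refusing the code")
    code = params.get("code", [None])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code
```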
Check the SDK Log
Follow the steps below to turn on logging in the Oracle Identity Cloud Service Java SDK and check for any issues you find during development.
- Open the ConnectionOptions.java class file and edit the getOptions() method.
- Set the Constants.LOG_LEVEL value to DEBUG.
Rebuild the application and run it again.
You can see the log details, as shown below:
Fine: Got token manager
Fine: using config endpoint: https://idcs-abcd1234.identity.domain.com:443/.well-known/idcs-configuration
...
Fine: Got response content: [value has been omitted for readability]
...
Fine: getAuthorizationCodeUrl returning with url: [value has been omitted for readability]
...
Fine: authorizationCode with code: [value has been omitted for readability]
...
Fine: Obtaining access token from: [value has been omitted for readability]
...
Fine: returning access token
...
Fine: Token signature verification result: true
Check the Diagnostic Data
Both successful and unsuccessful login attempts that the Java Web application initiates against Oracle Identity Cloud Service are recorded in the Oracle Identity Cloud Service diagnostic log file.
- Sign in to the Oracle Identity Cloud Service console.
- In the console, expand the Navigation Drawer, click Settings, and then click Diagnostics.
- Select Activity View as the diagnostic type, and then click Save.
- Sign out of Oracle Identity Cloud Service.
Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.
- Complete the steps in the "Run the Java Application" topic to display the Java Web application's sign-in page.
- Click the red Oracle icon.
- To attempt a failed login, enter an incorrect user name or password in the Oracle Identity Cloud Service sign-in page.
- To log in successfully, enter the correct user name and password.
- Use the Java Web application to sign out of Oracle Identity Cloud Service.
- Sign in to the Oracle Identity Cloud Service console again.
- In the console, expand the Navigation Drawer, click Reports, and then click Diagnostic Data.
- Select 15 minutes for the time range, Activity View for the log type, and CSV for the report format, and then click Download Report.
The diagnostic log file includes the following information about the user's login to Oracle Identity Cloud Service.
Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111 is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8080/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated
The most recent log entries appear at the top of the file.
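The following is an added example, not Oracle tooling: a small parser for diagnostic records in the Message/Component/Timestamp/Actor ID layout shown above, separated by dashed lines, which pulls the authorization decision (result and allowed scopes) out of the JSON-bodied getAllowedScopes message. The two sample records are constructed from the page's placeholder values; the function names are assumptions.

```python
# Added example (not Oracle's code): parse the dashed-line-separated diagnostic
# records shown above and extract the authorization decisions. SAMPLE_LOG is
# constructed from the page's placeholder values; function names are assumed.
import json

SEPARATOR = "-" * 63
FIELDS = ("Message", "Component", "Timestamp", "Actor ID")

# Constructed sample in the file's order (newest record first).
SAMPLE_LOG = """\
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"]}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8080/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated
"""


def parse_records(text):
    """Split the export on the dashed separator, then split each record into
    its fields. Only the first ': ' separates key from value, because the
    Message field itself contains colons (URLs, JSON)."""
    records = []
    for chunk in text.split(SEPARATOR):
        record = {}
        for line in chunk.strip().splitlines():
            key, sep, value = line.partition(": ")
            if sep and key in FIELDS:
                record[key] = value.strip()
        if record:                      # skips the "..." elision chunks
            records.append(record)
    return records


def authorization_decisions(records):
    """Return (actor, result, scopes) for every getAllowedScopes record whose
    Message is valid JSON; truncated messages, as the export sometimes
    contains, are skipped rather than guessed at."""
    decisions = []
    for rec in records:
        if rec.get("Component") != "Authorization/getAllowedScopes":
            continue
        try:
            body = json.loads(rec["Message"])
        except (KeyError, ValueError):
            continue
        resp = body.get("response", {})
        decisions.append((rec.get("Actor ID"), resp.get("result"), resp.get("scopes", [])))
    return decisions
```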