1. 使用Oracle Identity Cloud Service验证Java应用程序
  2. 检查Java应用程序和 SDK

检查Java应用程序和 SDK

在此解决方案部分中,您可以:

  • 检查Java Web 应用程序的行为和代码

  • 检查与Java Web 应用程序启动Oracle Identity Cloud Service的成功登录尝试和失败登录尝试关联的诊断数据。

检查Java应用程序的行为

Java Web 应用程序的行为遵循由授权代码授权类型定义的三路验证流。

启用浏览器的开发人员 模式,以便验证应用程序和Oracle Identity Cloud Service执行的所有请求、响应和重定向。以下示例使用 Google Chrome。

  1. 运行Java Web 应用程序。
  2. 打开 Google Chrome Web 浏览器,访问http://localhost:8080 URL,然后单击登录
  3. F12,选择网络 选项卡,然后选中保留日志 复选框。
    选中此复选框可查看应用程序与Oracle Identity Cloud Service之间的所有通信。
  4. In the Login page, click the red Oracle icon.

浏览器的开发者日志应显示以下事件流:

  1. 您请求/auth/oracle资源,并且 Web 浏览器从Java Web 应用程序接收重定向响应。 

    Request URL: http://localhost:8080/auth
Request Method: GET
Status Code: 302 Found
 
Response Headers
Location: https://idcs-abcd1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri= http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234

  2. Oracle Identity Cloud Service接收您的授权代码请求并显示登录 页。 

    Request URL: https://idcs-abcd1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri= http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
Request Method: GET
Status Code: 303 See Other
 
Response Headers
Location:
https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin
Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]

  3. 登录到Oracle Identity Cloud Service,并将 Web 浏览器重定向到Java Web 应用程序的回调 URL。 

    Request URL:
http://localhost:8080/callback?code=[value has been omitted for readability]&state=1234
Request Method: GET
Status Code: 200 OK
 
Response Hearders
Set-Cookie: JSESSIONID=[value has been omitted for readability]

在此示例中,回调 URL 会将 Web 浏览器重定向到 页,其中用户访问标记和 ID 标记设置为会话属性。

检查 SDK 日志

按照以下步骤启用Oracle Identity Cloud Service Java SDK 日志并检查您在开发期间找到的任何问题。

  1. 打开ConnectionOptions.java类文件并编辑getOptions()方法
  2. Constants.LOG_LEVEL值设置为DEBUG

重建应用程序并再次运行。

您可以查看如下日志详细信息:

Fine:   Got token manager
Fine:   using config endpoint: https://idcs-abcd1234.identity.oraclecloud.com:443/.well-known/idcs-configuration
...
Fine:   Got response content: [value has been omitted for readability]
...
Fine:   getAuthorizationCodeUrl returning with url: [value has been omitted for readability]
...
Fine:   authorizationCode with code: [value has been omitted for readability]
...
Fine:   Obtaining access token from: [value has been omitted for readability]
...
Fine:   returning access token
...
Fine:   Token signature verification result: true

检查诊断数据

Java Web 应用程序启动Oracle Identity Cloud Service的成功和不成功登录尝试都在Oracle Identity Cloud Service诊断日志文件中注册。

  1. 登录到Oracle Identity Cloud Service控制台。
  2. 在控制台中,展开导航抽集器,单击设置,然后单击诊断
  3. 选择作为诊断类型的活动视图,然后单击保存
  4. Oracle Identity Cloud Service注销。

Oracle Identity Cloud Service捕获下一15分钟的诊断数据。

  1. Complete the steps in the Run the Java Application topic to display the Login page of the Java web application.

  2. 单击红色的Oracle图标。

  3. 要使登录失败,请 Oracle Identity Cloud Service登录页中输入不正确的用户名或口令。

  4. 要成功登录,请输入正确的用户名和口令。

  5. 使用Java Web 应用程序从Oracle Identity Cloud Service注销。

  6. 重新登录到Oracle Identity Cloud Service控制台。

  7. 在控制台中,展开导航抽集器,单击报告,然后单击诊断数据

  8. 为时间范围选择15-Minute,为日志类型选择活动视图,为报告格式选择 CSV,然后单击下载报告

诊断日志文件包括有关登录到Oracle Identity Cloud Service的用户的以下信息。 

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
 
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8080/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

最近的日志显示在文件顶部。