Review the Node.js Application and the SDK

In this section of the solution, you will:

  • Examine the behavior and code of the Node.js web application

  • Examine the diagnostic data associated with the successful and unsuccessful login attempts that the Node.js web application initiates against Oracle Identity Cloud Service

Review the Behavior of the Node.js Application

The behavior of the Node.js web application follows the three-legged authentication flow defined by the authorization code grant type.

To verify all the requests, responses, and redirects that the application and Oracle Identity Cloud Service perform through the web browser, enable the browser's developer mode. This solution uses Google Chrome.

  1. Run the Node.js web application.
  2. Open the Google Chrome web browser, access the http://localhost:3000 URL, and then click Log In.
  3. Press F12, select the Network tab, and then select the Preserve log check box.
    Selecting this check box lets you see all communication between the application and Oracle Identity Cloud Service.
  4. On the login page, click the red Oracle icon, which appears to the right of the "Or you can log in" text.

The browser's developer log should show the following flow of events:

  1. You request the /auth/oracle resource, and the web browser receives a redirect response from the Node.js web application.

    Request URL: http://localhost:3000/auth/oracle
    Request Method: GET
    Status Code: 302 Found
     
    Response Headers
    Location: https://idcs-1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234
  2. Oracle Identity Cloud Service receives your authorization code request and displays the login page.

    Request URL: https://idcs-1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234
    Request Method: GET
    Status Code: 303 See Other
     
    Response Headers
    Location: https://idcs-abcd1234.identity.domain.com/ui/v1/signin
    Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
  3. You log in to Oracle Identity Cloud Service, and Oracle Identity Cloud Service redirects the web browser to the callback URL of the Node.js web application.

    Request URL: http://localhost:3000/callback?code=[value has been omitted for readability]&state=1234
    Request Method: GET
    Status Code: 302 Found
     
    Response Headers
    Location: /auth.html
    Set-Cookie: idcs_user_assertion=[value has been omitted for readability]

In this example, the callback URL redirects the web browser to the /auth.html page, with the access token set as a cookie.

At this point, the application uses the passport.authenticate() method to authenticate you locally, and then forwards the request to the /home route.

Request URL: http://localhost:3000/home
Request Method: GET
Status Code: 200 OK
 
Response Headers
Cookie:
connect.sid=[value has been omitted for readability]

Analyze the Application and SDK Logs

The application logs information to the command-line window. You can also enable SDK logging.

By default, the sample application logs information about the authentication flow in the command-line window.

Using ClientId=123456789abcdefghij
Server started on port 3000

---Resource: /auth/oracle -- Logging in ----------------------------------

authZurl=https://idcs-abcd1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=urn%3Aopc%3Aidm%3At.user.me%20openid&state=1234

---Resource: /callback -- Exchanging authzcode for a token ---------------------

authZcode=[value has been omitted for readability]
result.access_token = [value has been omitted for readability]
result.id_token = [value has been omitted for readability]

---Resource: /auth -- passport.authenticate ---------------------

---function ensureAuthenticated() -- Validating user logged in ---------------------
req.user=[The JSON object as String - value has been omitted for readability]

---Resource: /home -- Rendering home ---------------------

To turn on logging for the Oracle Identity Cloud Service Node.js SDK and investigate any problems you find during development, follow these steps:

  1. Open the auth.js file, and then replace the value of LogLevel with debug or trace, as needed.
  2. Save the file and restart the Node.js server.

Examine the Diagnostic Data

Both successful and unsuccessful login attempts that the Node.js web application initiates against Oracle Identity Cloud Service are recorded in the Oracle Identity Cloud Service diagnostic log file.

  1. Log in to the Oracle Identity Cloud Service console.
  2. In the console, expand the navigation drawer, click Settings, and then click Diagnostics.
  3. Select Activity View as the diagnostic type, and then click Save.
  4. Log out of Oracle Identity Cloud Service.

Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.

  1. Complete the steps in the "Run the Node.js Application" topic of this solution to display the login page of the Node.js web application.

  2. Click the red Oracle icon.

  3. To attempt a failed login, enter an incorrect user name or password in the Oracle Identity Cloud Service login page.

  4. To log in successfully, enter the correct user name and password.

  5. Use the Node.js web application to log out of Oracle Identity Cloud Service.

  6. Log in to the Oracle Identity Cloud Service console again.

  7. In the Oracle Identity Cloud Service console, expand the navigation drawer, click Reports, and then click Diagnostic Data.

  8. Select 15 minutes for the time range, Activity View for the log type, and CSV for the report format, and then click Download Report.

The diagnostic log file includes the following information about the user's login to Oracle Identity Cloud Service.

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@domain.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.domain.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:3000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

The most recent log entries appear at the top of the file.
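A parser for the record layout shown above, as an added example that is not Oracle's or the sample application's code. It splits the Message / Component / Timestamp / Actor ID blocks at the dashed separator lines, decodes the messages that are JSON (such as the getAllowedScopes entry), reverses the newest-first order, and pulls out the authorization decisions; SAMPLE_LOG is constructed to match the layout on the page, and its timestamps are made up.

```javascript
// Added example, not Oracle's or the sample application's code: a parser for the
// record layout shown above (Message / Component / Timestamp / Actor ID blocks
// separated by dashed lines, newest first). SAMPLE_LOG is constructed to match
// that layout; the timestamps in it are made up.
const SAMPLE_LOG = [
  'Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:3000/callback] client_id[123456789abcdefghij]',
  'Component: OAuth',
  'Timestamp: 2024-01-01T10:00:02Z',
  'Actor ID: your.email@domain.com',
  '---------------------------------------------------------------',
  'Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code"},"user":{"id":"111111","name":"your.email@domain.com"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"]}}',
  'Component: Authorization/getAllowedScopes',
  'Timestamp: 2024-01-01T10:00:01Z',
  'Actor ID: your.email@domain.com',
  '---------------------------------------------------------------',
  'Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy',
  'Component: PolicyEngine',
  'Timestamp: 2024-01-01T10:00:00Z',
  'Actor ID: uiSignin',
].join('\n');

// Split on separator lines and turn each "Key: value" block into an object.
// Messages that are JSON (as in the getAllowedScopes entry) are decoded into
// rec.json; truncated or plain-text messages leave rec.json null.
function parseDiagnosticLog(text) {
  return text.split(/^-{10,}$/m).map(b => b.trim()).filter(Boolean).map(block => {
    const rec = { json: null };
    for (const line of block.split('\n')) {
      const m = line.match(/^(Message|Component|Timestamp|Actor ID):\s*(.*)$/);
      if (m) rec[m[1]] = m[2];
    }
    try { rec.json = JSON.parse(rec.Message); } catch (_) { /* not JSON */ }
    return rec;
  });
}

// Oldest-first "Component:Actor" sequence, for comparing a successful attempt's trail with a failed one.
function timeline(records) {
  return records.slice().reverse().map(r => `${r.Component}:${r['Actor ID']}`);
}

// The authorization decisions (ALLOWED or otherwise) with the user they apply to.
function authorizationDecisions(records) {
  return records.slice().reverse()
    .filter(r => r.Component === 'Authorization/getAllowedScopes' && r.json)
    .map(r => ({ user: r.json.user && r.json.user.name,
                 result: r.json.response && r.json.response.result, at: r.Timestamp }));
}
```

The downloaded CSV carries the same fields per row; the parser above targets the text layout reproduced on this page.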