Verify the Node.js Application and the SDK
In this section of the solution, you:
- Verify the behavior and the code of the Node.js web application
- Verify the diagnostic data associated with the successful and failed login attempts to Oracle Identity Cloud Service that the Node.js web application initiates
Verify the Behavior of the Node.js Application
The behavior of the Node.js web application follows the three-legged authentication flow defined by the authorization code grant type.
To verify all the requests, responses, and redirects that the application and Oracle Identity Cloud Service perform through the web browser, enable the browser's developer mode. This solution uses Google Chrome.
The browser's developer log should show the following flow of events:
- You request the /auth/oracle resource, and the web browser receives a redirect response from the Node.js web application.
Request URL: http://localhost:3000/auth/oracle
Request Method: GET
Status Code: 302 Found
Response Headers
Location: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234
- Oracle Identity Cloud Service receives your authorization code request and displays the Sign In page.
Request URL: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234
Request Method: GET
Status Code: 303 See Other
Response Headers
Location: https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin
Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
- You sign in to Oracle Identity Cloud Service. Oracle Identity Cloud Service redirects the web browser to the callback URL of the Node.js web application.
Request URL: http://localhost:3000/callback?code=[value has been omitted for readability]&state=1234
Request Method: GET
Status Code: 302 Found
Response Headers
Location: /auth.html
Set-Cookie: idcs_user_assertion=[value has been omitted for readability]
In this example, the callback URL redirects the web browser to the /auth.html page and sets the user access token as a cookie.
At this point, the application uses the passport.authenticate() method to authenticate locally and then forwards your request to the /home route.
Request URL: http://localhost:3000/home
Request Method: GET
Status Code: 200 OK
Response Headers
Cookie:
connect.sid=[value has been omitted for readability]
Verify the Code of the Node.js Application
After you sign in to Oracle Identity Cloud Service and are redirected to the callback URL of the Node.js web application, the Node.js web application logs information to the command-line window.
req.user={"name":"your.email@domain.com","displayName":"Your Name","id":"111111111111","tenant":"idcs-abcd1234","groups":[{"name":"Group 1","id":"2222222222222","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/Groups/7787fbab31b34e08b39cdeedf1f4233a"}],"appRoles":[{"name":"Identity Domain Administrator","id":"333333333333333","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/AppRoles/444444444444444","appName":"SampleApp","appID":"SampleAppId"}],"client":{"client_name":"Sample Apps","client_id":"555555555555","client_tenantname":"idcs-abcd1234","scope":"openid","audience":"https://idcs-abcd1234.identity.oraclecloud.com"}}
The ensureAuthenticated() method logs information about the JSON object that represents you, the user who is signed in to Oracle Identity Cloud Service.
ensureAuthenticated req.user={"name":"your.email@domain.com","displayName":"Your Name","id":"111111111111","tenant":"idcs-abcd1234","groups":[{"name":"Group 1","id":"2222222222222","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/Groups/7787fbab31b34e08b39cdeedf1f4233a"}],"appRoles":[{"name":"Identity Domain Administrator","id":"333333333333333","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/AppRoles/444444444444444","appName":"SampleApp","appID":"SampleAppId"}],"client":{"client_name":"Sample Apps","client_id":"555555555555","client_tenantname":"idcs-abcd1234","scope":"openid","audience":"https://idcs-abcd1234.identity.oraclecloud.com"}}
Verify the Diagnostic Data
Both successful and failed login attempts to Oracle Identity Cloud Service that the Node.js web application initiates are registered in the Oracle Identity Cloud Service diagnostic log file.
- Sign in to Oracle Identity Cloud Service.
- In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Diagnostics.
- Select Activity View as the diagnostic type, and then click Save.
- Sign out of Oracle Identity Cloud Service.
Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.
- Complete the steps in the Run the Node.js Application topic of this solution to display the Login page of the Node.js web application.
- Click the red Oracle icon displayed on the right, which you can use to sign in.
- To make a login fail, enter an incorrect user name or password in the Oracle Identity Cloud Service Sign In page.
- To sign in successfully, enter the correct user name and password.
- Sign out of Oracle Identity Cloud Service using the Node.js web application.
- Sign in to Oracle Identity Cloud Service again.
- In the Identity Cloud Service console, expand the Navigation Drawer, click Reports, and then click Diagnostic Data.
- Select 15-Minute for the time range, Activity View for the log type, and CSV for the report format, and then click Download Report.
The diagnostic log file includes the following information about the user who signed in to Oracle Identity Cloud Service.
Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111 is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:3000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated
The most recent log entries appear at the top of the file.
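An added example, not Oracle's code, of reviewing the downloaded diagnostic file: it splits the Message/Component/Timestamp/Actor ID records on the dashed separator, reads the scope decision from the Authorization/getAllowedScopes record, and extracts the name[value] parameters from the OAuth Authorization Request record so they can be compared with the redirect seen in the browser. SAMPLE_LOG is constructed from the excerpt above, and the function names are assumptions.

```javascript
// Constructed sample that mirrors two records of the excerpt above.
const SAMPLE_LOG = [
  'Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}',
  'Component: Authorization/getAllowedScopes',
  'Timestamp: [Date]',
  'Actor ID: your.email@example.com',
  '---------------------------------------------------------------',
  'Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:3000/callback] client_id[123456789abcdefghij]',
  'Component: OAuth',
  'Timestamp: [Date]',
  'Actor ID: Unauthenticated',
].join('\n');

// Split the file into records on the dashed separator and read the four fields.
// Lines that are not one of the fields (for example "...") are ignored.
function parseRecords(text) {
  return text.split(/^-{10,}$/m).map((block) => {
    const rec = {};
    for (const line of block.split('\n')) {
      const m = /^(Message|Component|Timestamp|Actor ID): ?(.*)$/.exec(line);
      if (m) rec[m[1]] = m[2];
    }
    return rec;
  }).filter((rec) => rec.Message !== undefined);
}

// "Authorization Request" messages carry parameters as name[value] pairs.
function parseAuthRequestParams(message) {
  const params = {};
  const re = /(\w+)\[([^\]]*)\]/g;
  let m;
  while ((m = re.exec(message)) !== null) params[m[1]] = m[2];
  return params;
}

// Summarise the scope decision and the received authorization parameters.
function summarize(text) {
  const out = { decision: null, request: null };
  for (const rec of parseRecords(text)) {
    if (rec.Component === 'Authorization/getAllowedScopes') {
      const j = JSON.parse(rec.Message);
      out.decision = {
        user: j.user.name,
        authType: j.user['auth-type'],
        result: j.response.result,
        isAdmin: j.response['custom-claims'].user_isAdmin === 'true',
      };
    } else if (rec.Component === 'OAuth' && rec.Message.startsWith('Authorization Request')) {
      out.request = parseAuthRequestParams(rec.Message);
    }
  }
  return out;
}
```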