Inspect the Node.js Application and SDK

In this part of the solution, you:

  • Inspect the behavior and code of the Node.js web application

  • Inspect the diagnostic data associated with the successful and failed login attempts that the Node.js web application initiates with Oracle Identity Cloud Service

Inspect the Behavior of the Node.js Application

The behavior of the Node.js web application follows the three-legged authentication flow defined by the authorization code grant type.

To use a web browser to verify all the requests, responses, and redirects performed by the application and by Oracle Identity Cloud Service, enable your browser's developer mode. This solution uses Google Chrome.

  1. Run the Node.js web application.
  2. Open the Google Chrome web browser, go to the http://localhost:3000 URL, and then click Log In.
  3. Press F12, select the Network tab, and then select the Preserve log check box.
    Selecting this check box lets you see all communication between the application and Oracle Identity Cloud Service.
  4. In the Login page, click the red Oracle icon, which appears to the right of "or You can log in with".

The browser's developer log should show the following flow of events:

  1. You request the /auth/oracle resource, and the web browser receives a redirect response from the Node.js web application.

    Request URL: http://localhost:3000/auth/oracle
    Request Method: GET
    Status Code: 302 Found
     
    Response Headers
    Location: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234
  2. Oracle Identity Cloud Service receives your authorization code request and displays the Login page.

    Request URL: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234
    Request Method: GET
    Status Code: 303 See Other
     
    Response Headers
    Location:
    https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin
    Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
  3. You sign in to Oracle Identity Cloud Service. Oracle Identity Cloud Service redirects the web browser to the callback URL of the Node.js web application.

    Request URL:
    http://localhost:3000/callback?code=[value has been omitted for readability]&state=1234
    Request Method: GET
    Status Code: 302 Found
     
    Response Headers
    Location: /auth.html
    Set-Cookie: idcs_user_assertion=[value has been omitted for readability]

In this example, the callback URL redirects the web browser to the /auth.html page and sets the user's access token as a cookie.

At this point, the application authenticates locally using the passport.authenticate() method and then forwards your request to the /home route.

Request URL: http://localhost:3000/home
Request Method: GET
Status Code: 200 OK
 
Response Headers
Cookie:
connect.sid=[value has been omitted for readability]

Inspect the Code of the Node.js Application

After you sign in to Oracle Identity Cloud Service and are redirected to the callback URL of the Node.js web application, the Node.js web application logs information in the command-line window.

req.user={"name":"your.email@domain.com","displayName":"Your Name","id":"111111111111","tenant":"idcs-abcd1234","groups":[{"name":"Group 1","id":"2222222222222","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/Groups/7787fbab31b34e08b39cdeedf1f4233a"}],"appRoles":[{"name":"Identity Domain Administrator","id":"333333333333333","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/AppRoles/444444444444444","appName":"SampleApp","appID":"SampleAppId"}],"client":{"client_name":"Sample Apps","client_id":"555555555555","client_tenantname":"idcs-abcd1234","scope":"openid","audience":"https://idcs-abcd1234.identity.oraclecloud.com"}}

The ensureAuthenticated() method logs information about the JSON object that represents you, the user signed in to Oracle Identity Cloud Service.

ensureAuthenticated req.user={"name":"your.email@domain.com","displayName":"Your Name","id":"111111111111","tenant":"idcs-abcd1234","groups":[{"name":"Group 1","id":"2222222222222","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/Groups/7787fbab31b34e08b39cdeedf1f4233a"}],"appRoles":[{"name":"Identity Domain Administrator","id":"333333333333333","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/AppRoles/444444444444444","appName":"SampleApp","appID":"SampleAppId"}],"client":{"client_name":"Sample Apps","client_id":"555555555555","client_tenantname":"idcs-abcd1234","scope":"openid","audience":"https://idcs-abcd1234.identity.oraclecloud.com"}}

Inspect Diagnostic Data

Both the successful and the failed login attempts that the Node.js web application initiates with Oracle Identity Cloud Service are recorded in the Oracle Identity Cloud Service diagnostic log file.

  1. Sign in to Oracle Identity Cloud Service.
  2. In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Diagnostics.
  3. Select Activity View as the diagnostic type, and then click Save.
  4. Sign out of Oracle Identity Cloud Service.

Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.

  1. Complete the steps in the Run the Node.js Application topic of this solution to display the Login page of the Node.js web application.

  2. Click the red Oracle icon, which appears to the right of "or You can log in with".

  3. To make the login fail, enter an incorrect user name or password in the Oracle Identity Cloud Service Login page.

  4. To sign in successfully, enter the correct user name and password.

  5. Sign out of Oracle Identity Cloud Service using the Node.js web application.

  6. Sign in to Oracle Identity Cloud Service again.

  7. In the Identity Cloud Service console, expand the Navigation Drawer, click Reports, and then click Diagnostic Data.

  8. Select 15-Minute for the time range, Activity View for the log type, and CSV for the report format, and then click Download Report.

The diagnostic log file includes the following information about the user who signed in to Oracle Identity Cloud Service.

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
 
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:3000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

The most recent log entries appear at the top of the file.
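As an added example (not code from the Oracle solution), a small parser for the Message/Component/Timestamp/Actor ID record layout shown above that extracts the OAuth Authorization Request parameters and checks them against the redirect_uri and client_id the application was registered with; the sample text is constructed from the excerpt above.

```javascript
// Added example, not part of the Oracle solution: parse the diagnostic
// records shown above and check the OAuth Authorization Request entry
// against the values the Node.js app is registered with.

// Constructed sample in the layout of the downloaded report excerpt;
// the field values are copied from the excerpt above.
const SAMPLE = `Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:3000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated
`;

// Split the text into records on the dashed separator line and read the
// four "Key: value" fields of each record into an object.
function parseRecords(text) {
  return text.split(/^-{3,}$/m).map(block => {
    const rec = {};
    for (const line of block.split('\n')) {
      const m = line.match(/^(Message|Component|Timestamp|Actor ID):\s*(.*)$/);
      if (m) rec[m[1]] = m[2];
    }
    return rec;
  }).filter(r => r.Message !== undefined);
}

// Turn the "name[value] name[value]" list in the message into an object.
function parseBracketParams(msg) {
  const out = {};
  for (const m of msg.matchAll(/(\w+)\[([^\]]*)\]/g)) out[m[1]] = m[2];
  return out;
}

// Return the parameters of every OAuth Authorization Request whose
// redirect_uri or client_id differs from the registered values; an empty
// array means every request in the log matched the app's configuration.
function findMismatchedAuthRequests(text, expected) {
  const bad = [];
  for (const r of parseRecords(text)) {
    if (r.Component !== 'OAuth' || !r.Message.startsWith('Authorization Request')) continue;
    const p = parseBracketParams(r.Message);
    if (p.redirect_uri !== expected.redirectUri || p.client_id !== expected.clientId) bad.push(p);
  }
  return bad;
}
```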