1. 使用Oracle Identity Cloud Service验证 Python 应用程序
  2. 检查 Python 应用程序和 SDK

检查 Python 应用程序和 SDK

在此解决方案部分中,您可以:

  • 检查 Python Web 应用程序的行为和代码

  • 检查与Python Web应用程序启动Oracle Identity Cloud Service的成功登录尝试和失败登录尝试相关联的诊断数据

检查 Python 应用程序的行为

Python Web 应用程序的行为遵循授权代码授权类型定义的三路验证流。

要使用 Web 浏览器验证应用程序和Oracle Identity Cloud Service执行的所有请求、响应和重定向,请启用浏览器的开发人员 模式。此解决方案使用 Google Chrome。

  1. 运行 Python Web 应用程序。
  2. 打开 Google Chrome Web 浏览器,访问http://localhost:8080 URL,然后单击登录
  3. F12,选择网络 选项卡,然后选中保留日志 复选框。选中此复选框可查看应用程序与Oracle Identity Cloud Service之间的所有通信。
  4. In the Login page, click the Oracle red icon, which appears to the right of or You can log in with.

浏览器的开发者日志应显示以下事件流:

  1. 用户请求/auth/oracle资源,Web 浏览器从 Python Web 应用程序接收重定向响应。
    Request URL: http://localhost:8000/auth/
Request Method: GET
Status Code: 302 Found

Response Headers
Location: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
  2. Oracle Identity Cloud Service接收授权代码请求并显示登录 页。
    Request URL: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
Request Method: GET
Status Code: 303 See Other
 
Response Headers
Location:
https://idcs-1234.identity.oraclecloud.com/ui/v1/signin
Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
  3. 用户登录到Oracle Identity Cloud Service。Oracle Identity Cloud Service将 Web 浏览器重定向到 Python Web 应用程序的回调 URL。
    Request URL:
http://localhost:8000/callback/&code=[value has been omitted for readability]&state=1234
Request Method: GET
Status Code: 200 OK
 
Response Headers
Set-Cookie: sessionid=[value has been omitted for readability]

    在此示例中,回调 URL 会将 Web 浏览器重定向到 页,其中用户访问标记设置为会话属性。

检查 Python 应用程序的代码

在您登录到Oracle Identity Cloud Service并重定向到 Python Web 应用程序的回调 URL 之后,Python Web 应用程序将在命令行窗口中显示信息。

[Date] "GET / HTTP/1.1" 200 2520
[Date] "GET /login/ HTTP/1.1" 200 3489
[Date] "GET /auth/ HTTP/1.1" 302 0
[Date] "GET /callback?code=[value has been omitted for readability]&state=1234 HTTP/1.1" 301 0
[Date] "GET /callback/?code=[value has been omitted for readability]&state=1234 HTTP/1.1" 200 2690

检查诊断数据

当 Python Web 应用程序尝试登录Oracle Identity Cloud Service时,成功尝试和未成功尝试都会注册到Oracle Identity Cloud Service诊断日志文件中。

  1. 登录到Oracle Identity Cloud Service。
  2. 在Identity Cloud Service控制台中,展开导航提取器,单击设置,然后单击诊断
  3. 选择作为诊断类型的活动视图,然后单击保存
  4. 从Oracle Identity Cloud Service注销。

Oracle Identity Cloud Service捕获下一15分钟的诊断数据。

  1. 完成此解决方案的“运行 Python 应用程序”主题中的步骤,以显示 Python Web 应用程序的登录 页。
  2. 单击显示在右侧的Oracle红色图标,或者您可以用来登录。
  3. 要使登录失败,请在Oracle Identity Cloud Service登录 页上输入不正确的用户名或口令。
  4. 要成功登录,请输入正确的用户名和口令。
  5. 使用 Python Web 应用程序从Oracle Identity Cloud Service中注销。
  6. 登录到Oracle Identity Cloud Service。
  7. 在Identity Cloud Service控制台中,展开导航提取器,单击报告,然后单击诊断数据
  8. 选择15-Minute时间范围、活动视图 日志类型、CSV 报告格式,然后单击下载报告

诊断日志文件包括与Oracle Identity Cloud Service登录尝试相似的以下信息。

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@domain.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
 
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

最近的日志显示在文件顶部。