1. 使用 Oracle Identity Cloud Service 验证 Python 应用
  2. 查看 Python 应用程序和 SDK

查看 Python 应用程序和 SDK

在解决方案的本节中,您将:

  • 检查 Python Web 应用程序的行为和代码

  • 检查与 Python Web 应用程序启动到 Oracle Identity Cloud Service 的成功和不成功登录尝试关联的诊断数据

查看 Python 应用程序的行为

Python Web 应用程序的行为遵循由授权代码授予类型定义的三路验证流。

要验证应用程序和 Oracle Identity Cloud Service 使用 Web 浏览器执行的所有请求、响应和重定向,请为浏览器启用开发人员模式。此解决方案使用 Google Chrome。

  1. 运行 Python Web 应用程序。
  2. 打开 Google Chrome Web 浏览器,访问 http://localhost:8080 URL,然后单击登录
  3. F12 ,选择 Network(网络)选项卡,然后选中 Preserve log(保留日志)复选框。选中此复选框可查看应用程序与 Oracle Identity Cloud Service 之间的所有通信。
  4. 登录页中,单击 Oracle 红色图标。

浏览器的开发者日志应显示以下事件流:

  1. 用户请求 /auth/oracle 资源,Web 浏览器收到来自 Python Web 应用程序的重定向响应。
    Request URL: http://localhost:8000/auth/
Request Method: GET
Status Code: 302 Found

Response Headers
Location: https://idcs-1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
  2. Oracle Identity Cloud Service 收到授权代码请求,并显示登录页。
    Request URL: https://idcs-1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
Request Method: GET
Status Code: 303 See Other
 
Response Headers
Location:
https://idcs-1234.identity.domain.com/ui/v1/signin
Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
  3. 用户登录到 Oracle Identity Cloud ServiceOracle Identity Cloud Service 将 Web 浏览器重定向到 Python Web 应用程序的回调 URL。
    Request URL:
http://localhost:8000/callback/&code=[value has been omitted for readability]&state=1234
Request Method: GET
Status Code: 200 OK
 
Response Headers
Set-Cookie: sessionid=[value has been omitted for readability]

    在此示例中,回调 URL 将 Web 浏览器重定向到将用户访问令牌设置为会话属性的主页页面。

分析应用程序和 SDK 日志

应用程序会将信息记录到命令行窗口。您还可以启用 SDK 日志。

默认情况下,示例应用程序在命令行窗口中记录验证流的信息。
Starting development server at http://127.0.0.1:8000/
----------------------------------------
[21/Dec/2018 16:00:42] "GET /login/ HTTP/1.1" 200 2772
...
----------------- def auth(request) ---------------
config.json file = {'logoutSufix': '/oauth2/v1/userlogout', 'ClientSecret': 'abcde-12345-zyxvu-98765-qwerty', 'AudienceServiceUrl': 'https://idcs-abcd1234.identity.domain.com', 'BaseUrl': 'https://idcs-abcd1234.identity.domain.com', 'ClientId': '123456789abcdefghij, 'ConsoleLog': 'True', 'LogLevel': 'INFO', 'scope': 'urn:opc:idm:t.user.me openid', 'redirectURL': 'http://localhost:8000/callback', 'TokenIssuer': 'https://identity.domain.com/'}
[21/Dec/2018 16:00:48] "GET /auth/ HTTP/1.1" 302 0
[21/Dec/2018 16:01:08] "GET /callback?code=[value has been omitted for readability]&state=1234 HTTP/1.1" 301 0
----------------- def callback(request) ------------------
access_token = [value has been omitted for readability]
按照以下步骤打开 Oracle Identity Cloud Service 的 Python SDK 登录,并检查您在开发过程中发现的任何问题。
  1. 打开 config.json 文件并将 LogLevel 的值替换为 DEBUG
  2. 保存文件并重新启动 Python 服务器

检查诊断数据

当 Python Web 应用程序尝试登录 Oracle Identity Cloud Service 时,成功和不成功的尝试都会注册到 Oracle Identity Cloud Service 的诊断日志文件中。

  1. 登录 Oracle Identity Cloud Service 控制台。
  2. 在控制台中,展开导航抽屉,单击设置,然后单击诊断
  3. 选择作业视图作为诊断类型,然后单击保存
  4. 注销 Oracle Identity Cloud Service

Oracle Identity Cloud Service 捕获未来 15 分钟的诊断数据。

  1. 完成此解决方案的“运行 Python 应用程序”主题中的步骤,以显示 Python Web 应用程序的登录页。
  2. 单击 Oracle 红色图标。
  3. 要尝试登录失败,请在 Oracle Identity Cloud Service 登录页上输入不正确的用户名或密码。
  4. 要成功登录,请输入正确的用户名和密码。
  5. 使用 Python Web 应用程序注销 Oracle Identity Cloud Service
  6. 登录 Oracle Identity Cloud Service 控制台。
  7. 在控制台中,展开导航抽屉,单击报表,然后单击诊断数据
  8. 选择 15 分钟的时间范围、活动视图日志类型、 CSV 报表格式,然后单击下载报表

诊断日志文件包括与以下内容类似的信息,这些信息涉及对 Oracle Identity Cloud Service 的登录尝试。 

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@domain.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
 
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

最近的日志显示在文件的顶部。