Review the Java Application and SDK

In this section of the solution, you can:

  • Review the behavior and code of the Java web application.

  • Review the diagnostic data associated with the successful and failed login attempts that the Java web application initiates to Oracle Identity Cloud Service.

Review the Behavior of the Java Application

The behavior of the Java web application follows the three-legged authentication flow defined by the authorization code grant type.

Enable your browser's Developer mode to verify all requests, responses, and redirects performed by the application and by Oracle Identity Cloud Service. The following example uses Google Chrome.

  1. Run the Java web application.
  2. Open the Google Chrome web browser, go to the http://localhost:8080 URL, and then click Log In.
  3. Press F12, select the Network tab, and then select the Preserve log check box.
    Selecting this check box lets you see all communication between the application and Oracle Identity Cloud Service.
  4. On the Login page, click the red Oracle icon.

Your browser's developer log should show the following sequence of events:

  1. You request the /auth/oracle resource, and your web browser receives a redirect response from the Java web application.

    Request URL: http://localhost:8080/auth
    Request Method: GET
    Status Code: 302 Found
     
    Response Headers
    Location: https://idcs-abcd1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
  2. Oracle Identity Cloud Service receives your authorization code request and serves the Sign In page.

    Request URL: https://idcs-abcd1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
    Request Method: GET
    Status Code: 303 See Other
     
    Response Headers
    Location:
    https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin
    Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
  3. You sign in to Oracle Identity Cloud Service, which then redirects your web browser to the Java web application's callback URL.

    Request URL:
    http://localhost:8080/callback?code=[value has been omitted for readability]&state=1234
    Request Method: GET
    Status Code: 200 OK
     
    Response Headers
    Set-Cookie: JSESSIONID=[value has been omitted for readability]

In this example, the callback URL redirects your web browser to the page and sets your user's access token and ID token as session attributes.
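The three exchanges above are what a reviewer should see in the Network tab. The script below is an added example, not code from the Oracle solution or its Java SDK: it replays a constructed capture in the same shape and checks the invariants a defender cares about in an authorization code flow, namely that the authorize redirect goes over HTTPS with response_type=code and the registered redirect_uri, that openid is requested so an ID token is issued, and that the state value returned on the callback is the one the application sent. The capture, the expected client_id and redirect_uri, and the function names are this example's own assumptions; the placeholder host, client_id and state are the page's.

```python
"""Check a captured authorization-code login for the invariants a reviewer
expects to hold.  Added example, not code from the Oracle solution or its
Java SDK.  CAPTURE is constructed to mirror the Chrome Network log shown
above (same placeholder host, client_id, redirect_uri and state); the
expected values and the helper names are this example's own assumptions."""
from urllib.parse import parse_qs, urlparse

AUTHORIZE_URL = (
    "https://idcs-abcd1234.identity.oraclecloud.com/oauth2/v1/authorize"
    "?client_id=123456789abcdefghij"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback"
    "&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234"
)

# Constructed capture: (request URL, status code, response headers), in order.
CAPTURE = [
    ("http://localhost:8080/auth", 302, {"Location": AUTHORIZE_URL}),
    (AUTHORIZE_URL, 303, {
        "Location": "https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin",
        "Set-Cookie": "ORA_OCIS_REQ_1=[omitted]",
    }),
    ("http://localhost:8080/callback?code=[omitted]&state=1234", 200,
     {"Set-Cookie": "JSESSIONID=[omitted]"}),
]

# Values the application registered with the identity service (assumed here).
EXPECTED_CLIENT_ID = "123456789abcdefghij"
EXPECTED_REDIRECT_URI = "http://localhost:8080/callback"


def find_authorize_redirect(capture):
    """Return (parsed Location URL, parsed query) of the first 302 that sends
    the browser to the authorize endpoint, or (None, None)."""
    for _url, status, headers in capture:
        loc = urlparse(headers.get("Location", ""))
        if status == 302 and loc.path.endswith("/oauth2/v1/authorize"):
            return loc, parse_qs(loc.query)
    return None, None


def find_callback(capture):
    """Return (parsed URL, parsed query) of the request that hit /callback."""
    for url, _status, _headers in capture:
        parsed = urlparse(url)
        if parsed.path == "/callback":
            return parsed, parse_qs(parsed.query)
    return None, None


def check_flow(capture):
    """Return a list of findings; an empty list means the flow looks right."""
    findings = []
    loc, authz = find_authorize_redirect(capture)
    if authz is None:
        return ["no redirect to the authorize endpoint was captured"]
    if loc.scheme != "https":
        findings.append("authorize request is not sent over HTTPS")
    if authz.get("response_type") != ["code"]:
        findings.append("response_type is not 'code' (not the authorization code grant)")
    if authz.get("client_id") != [EXPECTED_CLIENT_ID]:
        findings.append("client_id differs from the registered application")
    if authz.get("redirect_uri") != [EXPECTED_REDIRECT_URI]:
        findings.append("redirect_uri differs from the registered callback")
    if "openid" not in authz.get("scope", [""])[0].split():
        findings.append("openid scope missing, so no ID token will be issued")
    state = authz.get("state", [None])[0]
    if not state:
        findings.append("authorize request carries no state value")

    cb_url, cb_query = find_callback(capture)
    if cb_query is None:
        findings.append("browser never reached the callback URL")
        return findings
    if f"{cb_url.scheme}://{cb_url.netloc}{cb_url.path}" != EXPECTED_REDIRECT_URI:
        findings.append("callback arrived at a URL other than redirect_uri")
    if "code" not in cb_query:
        findings.append("callback carries no authorization code")
    if cb_query.get("state", [None])[0] != state:
        findings.append("state returned on the callback differs from the state sent")
    return findings


if __name__ == "__main__":
    print(check_flow(CAPTURE) or "flow matches the expected sequence")
```

To use it against a real session, copy the three entries from the Network tab into CAPTURE in the same (URL, status, headers) shape. The state comparison is the check worth keeping even when everything else looks fine: a callback whose state does not match the value the application sent is the signature of a login response that was not initiated by this browser session.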

Review the SDK Logs

Follow these steps to enable logging in the Oracle Identity Cloud Service Java SDK and review any issues found during development.

  1. Open the ConnectionOptions.java class file and edit the getOptions() method.
  2. Set the Constants.LOG_LEVEL value to DEBUG.

Rebuild the application, and then run it again.

You'll see log details such as the following:

Fine:   Got token manager
Fine:   using config endpoint: https://idcs-abcd1234.identity.oraclecloud.com:443/.well-known/idcs-configuration
...
Fine:   Got response content: [value has been omitted for readability]
...
Fine:   getAuthorizationCodeUrl returning with url: [value has been omitted for readability]
...
Fine:   authorizationCode with code: [value has been omitted for readability]
...
Fine:   Obtaining access token from: [value has been omitted for readability]
...
Fine:   returning access token
...
Fine:   Token signature verification result: true

Review the Diagnostic Data

Both successful and unsuccessful logins that the Java web application initiates to Oracle Identity Cloud Service are recorded in the Oracle Identity Cloud Service diagnostic log file.

  1. Sign in to the Oracle Identity Cloud Service console.
  2. In the console, expand the Navigation Drawer, click Settings, and then click Diagnostics.
  3. Select Activity View as the diagnostic type, and then click Save.
  4. Sign out of Oracle Identity Cloud Service.

Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.

  1. Complete the steps in the Run the Java Application topic to display the Java web application's Login page.

  2. Click the red Oracle icon.

  3. To make the login attempt fail, enter an incorrect user name or password in the Oracle Identity Cloud Service Sign In page.

  4. To log in successfully, enter the correct user name and password.

  5. Use the Java web application to sign out of Oracle Identity Cloud Service.

  6. Sign in to the Oracle Identity Cloud Service console again.

  7. In the console, expand the Navigation drop-down list, click Reports, and then click Diagnostic Data.

  8. Select 15-Minute for the time range, Activity View for the log type, and CSV for the report format, and then click Download Report.

The diagnostic log file includes the following information about the user who signed in to Oracle Identity Cloud Service.

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
 
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8080/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

The most recent log entries appear at the top of the file.
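To trace one login through a downloaded report without reading it record by record, the parser below (an added example, not part of the Oracle solution) splits the report at the dashed separators, decodes the JSON and "received parameters" messages, keeps malformed messages such as the SSO entry above (whose URL value is not quoted) as raw strings instead of failing, and reverses the records into chronological order because the file lists the newest entries first. SAMPLE_REPORT is constructed from the record format shown on this page using its placeholder values; the function names are this example's own.

```python
"""Parse Oracle Identity Cloud Service diagnostic-report records of the shape
shown above and pull out the fields a reviewer wants when tracing one login.
Added example, not part of the Oracle solution.  SAMPLE_REPORT is constructed
from the record format on this page with its placeholder values; the function
names are this example's own."""
import json
import re

FIELDS = ("Message", "Component", "Timestamp", "Actor ID")
PARAM_RE = re.compile(r"(\w+)\[([^\]]*)\]")

# Constructed sample in the page's record format, newest entry first.
SAMPLE_REPORT = """\
Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8080/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated
"""


def parse_records(text):
    """Split the report into dicts keyed by FIELDS.  The file lists the newest
    record first, so the result is reversed into chronological order."""
    records, current = [], {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped == "...":
            continue                       # elided or blank lines
        if set(stripped) == {"-"}:         # dashed separator ends a record
            if current:
                records.append(current)
            current = {}
            continue
        key, sep, value = line.partition(": ")
        if sep and key in FIELDS:
            current[key] = value.strip()
    if current:
        records.append(current)
    return list(reversed(records))


def decode_message(message):
    """JSON messages become dicts, 'received parameters' messages become a
    name -> value dict, and anything else (including malformed JSON such as
    the SSO record's unquoted URL) is returned as the raw string."""
    if message.startswith("{"):
        try:
            return json.loads(message)
        except json.JSONDecodeError:
            return message
    if "received parameters:" in message:
        return dict(PARAM_RE.findall(message))
    return message


def summarize_login(text):
    """Condense one report into the facts a reviewer checks first: the
    parameters of the authorization request, whether the scope grant was
    allowed, how the user authenticated, and the policy steps evaluated."""
    records = parse_records(text)
    summary = {"components": [r.get("Component") for r in records], "policy_steps": []}
    for r in records:
        body = decode_message(r.get("Message", ""))
        component = r.get("Component")
        if component == "OAuth" and isinstance(body, dict):
            summary["authz_request"] = body
        elif component == "Authorization/getAllowedScopes" and isinstance(body, dict):
            summary["grant_result"] = body["response"]["result"]
            summary["auth_type"] = body["user"]["auth-type"]
            summary["user"] = body["user"]["name"]
        elif component == "PolicyEngine":
            summary["policy_steps"].append(body)
    return summary


if __name__ == "__main__":
    print(json.dumps(summarize_login(SAMPLE_REPORT), indent=2))
```

Feed the text of a downloaded report to summarize_login in place of SAMPLE_REPORT. Comparing authz_request against the redirect you saw in the browser (same state, redirect_uri and client_id) ties the server-side record to the client-side request, and a report for a failed attempt will lack the ALLOWED grant_result and the ID Token entry that the successful one shows above.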