Review the Java Application and SDK

In this section of the solution, you can:

  • Review the behavior and code of the Java web application

  • Review the diagnostic data associated with successful and failed sign-in attempts initiated from the Java web application to Oracle Identity Cloud Service.

Review the Java Application Behavior

The Java web application's behavior follows the three-legged authentication flow defined by the authorization code grant type.

Enable your browser's developer mode so that you can verify all of the requests, responses, and redirects performed by the application and by Oracle Identity Cloud Service. The following example uses Google Chrome.

  1. Run the Java web application.
  2. Open the Google Chrome web browser, access the http://localhost:8080 URL, and then click Log In.
  3. Press F12, select the Network tab, and then select the Preserve log check box.
    Selecting this check box lets you see all of the communication between the application and Oracle Identity Cloud Service.
  4. In the login page, click the red Oracle icon.

The browser's developer log should show the following flow of events:

  1. You request the /auth/oracle resource, and your web browser receives a redirect response from the Java web application.

    Request URL: http://localhost:8080/auth
    Request Method: GET
    Status Code: 302 Found
     
    Response Headers
    Location: https://idcs-abcd1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
  2. Oracle Identity Cloud Service receives your authorization code request and displays the login page.

    Request URL: https://idcs-abcd1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
    Request Method: GET
    Status Code: 303 See Other
     
    Response Headers
    Location:
    https://idcs-abcd1234.identity.domain.com/ui/v1/signin
    Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
  3. You sign in to Oracle Identity Cloud Service, which redirects your web browser to the Java web application's callback URL.

    Request URL:
    http://localhost:8080/callback?code=[value has been omitted for readability]&state=1234
    Request Method: GET
    Status Code: 200 OK
     
    Response Headers
    Set-Cookie: JSESSIONID=[value has been omitted for readability]

In this example, the callback URL redirects your web browser to the home page and sets your user access token and ID token as session attributes.

Review the SDK Logs

Follow these steps to enable logging for the Oracle Identity Cloud Service Java SDK and to investigate any problem you find during development.

  1. Open the ConnectionOptions.java class file and edit the getOptions() method.
  2. Set the Constants.LOG_LEVEL value to DEBUG.

Rebuild the application and run it again.

You see log details such as the following:
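The three hops above are exactly what a relying party has to validate before it trusts a callback: the authorize request went over HTTPS to the expected issuer, asked for response_type=code with the registered redirect_uri, and the state value it sent is the one the callback brings back. The following Python script is an added example (not code from the page or from the Oracle SDK) that checks those invariants over the captured records. CAPTURE is constructed from the DevTools output shown on the page, flattened to one "Key: value" line per header; the authorization code the page omitted is a placeholder, and MIN_STATE_LENGTH is an assumed threshold.

```python
"""Check a captured OAuth 2.0 authorization-code flow for the invariants the
relying party must enforce: an HTTPS authorize request to the expected issuer,
response_type=code, the registered redirect_uri, and a state value that the
callback echoes back unchanged (which ties the callback to the request the
application itself started).

CAPTURE is constructed from the DevTools records on the page, flattened to one
"Key: value" line each; the code value the page omitted is a placeholder."""
from urllib.parse import parse_qs, urlsplit

CAPTURE = """\
Request URL: http://localhost:8080/auth
Request Method: GET
Status Code: 302 Found
Location: https://idcs-abcd1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234

Request URL: https://idcs-abcd1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
Request Method: GET
Status Code: 303 See Other
Location: https://idcs-abcd1234.identity.domain.com/ui/v1/signin

Request URL: http://localhost:8080/callback?code=CODE_OMITTED&state=1234
Request Method: GET
Status Code: 200 OK
"""

# Values taken from the page; in a real check they come from the app's configuration.
EXPECTED_ISSUER_HOST = "idcs-abcd1234.identity.domain.com"
REGISTERED_REDIRECT = "http://localhost:8080/callback"
MIN_STATE_LENGTH = 16  # assumed threshold; state should be random and session-bound


def parse_capture(text):
    """Split the capture into records: one dict of header name -> value per hop."""
    records = []
    for block in text.strip().split("\n\n"):
        record = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")
            record[key.strip()] = value.strip()
        records.append(record)
    return records


def check_flow(records, issuer_host=EXPECTED_ISSUER_HOST, redirect=REGISTERED_REDIRECT):
    """Return (problems, warnings); an empty problems list means the flow holds together."""
    problems, warnings = [], []
    start, _sign_in, callback = records  # assumes the three hops shown on the page

    if not start["Status Code"].startswith("302"):
        problems.append("first hop is not a 302 redirect")
    authorize = urlsplit(start["Location"])
    params = parse_qs(authorize.query)
    if authorize.scheme != "https" or authorize.netloc != issuer_host:
        problems.append(f"authorize request goes to {authorize.netloc}, not {issuer_host}")
    if params.get("response_type") != ["code"]:
        problems.append("response_type is not 'code'")
    # parse_qs percent-decodes, so the registered URI is compared in plain form
    if params.get("redirect_uri") != [redirect]:
        problems.append(f"redirect_uri {params.get('redirect_uri')} is not the registered {redirect}")
    if "openid" not in params.get("scope", [""])[0].split():
        warnings.append("openid scope not requested, so no ID token will be issued")

    sent_state = params.get("state", [None])[0]
    cb_params = parse_qs(urlsplit(callback["Request URL"]).query)
    if not sent_state:
        problems.append("authorize request carries no state parameter")
    else:
        if cb_params.get("state", [None])[0] != sent_state:
            problems.append("callback state does not match the state that was sent")
        if len(sent_state) < MIN_STATE_LENGTH:
            warnings.append(f"state {sent_state!r} is short; use a random, session-bound value")
    if "code" not in cb_params:
        problems.append("callback carries no authorization code")
    return problems, warnings


if __name__ == "__main__":
    found, warned = check_flow(parse_capture(CAPTURE))
    print("problems:", found or "none")
    print("warnings:", warned or "none")
```

Run against the page's capture the flow passes, but the script flags state=1234 as a warning: a fixed, short state gives the callback no protection against being started by someone other than the user, so a production application should generate an unguessable value per login and compare it against the one stored in the session.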

Fine:   Got token manager
Fine:   using config endpoint: https://idcs-abcd1234.identity.domain.com:443/.well-known/idcs-configuration
...
Fine:   Got response content: [value has been omitted for readability]
...
Fine:   getAuthorizationCodeUrl returning with url: [value has been omitted for readability]
...
Fine:   authorizationCode with code: [value has been omitted for readability]
...
Fine:   Obtaining access token from: [value has been omitted for readability]
...
Fine:   returning access token
...
Fine:   Token signature verification result: true

Review the Diagnostic Data

Both successful and failed sign-in attempts initiated from the Java web application to Oracle Identity Cloud Service are recorded in the Oracle Identity Cloud Service diagnostic log file.

  1. Sign in to the Oracle Identity Cloud Service console.
  2. In the console, expand the Navigation Drawer, click Settings, and then click Diagnostics.
  3. Select Activity View as the diagnostic type, and then click Save.
  4. Sign out of Oracle Identity Cloud Service.

Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.

  1. Complete the steps in the "Run the Java Application" topic to display the Java web application's login page.

  2. Click the red Oracle icon.

  3. To attempt a failed sign-in, enter an incorrect user name or password in the Oracle Identity Cloud Service login page.

  4. To sign in successfully, enter the correct user name and password.

  5. Sign out of Oracle Identity Cloud Service using the Java web application.

  6. Sign in to the Oracle Identity Cloud Service console again.

  7. In the console, expand the Navigation Drawer, click Reports, and then click Diagnostic Data.

  8. Select 15 minutes for the time range, Activity View for the log type, and CSV for the report format, and then click Download Report.

The diagnostic log file contains information about the user who signed in to Oracle Identity Cloud Service, as shown below.

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
 
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8080/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

The most recent log entries appear at the top of the file.
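Reading the report by eye works for one sign-in, but when the 15-minute window contains several attempts it is easier to parse the records and pull out the decision. The following Python script is an added example (not code from the page or from Oracle) that splits the Message/Component/Timestamp/Actor ID records shown above, decodes the Authorization/getAllowedScopes JSON to recover the result, granted scopes and user, and parses the OAuth "Authorization Request" record so the granted scopes can be compared with what the client asked for. SAMPLE is constructed from three of the records on the page, with the page's [Date] placeholders kept as they are.

```python
"""Parse an Oracle Identity Cloud Service diagnostic report in the
Message/Component/Timestamp/Actor ID layout shown on the page and extract the
authorization decision and the original authorization request, so the outcome
of a sign-in attempt can be checked from the log rather than read by eye.

SAMPLE is constructed from the records on the page; timestamps are the page's
[Date] placeholders."""
import json
import re

FIELDS = ("Message", "Component", "Timestamp", "Actor ID")
# name[value] pairs as written in the "Authorization Request" message
PARAM_RE = re.compile(r"(\w+)\[([^\]]*)\]")

SAMPLE = """\
Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8080/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated
"""


def parse_records(text):
    """Return one dict per record. Records are separated by dashed lines; the
    '...' lines that mark elided stretches of the report are skipped."""
    records, current = [], {}
    for line in text.splitlines():
        if line.startswith("---") or line.strip() == "...":
            if current:
                records.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            current[key] = value.strip()
    if current:
        records.append(current)
    return records


def authorization_decision(records):
    """Return the getAllowedScopes decision as a flat dict, or None if absent."""
    for rec in records:
        if rec.get("Component") == "Authorization/getAllowedScopes":
            body = json.loads(rec["Message"])
            response = body["response"]
            return {
                "result": response["result"],
                "scopes": response["scopes"],
                "user": body["user"]["name"],
                "client": body["client"]["id"],
                "user_is_admin": response["custom-claims"].get("user_isAdmin") == "true",
            }
    return None


def authorization_request(records):
    """Return the parameters of the OAuth 'Authorization Request' record, or None."""
    for rec in records:
        message = rec.get("Message", "")
        if rec.get("Component") == "OAuth" and message.startswith("Authorization Request"):
            return dict(PARAM_RE.findall(message))
    return None


def scopes_within_request(records):
    """True when every scope the server granted was actually requested by the client."""
    decision, request = authorization_decision(records), authorization_request(records)
    if decision is None or request is None:
        return False
    return set(decision["scopes"]) <= set(request["scope"].split())


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    print("decision:", authorization_decision(recs))
    print("request:", authorization_request(recs))
    print("granted scopes within request:", scopes_within_request(recs))
```

The same parser can be pointed at the downloaded CSV once the Message column has been extracted; comparing the granted scopes against the requested ones and watching the user_isAdmin claim is a quick way to spot a sign-in that received more than the application was expected to ask for.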