Verify the Node.js Application and the SDK
In this section of the solution, you:
- Verify the behavior and the code of the Node.js web application
- Verify the diagnostic data associated with the successful and failed sign-in attempts that the Node.js web application initiates to Oracle Identity Cloud Service
Verify the Behavior of the Node.js Application
The behavior of the Node.js web application follows the three-legged authentication flow defined by the authorization code grant type.
To verify all of the requests, responses, and redirects that the application and Oracle Identity Cloud Service perform through the web browser, enable the browser's Developer mode. This solution uses Google Chrome.
The browser's developer log should show the following flow of events:
- You request the /auth/oracle resource, and your web browser receives a redirect response from the Node.js web application.
Request URL: http://localhost:3000/auth/oracle
Request Method: GET
Status Code: 302 Found
Response Headers
Location: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234
- Oracle Identity Cloud Service receives your authorization code request and presents the Sign In page.
Request URL: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234
Request Method: GET
Status Code: 303 See Other
Response Headers
Location: https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin
Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
- You sign in to Oracle Identity Cloud Service. Oracle Identity Cloud Service redirects your web browser to the callback URL of the Node.js web application.
Request URL: http://localhost:3000/callback?code=[value has been omitted for readability]&state=1234
Request Method: GET
Status Code: 302 Found
Response Headers
Location: /auth.html
Set-Cookie: idcs_user_assertion=[value has been omitted for readability]
In this example, the callback URL sets your user access token as a cookie and redirects your web browser to the /auth.html page.
At this point, the application uses the passport.authenticate() method to authenticate you locally and then forwards your request to the /home route.
Request URL: http://localhost:3000/home
Request Method: GET
Status Code: 200 OK
Response Headers
Cookie: connect.sid=[value has been omitted for readability]
Verify the Code of the Node.js Application
After you sign in to Oracle Identity Cloud Service and are redirected to the callback URL of the Node.js web application, the Node.js web application logs information in the command-line window.
req.user={"name":"your.email@domain.com","displayName":"Your Name","id":"111111111111","tenant":"idcs-abcd1234","groups":[{"name":"Group 1","id":"2222222222222","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/Groups/7787fbab31b34e08b39cdeedf1f4233a"}],"appRoles":[{"name":"Identity Domain Administrator","id":"333333333333333","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/AppRoles/444444444444444","appName":"SampleApp","appID":"SampleAppId"}],"client":{"client_name":"Sample Apps","client_id":"555555555555","client_tenantname":"idcs-abcd1234","scope":"openid","audience":"https://idcs-abcd1234.identity.oraclecloud.com"}}
The ensureAuthenticated() method logs information about the JSON object that represents you, the user signed in to Oracle Identity Cloud Service.
ensureAuthenticated req.user={"name":"your.email@domain.com","displayName":"Your Name","id":"111111111111","tenant":"idcs-abcd1234","groups":[{"name":"Group 1","id":"2222222222222","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/Groups/7787fbab31b34e08b39cdeedf1f4233a"}],"appRoles":[{"name":"Identity Domain Administrator","id":"333333333333333","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/AppRoles/444444444444444","appName":"SampleApp","appID":"SampleAppId"}],"client":{"client_name":"Sample Apps","client_id":"555555555555","client_tenantname":"idcs-abcd1234","scope":"openid","audience":"https://idcs-abcd1234.identity.oraclecloud.com"}}
Verify the Diagnostic Data
Successful and failed sign-in attempts that the Node.js web application initiates to Oracle Identity Cloud Service are recorded in the Oracle Identity Cloud Service diagnostic log file.
- Sign in to Oracle Identity Cloud Service.
- In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Diagnostics.
- Select Activity View as the diagnostic type, and then click Save.
- Sign out of Oracle Identity Cloud Service.
Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.
- Complete the steps in the Run the Node.js Application topic of this solution to display the Sign In page of the Node.js web application.
- Click the red Oracle icon displayed on the right, or Sign In.
- To make a sign-in attempt fail, enter an incorrect user name or password in the Oracle Identity Cloud Service Sign In page.
- To sign in successfully, enter the correct user name and password.
- Sign out of Oracle Identity Cloud Service using the Node.js web application.
- Sign in to Oracle Identity Cloud Service again.
- In the Identity Cloud Service console, expand the Navigation Drawer, click Reports, and then click Diagnostic Data.
- Select 15-Minute for the time range, Activity View for the log type, and CSV for the report format, and then click Download Report.
The diagnostic log file includes the following information about the user who signs in to Oracle Identity Cloud Service.
Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111 is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:3000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated
The most recent log entries appear at the top of the file.
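The report above is a sequence of Message/Component/Timestamp/Actor ID entries separated by dashed lines. The following added example (not part of the Oracle solution) parses that format and summarises one sign-in attempt from it: who authenticated and how, from the getAllowedScopes entry, and whether the authorization request named the expected client_id and redirect_uri, from the OAuth entry. The expected values are assumed and copied from the captured authorize request, and the sample report is constructed from the entries shown on this page.

```javascript
// Added example (not part of the Oracle solution): parse the diagnostic report
// shown above and summarise one sign-in attempt. Expected values are assumed
// (copied from the captured authorize request).
const EXPECTED_CLIENT_ID = '123456789abcdefghij';
const EXPECTED_REDIRECT = 'http://localhost:3000/callback';

// Entries are "Key: value" lines separated by a line of dashes; the "..."
// lines stand for elided entries and carry no Message, so they are dropped.
function parseDiagnosticLog(text) {
  return text.split(/^-{10,}[ \t]*$/m).map((chunk) => {
    const entry = {};
    for (const line of chunk.split('\n')) {
      const m = line.match(/^(Message|Component|Timestamp|Actor ID): ?(.*)$/);
      if (m) entry[m[1]] = m[2];
    }
    return entry;
  }).filter((e) => e.Message);
}
// Who authenticated and how (getAllowedScopes JSON entry), and whether the
// authorization request named the expected client and redirect_uri (OAuth entry).
function summariseLogin(text) {
  const s = { result: null, user: null, authType: null, findings: [] };
  for (const e of parseDiagnosticLog(text)) {
    if (e.Component === 'Authorization/getAllowedScopes') {
      const d = JSON.parse(e.Message);
      s.result = d.response.result;
      s.user = d.user.name;
      s.authType = d.user['auth-type'];
    } else if (e.Component === 'OAuth' && e.Message.startsWith('Authorization Request')) {
      // parameters are logged as name[value] pairs
      const pairs = [...e.Message.matchAll(/(\w+)\[([^\]]*)\]/g)].map((m) => [m[1], m[2]]);
      const p = Object.fromEntries(pairs);
      if (p.client_id !== EXPECTED_CLIENT_ID) s.findings.push(`unexpected client_id: ${p.client_id}`);
      if (p.redirect_uri !== EXPECTED_REDIRECT) s.findings.push(`unexpected redirect_uri: ${p.redirect_uri}`);
    }
  }
  return s;
}

// Constructed sample in the report's format (values copied from the page).
const SAMPLE_LOG = `Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code"},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"]}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:3000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated`;
```

Running summariseLogin over a downloaded CSV export would need the CSV columns mapped onto the same four fields first; the parser above is written for the text layout shown on this page.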