Verify the Node.js Application and SDK

In this section of the solution, you:

  • Verify the behavior and the code of the Node.js web application

  • Verify the diagnostic data associated with the successful and failed sign-in attempts that the Node.js web application initiates against Oracle Identity Cloud Service

Verify the Behavior of the Node.js Application

The Node.js web application follows the three-legged authentication flow defined by the authorization code grant type.

To verify every request, response, and redirect that the application and Oracle Identity Cloud Service perform through the web browser, enable the browser's Developer mode. This solution uses Google Chrome.

  1. Run the Node.js web application.
  2. Open the Google Chrome web browser, access the http://localhost:3000 URL, and then click Log in.
  3. Press F12, select the Network tab, and then select the Preserve log check box.
    Selecting this check box lets you see all communication between the application and Oracle Identity Cloud Service, including requests made before a redirect.
  4. On the Login page, click the red Oracle icon displayed on the right, or click Log in.

The browser's developer log should show the following sequence of events:

  1. You request the /auth/oracle resource, and your web browser receives a redirect response from the Node.js web application.

    Request URL: http://localhost:3000/auth/oracle
    Request Method: GET
    Status Code: 302 Found
     
    Response Headers
    Location: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234
  2. Oracle Identity Cloud Service receives your authorization code request and redirects you to its Login page.

    Request URL: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234
    Request Method: GET
    Status Code: 303 See Other
     
    Response Headers
    Location:
    https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin
    Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
  3. You sign in to Oracle Identity Cloud Service. Oracle Identity Cloud Service then redirects your web browser to the callback URL of the Node.js web application, passing the authorization code and the state value that the application sent in step 1.

    Request URL:
    http://localhost:3000/callback?code=[value has been omitted for readability]&state=1234
    Request Method: GET
    Status Code: 302 Found
     
    Response Headers
    Location: /auth.html
    Set-Cookie: idcs_user_assertion=[value has been omitted for readability]

In this example, the callback route redirects your web browser to the /auth.html page and sets the user's access token as the idcs_user_assertion cookie. Because that cookie carries a bearer credential, a production deployment should set it with the Secure and HttpOnly attributes and serve the application over HTTPS rather than the plain http://localhost:3000 used here.

At this point, the application uses the passport.authenticate() method to authenticate you locally, and then forwards your request to the /home route.

Request URL: http://localhost:3000/home
Request Method: GET
Status Code: 200 OK
 
Request Headers
Cookie: connect.sid=[value has been omitted for readability]

Verify the Code of the Node.js Application

After you sign in to Oracle Identity Cloud Service and are redirected to the callback URL of the Node.js web application, the application logs the following information in the command-line window.

req.user={"name":"your.email@domain.com","displayName":"Your Name","id":"111111111111","tenant":"idcs-abcd1234","groups":[{"name":"Group 1","id":"2222222222222","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/Groups/7787fbab31b34e08b39cdeedf1f4233a"}],"appRoles":[{"name":"Identity Domain Administrator","id":"333333333333333","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/AppRoles/444444444444444","appName":"SampleApp","appID":"SampleAppId"}],"client":{"client_name":"Sample Apps","client_id":"555555555555","client_tenantname":"idcs-abcd1234","scope":"openid","audience":"https://idcs-abcd1234.identity.oraclecloud.com"}}

The ensureAuthenticated() method logs information about the JSON object that represents you, the user signed in to Oracle Identity Cloud Service.

ensureAuthenticated req.user={"name":"your.email@domain.com","displayName":"Your Name","id":"111111111111","tenant":"idcs-abcd1234","groups":[{"name":"Group 1","id":"2222222222222","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/Groups/7787fbab31b34e08b39cdeedf1f4233a"}],"appRoles":[{"name":"Identity Domain Administrator","id":"333333333333333","location":"https://idcs-abcd1234.identity.oraclecloud.com/admin/v1/AppRoles/444444444444444","appName":"SampleApp","appID":"SampleAppId"}],"client":{"client_name":"Sample Apps","client_id":"555555555555","client_tenantname":"idcs-abcd1234","scope":"openid","audience":"https://idcs-abcd1234.identity.oraclecloud.com"}}

Verify the Diagnostic Data

Successful and failed sign-in attempts that the Node.js web application initiates against Oracle Identity Cloud Service are recorded in the Oracle Identity Cloud Service diagnostic log file.

  1. Sign in to Oracle Identity Cloud Service.
  2. In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Diagnostics.
  3. Select Activity View as the diagnostic type, and then click Save.
  4. Sign out of Oracle Identity Cloud Service.

Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes, so perform the following steps within that window.

  1. Complete the steps in the Run the Node.js Application topic of this solution to display the Login page of the Node.js web application.

  2. Click the red Oracle icon displayed on the right, or click Log in.

  3. To produce a failed sign-in attempt, enter an incorrect user name or password on the Oracle Identity Cloud Service sign-in page.

  4. To sign in successfully, enter the correct user name and password.

  5. Sign out of Oracle Identity Cloud Service using the Node.js web application.

  6. Sign in to Oracle Identity Cloud Service again.

  7. In the Identity Cloud Service console, expand the Navigation Drawer, click Reports, and then click Diagnostic Data.

  8. Select 15-Minute as the time range, Activity View as the log type, and CSV as the report format, and then click Download Report.

The diagnostic log file includes the following information about the user who signed in to Oracle Identity Cloud Service. Values that identify the tenant, client, and user are placeholders.

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@example.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@example.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:3000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

The most recent entries appear at the top of the file, so read it from the bottom up to follow a sign-in in chronological order: the OAuth Authorization Request, the identity provider and sign-on policy evaluations, credential collection, and finally the Authorization/getAllowedScopes decision.