Review the Node.js Application and SDK

In this part of the solution, you:

  • Review the behavior and code of the Node.js web application

  • Review the diagnostic data associated with the successful and failed sign-in attempts that the Node.js web application initiates with Oracle Identity Cloud Service

Review the Behavior of the Node.js Application

The Node.js web application's behavior follows the three-legged authentication flow defined by the authorization code grant type.

To verify all of the requests, responses, and redirects that the application and Oracle Identity Cloud Service perform through the web browser, enable the browser's developer mode. This solution uses Google Chrome.

  1. Run the Node.js web application.
  2. Open the Google Chrome web browser, access the http://localhost:3000 URL, and then click Login.
  3. Press F12, select the Network tab, and then select the Preserve log check box.
    Selecting this check box lets you see all of the communication between the application and Oracle Identity Cloud Service.
  4. On the login page, click the red Oracle icon shown on the right, or you can use Login.

The browser's developer log should show the following flow of events:

  1. You request the /auth/oracle resource, and your web browser receives a redirect response from the Node.js web application.

    Request URL: http://localhost:3000/auth/oracle
    Request Method: GET
    Status Code: 302 Found
     
    Response Headers
    Location: https://idcs-abcd1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234
  2. Oracle Identity Cloud Service receives your authorization code request and displays the login page.

    Request URL: https://idcs-abcd1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=openid&state=1234
    Request Method: GET
    Status Code: 303 See Other
     
    Response Headers
    Location: https://idcs-abcd1234.identity.domain.com/ui/v1/signin
    Set-Cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
  3. You log in to Oracle Identity Cloud Service, and Oracle Identity Cloud Service redirects your web browser to the Node.js web application's callback URL.

    Request URL: http://localhost:3000/callback?code=[value has been omitted for readability]&state=1234
    Request Method: GET
    Status Code: 302 Found
     
    Response Headers
    Location: /auth.html
    Set-Cookie: idcs_user_assertion=[value has been omitted for readability]

In this example, the callback URL redirects your web browser to the /auth.html page with the access token set as a cookie.

At this point, the application uses the passport.authenticate() method to authenticate you locally, and then forwards your request to the /home route. The session cookie is sent by the browser, so it appears among the request headers:

    Request URL: http://localhost:3000/home
    Request Method: GET
    Status Code: 200 OK
     
    Request Headers
    Cookie: connect.sid=[value has been omitted for readability]

Review the Application and SDK Logs

The application logs information to the command-line window. You can also enable SDK logging.

By default, the sample application logs information about the authentication flow to the command-line window.
Using ClientId=123456789abcdefghij
Server started on port 3000

---Resource: /auth/oracle -- Logging in ----------------------------------

authZurl=https://idcs-abcd1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Fcallback&response_type=code&scope=urn%3Aopc%3Aidm%3At.user.me%20openid&state=1234

---Resource: /callback -- Exchanging authzcode for a token ---------------------

authZcode=[value has been omitted for readability]
result.access_token = [value has been omitted for readability]
result.id_token = [value has been omitted for readability]

---Resource: /auth -- passport.authenticate ---------------------

---function ensureAuthenticated() -- Validating user logged in ---------------------
req.user=[The JSON object as String - value has been omitted for readability]

---Resource: /home -- Rendering home ---------------------
Follow these steps to enable logging in the Oracle Identity Cloud Service Node.js SDK and review any problems you find during development.
  1. Open the auth.js file and replace the value of LogLevel with debug or trace as needed.
  2. Save the file and restart the Node.js server.

Review Diagnostic Data

Both the successful and the failed sign-in attempts that the Node.js web application initiates with Oracle Identity Cloud Service are recorded in the Oracle Identity Cloud Service diagnostic log file.

  1. Log in to the Oracle Identity Cloud Service console.
  2. In the console, expand the navigation drawer, expand Settings, and then click Diagnostics.
  3. Select Activity View as the diagnostic type, and then click Save.
  4. Log out of Oracle Identity Cloud Service.

Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.

  1. Complete the steps in the Run the Node.js Application topic of this solution to display the Node.js web application's login page.

  2. Click the red Oracle icon.

  3. To attempt a failed login, enter an incorrect user name or password on the Oracle Identity Cloud Service login page.

  4. To log in successfully, enter the correct user name and password.

  5. Use the Node.js web application to log out of Oracle Identity Cloud Service.

  6. Log in to the Oracle Identity Cloud Service console again.

  7. In the Oracle Identity Cloud Service console, expand the navigation drawer, click Reports, and then click Diagnostic Data.

  8. Select 15 minutes for the time range, Activity View for the log type, and CSV for the report format, and then click Download Report.

The diagnostic log file contains information about the user who signed in to Oracle Identity Cloud Service, as shown below.

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@domain.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.domain.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
 
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:3000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

The most recent log entries appear at the top of the file.