Verify the Python Application and SDK

In this section of the solution, you:

  • Verify the behavior and code of the Python web application

  • Review the diagnostic data related to the successful and failed sign-in attempts that the Python web application initiates against Oracle Identity Cloud Service

Verify the Python Application's Behavior

The behavior of the Python web application follows the three-legged authentication flow defined by the authorization code grant type.

To verify all the requests, responses, and redirects that the application and Oracle Identity Cloud Service perform through the web browser, enable your browser's developer mode. This solution uses Google Chrome.

  1. Run the Python web application.
  2. Open the Google Chrome web browser, access the http://localhost:8080 URL, and then click Log In.
  3. Press F12, select the Network tab, and then select the Preserve log check box. Selecting this check box lets you see all communication between the application and Oracle Identity Cloud Service.
  4. On the Log In page, click the red Oracle icon that appears on the right side, or click Log In.

The browser's developer log should show the following flow of events:

  1. The user requests the /auth/oracle resource, and the web browser receives a redirect response from the Python web application.
    Request URL: http://localhost:8000/auth/
    Request Method: GET
    Status Code: 302 Found

    Response Headers
    Location: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
  2. Oracle Identity Cloud Service receives the authorization code request and serves the Log In page.
    Request URL: https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
    Request Method: GET
    Status Code: 303 See Other

    Response Headers
    Location:
    https://idcs-1234.identity.oraclecloud.com/ui/v1/signin
    Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
  3. The user signs in to Oracle Identity Cloud Service, which then redirects the web browser to the Python web application's callback URL.
    Request URL:
    http://localhost:8000/callback/&code=[value has been omitted for readability]&state=1234
    Request Method: GET
    Status Code: 200 OK

    Response Headers
    Set-Cookie: sessionid=[value has been omitted for readability]

    In this example, the callback URL redirects the web browser to the home page and sets the user's access token as a session attribute.
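The checks a reviewer would make on the captured flow above, as an added example that is not part of the original solution or its SDK: the authorize redirect must request response_type=code for the registered redirect_uri and carry a state value, and the callback must return a code and echo exactly that state, which is what binds the response to the login the application started. The URLs, EXPECTED_* values and EXAMPLE_CODE are constructed from the captured requests, not real identifiers.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed from the captured flow above (not real identifiers): the
# Location header of the /auth/ redirect and the callback the browser requested.
AUTHORIZE_LOCATION = (
    "https://idcs-1234.identity.oraclecloud.com/oauth2/v1/authorize"
    "?client_id=123456789abcdefghij"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback"
    "&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234"
)
CALLBACK_URL = "http://localhost:8000/callback/?code=EXAMPLE_CODE&state=1234"
EXPECTED_CLIENT_ID = "123456789abcdefghij"
EXPECTED_REDIRECT_URI = "http://localhost:8000/callback"


def check_authorize_request(location, client_id, redirect_uri):
    """Return the problems found in the authorize redirect (empty list = OK)."""
    q = parse_qs(urlsplit(location).query)  # decodes %xx and '+' in scope
    problems = []
    if q.get("response_type") != ["code"]:
        problems.append("response_type is not 'code'")
    if q.get("client_id") != [client_id]:
        problems.append("unexpected client_id")
    if q.get("redirect_uri") != [redirect_uri]:
        problems.append("redirect_uri does not match the registered callback")
    if "openid" not in q.get("scope", [""])[0].split():
        problems.append("openid scope missing, so no ID token will be issued")
    if not q.get("state", [""])[0]:
        problems.append("state parameter missing")
    return problems


def check_callback(callback_url, sent_state):
    """The callback must carry a code and echo the state this login sent."""
    q = parse_qs(urlsplit(callback_url).query)
    problems = []
    if not q.get("code"):
        problems.append("no authorization code in callback")
    if q.get("state", [None])[0] != sent_state:
        problems.append("state mismatch: response is not bound to this login request")
    return problems


def verify_flow(location, callback_url, client_id, redirect_uri):
    """Run both checks, binding the callback to the state sent in the redirect."""
    sent_state = parse_qs(urlsplit(location).query).get("state", [""])[0]
    return (check_authorize_request(location, client_id, redirect_uri)
            + check_callback(callback_url, sent_state))
```

Calling verify_flow(AUTHORIZE_LOCATION, CALLBACK_URL, EXPECTED_CLIENT_ID, EXPECTED_REDIRECT_URI) returns an empty list for the captured flow; paste the Location header and callback URL from the Network tab of your own run to check them the same way.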

Verify the Python Application's Code

After the user signs in to Oracle Identity Cloud Service and is redirected to the Python web application's callback URL, the Python web application prints information in the command line window.

[Date] "GET / HTTP/1.1" 200 2520
[Date] "GET /login/ HTTP/1.1" 200 3489
[Date] "GET /auth/ HTTP/1.1" 302 0
[Date] "GET /callback?code=[value has been omitted for readability]&state=1234 HTTP/1.1" 301 0
[Date] "GET /callback/?code=[value has been omitted for readability]&state=1234 HTTP/1.1" 200 2690

Verify the Diagnostic Data

When the Python web application attempts to sign in to Oracle Identity Cloud Service, both successful and failed attempts are recorded in the Oracle Identity Cloud Service diagnostic log file.

  1. Sign in to Oracle Identity Cloud Service.
  2. In the Identity Cloud Service console, expand the Navigation Drawer, click Settings, and then click Diagnostics.
  3. Select Activity View as the diagnostic type, and then click Save.
  4. Sign out of Oracle Identity Cloud Service.

Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.

  1. Complete the steps in the "Run the Python Application" topic of this solution to display the Python web application's Log In page.
  2. Click the red Oracle icon that appears on the right side, or click Log In.
  3. To make the sign-in fail, enter an incorrect user name or password on the Oracle Identity Cloud Service Log In page.
  4. To sign in successfully, enter the correct user name and password.
  5. Sign out of Oracle Identity Cloud Service using the Python web application.
  6. Sign in to Oracle Identity Cloud Service.
  7. In the Identity Cloud Service console, expand the Navigation Drawer, click Reports, and then click Diagnostic Data.
  8. Select the 15-Minute time range, the Activity View log type, and the CSV report format, and then click Download Report.

The diagnostic log file contains information similar to the following about the Oracle Identity Cloud Service sign-in attempts.

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@domain.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
 
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

The most recent log entries appear at the top of the file.
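An added parser for the diagnostic export format shown above (example code, not Oracle's own tooling): it splits the Message/Component/Timestamp/Actor ID records at the dashed separators, pulls the name[value] parameters out of the OAuth "Authorization Request" record so they can be compared with what the application sent, and decodes the JSON getAllowedScopes decision. SAMPLE_LOG is a constructed excerpt built from the entries above.

```python
import json
import re

# Constructed excerpt in the export's record layout (not a real log file).
SAMPLE_LOG = """\
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"]}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated
"""
FIELDS = ("Message", "Component", "Timestamp", "Actor ID")


def parse_records(text):
    """Split the export at the dashed separators into one dict per record."""
    records = []
    for chunk in re.split(r"^-{10,}$", text, flags=re.M):
        rec = {}
        for line in chunk.splitlines():
            name, sep, value = line.partition(":")  # first colon ends the field name
            if sep and name in FIELDS:
                rec[name] = value.strip()
        if rec.get("Message"):
            records.append(rec)
    return records


def authorization_requests(records):
    """Collect the name[value] parameters of each OAuth Authorization Request."""
    out = []
    for rec in records:
        if rec.get("Component") == "OAuth" and rec["Message"].startswith("Authorization Request"):
            out.append(dict(re.findall(r"(\w+)\[([^\]]*)\]", rec["Message"])))
    return out


def allowed_scopes(records):
    """Decode the JSON getAllowedScopes decision as (result, granted scopes)."""
    for rec in records:
        if rec.get("Component") == "Authorization/getAllowedScopes":
            body = json.loads(rec["Message"])
            return body["response"]["result"], body["response"]["scopes"]
    return None
```

Because the newest entries are at the top, parse_records returns them in that order; reverse the list if you want to read the sign-in chronologically.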