Review the Python Application and SDK

In this part of the solution, you:

  • Review the behavior and the code of the Python web application

  • Review the diagnostic data associated with the successful and failed sign-in attempts that the Python web application initiates against Oracle Identity Cloud Service

Review the Python Application Behavior

The Python web application's behavior follows the three-legged authentication flow defined by the authorization code grant type.

To verify all requests, responses, and redirects that the application and Oracle Identity Cloud Service perform through the web browser, enable developer mode in your browser. This solution uses Google Chrome.

  1. Run the Python web application.
  2. Open the Google Chrome web browser, go to http://localhost:8000, and then click Login.
  3. Press F12, select the Network tab, and then select the Preserve log check box. With this check box selected, the log keeps its entries across redirects, so you see all communication between the application and Oracle Identity Cloud Service.
  4. On the sign-in page, click the red Oracle icon.

The browser's developer log should show the following sequence of events:

  1. The user requests the /auth/ resource, and the web browser receives a redirect response from the Python web application.
    Request URL: http://localhost:8000/auth/
    Request Method: GET
    Status Code: 302 Found
    
    Response Headers
    Location: https://idcs-1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
  2. Oracle Identity Cloud Service receives the authorization code request and displays its sign-in page.
    Request URL: https://idcs-1234.identity.domain.com/oauth2/v1/authorize?client_id=123456789abcdefghij&redirect_uri=http%3A%2F%2Flocalhost%3A8000%2Fcallback&response_type=code&scope=urn:opc:idm:t.user.me+openid&state=1234
    Request Method: GET
    Status Code: 303 See Other
     
    Response Headers
    Location: https://idcs-1234.identity.domain.com/ui/v1/signin
    Set-cookie: ORA_OCIS_REQ_1=[value has been omitted for readability]
  3. The user signs in to Oracle Identity Cloud Service, and Oracle Identity Cloud Service redirects the web browser to the Python web application's callback URL.
    Request URL: http://localhost:8000/callback/?code=[value has been omitted for readability]&state=1234
    Request Method: GET
    Status Code: 200 OK
     
    Response Headers
    Set-Cookie: sessionid=[value has been omitted for readability]

    In this example, the callback URL redirects the web browser to the home page and stores the user's access token as a session attribute.
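The three steps above, as an added example in Python that is not the solution's application code or the Oracle Identity Cloud Service SDK: it builds the authorize redirect that step 1 shows and validates the callback from step 3 before the code is used. CONFIG holds constructed placeholders mirroring the config.json keys shown later on this page, and the token endpoint path /oauth2/v1/token is an assumption (the page shows only /oauth2/v1/authorize and /oauth2/v1/userlogout). Note that the trace above carries the fixed value state=1234 on every login; the state parameter only protects the callback against cross-site request forgery if it is unguessable, generated per request, and compared with the value saved in that user's session, which is what parse_callback does here.

```python
"""Authorization-code-flow client helpers (added example, not the solution's code)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholders mirroring the config.json keys shown on this page.
CONFIG = {
    "BaseUrl": "https://idcs-abcd1234.identity.domain.com",
    "ClientId": "123456789abcdefghij",
    "redirectURL": "http://localhost:8000/callback",
    "scope": "urn:opc:idm:t.user.me openid",
}


def new_state():
    """Unguessable per-request state; store it in the session before redirecting."""
    return secrets.token_urlsafe(32)


def build_authorize_url(config, state):
    """Location header for the 302 that /auth/ returns (same parameters as the trace)."""
    params = {
        "client_id": config["ClientId"],
        "redirect_uri": config["redirectURL"],
        "response_type": "code",
        "scope": config["scope"],
        "state": state,
    }
    return config["BaseUrl"] + "/oauth2/v1/authorize?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Validate the browser's arrival at /callback and return the authorization code.

    Raises ValueError for anything that must abort the login: an error from the
    authorization server, a missing code, or a state that does not match the
    value saved in this user's session (a CSRF or stale-session indicator).
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError("authorization server returned error: " + query["error"][0])
    code = query.get("code", [""])[0]
    state = query.get("state", [""])[0]
    if not code:
        raise ValueError("callback is missing the authorization code")
    # Constant-time comparison; an empty expected state means no login was started.
    if not expected_state or not hmac.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback is not tied to this session")
    return code


def token_request(config, code, client_secret):
    """Back-channel request the app makes next to exchange the code for tokens.

    Assumes the IDCS token endpoint path /oauth2/v1/token (not shown on the page).
    Returned as a dict rather than sent, so this runs offline; the client secret
    goes in HTTP Basic auth on this server-to-server call, never to the browser.
    """
    return {
        "url": config["BaseUrl"] + "/oauth2/v1/token",
        "auth": (config["ClientId"], client_secret),
        "data": {
            "grant_type": "authorization_code",
            "code": code,
            "redirect_uri": config["redirectURL"],
        },
    }


if __name__ == "__main__":
    state = new_state()
    print("302 Location:", build_authorize_url(CONFIG, state))
    # Constructed callback as the browser would request it after sign-in.
    returned = "http://localhost:8000/callback/?code=example-code&state=" + state
    print("code:", parse_callback(returned, state))
```

Run it with python to print the redirect Location and the extracted code; a callback whose state does not match the saved value raises ValueError instead of returning a code, and the app should then abandon the login rather than call the token endpoint.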

Review the Application and SDK Logs

The application logs information to the command-line window. You can also enable SDK logging.

By default, the sample application logs information about the authentication flow in the command-line window. Note that the first line after def auth(request) prints the entire contents of config.json, including ClientSecret; treat this console output as sensitive and do not leave it enabled outside a development environment.
Starting development server at http://127.0.0.1:8000/
----------------------------------------
[21/Dec/2018 16:00:42] "GET /login/ HTTP/1.1" 200 2772
...
----------------- def auth(request) ---------------
config.json file = {'logoutSufix': '/oauth2/v1/userlogout', 'ClientSecret': 'abcde-12345-zyxvu-98765-qwerty', 'AudienceServiceUrl': 'https://idcs-abcd1234.identity.domain.com', 'BaseUrl': 'https://idcs-abcd1234.identity.domain.com', 'ClientId': '123456789abcdefghij', 'ConsoleLog': 'True', 'LogLevel': 'INFO', 'scope': 'urn:opc:idm:t.user.me openid', 'redirectURL': 'http://localhost:8000/callback', 'TokenIssuer': 'https://identity.domain.com/'}
[21/Dec/2018 16:00:48] "GET /auth/ HTTP/1.1" 302 0
[21/Dec/2018 16:01:08] "GET /callback?code=[value has been omitted for readability]&state=1234 HTTP/1.1" 301 0
----------------- def callback(request) ------------------
access_token = [value has been omitted for readability]

Follow these steps to turn on logging in the Oracle Identity Cloud Service Python SDK and examine any issues you find during development.
  1. Open the config.json file and replace the value of LogLevel with DEBUG.
  2. Save the file and restart the Python server.

Review the Diagnostic Data

When the Python web application attempts to sign in to Oracle Identity Cloud Service, both successful and failed attempts are recorded in the Oracle Identity Cloud Service diagnostic log files.

  1. Sign in to the Oracle Identity Cloud Service console.
  2. In the console, expand the Navigation Drawer, click Settings, and then click Diagnostics.
  3. Select Activity View as the diagnostic type, and then click Save.
  4. Sign out of Oracle Identity Cloud Service.

Oracle Identity Cloud Service captures diagnostic data for the next 15 minutes.

  1. 完成此解決方案之「執行 Python 應用程式」主題中的步驟,以顯示 Python Web 應用程式的登入頁面。
  2. 按一下 Oracle 紅色圖示。
  3. 若要嘗試登入失敗,請在 Oracle Identity Cloud Service 的登入頁面中輸入不正確的使用者名稱或密碼。
  4. 若要成功登入,請輸入正確的使用者名稱和密碼。
  5. 使用 Python Web 應用程式登出 Oracle Identity Cloud Service
  6. 登入 Oracle Identity Cloud Service 主控台。
  7. 在主控台中,展開導覽側邊功能表,按一下報表,然後按一下診斷資料
  8. 選取 15 分鐘時間範圍、活動檢視日誌類型、 CSV 報告格式,然後按一下下載報表

The diagnostic log file contains information similar to the following about the Oracle Identity Cloud Service sign-in attempts.

Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@domain.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"environment":{"isCSR":"false","onBehalfOfUser":"false"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"clientAppRoles":["Authenticated Client","Me"],"userAppRoles":["Authenticated","Global Viewer","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: [Date]
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"SSO SignOn Policy evaluation result for user : 11111  is : effect:ALLOW,authenticationFactor:IDP,allowUserToSkip2FAEnrolment:false,2FAFrequency:SESSION,reAuthenticate:false,trustedDevice2FAFrequency:
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Sign-On Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluateRule] Evaluating MFA rule
Component: PolicyEngine
Timestamp: [Date]
Actor ID: uiSignin
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Authentication Target App Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: idcssso
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"password":"********","authFactor":"USERNAME_PASSWORD","device":"{\"currentTime\":\"[date]",\"screenWidth\":1920,\"screenHeight\":1080,\"screenColorDepth\":24,\"screenPixelDepth\":24,\"windowPixelRatio\":1,\"language\":\"en\",\"userAgent\":\"Mozilla\/5.0 (Windows NT 10.0
Component:
Timestamp:
Actor ID:
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: {"Message":"No session found so need to collect credentials","Redirecting to Login URL: ":https://idcs-abcd1234.identity.oraclecloud.com/ui/v1/signin}
Component: SSO
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: [PolicyEngineUtil.evaluatePolicy] Evaluating Default Identity Provider Policy
Component: PolicyEngine
Timestamp: [Date]
Actor ID: Unauthenticated
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: [Date]
Actor ID: Unauthenticated

The most recent log entries appear at the top of the file. Read from the bottom up, the entries trace the flow: the authorization request arrives with the parameters the app sent, the identity provider and sign-on policies are evaluated, no session is found so credentials are collected, the password is validated, the requested scopes are authorized for the user, and finally the ID token is signed.
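To work with the report rather than read it by eye, the following added example (not Oracle's code) parses the record layout shown above and checks two things a reviewer would want from these entries: whether the parameters Oracle Identity Cloud Service logged for the Authorization Request match the app's configured client_id and redirect_uri, and what the Authorization/getAllowedScopes decision granted, including whether the account used for testing is an administrator (the sample entry above carries user_isAdmin true and the Identity Domain Administrator role, so a failed-login test with that account is also a failed admin login). SAMPLE_REPORT is constructed from the entries above with placeholder timestamps and a shortened getAllowedScopes message, not real log data; EXPECTED mirrors the config.json values.

```python
"""Triage helpers for the Activity View diagnostic report (added example, not Oracle's code)."""
import json
import re

# Mirrors the app's config.json values shown on this page.
EXPECTED = {"ClientId": "123456789abcdefghij", "redirectURL": "http://localhost:8000/callback"}

# Constructed from the report entries above; timestamps are placeholders, not real data.
SAMPLE_REPORT = """\
Message: ID Token will be signed with User Tenant:idcs-abcd1234 Resource Tenant:idcs-abcd1234, clientId=123456789abcdefghij
Component: OAuth
Timestamp: 2018-12-21T16:01:05Z
Actor ID: your.email@domain.com
---------------------------------------------------------------
Message: {"request":{"tenant":"idcs-abcd1234","grant types":"authorization_code","scopes":["urn:opc:idm:t.user.me"]},"user":{"id":"111111","name":"your.email@domain.com","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"client":{"id":"123456789abcdefghij","name":"Sample App","tenant":"idcs-abcd1234","auth-type":"PASSWORD"},"response":{"result":"ALLOWED","scopes":["urn:opc:idm:t.user.me"],"custom-claims":{"userAppRoles":["Authenticated","Identity Domain Administrator"],"user_isAdmin":"true"}}}
Component: Authorization/getAllowedScopes
Timestamp: 2018-12-21T16:01:04Z
Actor ID: your.email@domain.com
---------------------------------------------------------------
...
---------------------------------------------------------------
Message: Authorization Request, received parameters: scope[urn:opc:idm:t.user.me openid] response_type[code] state[1234] redirect_uri[http://localhost:8000/callback] client_id[123456789abcdefghij]
Component: OAuth
Timestamp: 2018-12-21T16:00:50Z
Actor ID: Unauthenticated
"""

FIELDS = ("Message", "Component", "Timestamp", "Actor ID")
SEPARATOR = re.compile(r"^-{10,}\s*$")
PARAM = re.compile(r"(\w+)\[([^\]]*)\]")   # name[value] pairs in the Authorization Request line


def parse_report(text):
    """Split the report into records (newest first, as in the file); values may span lines."""
    records, current, last = [], {}, None
    for line in text.splitlines():
        if SEPARATOR.match(line) or line.strip() == "...":
            if current:
                records.append(current)
            current, last = {}, None
            continue
        for field in FIELDS:
            if line.startswith(field + ":"):
                last = field
                current[field] = line[len(field) + 1:].strip()
                break
        else:
            if last and line.strip():          # continuation of a multi-line value
                current[last] += "\n" + line.strip()
    if current:
        records.append(current)
    return records


def authorization_requests(records):
    """Parameters IDCS logged for each incoming /oauth2/v1/authorize request."""
    found = []
    for rec in records:
        msg = rec.get("Message", "")
        if rec.get("Component") == "OAuth" and msg.startswith("Authorization Request, received parameters:"):
            params = dict(PARAM.findall(msg.split("received parameters:", 1)[1]))
            params["_timestamp"] = rec.get("Timestamp", "")
            found.append(params)
    return found


def check_request_params(params, expected):
    """Findings for one logged authorization request that deviates from the app's config."""
    findings = []
    if params.get("client_id") != expected["ClientId"]:
        findings.append("client_id %r is not this app's registered client" % params.get("client_id"))
    if params.get("redirect_uri") != expected["redirectURL"]:
        findings.append("redirect_uri %r differs from configured %r" % (params.get("redirect_uri"), expected["redirectURL"]))
    if params.get("response_type") != "code":
        findings.append("response_type %r is not the authorization code grant" % params.get("response_type"))
    if not params.get("state"):
        findings.append("no state parameter: the callback cannot be tied to the originating session")
    return findings


def scope_decisions(records):
    """Summarize Authorization/getAllowedScopes entries: who got which scopes, and how they authenticated."""
    decisions = []
    for rec in records:
        if rec.get("Component") != "Authorization/getAllowedScopes":
            continue
        try:
            body = json.loads(rec.get("Message", ""))
        except ValueError:
            continue                            # truncated or non-JSON message
        claims = body.get("response", {}).get("custom-claims", {})
        decisions.append({
            "timestamp": rec.get("Timestamp", ""),
            "user": body.get("user", {}).get("name"),
            "auth_type": body.get("user", {}).get("auth-type"),
            "result": body.get("response", {}).get("result"),
            "scopes": body.get("response", {}).get("scopes", []),
            "is_admin": claims.get("user_isAdmin") == "true",
        })
    return decisions


if __name__ == "__main__":
    recs = parse_report(SAMPLE_REPORT)
    for req in authorization_requests(recs):
        print(req["_timestamp"], "authorize request:", check_request_params(req, EXPECTED) or "OK")
    for d in scope_decisions(recs):
        print(d["timestamp"], d["user"], d["result"], d["scopes"], "admin" if d["is_admin"] else "non-admin")
```

Point parse_report at the text of a downloaded report instead of SAMPLE_REPORT to run the same checks over a real 15-minute capture; a redirect_uri finding means a request reached Oracle Identity Cloud Service with a callback other than the one in config.json, which is worth tracing back to whoever built that request.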