Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Unable to login if iDP sends a blank ("") refresh token #461

Open
caichao1103 opened this issue Nov 12, 2024 · 15 comments
Open

Unable to login if iDP sends a blank ("") refresh token #461

caichao1103 opened this issue Nov 12, 2024 · 15 comments

Comments

@caichao1103
Copy link

caichao1103 commented Nov 12, 2024

Jenkins and plugins versions report

Jenkins version : 2.452.4
plugin version: 4.418.vccc7061f5b_6d

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 22.04.3 LTS

Reproduction steps

Our openid Provider does not provide group info. It caused login to jenkins failed. The error messages were below:

Nov 12 02:23:36 fcai-vm-01 jenkins[161716]: 2024-11-12 02:23:36.226+0000 [id=5809]	WARNING	o.j.plugins.oic.OicSecurityRealm#compileJMESPath: groups field config failed io.burt.jmespath.parser.ParseException: Unable to compile expression "": syntax error mismatched input '<EOF>' expecting {'!', '(', '*', '[', '{', '[?', '@', '`', RAW_STRING, JSON_CONSTANT, NAME, STRING} at position 0
2024-11-12 02:24:08.913+0000 [id=5809]	WARNING	o.e.j.s.h.ContextHandler$Context#log: Error while serving http://fcai-vm-01:8080/securityRealm/finishLogin
java.lang.IllegalArgumentException: The value must not be null or empty string
	 at com.nimbusds.oauth2.sdk.id.Identifier.<init>(Identifier.java:95)
	 at com.nimbusds.oauth2.sdk.token.Token.<init>(Token.java:52)
	 at com.nimbusds.oauth2.sdk.token.RefreshToken.<init>(RefreshToken.java:79)
	 at com.nimbusds.oauth2.sdk.token.RefreshToken.parse(RefreshToken.java:121)
	 at com.nimbusds.openid.connect.sdk.token.OIDCTokens.parse(OIDCTokens.java:205)
	 at com.nimbusds.openid.connect.sdk.OIDCTokenResponse.parse(OIDCTokenResponse.java:164)
	 at com.nimbusds.openid.connect.sdk.OIDCTokenResponse.parse(OIDCTokenResponse.java:196)
	 at com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser.parse(OIDCTokenResponseParser.java:78)
	 at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.executeTokenRequest(OidcAuthenticator.java:202)
	 at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:165)
	 at org.pac4j.core.client.BaseClient.lambda$retrieveCredentials$0(BaseClient.java:75)
	 at java.base/java.util.Optional.ifPresent(Optional.java:183)
	 at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:72)
	 at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:145)
	 at org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1272)
	 at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
	 at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
Caused: java.lang.reflect.InvocationTargetException
	 at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:401)
	 at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
	 at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
	 at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
	 at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
	 at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
	 at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
	 at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
	 at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:224)
	 at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
	 at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
	 at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
	 at org.kohsuke.stapler.Stapler.invoke(Stapler.java:698)
	 at org.kohsuke.stapler.Stapler.service(Stapler.java:248)
	 at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	 at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
	 at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:163)
	 at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at jenkins.util.HttpServletFilter$1.doFilter(HttpServletFilter.java:76)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:166)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at jenkins.ErrorAttributeFilter.doFilter(ErrorAttributeFilter.java:29)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	 at org.jenkinsci.plugins.oic.OicSecurityRealm$1.doFilter(OicSecurityRealm.java:863)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	 at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	 at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:145)
	 at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
	 at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
	 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	 at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	 at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
	 at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
	 at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:569)
	 at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
	 at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	 at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
	 at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
	 at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
	 at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
	 at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
	 at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	 at org.eclipse.jetty.server.Server.handle(Server.java:563)
	 at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
	 at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
	 at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
	 at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
	 at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
	 at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	 at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199)
	 at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
	 at java.base/java.lang.Thread.run(Thread.java:829)
2024-11-12 02:24:08.919+0000 [id=5809]	WARNING	h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 43575e6e-eaca-40d4-95ac-545fed58f74f
java.lang.IllegalArgumentException: The value must not be null or empty string
	 at com.nimbusds.oauth2.sdk.id.Identifier.<init>(Identifier.java:95)
	 at com.nimbusds.oauth2.sdk.token.Token.<init>(Token.java:52)
	 at com.nimbusds.oauth2.sdk.token.RefreshToken.<init>(RefreshToken.java:79)
	 at com.nimbusds.oauth2.sdk.token.RefreshToken.parse(RefreshToken.java:121)
	 at com.nimbusds.openid.connect.sdk.token.OIDCTokens.parse(OIDCTokens.java:205)
	 at com.nimbusds.openid.connect.sdk.OIDCTokenResponse.parse(OIDCTokenResponse.java:164)
	 at com.nimbusds.openid.connect.sdk.OIDCTokenResponse.parse(OIDCTokenResponse.java:196)
	 at com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser.parse(OIDCTokenResponseParser.java:78)
	 at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.executeTokenRequest(OidcAuthenticator.java:202)
	 at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:165)
	 at org.pac4j.core.client.BaseClient.lambda$retrieveCredentials$0(BaseClient.java:75)
	 at java.base/java.util.Optional.ifPresent(Optional.java:183)
	 at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:72)
	 at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:145)
	 at org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1272)
	 at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
	 at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
	 at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
	 at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
	 at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
	 at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
	 at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
	 at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
Caused: javax.servlet.ServletException
	 at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:818)
	 at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
	 at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:224)
	 at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
	 at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
	 at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
	 at org.kohsuke.stapler.Stapler.invoke(Stapler.java:698)
	 at org.kohsuke.stapler.Stapler.service(Stapler.java:248)
	 at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	 at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
	 at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:163)
	 at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at jenkins.util.HttpServletFilter$1.doFilter(HttpServletFilter.java:76)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:166)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at jenkins.ErrorAttributeFilter.doFilter(ErrorAttributeFilter.java:29)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	 at org.jenkinsci.plugins.oic.OicSecurityRealm$1.doFilter(OicSecurityRealm.java:863)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	 at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	 at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:145)
	 at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
	 at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
	 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	 at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	 at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
	 at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
	 at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:569)
	 at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
	 at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	 at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
	 at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
	 at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
	 at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
	 at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
	 at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	 at org.eclipse.jetty.server.Server.handle(Server.java:563)
	 at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
	 at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
	 at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
	 at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
	 at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
	 at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	 at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199)
	 at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
	 at java.base/java.lang.Thread.run(Thread.java:829)

Expected Results

login jenkins successfully

Actual Results

failed to login jenkins

Anything else?

No response

Are you interested in contributing a fix?

No response

@biru-codeastromer
Copy link

@caichao1103 hey sir can i work on this issue?

@eva-mueller-coremedia
Copy link
Contributor

@caichao1103 What did you specify as Groups field name in the configuration backend? Did you specify "" or did you leave the field empty?

@caichao1103
Copy link
Author

@caichao1103 What did you specify as Groups field name in the configuration backend? Did you specify "" or did you leave the field empty?

I left it empty @eva-mueller-coremedia

@eva-mueller-coremedia
Copy link
Contributor

@caichao1103

  • Which provider do you use?
  • What is the field/config name, in which your provider stores the groups of a user?

@caichao1103
Copy link
Author

@caichao1103

* Which provider do you use?

* What is the field/config name, in which your provider stores the groups of a user?

@eva-mueller-coremedia
The provider is developed by our own team and used internally only.
The config detail is as below.

Image

@eva-mueller-coremedia
Copy link
Contributor

For me, it seems that the warning

Nov 12 02:23:36 fcai-vm-01 jenkins[161716]: 2024-11-12 02:23:36.226+0000 [id=5809]#011WARNING#011o.j.plugins.oic.OicSecurityRealm#compileJMESPath: groups field config failed io.burt.jmespath.parser.ParseException: Unable to compile expression "": syntax error mismatched input '<EOF>' expecting {'!', '(', '*', '[', '{', '[?', '@', '', RAW_STRING, JSON_CONSTANT, NAME, STRING} at position 0

is not the root cause of your problem. See https://github.com/jenkinsci/oic-auth-plugin/blob/4.418.vccc7061f5b_6d/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java#L722

The main problem seems to be the Refresh Token:

Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: 2024-11-12 02:24:08.913+0000 [id=5809]#011WARNING#011o.e.j.s.h.ContextHandler$Context#log: Error while serving http://fcai-vm-01:8080/securityRealm/finishLogin
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: java.lang.IllegalArgumentException: The value must not be null or empty string
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at com.nimbusds.oauth2.sdk.id.Identifier.(Identifier.java:95)
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at com.nimbusds.oauth2.sdk.token.Token.(Token.java:52)
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at com.nimbusds.oauth2.sdk.token.RefreshToken.(RefreshToken.java:79)
[...]
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1272)

@caichao1103

  • Can you ensure that your internally developed provider is a conformant OIDC provider?
  • When you login via your provider, does it return an ID token, access token, and refresh token?
    • If your provider does not support refresh token, did you disable the config "Enable Token Refresh using Refresh Tokens?"
  • Did you try to update to the latest version of the oic-auth plugin?

@caichao1103
Copy link
Author

For me, it seems that the warning

Nov 12 02:23:36 fcai-vm-01 jenkins[161716]: 2024-11-12 02:23:36.226+0000 [id=5809]#011WARNING#011o.j.plugins.oic.OicSecurityRealm#compileJMESPath: groups field config failed io.burt.jmespath.parser.ParseException: Unable to compile expression "": syntax error mismatched input '<EOF>' expecting {'!', '(', '*', '[', '{', '[?', '@', '', RAW_STRING, JSON_CONSTANT, NAME, STRING} at position 0

is not the root cause of your problem. See https://github.com/jenkinsci/oic-auth-plugin/blob/4.418.vccc7061f5b_6d/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java#L722

The main problem seems to be the Refresh Token:

Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: 2024-11-12 02:24:08.913+0000 [id=5809]#011WARNING#011o.e.j.s.h.ContextHandler$Context#log: Error while serving http://fcai-vm-01:8080/securityRealm/finishLogin
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: java.lang.IllegalArgumentException: The value must not be null or empty string
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at com.nimbusds.oauth2.sdk.id.Identifier.(Identifier.java:95)
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at com.nimbusds.oauth2.sdk.token.Token.(Token.java:52)
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at com.nimbusds.oauth2.sdk.token.RefreshToken.(RefreshToken.java:79)
[...]
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1272)

@caichao1103

* Can you ensure that your internally developed provider is a conformant OIDC provider?

* When you login via your provider, does it return an ID token, access token, and refresh token?
  
  * If your provider does not support refresh token, did you disable the config "Enable Token Refresh using Refresh Tokens?"

* Did you try to update to the latest version of the oic-auth plugin?

@eva-mueller-coremedia
Our production jenkins is using oic-auth 4.303.v84089a_708ea_7, everything is OK. When we tried to update oic-auth to 4.418.vccc7061f5b_6d on our dev jenkins, we ran into the issue.
How to disable the config - "Enable Token Refresh using Refresh Tokens" please?

@eva-mueller-coremedia
Copy link
Contributor

How to disable the config - "Enable Token Refresh using Refresh Tokens" please?

I get this option when using the manual configuration mode. Does not seem to be present when using the well-known endpoint.

@caichao1103
Copy link
Author

How to disable the config - "Enable Token Refresh using Refresh Tokens" please?

I get this option when using the manual configuration mode. Does not seem to be present when using the well-known endpoint.

@eva-mueller-coremedia
I just updated oic plugin version to the latest version 4.438.v6e62f6782770 on jenkins dev environment, and did not enable "Enable Token Refresh using Refresh Tokens" option, but I still get the same error.

@eva-mueller-coremedia
Copy link
Contributor

When you login via your provider, does it return an ID token, access token, and refresh token?

@caichao1103
Copy link
Author

When you login via your provider, does it return an ID token, access token, and refresh token?

it returns ID token.

@eva-mueller-coremedia
Copy link
Contributor

Did you check for breaking changes in https://github.com/jenkinsci/oic-auth-plugin/releases since 4.303.v84089a_708ea_7?

Like

If you consider all changes necessary due to the breaking changes and it still does not work, this is likely something for @jtnord

@caichao1103
Copy link
Author

Did you check for breaking changes in https://github.com/jenkinsci/oic-auth-plugin/releases since 4.303.v84089a_708ea_7?

Like

* https://github.com/jenkinsci/oic-auth-plugin/releases/tag/4.388.v4f73328eb_d2c

* https://github.com/jenkinsci/oic-auth-plugin/releases/tag/4.350.v347c3b_8b_9d95

If you consider all changes necessary due to the breaking changes and it still does not work, this is likely something for @jtnord

Yes, I DID check for these breaking changes.

@eva-mueller-coremedia
Copy link
Contributor

It seems, when OicSecurityRealm#doFinishLogin requests the credentials

Credentials credentials = client.getCredentials(webContext, sessionStore)
                    .orElseThrow(() -> new Failure("Could not extract credentials from request"));

in the end OIDCTokens wants to parse the Access Token as well the Refresh Token (at least in version oauth2-oidc-sdk-10.1.jar)

Maybe @jtnord can dig deeper here?

@jtnord
Copy link
Member

jtnord commented Dec 23, 2024

the JMESPath shouldn't be compiled if the string is a blank string or null (I think that bug has been there for a while). #492


the exception says the IdP is returning an invalid refresh token https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/86c059d5ec7efd024f0f0e730cce3c20c69d9d7c/src/main/java/com/nimbusds/oauth2/sdk/token/RefreshToken.java#lines-79 implies the value is null

and yet there is a null defence in the method that calls this. -> https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/86c059d5ec7efd024f0f0e730cce3c20c69d9d7c/src/main/java/com/nimbusds/oauth2/sdk/token/RefreshToken.java#lines-117:121

https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.3.3

However peeking further we see https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/86c059d5ec7efd024f0f0e730cce3c20c69d9d7c/src/main/java/com/nimbusds/oauth2/sdk/id/Identifier.java#lines-92:97

so the IDP is sending a blank (empty) refresh token.

https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.13.3

Omitted parameters and parameters with no value SHOULD be omitted from the object and not represented by a JSON null value, unless otherwise specified

so whilst this is SHOULD and not a MUST I would say the developers of the IDP implementation have not understood the ramifications of this.

https://www.ietf.org/rfc/rfc2119.txt

  1. SHOULD This word, or the adjective "RECOMMENDED", mean that there
    may exist valid reasons in particular circumstances to ignore a
    particular item, but the full implications must be understood and
    carefully weighed before choosing a different course.

This is in the underlying libraries that we use, the reason that the previous version worked was that it was non complaint to the spec (it was based on an early draft) and you got lucky.

The latest version of the libraries has the same behaviour.

I would suggest that you go back to your OpenID provider and open a defect with them so that they do not send a blank string for a refresh token (which is completely nonsensical!).

You may be able to work around this by disabling refresh token support, which the IDP claims it supports from the well known config otherwise we should not even be requesting it! (grant_types_supported)

You may also be able to persuade the maintainers of the nimbus SDK that they should be tolerant of blank strings as well as null values, and then we would pick that fix up when compatable with a future pac4j version in the future.

@jtnord jtnord changed the title login to jenkins failed if openid provider not return group info Unable to login if IDP sends a blank ("") refresh token Dec 23, 2024
@jtnord jtnord changed the title Unable to login if IDP sends a blank ("") refresh token Unable to login if iDP sends a blank ("") refresh token Dec 23, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants