-
Notifications
You must be signed in to change notification settings - Fork 95
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Unable to login if iDP sends a blank ("") refresh token #461
Comments
@caichao1103 hey sir can i work on this issue? |
@caichao1103 What did you specify as Groups field name in the configuration backend? Did you specify |
I left it empty @eva-mueller-coremedia |
|
@eva-mueller-coremedia |
For me, it seems that the warning
is not the root cause of your problem. See https://github.com/jenkinsci/oic-auth-plugin/blob/4.418.vccc7061f5b_6d/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java#L722 The main problem seems to be the Refresh Token:
|
@eva-mueller-coremedia |
I get this option when using the manual configuration mode. Does not seem to be present when using the well-known endpoint. |
@eva-mueller-coremedia |
When you login via your provider, does it return an ID token, access token, and refresh token? |
it returns ID token. |
Did you check for breaking changes in https://github.com/jenkinsci/oic-auth-plugin/releases since 4.303.v84089a_708ea_7? Like
If you consider all changes necessary due to the breaking changes and it still does not work, this is likely something for @jtnord |
Yes, I DID check for these breaking changes. |
It seems, when
in the end Maybe @jtnord can dig deeper here? |
the JMESPath shouldn't be compiled if the string is a blank string or the exception says the IdP is returning an invalid and yet there is a https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.3.3 However peeking further we see https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/86c059d5ec7efd024f0f0e730cce3c20c69d9d7c/src/main/java/com/nimbusds/oauth2/sdk/id/Identifier.java#lines-92:97 so the IDP is sending a blank (empty) refresh token. https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.13.3
so whilst this is SHOULD and not a MUST I would say the developers of the IDP implementation have not understood the ramifications of this. https://www.ietf.org/rfc/rfc2119.txt
This is in the underlying libraries that we use, the reason that the previous version worked was that it was non complaint to the spec (it was based on an early draft) and you got lucky. The latest version of the libraries has the same behaviour. I would suggest that you go back to your OpenID provider and open a defect with them so that they do not send a blank string for a refresh token (which is completely nonsensical!). You may be able to work around this by disabling refresh token support, which the IDP claims it supports from the well known config otherwise we should not even be requesting it! ( You may also be able to persuade the maintainers of the nimbus SDK that they should be tolerant of blank strings as well as |
Jenkins and plugins versions report
Jenkins version : 2.452.4
plugin version: 4.418.vccc7061f5b_6d
What Operating System are you using (both controller, and any agents involved in the problem)?
Ubuntu 22.04.3 LTS
Reproduction steps
Our openid Provider does not provide group info. It caused login to jenkins failed. The error messages were below:
Expected Results
login jenkins successfully
Actual Results
failed to login jenkins
Anything else?
No response
Are you interested in contributing a fix?
No response
The text was updated successfully, but these errors were encountered: