Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add custom parameters to authorize and logout endpoints #480

Open
wants to merge 15 commits into
base: master
Choose a base branch
from

Conversation

eva-mueller-coremedia
Copy link
Contributor

@eva-mueller-coremedia eva-mueller-coremedia commented Dec 14, 2024

This PR

Additionally, some housekeeping (fixing typos, simplify statements) has been done.

The main change has been done in eb0d2ba:

  • Add new input fields for login resp. logout query parameters in the Jenkins management backend
  • maybeOpenIdLogoutEndpoint has been refactored when it comes to combining all parameters
  • Login query parameters are not allowed to overwrite keys as defined in org.pac4j.oidc.config.OidcConfiguration
  • Logout query parameters are not allowed to overwrite keys as set in maybeOpenIdLogoutEndpoint like id_token_hint, state, post_logout_redirect_uri

Testing done

This change has been tested by unit tests as well as local testing agains AWS Cognito.

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

@eva-mueller-coremedia eva-mueller-coremedia requested a review from a team as a code owner December 14, 2024 23:08
Copy link

codecov bot commented Dec 14, 2024

Codecov Report

Attention: Patch coverage is 87.20930% with 11 lines in your changes missing coverage. Please review.

Project coverage is 73.70%. Comparing base (84359ac) to head (a2de73e).
Report is 8 commits behind head on master.

Files with missing lines Patch % Lines
...va/org/jenkinsci/plugins/oic/OicSecurityRealm.java 88.33% 5 Missing and 2 partials ⚠️
...ci/plugins/oic/OicQueryParameterConfiguration.java 80.95% 1 Missing and 3 partials ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##             master     #480      +/-   ##
============================================
+ Coverage     71.73%   73.70%   +1.97%     
- Complexity      222      252      +30     
============================================
  Files            17       18       +1     
  Lines          1033     1084      +51     
  Branches        148      155       +7     
============================================
+ Hits            741      799      +58     
+ Misses          201      195       -6     
+ Partials         91       90       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@eva-mueller-coremedia eva-mueller-coremedia changed the title Add custom parameters to authorize and logout endpoint Add custom parameters to authorize and logout endpoints Dec 15, 2024
Copy link
Member

@jtnord jtnord left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @eva-mueller-coremedia thanks for this.

I have had a quick look and have a few comments around the UX side.

The extra parameters would IIUC not be needed in the majority of conformant IDPs, as such do you thing they should be hidden behind an advanced section?

the use of a single string for multiple keyvalue pairs (and the encoding /splitting shenaningans) would seem to be error prone (and it lacks good warnings on invalid input). (a value may need to encode & and then you need to escape it)
Would making the KeyValue a Describable and using a repeatable option using repeatableProperty or the like (which can then perform individual valuation of the key and the value). NB not sur how this would look in CasC.

@eva-mueller-coremedia
Copy link
Contributor Author

@jtnord Thanks for the feedback, will try to follow a key value pair pattern.

If you don't mind, I would like to remove the UI at all - only provide it to be set via CasC resp. Java/Groovy code. Any objections?

@jtnord
Copy link
Member

jtnord commented Dec 24, 2024

@jtnord Thanks for the feedback, will try to follow a key value pair pattern.

If you don't mind, I would like to remove the UI at all - only provide it to be set via CasC resp. Java/Groovy code. Any objections?

it's generally considered bad to have something exposed in the UI and not CasC and vice versa. Not exposing in the UI can lead to it getting overridden if someone saves the Jenkins form in the UI (which I say you should never do as if you manage by code you should have a read only system UI, but it is useful on test systems where you want to make changes in the UI and then export the config for applying to a different server).

@eva-mueller-coremedia
Copy link
Contributor Author

@jtnord Thanks for the feedback, will try to follow a key value pair pattern.
If you don't mind, I would like to remove the UI at all - only provide it to be set via CasC resp. Java/Groovy code. Any objections?

it's generally considered bad to have something exposed in the UI and not CasC and vice versa. Not exposing in the UI can lead to it getting overridden if someone saves the Jenkins form in the UI (which I say you should never do as if you manage by code you should have a read only system UI, but it is useful on test systems where you want to make changes in the UI and then export the config for applying to a different server).

Understood. 👍 I will have a look to implement it the way you described initially. Thanks for the explanation!


private static final long serialVersionUID = 1L;

private String key;

Check warning

Code scanning / Jenkins Security Scan

Jenkins: Plaintext password storage Warning

Field should be reviewed whether it stores a password and is serialized to disk: key
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants