jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

Login not working on Firefox 96.0.2 Windows 10 #184

Open AdrianFarmadin opened 2 years ago

AdrianFarmadin commented 2 years ago

Jenkins and plugins versions report

Environment
Jenkins: 2.319.2
OS: Linux - 5.11.0-43-generic
---
ace-editor:1.1 active-directory:2.25.1 analysis-model-api:10.9.1 ansicolor:1.0.1 ant:1.13 antisamy-markup-formatter:2.7 apache-httpcomponents-client-4-api:4.5.13-1.0 artifactory:3.15.2 authentication-tokens:1.4 authorize-project:1.4.0 azure-ad:189.v2da14dccdb43 azure-sdk:84.v53035e83f3c2 basic-branch-build-strategies:1.3.2 bitbucket:214.v2fd4234d0554 blueocean:1.25.2 blueocean-autofavorite:1.2.4 blueocean-bitbucket-pipeline:1.25.2 blueocean-commons:1.25.2 blueocean-config:1.25.2 blueocean-core-js:1.25.2 blueocean-dashboard:1.25.2 blueocean-display-url:2.4.1 blueocean-events:1.25.2 blueocean-git-pipeline:1.25.2 blueocean-github-pipeline:1.25.2 blueocean-i18n:1.25.2 blueocean-jwt:1.25.2 blueocean-personalization:1.25.2 blueocean-pipeline-api-impl:1.25.2 blueocean-pipeline-editor:1.25.2 blueocean-pipeline-scm-api:1.25.2 blueocean-rest:1.25.2 blueocean-rest-impl:1.25.2 blueocean-web:1.25.2 bootstrap4-api:4.6.0-3 bootstrap5-api:5.1.3-4 bouncycastle-api:2.25 branch-api:2.7.0 build-timeout:1.20 build-timestamp:1.0.3 caffeine-api:2.9.2-29.v717aac953ff3 checks-api:1.7.2 cloudbees-bitbucket-branch-source:751.vda_24678a_f781 cloudbees-folder:6.17 cobertura:1.17 code-coverage-api:2.0.4 command-launcher:1.6 conditional-buildstep:1.4.1 config-file-provider:3.8.2 configuration-as-code:1.55.1 credentials:1074.v60e6c29b_b_44b_ credentials-binding:1.27.1 data-tables-api:1.11.3-6 delivery-pipeline-plugin:1.4.2 deployit-plugin:10.0.6 display-url-api:2.3.5 docker-commons:1.18 docker-workflow:1.27 dtkit-api:3.0.0 durable-task:493.v195aefbb0ff2 echarts-api:5.2.2-2 email-ext:2.87 favorite:2.3.3 font-awesome-api:5.15.4-5 forensics-api:1.7.0 git:4.10.3 git-client:3.11.0 git-server:1.10 github:1.34.1 github-api:1.301-378.v9807bd746da5 github-branch-source:2.11.4 google-oauth-plugin:1.0.6 gradle:1.38 greenballs:1.15.1 groovy:2.4 handlebars:3.0.8 handy-uri-templates-2-api:2.1.8-1.0 hashicorp-vault-plugin:336.v182c0fbaaeb7 htmlpublisher:1.28 http_request:1.13 ivy:2.1 jackson2-api:2.13.1-246.va8a9f3eaf46a jacoco:3.3.1 javadoc:1.6 javax-activation-api:1.2.0-2 javax-mail-api:1.6.2-5 jaxb:2.3.0.1 jdk-tool:1.5 jenkins-design-language:1.25.2 jjwt-api:0.11.2-9.c8b45b8bb173 job-dsl:1.78.3 jquery:1.12.4-1 jquery3-api:3.6.0-2 jsch:0.1.55.2 junit:1.53 kubernetes:1.31.3 kubernetes-client-api:5.11.2-182.v0f1cf4c5904e kubernetes-credentials:0.9.0 lockable-resources:2.13 mailer:408.vd726a_1130320 matrix-auth:3.0 matrix-project:1.20 maven-plugin:3.16 mercurial:2.16 metrics:4.0.2.8.1 momentjs:1.1.1 oauth-credentials:0.5 okhttp-api:4.9.3-105.vb96869f8ac3a opentelemetry:0.21 pam-auth:1.6.1 parameterized-trigger:2.43 pipeline-build-step:2.15 pipeline-graph-analysis:188.v3a01e7973f2c pipeline-input-step:446.vf27b_0b_83500e pipeline-milestone-step:1.3.2 pipeline-model-api:1.9.3 pipeline-model-definition:1.9.3 pipeline-model-extensions:1.9.3 pipeline-rest-api:2.20 pipeline-stage-step:291.vf0a8a7aeeb50 pipeline-stage-tags-metadata:1.9.3 pipeline-stage-view:2.20 pipeline-utility-steps:2.12.0 plain-credentials:1.7 plugin-util-api:2.12.0 popper-api:1.16.1-2 popper2-api:2.11.2-1 prism-api:1.25.0-2 pubsub-light:1.16 resource-disposer:0.17 run-condition:1.5 scm-api:595.vd5a_df5eb_0e39 script-security:1131.v8b_b_5eda_c328e skip-notifications-trait:1.0.5 slack:2.49 snakeyaml-api:1.29.1 sse-gateway:1.24 ssh-credentials:1.19 ssh-slaves:1.33.0 sshd:3.1.0 startup-trigger-plugin:2.9.3 statistics-gatherer:2.0.3 structs:308.v852b473a2b8c thinBackup:1.10 timestamper:1.16 token-macro:267.vcdaea6462991 trilead-api:1.0.13 variant:1.4 warnings-ng:9.11.0 workflow-aggregator:2.6 workflow-api:1136.v7f5f1759dc16 workflow-basic-steps:2.24 workflow-cps:2648.va9433432b33c workflow-cps-global-lib:552.vd9cc05b8a2e1 workflow-durable-task-step:1121.va_65b_d2701486 workflow-job:1145.v7f2433caa07f workflow-multibranch:706.vd43c65dec013 workflow-scm-step:2.13 workflow-step-api:622.vb_8e7c15b_c95a_ workflow-support:813.vb_d7c3d2984a_0 ws-cleanup:0.40 xunit:3.0.5

What Operating System are you using (both controller, and any agents involved in the problem)?

Image: jenkins/jenkins:lts

Reproduction steps

  1. Try to log in on Windows 10 with Firefox 96.0.2 and sameSite cookie policy enabled

Expected Results

Working log in

Actual Results

Infinite loop of redirects to Azure authentication

Anything else?

Login is working with disabled sameSite cookie policy in Firefox

Seros commented 2 years ago

So that's because of network.cookie.sameSite.noneRequiresSecure: true in about:config?

AdrianFarmadin commented 2 years ago

Yes, exactly.

timja commented 2 years ago

Some info from Microsoft: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-handle-samesite-cookie-changes-chrome-browser

We shouldn't have any cookies that require cross domain, but I'll check this when I have time.

It works in Chrome's implementation of this just fine
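
The thread ties the redirect loop to Firefox's SameSite enforcement. As an added example (not code from the plugin or from any commenter), this JavaScript sketch models which cookies a browser stores and sends back on the cross-site return from the identity provider, so Set-Cookie headers captured during a failing login can be checked against each policy. It assumes the site is served over HTTPS; the cookie names, header values and function names are constructed for illustration.

```javascript
// Added example. Policy flags mirror the Firefox prefs
// network.cookie.sameSite.noneRequiresSecure and network.cookie.sameSite.laxByDefault.
const ENFORCING = { noneRequiresSecure: true, laxByDefault: true };
const LEGACY = { noneRequiresSecure: false, laxByDefault: false };

// Parse one Set-Cookie header value into the attributes that matter here.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const cookie = { name: nameValue.split("=")[0], secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, value = ""] = attr.split("=");
    if (key.trim().toLowerCase() === "secure") cookie.secure = true;
    if (key.trim().toLowerCase() === "samesite") cookie.sameSite = value.trim().toLowerCase();
  }
  return cookie;
}

// Decide whether the browser stores the cookie and on which cross-site
// top-level requests (the redirect back from the identity provider) it is sent.
function evaluate(header, policy) {
  const c = parseSetCookie(header);
  const known = ["none", "lax", "strict"].includes(c.sameSite);
  const mode = known ? c.sameSite : policy.laxByDefault ? "lax" : "none";
  // An explicit SameSite=None without Secure is rejected when the pref is on.
  const stored = !(c.sameSite === "none" && !c.secure && policy.noneRequiresSecure);
  return {
    name: c.name,
    stored,
    sentOnCrossSiteGet: stored && mode !== "strict",
    sentOnCrossSitePost: stored && mode === "none",
  };
}

// Names of cookies that would be missing when the user comes back.
function lostOnReturn(headers, policy, method) {
  const field = method === "POST" ? "sentOnCrossSitePost" : "sentOnCrossSiteGet";
  return headers.map((h) => evaluate(h, policy)).filter((r) => !r[field]).map((r) => r.name);
}

// Constructed sample headers, not captured from Jenkins or the plugin.
const SAMPLE = [
  "session=abc123; Path=/; HttpOnly",
  "login_state=xyz; Path=/; SameSite=None",
  "login_nonce=n1; Path=/; SameSite=None; Secure",
];

console.log(lostOnReturn(SAMPLE, ENFORCING, "POST")); // ["session", "login_state"]
console.log(lostOnReturn(SAMPLE, ENFORCING, "GET"));  // ["login_state"]
console.log(lostOnReturn(SAMPLE, LEGACY, "POST"));    // []
```

A session or state cookie that appears in the lost list for the return method in use is a candidate cause for a login that restarts on every callback.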