jenkinsci / oic-auth-plugin

A Jenkins plugin which lets you login to Jenkins using your own, self-hosted or public openid connect server.
https://plugins.jenkins.io/oic-auth
MIT License

Wrong protocol in redirect_url using v2.1 #151

Closed DavidRayner closed 1 year ago

DavidRayner commented 1 year ago

Jenkins and plugins versions report

Jenkins

jenkins/jenkins:2.361.2-lts docker image

Plugins

Output from "jenkins-plugin-cli --list" in working setup (plugin list omitted)
Output from "jenkins-plugin-cli --list" in broken setup (plugin list omitted)

Reproduction steps

Visit login page

Expected Results

You are logged in

Actual Results

The wrong protocol is used in the redirect_url included in the request to the authorization server (AWS Cognito in my case). This results in a redirect_mismatch error from the authorization server.

Screenshot from 2022-10-21 14-06-05

Anything else?

Working request (with plugin version 2.0.0): https://example.amazoncognito.com/oauth2/authorize?client_id=example&redirect_uri=https://example/securityRealm/finishLogin...

Bad request (http used instead of https): https://example.amazoncognito.com/oauth2/authorize?client_id=example&redirect_uri=http://example/securityRealm/finishLogin...

michael-doubez commented 1 year ago

I guess it is a side effect of #85. How is your ingress configured?

You may need to add the X-Forwarded-Proto header.

DavidRayner commented 1 year ago

I do have an alert that says "It appears that your reverse proxy set up is broken." on the Manage Jenkins page. I'll take a look on Monday.

michael-doubez commented 1 year ago

@DavidRayner were you able to fix the issue?

happenedIn commented 1 year ago

I have this same issue after upgrading from version 1.8 to 2.2. My redirect uses http.

I downgraded back to 1.8 and the redirect works fine.

michael-doubez commented 1 year ago

@jshergill are you behind a reverse proxy?

If this is the case, please check the x-forwarded headers.

michael-doubez commented 1 year ago

@jshergill I've released version 2.3, which makes usage of proxy headers configurable. The default is to use the configuration from Jenkins, which was the behavior before 2.2.
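The X-Forwarded-Proto suggestion above and the "proxy headers vs. configured Jenkins URL" choice in 2.3 can be modelled in a few lines. This is an added example, not the plugin's code: `TRUSTED_PROXIES`, `effective_scheme`, `redirect_uri` and `proxy_setup_looks_broken` are assumed names, the trusted-proxy range and the root-URL fallback are assumptions, and the sample requests are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, urlunsplit

# Assumption for this example: the proxy tier lives in this range; only an
# X-Forwarded-Proto sent from here is believed (a spoofable header otherwise).
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

@dataclass
class Request:
    scheme: str                  # scheme of the hop that reached Jenkins
    host: str                    # Host header as seen by Jenkins
    remote_addr: str             # peer that opened the connection
    headers: dict = field(default_factory=dict)

def effective_scheme(req: Request, honour_forwarded: bool) -> str:
    """Scheme the browser used. Behind a TLS-terminating proxy the hop into
    Jenkins is plain http, so without a trusted X-Forwarded-Proto the answer
    degrades to 'http', which is the redirect_mismatch seen in this issue."""
    if honour_forwarded and any(ip_address(req.remote_addr) in n for n in TRUSTED_PROXIES):
        # The header may be a comma list if several proxies appended to it;
        # the first entry is the client-facing hop.
        first = req.headers.get("X-Forwarded-Proto", "").split(",")[0].strip().lower()
        if first in ("http", "https"):
            return first
    return req.scheme

def redirect_uri(req: Request, honour_forwarded: bool = True, root_url: str = "") -> str:
    """Build the finishLogin redirect_uri. When root_url is given it wins,
    modelling the 'use the configured Jenkins URL' behaviour (assumed here)."""
    if root_url:
        p = urlsplit(root_url)
        return urlunsplit((p.scheme, p.netloc, "/securityRealm/finishLogin", "", ""))
    return f"{effective_scheme(req, honour_forwarded)}://{req.host}/securityRealm/finishLogin"

def proxy_setup_looks_broken(req: Request, root_url: str) -> bool:
    """Simplified analogue of the 'reverse proxy set up is broken' warning:
    the URL rebuilt from request headers disagrees with the configured root URL."""
    seen, cfg = urlsplit(redirect_uri(req)), urlsplit(root_url)
    return (seen.scheme, seen.netloc) != (cfg.scheme, cfg.netloc)

# Constructed sample: browser spoke https to the proxy, proxy spoke http to Jenkins.
PROXIED = Request("http", "jenkins.example.test", "10.1.2.3")
PROXIED_WITH_HEADER = Request("http", "jenkins.example.test", "10.1.2.3",
                              {"X-Forwarded-Proto": "https"})
```

Without the header (or with forwarded headers disabled) the redirect_uri comes out as http and the proxy check fires; with the header from a trusted proxy, or with the configured root URL as the source of truth, it comes out as https.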

happenedIn commented 1 year ago

@michael-doubez thanks, I will hopefully test soon. I am running my services behind ambassador io, so I think I never configured the x-forwarded-proto for the Module kind manifest. https://www.getambassador.io/docs/edge-stack/latest/topics/using/redirects#x-forwarded-proto-redirect