jenkinsci / oic-auth-plugin

A Jenkins plugin which lets you login to Jenkins using your own, self-hosted or public openid connect server.
https://plugins.jenkins.io/oic-auth
MIT License

[REGRESSION] After updating from 2.5 to 2.6 my user does not detect any groups provided by Oic Application #236

Closed DuMaM closed 6 months ago

DuMaM commented 1 year ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.375.4
Java: 11.0.16 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
Office-365-Connector:4.18.0 Parameterized-Remote-Trigger:3.1.6.3 allure-jenkins-plugin:2.30.3 amazon-ecr:1.114.vfd22430621f5 analysis-model-api:10.23.1 ansicolor:1.0.2 antisamy-markup-formatter:159.v25b_c67cd35fb_ apache-httpcomponents-client-4-api:4.5.14-150.v7a_b_9d17134a_5 audit-trail:333.vb_e1b_b_0f1238c authentication-tokens:1.4 aws-credentials:191.vcb_f183ce58b_9 aws-java-sdk:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-cloudformation:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-codebuild:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-ec2:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-ecr:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-ecs:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-efs:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-elasticbeanstalk:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-iam:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-kinesis:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-logs:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-minimal:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-sns:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-sqs:1.12.481-392.v8b_291cfcda_09 aws-java-sdk-ssm:1.12.481-392.v8b_291cfcda_09 basic-branch-build-strategies:71.vc1421f89888e bootstrap5-api:5.2.1-3 bouncycastle-api:2.28 branch-api:2.1105.v472604208c55 build-discarder:139.v05696a_7fe240 build-failure-analyzer:2.4.1 build-name-setter:2.2.0 build-timeout:1.31 build-token-root:151.va_e52fe3215fc build-user-vars-plugin:1.9 caffeine-api:3.1.6-115.vb_8b_b_328e59d8 checks-api:1.8.1 cloudbees-disk-usage-simple:182.v62ca_0c992a_f3 cloudbees-folder:6.815.v0dd5a_cb_40e0e cobertura:1.17 code-coverage-api:3.5.0 command-launcher:100.v2f6722292ee8 commons-httpclient3-api:3.1-3 commons-lang3-api:3.12.0-36.vd97de6465d5b_ commons-text-api:1.10.0-36.vc008c8fcda_7b_ config-file-provider:938.ve2b_8a_591c596 configuration-as-code:1625.v27444588cc3d confluence-publisher:156.vf3597ca_9cf27 copyartifact:705.v5295cffec284
credentials:1224.vc23ca_a_9a_2cb_0 credentials-binding:604.vb_64480b_c56ca_ cucumber-reports:5.7.5 data-tables-api:1.12.1-4 declarative-pipeline-migration-assistant:1.5.6 declarative-pipeline-migration-assistant-api:1.5.6 display-url-api:2.3.7 docker-commons:419.v8e3cd84ef49c docker-workflow:563.vd5d2e5c4007f durable-task:507.v050055d0cb_dd ec2:2.0.7 echarts-api:5.4.0-1 email-ext:2.98 envinject:2.901.v0038b_6471582 envinject-api:1.199.v3ce31253ed13 extended-choice-parameter:373.v1a_ecea_fdf2a_a_ extended-read-permission:3.2 external-monitor-job:203.v683c09d993b_9 favorite:2.4.2 file-leak-detector:1.11 file-operations:1.11 font-awesome-api:6.2.1-1 forensics-api:1.17.0 git:5.0.2 git-client:4.3.0 git-parameter:0.9.18 github:1.37.1 github-api:1.314-431.v78d72a_3fe4c3 github-branch-source:1728.v859147241f49 github-checks:545.v79a_a_68b_ca_682 gradle:2.8 groovy:453.vcdb_a_c5c99890 h2-api:1.4.199 htmlpublisher:1.31 http_request:1.16 ignore-committer-strategy:1.0.4 instance-identity:173.va_37c494ec4e5 ionicons-api:56.v1b_1c8c49374e jackson2-api:2.15.2-350.v0c2f3f8fc595 jacoco:3.3.3 jakarta-activation-api:2.0.1-3 jakarta-mail-api:2.0.1-3 javadoc:233.vdc1a_ec702cff javax-activation-api:1.2.0-6 javax-mail-api:1.6.2-9 jaxb:2.3.8-1 jdk-tool:66.vd8fa_64ee91b_d jersey2-api:2.39.1-2 jira:3.10 jjwt-api:0.11.5-77.v646c772fddb_0 job-dsl:1.82 job-import-plugin:3.6 jobConfigHistory:1212.vd4470d08ff12 jquery:1.12.4-1 jquery3-api:3.6.1-2 jsch:0.2.8-65.v052c39de79b_2 junit:1202.v79a_986785076 kubernetes-client-api:6.4.1-215.v2ed17097a_8e9 kubernetes-credentials:0.10.0 lockable-resources:1131.vb_7c3d377e723 mailer:457.v3f72cb_e015e5 mapdb-api:1.0.9-28.vf251ce40855d mask-passwords:150.vf80d33113e80 matrix-auth:3.1.8 matrix-project:789.v57a_725b_63c79 maven-plugin:3.22 metrics:4.2.18-439.v86a_20b_a_8318b_ mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_ mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_ monitoring:1.94.1 nexus-artifact-uploader:2.14 node-iterator-api:49.v58a_8b_35f8363 nodejs:1.6.0
nodelabelparameter:1.11.0 oic-auth:2.6 okhttp-api:4.11.0-145.vcb_8de402ef81 opentelemetry:2.13.0 pam-auth:1.10 parameter-separator:1.3 parameterized-trigger:2.45 pipeline-aws:1.43 pipeline-build-step:491.v1fec530da_858 pipeline-github-lib:42.v0739460cda_c4 pipeline-graph-analysis:202.va_d268e64deb_3 pipeline-graph-view:191.vc6da_9d3eb_70a pipeline-groovy-lib:656.va_a_ceeb_6ffb_f7 pipeline-input-step:468.va_5db_051498a_4 pipeline-maven:1298.v43b_82f220a_e9 pipeline-milestone-step:111.v449306f708b_7 pipeline-model-api:2.2133.ve46a_6113dfc3 pipeline-model-definition:2.2133.ve46a_6113dfc3 pipeline-model-extensions:2.2133.ve46a_6113dfc3 pipeline-rest-api:2.32 pipeline-stage-step:305.ve96d0205c1c6 pipeline-stage-tags-metadata:2.2133.ve46a_6113dfc3 pipeline-stage-view:2.32 pipeline-utility-steps:2.15.4 plain-credentials:143.v1b_df8b_d3b_e48 plugin-usage-plugin:4.0 plugin-util-api:2.20.0 popper2-api:2.11.6-2 postbuildscript:3.2.0-460.va_fda_0fa_26720 prism-api:1.29.0-2 pubsub-light:1.17 purge-build-queue-plugin:88.v23b_97b_f2c7a_d purge-job-history:1.6 rebuild:320.v5a_0933a_e7d61 resource-disposer:0.22 s3:0.12.3445.vda_704535b_5a_d scm-api:672.v64378a_b_20c60 script-security:1251.vfe552ed55f8d slack:664.vc9a_90f8b_c24a_ snakeyaml-api:1.33-95.va_b_a_e3e47b_fa_4 sonar:2.15 sse-gateway:1.26 ssh-agent:333.v878b_53c89511 ssh-credentials:305.v8f4381501156 ssh-slaves:2.877.v365f5eb_a_b_eec sshd:3.303.vefc7119b_ec23 strict-crumb-issuer:2.1.1 structs:324.va_f5d6774f3a_d subversion:2.17.2 sumologic-publisher:2.2.1 testng-plugin:789.vfc860d1de85a_ throttle-concurrents:2.13 timestamper:1.25 token-macro:359.vb_cde11682e0c trilead-api:2.84.v72119de229b_7 uno-choice:2.6.5 validating-string-parameter:2.8 variant:59.vf075fe829ccb versioncolumn:145.va_e3ca_f8a_a_d23 view-job-filters:2.3 warnings-ng:9.23.1 workflow-aggregator:596.v8c21c963d92d workflow-api:1213.v646def1087f9 workflow-basic-steps:1017.vb_45b_302f0cea_ workflow-cps:3673.v5b_dd74276262
workflow-durable-task-step:1247.v7f9dfea_b_4fd0 workflow-job:1308.v58d48a_763b_31 workflow-multibranch:746.v05814d19c001 workflow-scm-step:408.v7d5b_135a_b_d49 workflow-step-api:639.v6eca_cd8c04a_a_ workflow-support:839.v35e2736cfd5c ws-cleanup:0.45
```

Reproduction steps

Upgrade from 2.5 to 2.6

Expected Results

The application should be able to fetch user data

Actual Results

I was able to log in thanks to the okta session token, but I lost management access. Only the user ID was correct, and no okta group was detected, as if it had lost its connection with OicApplication.

Anything else?

I guess those new fields broke a serialization structure.

```xml
  <securityRealm>
    <pkceEnabled>false</pkceEnabled>
    <nonceDisabled>false</nonceDisabled>
  </securityRealm>
```

Removing and re-typing whole oic config fixed the problem.

DuMaM commented 1 year ago

Possible culprits:

- https://github.com/jenkinsci/oic-auth-plugin/pull/191
- https://github.com/jenkinsci/oic-auth-plugin/pull/110
- https://github.com/jenkinsci/oic-auth-plugin/pull/192

DuMaM commented 1 year ago

cc: @michael-doubez @jglick

michael-doubez commented 1 year ago

@Madball777123 thanks. Do you mean that you lost the whole configuration?

Madball777123 commented 1 year ago

Lost Jenkins admin access after update to 2.6. Is it possible to return by deleting the lines and re-reading the config?

```xml
  <securityRealm>
    <pkceEnabled>false</pkceEnabled>
    <nonceDisabled>false</nonceDisabled>
  </securityRealm>
```

Madball777123 commented 1 year ago

> @Madball777123 thanks. Do you mean that you lost the whole configuration?

No, the configuration is present. Only new lines have been added with 2.6. And perhaps for some reason the clientSecret has changed (I can’t say for sure, the config backup is old and there may be an old key there)

michael-doubez commented 1 year ago

I'll try to reproduce but it would help if there was something in the logs.

michael-doubez commented 1 year ago

Did you try to set nonceDisabled to true? Okta may mistake it for an implicit flow.

https://developer.okta.com/docs/reference/api/oidc/

DuMaM commented 1 year ago

> @Madball777123 thanks. Do you mean that you lost the whole configuration?

No, I didn't lose it, it just didn't load properly. That's my guess. Config.xml contained correct data, but without mentioned fields.

Madball777123 commented 1 year ago

Sorry, I missed an important point. I use keycloak. Not Okta

DuMaM commented 1 year ago

> Did you try to set nonceDisabled to true? Okta may mistake it for an implicit flow.
>
> https://developer.okta.com/docs/reference/api/oidc/

I will check it tomorrow morning.

DuMaM commented 1 year ago

> Did you try to set nonceDisabled to true? Okta may mistake it for an implicit flow.
>
> https://developer.okta.com/docs/reference/api/oidc/

@michael-doubez by default, it's false, and I wasn't able to login to the admin panel to change it. When I retype my config, I also set it to false and it works.

ixycoder commented 1 year ago

Same problem as you. After updating, I lost all groups in Jenkins. We use keycloak 16.

FHannes commented 1 year ago

Same issue here with keycloak. Changing nonceDisabled to true did not resolve the issue either.

jim-kirisame commented 1 year ago

Same issue with authelia; disabling nonce does not solve the issue either.

andybotting commented 1 year ago

We just hit this issue too. I'm not certain this was the fix, but I did notice that the Token Authentication Method setting (which is a pair of radio buttons) didn't have anything chosen.

I ticked on 'POST' and after saving the settings, I was able to see my group membership from my profile page again.

fabian-kramer commented 1 year ago

I also just experienced this issue with Keycloak and Jenkins. My only luck was that permissions granted to the user directly still worked. Therefore I can tell that all permissions load, as far as displaying them in the admin panel goes. I've checked the log as well; there is no message from the oidc plugin. For me it then worked to just roll back to 2.5, and without any issue everybody who relies on roles to get access now has access again.

I'm on Jenkins: 2.387.3 and Keycloak: 17

cafuego commented 1 year ago

Whoops, another victim. We use Drupal with oauth2_server as oidc provider. Happily checking the Disable Nonce verification box did resolve the issue for us.

AndreVirtimo commented 1 year ago

Same here. Had to rollback to version 2.5

jbgomond commented 1 year ago

Hi, same problem here, I had to revert to 2.5 as I found no solution to the issue :( Could it be something here? #198

dR3b commented 1 year ago

Had to rollback to version 2.5 too!

eesprit commented 1 year ago

Hi,

I had the same problem, and it was fixed by forcing the config.xml (securityRealm part) to be regenerated. It added the <simpleGroupsFieldName>XXX</simpleGroupsFieldName> parameter with the same value as <groupsFieldName>XXX</groupsFieldName>, and groups started working again.

So yes, probably a consequence of #198

Funny thing is that I first disabled Nonce verification as suggested here on a test server, which made it work (I did it through the GUI / security settings), but then I edited the config.xml directly on another server, and it was still broken. It was when I edited something else in the security settings through the GUI that it started working, and that made me understand that it was probably related to some new parameter. So after diffing the config.xml, I saw that this specific parameter was the one I needed.

People who disabled Nonce verification can probably activate it again.

Hope this helps ;)
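A small check for the config.xml fix described in the comment above, written as an added example for this thread; it is not code from the oic-auth plugin or from any commenter. It assumes exactly what the comment reports: after the 2.6 upgrade the securityRealm needs a <simpleGroupsFieldName> carrying the same value as <groupsFieldName>, and a config.xml last written by 2.5 lacks it. The sample document, including its clientId and userNameField values, is constructed for the example.

```python
"""Detect and repair a securityRealm whose simpleGroupsFieldName is missing
or differs from groupsFieldName (the oic-auth 2.5 -> 2.6 regression).

Added example, not plugin code. Element names come from the thread; the
sample config below is constructed.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a 2.5-era securityRealm after the 2.6 upgrade. The new
# boolean fields are present, but simpleGroupsFieldName was never written.
SAMPLE_CONFIG = """<hudson>
  <securityRealm>
    <clientId>jenkins</clientId>
    <userNameField>preferred_username</userNameField>
    <groupsFieldName>groups</groupsFieldName>
    <pkceEnabled>false</pkceEnabled>
    <nonceDisabled>false</nonceDisabled>
  </securityRealm>
</hudson>
"""


def _realm(root):
    """Return the <securityRealm> element or fail loudly if it is absent."""
    realm = root.find("securityRealm")
    if realm is None:
        raise ValueError("config.xml has no <securityRealm> element")
    return realm


def check_groups_mapping(config_xml):
    """Report whether groupsFieldName and simpleGroupsFieldName agree."""
    realm = _realm(ET.fromstring(config_xml))
    groups = realm.findtext("groupsFieldName")
    simple = realm.findtext("simpleGroupsFieldName")
    return {
        "groupsFieldName": groups,
        "simpleGroupsFieldName": simple,
        # Group membership only resolves when both are set and equal.
        "consistent": groups is not None and simple == groups,
    }


def repair_groups_mapping(config_xml):
    """Return config.xml with simpleGroupsFieldName mirroring groupsFieldName.

    A document that is already consistent is returned unchanged.
    """
    root = ET.fromstring(config_xml)
    realm = _realm(root)
    groups = realm.findtext("groupsFieldName")
    if groups is None:
        raise ValueError("securityRealm has no <groupsFieldName>; nothing to mirror")
    simple = realm.find("simpleGroupsFieldName")
    if simple is None:
        # Append the element and keep the one-element-per-line layout by
        # handing the previous last child's tail whitespace to the new one.
        last = list(realm)[-1]
        simple = ET.SubElement(realm, "simpleGroupsFieldName")
        simple.tail, last.tail = last.tail, "\n    "
    simple.text = groups
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Usage: python check_oic_groups.py [path/to/a/copy/of/config.xml]
    # With no path the constructed sample is used; prints the diagnosis,
    # then the repaired XML.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print(check_groups_mapping(src))
    print(repair_groups_mapping(src))
```

Run it against a copy of config.xml to confirm the diagnosis before touching anything; regenerating the realm through the security settings UI, as the comment above did, is the route that lets the plugin write every field it expects, and this script only mirrors the one value the thread identified.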

Reamer commented 1 year ago

> People who disabled Nonce verification can probably activate it again.
>
> Hope this helps ;)

Thank you for your research. You are correct in your statement. For me it did not cause any problems to reactivate the Nonce verification.

FHannes commented 1 year ago

> I had the same problem, and it was fixed by forcing the config.xml (securityRealm part) to be regenerated. It added the <simpleGroupsFieldName>XXX</simpleGroupsFieldName> parameter with the same value as <groupsFieldName>XXX</groupsFieldName>, and groups started working again.

This solved the issue for me. Thanks!

stavros-k commented 1 year ago

> Same issue with authelia; disabling nonce does not solve the issue either.

Sorry for hijacking this issue, but I am trying to set up jenkins + authelia. Would you be so kind as to send me the configs of authelia + jenkins please?

Currently when I try to login, I see in the logs

The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The authorization code has already been used.

Thanks

EDIT: nvm, figured it out. I was missing

```yaml
      userNameField: preferred_username
      fullNameFieldName: name
      groupsFieldName: groups
      emailFieldName: email
```

AndreVirtimo commented 9 months ago

> I had the same problem, and it was fixed by forcing the config.xml (securityRealm part) to be regenerated. It added the <simpleGroupsFieldName>XXX</simpleGroupsFieldName> parameter with the same value as <groupsFieldName>XXX</groupsFieldName>, and groups started working again.

This solved the issue for me. Thanks!

For me too. Thank you