jenkinsci / oic-auth-plugin

A Jenkins plugin which lets you login to Jenkins using your own, self-hosted or public openid connect server.
https://plugins.jenkins.io/oic-auth
MIT License

Issue with the cognito attribute: "cognito:groups" #330

Closed rsareth closed 5 months ago

rsareth commented 5 months ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.440.2
OS: Linux - 5.15.0-1056-aws
Java: 17.0.10 - Private Build (OpenJDK 64-Bit Server VM)
---
Parameterized-Remote-Trigger:3.2.0 PrioritySorter:5.1.0 amazon-ecr:1.114.vfd22430621f5 ansicolor:1.0.4 ant:497.v94e7d9fffa_b_9 antisamy-markup-formatter:162.v0e6ec0fcfcf6 apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 apache-httpcomponents-client-5-api:5.3.1-1.0 asm-api:9.7-33.v4d23ef79fcc8 atlassian-jira-software-cloud:2.0.14 authentication-tokens:1.113.v81215a_241826 authorize-project:1.7.1 aws-codebuild:0.59 aws-credentials:231.v08a_59f17d742 aws-java-sdk:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-api-gateway:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-autoscaling:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-cloudformation:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-cloudfront:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-codebuild:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-codedeploy:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-ec2:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-ecr:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-ecs:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-efs:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-elasticbeanstalk:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-elasticloadbalancingv2:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-iam:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-kinesis:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-lambda:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-logs:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-minimal:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-organizations:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-secretsmanager:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-sns:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-sqs:1.12.696-451.v0651a_da_9ca_ec aws-java-sdk-ssm:1.12.696-451.v0651a_da_9ca_ec aws-parameter-store:1.2.2 aws-secrets-manager-credentials-provider:1.214.va_0a_d8268d068 aws-secrets-manager-secret-source:1.72.v61781b_35c542 badge:1.12 basic-branch-build-strategies:81.v05e333931c7d blueocean:1.27.12
blueocean-autofavorite:1.2.5 blueocean-bitbucket-pipeline:1.27.12 blueocean-commons:1.27.12 blueocean-config:1.27.12 blueocean-core-js:1.27.12 blueocean-dashboard:1.27.12 blueocean-display-url:2.4.2 blueocean-events:1.27.12 blueocean-git-pipeline:1.27.12 blueocean-github-pipeline:1.27.12 blueocean-i18n:1.27.12 blueocean-jira:1.27.12 blueocean-jwt:1.27.12 blueocean-personalization:1.27.12 blueocean-pipeline-api-impl:1.27.12 blueocean-pipeline-editor:1.27.12 blueocean-pipeline-scm-api:1.27.12 blueocean-rest:1.27.12 blueocean-rest-impl:1.27.12 blueocean-web:1.27.12 bootstrap5-api:5.3.3-1 bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9 branch-api:2.1169.va_f810c56e895 build-name-setter:2.4.2 build-timeout:1.32 build-with-parameters:76.v9382db_f78962 caffeine-api:3.1.8-133.v17b_1ff2e0599 checks-api:2.2.0 cloud-stats:336.v788e4055508b_ cloudbees-bitbucket-branch-source:886.v44cf5e4ecec5 cloudbees-folder:6.901.vb_4c7a_da_75da_3 cobertura:1.17 code-coverage-api:4.99.0 command-launcher:107.v773860566e2e commons-lang3-api:3.13.0-62.v7d18e55f51e2 commons-text-api:1.11.0-109.vfe16c66636eb_ conditional-buildstep:1.4.3 config-file-provider:973.vb_a_80ecb_9a_4d0 configuration-as-code:1810.v9b_c30a_249a_4c coverage:1.14.0 credentials:1337.v60b_d7b_c7b_c9f credentials-binding:677.vdc9d38cb_254d data-tables-api:2.0.7-1 dependency-check-jenkins-plugin:5.5.0 dependency-track:4.3.1 disk-usage:1.2 display-url-api:2.204.vf6fddd8a_8b_e9 docker-commons:439.va_3cb_0a_6a_fb_29 docker-java-api:3.3.4-86.v39b_a_5ede342c docker-plugin:1.6.1 docker-workflow:580.vc0c340686b_54 durable-task:555.v6802fe0f0b_82 echarts-api:5.5.0-1 email-ext:1814.v404722f34263 envinject:2.908.v66a_774b_31d93 envinject-api:1.199.v3ce31253ed13 extended-read-permission:53.v6499940139e5 external-monitor-job:215.v2e88e894db_f8 favorite:2.208.v91d65b_7792a_c folder-auth:1.4 folder-properties:1.2.1 font-awesome-api:6.5.2-1 forensics-api:2.4.0 git:5.2.2 git-client:4.7.0 git-parameter:0.9.19 git-push:34.vd474e0fe7b_ec
git-server:117.veb_68868fa_027 github:1.39.0 github-api:1.318-461.v7a_c09c9fa_d63 github-autostatus:3.6.2 github-branch-source:1789.v5b_0c0cea_18c3 github-checks:554.vb_ee03a_000f65 global-build-stats:293.vd7b_d6e361475 gradle:2.12 groovy:457.v99900cb_85593 groovy-postbuild:228.vcdb_cf7265066 gson-api:2.10.1-15.v0d99f670e0a_7 handy-uri-templates-2-api:2.1.8-30.v7e777411b_148 htmlpublisher:1.33 http_request:1.18 instance-identity:185.v303dc7c645f9 ionicons-api:74.v93d5eb_813d5f jackson2-api:2.17.0-379.v02de8ec9f64c jacoco:3.3.6 jakarta-activation-api:2.1.3-1 jakarta-mail-api:2.1.3-1 javadoc:243.vb_b_503b_b_45537 javax-activation-api:1.2.0-7 javax-mail-api:1.6.2-10 jaxb:2.3.9-1 jdk-tool:73.vddf737284550 jenkins-design-language:1.27.12 jersey2-api:2.42-147.va_28a_44603b_d5 jira:3.13 jjwt-api:0.11.5-112.ve82dfb_224b_a_d jnr-posix-api:3.1.19-2 job-dsl:1.87 jobcacher:481.v15f51ca_4c6b_7 joda-time-api:2.12.7-29.v5a_b_e3a_82269a_ jquery:1.12.4-1 jquery3-api:3.7.1-2 jsch:0.2.16-86.v42e010d9484b_ json-api:20240303-41.v94e11e6de726 json-path-api:2.9.0-58.v62e3e85b_a_655 junit:1265.v65b_14fa_f12f0 lockable-resources:1255.vf48745da_35d0 mailer:472.vf7c289a_4b_420 mapdb-api:1.0.9-40.v58107308b_7a_7 matrix-auth:3.2.2 matrix-project:822.824.v14451b_c0fd42 maven-plugin:3.23 mercurial:1260.vdfb_723cdcc81 mina-sshd-api-common:2.12.1-101.v85b_e08b_780dd mina-sshd-api-core:2.12.1-101.v85b_e08b_780dd monitoring:1.98.0 naginator:1.449.ve19751d70eb_0 nested-view:1.19.2 node-iterator-api:55.v3b_77d4032326 oic-auth:4.269.va_7526f34f306 okhttp-api:4.11.0-172.vda_da_1feeb_c6e pam-auth:1.10 parameter-separator:166.vd0120849b_386 parameterized-trigger:806.vf6fff3e28c3e pipeline-aws:1.45 pipeline-build-step:540.vb_e8849e1a_b_d8 pipeline-github:2.8-159.09e4403bc62f pipeline-github-lib:61.v629f2cc41d83 pipeline-graph-analysis:216.vfd8b_ece330ca_ pipeline-groovy-lib:710.v4b_94b_077a_808 pipeline-input-step:495.ve9c153f6067b_ pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2198.v41dd8ef6dd56 pipeline-model-definition:2.2198.v41dd8ef6dd56 pipeline-model-extensions:2.2198.v41dd8ef6dd56 pipeline-rest-api:2.34 pipeline-stage-step:312.v8cd10304c27a_ pipeline-stage-tags-metadata:2.2198.v41dd8ef6dd56 pipeline-stage-view:2.34 pipeline-utility-steps:2.16.2 plain-credentials:182.v468b_97b_9dcb_8 plugin-util-api:4.1.0 postbuildscript:3.2.0-550.v88192b_d3e922 prism-api:1.29.0-15 pubsub-light:1.18 rebuild:332.va_1ee476d8f6d remote-file:1.24 resource-disposer:0.23 role-strategy:717.v6a_69a_fe98974 run-condition:1.7 scm-api:690.vfc8b_54395023 script-security:1336.vf33a_a_9863911 simple-theme-plugin:176.v39740c03a_a_f5 slack:715.v1cfed1b_9c63c slsa:40.v733b_0005fa_fd snakeyaml-api:2.2-111.vc6598e30cc65 sonar:2.17.2 sse-gateway:1.26 ssh-agent:367.vf9076cd4ee21 ssh-credentials:337.v395d2403ccd4 ssh-slaves:2.948.vb_8050d697fec sshd:3.322.v159e91f6a_550 structs:337.v1b_04ea_4df7c8 throttle-concurrents:2.14 timestamper:1.27 token-macro:400.v35420b_922dcb_ trilead-api:2.142.v748523a_76693 uno-choice:2.8.3 variant:60.v7290fc0eb_b_cd view-job-filters:377.v66f4b_796e5fa_ workflow-aggregator:596.v8c21c963d92d workflow-api:1312.ve804c2f2d51e workflow-basic-steps:1058.vcb_fc1e3a_21a_9 workflow-cps:3894.3896.vca_2c931e7935 workflow-durable-task-step:1353.v1891a_b_01da_18 workflow-job:1400.v7fd111b_ec82f workflow-multibranch:773.vc4fe1378f1d5 workflow-scm-step:427.v4ca_6512e7df1 workflow-step-api:657.v03b_e8115821b_ workflow-support:907.v6713a_ed8a_573 ws-cleanup:0.46
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 22.04

Reproduction steps

In the config.xml, at securityRealm / groupsFieldName, I put cognito:groups to get the groups of a user. Since you are using JMESPath, it prevents us from using Jenkins because we are not allowed. I had to roll back the plugin to version 4.224.

I tried this syntax by manually updating it to 'cognito:groups', but after a restart it converts the single quotes into HTML code. So in the file, I see this: \'cognito:groups\'. Even if I want to add a custom attribute to hold the groups, Cognito prefixes it with "custom:" according to the documentation.

This is the error log with the original value cognito:groups:

2024-05-27 17:58:39.138+0000 [id=46]    WARNING o.j.plugins.oic.OicSecurityRealm#compileJMESPath: groups field config failed io.burt.jmespath.parser.ParseException: Unable to compile expression "cognito:groups": syntax error mismatched input ':' expecting {<EOF>, '.', '&&', '||', '|', '[', '[?', COMPARATOR} at position 7

I don't understand the syntax error. Do you have an idea of how to set this field properly, please?

Thank you, Rasmey

Expected Results

I should be able to log in as usual.

Actual Results

On the Jenkins web ui after logging in, I see this:

Access Denied
rasmey@domain.com is missing the Overall/Read permission

Anything else?

No response

Are you interested in contributing a fix?

No response

eva-mueller-coremedia commented 5 months ago

Please try to set "cognito:groups" including the double quotes. This works for me. No JMESPath error and everything's correctly mapped.

See also Breaking Change 4.225.v03326773b44b

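The reason the double quotes matter, shown as an added example that is not code from the oic-auth plugin or from either commenter: in JMESPath an unquoted identifier may only contain letters, digits and underscores, a double-quoted string is an identifier that may contain anything (including the colon in `cognito:groups`), and a single-quoted string is a raw string literal, i.e. a constant that never reads the token. The toy evaluator below handles only that subset (identifiers, quoted identifiers, raw literals and dot sub-expressions); the ID-token claims are constructed to match the shape Cognito issues and are not a real token, and the error text only mirrors the shape of the plugin's log line, not the jmespath library's exact wording.

```python
import re
from typing import Any, Optional

# Unquoted JMESPath identifiers: letters, digits and underscore, not starting with a digit.
# ':' is not allowed, which is why a bare cognito:groups cannot be compiled.
IDENT_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")

# Constructed ID-token claims in the shape Cognito issues (hypothetical values, not a real token).
SAMPLE_CLAIMS = {
    "sub": "00000000-0000-0000-0000-000000000000",
    "email": "rasmey@domain.com",
    "cognito:username": "rasmey",
    "cognito:groups": ["jenkins-admins", "developers"],
    "custom:team": "platform",
    "profile": {"locale": "fr-FR"},
}


def tokenize(expr: str) -> list:
    """Split expr into (kind, text) tokens for the JMESPath subset handled here."""
    tokens = []
    i = 0
    while i < len(expr):
        c = expr[i]
        if c.isspace():
            i += 1
        elif c == ".":
            tokens.append(("dot", c))
            i += 1
        elif c == '"':  # quoted identifier: looks up a key of any name, ':' included
            j = expr.find('"', i + 1)
            if j < 0:
                raise SyntaxError(f'Unable to compile expression "{expr}": unterminated quoted identifier at position {i}')
            tokens.append(("ident", expr[i + 1:j]))
            i = j + 1
        elif c == "'":  # raw string literal: a constant, never a key lookup
            j = expr.find("'", i + 1)
            if j < 0:
                raise SyntaxError(f'Unable to compile expression "{expr}": unterminated raw string at position {i}')
            tokens.append(("literal", expr[i + 1:j]))
            i = j + 1
        else:
            m = IDENT_RE.match(expr, i)
            if not m:
                # For cognito:groups this fires on the ':' at position 7, as in the plugin's log line.
                raise SyntaxError(f'Unable to compile expression "{expr}": unexpected {c!r} at position {i}')
            tokens.append(("ident", m.group()))
            i = m.end()
    return tokens


def evaluate(expr: str, claims: dict) -> Any:
    """Evaluate a dotted path of (quoted or unquoted) identifiers, or a raw literal, against claims."""
    tokens = tokenize(expr)
    if not tokens:
        raise SyntaxError("empty expression")
    if tokens[0][0] == "literal":
        if len(tokens) > 1:
            raise SyntaxError("a raw string literal cannot be followed by more tokens")
        return tokens[0][1]
    value: Any = claims
    want_ident = True
    for kind, text in tokens:
        if want_ident:
            if kind != "ident":
                raise SyntaxError(f"expected identifier, got {text!r}")
            value = value.get(text) if isinstance(value, dict) else None
        elif kind != "dot":
            raise SyntaxError(f"expected '.', got {text!r}")
        want_ident = not want_ident
    if want_ident:
        raise SyntaxError("expression ends with '.'")
    return value


def compile_error(expr: str) -> Optional[str]:
    """Return the compile error for expr, or None if it compiles (what the admin sees in the log)."""
    try:
        tokenize(expr)
        return None
    except SyntaxError as e:
        return str(e)


def groups_from_claims(expr: str, claims: dict) -> list:
    """Groups the realm would hand to the authorization strategy: only a list of strings counts.

    A scalar (e.g. the constant produced by 'cognito:groups') or a missing claim yields no
    groups, which is how a user ends up with no Overall/Read permission after a successful login.
    """
    value = evaluate(expr, claims)
    if isinstance(value, list) and all(isinstance(g, str) for g in value):
        return value
    return []


if __name__ == "__main__":
    for field in ["cognito:groups", '"cognito:groups"', "'cognito:groups'", "\\'cognito:groups\\'"]:
        err = compile_error(field)
        result = "compile error: " + err if err else repr(groups_from_claims(field, SAMPLE_CLAIMS))
        print(f"{field:24} -> {result}")
```

The fourth probe reproduces the backslash-escaped value the config.xml round-trip produced for the single-quoted attempt: it does not compile either, and even the unescaped `'cognito:groups'` compiles to a constant string rather than the group list, so only the double-quoted form yields groups. Any value that is not a list of strings leaves the user with an empty group set, so an empty group list after a successful OIDC login is the symptom to check for in the log when an Access Denied appears.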
rsareth commented 5 months ago

Thank you, @eva-mueller-coremedia. When I read the documentation, I understood that I needed to use single quotes for that.