jenkinsci / oic-auth-plugin

A Jenkins plugin which lets you log in to Jenkins using your own, self-hosted or public OpenID Connect server.
https://plugins.jenkins.io/oic-auth
MIT License

API Token expired too quickly since 4.299.v5ca_eb_6a_f3e6d #358

Closed slabre-conecteo closed 1 month ago

slabre-conecteo commented 1 month ago

Jenkins and plugins versions report

Environment

```
Jenkins: 2.443
OS: Linux - 6.1.0-12-amd64
Java: 17.0.8 - Debian (OpenJDK 64-Bit Server VM)
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Linux for controller, some agents on windows, others on linux

Reproduction steps

  1. Create an API Token from any user before updating the plugin.
  2. Make some requests to API using this token, you should not see any problem
  3. Update the plugin to 4.299.v5ca_eb_6a_f3e6d
  4. Wait a few minutes / hours
  5. Make other requests to API using the created token, you will get a 401 Token Expired response
  6. Generate a new API Token
  7. It should work for a couple of hours then you'll get a 401 Token expired response

Expected Results

The API Tokens created from interface and used by external apps should still work until they are deleted/revoked.

Actual Results

The API Tokens are unusable after a relatively short period of time (few hours)

Anything else?

We also had infinite redirections between IdC and Jenkins as described in https://github.com/jenkinsci/oic-auth-plugin/pull/357, so we tried rolling back the plugin to the previous version: the token worked again instantly, then reapplying the new plugin version broke the tokens again.

Are you interested in contributing a fix?

Not good enough in Java nor in Jenkins technical environment to help.

mikecirioli commented 1 month ago

Did you enable the use of Refresh Tokens when you were seeing this issue?

slabre-conecteo commented 1 month ago

No, our configuration is in Automatic mode, and if I switch to manual, refresh tokens are not enabled. Should I enable it?

mikecirioli commented 1 month ago

> No, our configuration is in Automatic mode, and if I switch to manual, refresh tokens are not enabled. Should I enable it?

No, I was just curious, as I was going to do some local testing.

michael-doubez commented 1 month ago

@slabre-conecteo does v4.303.v84089a_708ea_7 solve your issue?

slabre-conecteo commented 1 month ago

After a few days of testing, I can confirm, it seems to have solved it. Thank you!