jenkinsci / oic-auth-plugin

A Jenkins plugin which lets you login to Jenkins using your own, self-hosted or public openid connect server.
https://plugins.jenkins.io/oic-auth
MIT License

API Token stops working when user logout #365

Closed pnowy closed 3 weeks ago

pnowy commented 1 month ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.452.3
OS: Linux - 5.15.146+
Java: 17.0.11 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
Office-365-Connector:4.21.5 Parameterized-Remote-Trigger:3.2.0 ace-editor:1.1 ansicolor:1.0.4 antisamy-markup-formatter:162.v0e6ec0fcfcf6 apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 apache-httpcomponents-client-5-api:5.3.1-110.v77252fb_d4da_5 appscan:1.4.1 asm-api:9.7-33.v4d23ef79fcc8 authentication-tokens:1.119.v50285141b_7e1 autocancel:1.0.5 basic-branch-build-strategies:81.v05e333931c7d bitbucket-build-status-notifier:1.4.2 blueocean:1.27.14 blueocean-bitbucket-pipeline:1.27.14 blueocean-commons:1.27.14 blueocean-config:1.27.14 blueocean-core-js:1.27.14 blueocean-dashboard:1.27.14 blueocean-display-url:2.4.3 blueocean-events:1.27.14 blueocean-git-pipeline:1.27.14 blueocean-github-pipeline:1.27.14 blueocean-i18n:1.27.14 blueocean-jwt:1.27.14 blueocean-personalization:1.27.14 blueocean-pipeline-api-impl:1.27.14 blueocean-pipeline-editor:1.27.14 blueocean-pipeline-scm-api:1.27.14 blueocean-rest:1.27.14 blueocean-rest-impl:1.27.14 blueocean-web:1.27.14 bootstrap5-api:5.3.3-1 bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_ branch-api:2.1178.v969d9eb_c728e build-history-metrics-plugin:112.v476124de7dfc caffeine-api:3.1.8-133.v17b_1ff2e0599 checks-api:2.2.0 cloud-stats:336.v788e4055508b_ cloudbees-bitbucket-branch-source:888.v8e6d479a_1730 cloudbees-folder:6.928.v7c780211d66e command-launcher:107.v773860566e2e commons-compress-api:1.26.1-2 commons-httpclient3-api:3.1-3 commons-lang3-api:3.14.0-76.vda_5591261cfe commons-text-api:1.12.0-129.v99a_50df237f7 configuration-as-code:1836.vccda_4a_122a_a_e credentials:1371.vfee6b_095f0a_3 credentials-binding:681.vf91669a_32e45 dark-theme:439.vdef09f81f85e display-url-api:2.204.vf6fddd8a_8b_e9 docker-commons:439.va_3cb_0a_6a_fb_29 docker-java-api:3.3.6-90.ve7c5c7535ddd docker-plugin:1.6.2 docker-workflow:580.vc0c340686b_54 durable-task:568.v8fb_5c57e8417 echarts-api:5.5.0-1
eddsa-api:0.3.0-4.v84c6f0f4969e email-ext:1814.v404722f34263 emailext-template:1.5 favorite:2.218.vd60382506538 flatpickr-api:4.6.13-5.v534d8025a_a_59 folder-properties:1.2.1 font-awesome-api:6.5.2-1 git:5.3.0 git-client:5.0.0 github:1.39.0 github-api:1.321-468.v6a_9f5f2d5a_7e github-branch-source:1793.v1831e9c68d77 global-build-stats:304.ve03f19d5969e google-chat-notification:147.v68a_27a_f15577 gson-api:2.11.0-41.v019fcf6125dc handy-uri-templates-2-api:2.1.8-30.v7e777411b_148 htmlpublisher:1.36 instance-identity:185.v303dc7c645f9 ionicons-api:74.v93d5eb_813d5f jackson2-api:2.17.0-379.v02de8ec9f64c jakarta-activation-api:2.1.3-1 jakarta-mail-api:2.1.3-1 javax-activation-api:1.2.0-7 javax-mail-api:1.6.2-10 jaxb:2.3.9-1 jdk-tool:73.vddf737284550 jenkins-design-language:1.27.14 jjwt-api:0.11.5-112.ve82dfb_224b_a_d job-dsl:1.87 joda-time-api:2.12.7-29.v5a_b_e3a_82269a_ jquery3-api:3.7.1-2 jsch:0.2.16-86.v42e010d9484b_ json-api:20240303-41.v94e11e6de726 json-path-api:2.9.0-58.v62e3e85b_a_655 junit:1280.v310a_78b_9a_1e0 kubernetes:4280.vd919fa_528c7e kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2 kubernetes-credentials:174.va_36e093562d9 kubernetes-credentials-provider:1.262.v2670ef7ea_0c5 mailer:472.vf7c289a_4b_420 matrix-auth:3.2.2 matrix-project:832.va_66e270d2946 mercurial:1260.vdfb_723cdcc81 metrics:4.2.21-451.vd51df8df52ec mina-sshd-api-common:2.13.1-117.v2f1a_b_66ff91d mina-sshd-api-core:2.13.1-117.v2f1a_b_66ff91d momentjs:1.1.1 multiple-scms:0.8 oic-auth:4.303.v84089a_708ea_7 okhttp-api:4.11.0-172.vda_da_1feeb_c6e parameter-separator:166.vd0120849b_386 parameterized-trigger:806.vf6fff3e28c3e pipeline-build-step:540.vb_e8849e1a_b_d8 pipeline-graph-analysis:216.vfd8b_ece330ca_ pipeline-groovy-lib:727.ve832a_9244dfa_ pipeline-input-step:495.ve9c153f6067b_ pipeline-milestone-step:119.vdfdc43fc3b_9a_ pipeline-model-api:2.2205.vc9522a_9d5711 pipeline-model-definition:2.2205.vc9522a_9d5711 pipeline-model-extensions:2.2205.vc9522a_9d5711 pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_ pipeline-stage-tags-metadata:2.2205.vc9522a_9d5711 pipeline-stage-view:2.34 pipeline-utility-steps:2.17.0 plain-credentials:183.va_de8f1dd5a_2b_ plugin-util-api:4.1.0 popper2-api:2.11.6-5 prism-api:1.29.0-15 prometheus:780.v7c50a_d288424 pubsub-light:1.18 pyenv-pipeline:2.1.2 role-strategy:727.vd344b_eec783d scm-api:696.v778d637b_a_762 script-security:1341.va_2819b_414686 snakeyaml-api:2.2-111.vc6598e30cc65 sonar:2.17.2 sse-gateway:1.27 ssh-agent:376.v8933585c69d3 ssh-credentials:343.v884f71d78167 ssh-slaves:2.973.v0fa_8c0dea_f9f sshd:3.330.vc866a_8389b_58 structs:338.v848422169819 test-results-analyzer:0.4.1 theme-manager:262.vc57ee4a_eda_5d timestamper:1.27 token-macro:400.v35420b_922dcb_ trilead-api:2.147.vb_73cc728a_32e variant:60.v7290fc0eb_b_cd view-job-filters:382.vdf2d5e3f02f0 workflow-aggregator:600.vb_57cdd26fdd7 workflow-api:1322.v857eeeea_9902 workflow-basic-steps:1058.vcb_fc1e3a_21a_9 workflow-cps:3922.va_f73b_7c4246b_ workflow-durable-task-step:1364.v2fd76fb_6fd41 workflow-job:1400.v7fd111b_ec82f workflow-multibranch:783.787.v50539468395f workflow-scm-step:427.v4ca_6512e7df1 workflow-step-api:678.v3ee58b_469476 workflow-support:920.v59f71ce16f04
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Official Jenkins Helm chart:

```yaml
name: jenkins
version: 5.5.2
repository: https://charts.jenkins.io
```

Reproduction steps

Hi, after the latest Jenkins upgrade (to 2.452.3) and the related plugin update (oic-auth:4.303.v84089a_708ea_7) we noticed the problem on one of our Jenkins instances which is using the oic-auth plugin.

The problem is that the API token stopped working immediately after user logout or when the user's OIDC token expires, which shouldn't be related (API tokens should still work, and we didn't have a problem with the earlier version).

We are integrated with Keycloak and have a dedicated user where those tokens are registered. Unfortunately it looks like in the latest plugin version API tokens are somehow related to the user session. We have another Jenkins instance where we are not using the OIC plugin but LDAP integration, and there the problem with expiring API tokens doesn't exist, so we suspect it could be a problem with the plugin (for API tokens the server returns HTTP ERROR 401 Token expired immediately after user logout).

It seems related to https://github.com/jenkinsci/oic-auth-plugin/issues/358 but the problem still exists with the latest plugin version.

Expected Results

API tokens independent from user session where token is registered

Actual Results

API tokens stop working when user session is invalidated

Anything else?

Please let me know if you need additional details - I will try to provide them. Thanks.

Are you interested in contributing a fix?

No response

weifan01 commented 1 month ago

I have the same problem; I use casdoor as the authentication service. But my plugin version is 4.290.v6f5e8da_e98b_2 and I plan to upgrade Jenkins and the plugin to the latest version when I am free; the latest changelog says that this issue has been fixed.

ZIRAKrezovic commented 3 weeks ago

Hello @pnowy, @weifan01,

Behavior has been changed in such a way that, when no refresh token is used or no offline token is available, the user is invalidated. It was reported as a security issue that API tokens associated with users no longer present in the SSO system were working, and as such we had to introduce the usage of (long-lived) refresh tokens.

Keycloak should be able to issue a long-lived refresh token if you specify "offline_access" in the request scopes. Additionally, logging out from SSO will invalidate the session on SSO UNLESS you use the offline_access scope when requesting the token.

Can you try that?

As a last resort, you can try ticking the "Disable Token Expiration Check" checkbox under the "Advanced" configuration and you will get the old behavior.

https://github.com/jenkinsci/oic-auth-plugin/blob/master/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/help-tokenExpirationCheckDisabled.html
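A quick way to confirm that Keycloak really issued the long-lived offline token the comment above relies on, as an added example that is not part of this issue or of the plugin: decode the claims of a refresh token you already hold and check that Keycloak marked it with typ "Offline" and put offline_access in its scope. The two sample tokens below are constructed (fake signature, made-up claims); the typ/scope claim conventions are Keycloak's.

```python
import base64
import json
import time

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    """Return the claims of a compact JWT WITHOUT verifying the signature.
    Only for inspecting a token you hold; never use this to accept a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))

def check_offline_token(token: str, now: float = None) -> tuple:
    """(ok, reason): is this Keycloak refresh token an offline token?
    Keycloak marks offline tokens typ "Offline" with offline_access in the
    space-separated scope claim; a plain refresh token has typ "Refresh" and
    is invalidated together with the SSO session (e.g. on SSO logout)."""
    claims = jwt_claims(token)
    typ = claims.get("typ")
    if typ != "Offline":
        return False, f"typ is {typ!r}: session-bound refresh token, dies with the SSO session"
    if "offline_access" not in claims.get("scope", "").split():
        return False, "typ is Offline but offline_access is missing from scope"
    exp = claims.get("exp", 0)
    if exp and exp < (time.time() if now is None else now):
        return False, "offline token has already expired"
    return True, "offline token: outlives the SSO session"

def _constructed_token(claims: dict) -> str:
    # Builds a JWT-shaped string with a fake signature, for demonstration only.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'HS512', 'typ': 'JWT'})}.{enc(claims)}.fakesig"

# Constructed samples shaped like Keycloak refresh-token payloads (not from a real realm).
SESSION_TOKEN = _constructed_token({"typ": "Refresh", "scope": "openid email", "exp": 1700003600, "sid": "s1"})
OFFLINE_TOKEN = _constructed_token({"typ": "Offline", "scope": "openid email offline_access", "exp": 0})

if __name__ == "__main__":
    for name, tok in (("SESSION_TOKEN", SESSION_TOKEN), ("OFFLINE_TOKEN", OFFLINE_TOKEN)):
        ok, why = check_offline_token(tok)
        print(f"{name}: {'OK' if ok else 'NOT offline'} - {why}")
```

Paste the refresh token returned by your own Keycloak token request in place of the samples; if it reports typ "Refresh", the offline_access scope did not take effect and API tokens will keep dying with the SSO session.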

ZIRAKrezovic commented 3 weeks ago

Also, the "Log Out from OpenID Provider" completely discards all tokens, including offline ones. This is noted in the "Help" text for "Log Out from OpenID Provider".

https://github.com/jenkinsci/oic-auth-plugin/blob/master/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/help-logoutFromOpenidProvider.html

pnowy commented 3 weeks ago

Hello @ZIRAKrezovic,

Thanks for the hints! We had the offline access scope included, but the issue was related to logoutFromOpenidProvider (we had that property set to true for a long time).

For anyone who is using CaSC:

```yaml
securityRealm: |-
        oic:
          ...
          logoutFromOpenidProvider: false
```

One more time, thanks for the help and the explanation of what to check. Closing the ticket.