jenkinsci / oic-auth-plugin

A Jenkins plugin which lets you login to Jenkins using your own, self-hosted or public openid connect server.
https://plugins.jenkins.io/oic-auth
MIT License

User name was not the same after refresh request #392

Closed eva-mueller-coremedia closed 1 month ago

eva-mueller-coremedia commented 1 month ago

Jenkins and plugins versions report

oic-auth 4.331.vd925b_f76f3a_c Jenkins: 2.462.2

Environment

```text
Jenkins: 2.462.2
OS: Linux - 6.6.30-0-virt
Java: 17.0.12 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
asm-api:9.7-33.v4d23ef79fcc8
authorize-project:1.7.2
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1178.v969d9eb_c728e
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.1
cloudbees-folder:6.942.vb_43318a_156b_2
oic-auth:4.331.vd925b_f76f3a_c
commons-compress-api:1.26.1-2
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.12.0-129.v99a_50df237f7
credentials:1371.vfee6b_095f0a_3
credentials-binding:681.vf91669a_32e45
display-url-api:2.204.vf6fddd8a_8b_e9
downstream-build-cache:1.7
durable-task:568.v8fb_5c57e8417
echarts-api:5.5.1-1
eddsa-api:0.3.0-4.v84c6f0f4969e
font-awesome-api:6.6.0-2
git:5.4.1
git-client:5.0.0
groovy:457.v99900cb_85593
gson-api:2.11.0-41.v019fcf6125dc
instance-identity:185.v303dc7c645f9
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
job-dsl:1.88
joda-time-api:2.12.7-29.v5a_b_e3a_82269a_
jquery3-api:3.7.1-2
json-api:20240303-41.v94e11e6de726
junit:1296.vb_f538b_c88630
mailer:472.vf7c289a_4b_420
markdown-formatter:201.v7057261b_8dff
mask-passwords:173.v6a_077a_291eb_5
matrix-auth:3.2.2
matrix-project:832.va_66e270d2946
metrics:4.2.21-451.vd51df8df52ec
mina-sshd-api-common:2.13.2-125.v200281b_61d59
mina-sshd-api-core:2.13.2-125.v200281b_61d59
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-graph-view:335.v064a_314706a_e
pipeline-groovy-lib:730.ve57b_34648c63
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-definition:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-extensions:2.2214.vb_b_34b_2ea_9b_83
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2214.vb_b_34b_2ea_9b_83
pipeline-utility-steps:2.17.0
plain-credentials:183.va_de8f1dd5a_2b_
plugin-util-api:4.1.0
rebuild:332.va_1ee476d8f6d
resource-disposer:0.23
scm-api:696.v778d637b_a_762
script-security:1358.vb_26663c13537
simple-theme-plugin:196.v96d9592f4efa_
snakeyaml-api:2.3-123.v13484c65210a_
ssh-credentials:343.v884f71d78167
ssh-slaves:2.973.v0fa_8c0dea_f9f
sshd:3.330.vc866a_8389b_58
structs:338.v848422169819
timestamper:1.27
trilead-api:2.147.vb_73cc728a_32e
uno-choice:2.8.3
variant:60.v7290fc0eb_b_cd
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1336.vee415d95c521
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3961.ve48ee2c44a_b_3
workflow-durable-task-step:1371.vb_7cec8f3b_95e
workflow-job:1436.vfa_244484591f
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:920.v59f71ce16f04
ws-cleanup:0.46
yet-another-build-visualizer:1.17
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Jenkins: 2.462.2 OS: Linux - 6.6.30-0-virt Java: 17.0.12 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)

Reproduction steps

(Cognito) Refresh Configuration:

Login. Wait 15 minutes. Reload.

Expected Results

Reload with updated session.

Actual Results

Screenshot 2024-09-09 at 17 54 20

Anything else?

Problem is solved after deleting the Cookie

eva-mueller-coremedia commented 1 month ago

I added some log statements:

```text
WARNING o.j.plugins.oic.OicSecurityRealm#handleTokenRefreshResponse: userNameFieldExpr Property(username)
WARNING o.j.plugins.oic.OicSecurityRealm#handleTokenRefreshResponse: expectedUsername  mysso_emueller@test.com
WARNING o.j.plugins.oic.OicSecurityRealm#handleTokenRefreshResponse: username          MySSO_emueller@test.com
WARNING o.j.plugins.oic.OicSecurityRealm#handleTokenRefreshResponse: userInfo          {"sub":"fb983f1d-c64a-4a61-b063-5a16f229e462","identities":"[{\"userId\":\"emueller@test.com\",\"providerName\":\"MySSO\",\"providerType\":\"SAML\",\"issuer\":\"https://ISSUSER_URL/\",\"primary\":true,\"dateCreated\":1723044158347}]","custom:ssoGroups":"[group1, group2, group3, group4]","email":"Eva.Mueller@test.com","username":"MySSO_emueller@test.com"}
```

As far as I can debug, the expected user name is based on `user.getId()`.

tomaszpolachowski commented 1 month ago

Today I got exactly the same result. Using the same version of Java and Jenkins in containerized environment (=same image?) and exactly the same version of oic-auth.


I configured it for the first time yesterday so it's hard for me to determine if it could work before :)

Clearing cookies temporarily helped.

In the piece of log file mentioned above we can observe differences in letter case. I have something similar in my environment. The identity provider returns the username in upper-case, however in Jenkins the usernames are in lower-case. It works for initial/regular login (case-insensitive match = this is ok) but does not work for refresh (unexpected case-sensitive match of usernames?).

Possible workaround is to switch to manual configuration and disable Token Refresh using Refresh Tokens. But still - it's good to have it working consistently (always case-insensitive so no break to existing solutions). Best would be to have a choice of username adjustment/policy (like in SAML plugin).

tomaszpolachowski commented 1 month ago

To be more precise: I use Project-based Matrix Authorization Strategy where usernames are provided in lower-case while OIDC IdP provides them in upper-case. If that makes a difference...

tomaszpolachowski commented 1 month ago

Ok. I'm not particularly good at Java but I tried to find a potential reason. The OicSecurityRealm class (https://github.com/jenkinsci/oic-auth-plugin/blob/master/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java) does not override the method `getUserIdStrategy` from the base class (available since ~Apr 2014). See: https://github.com/jenkinsci/jenkins/commit/1c6734098ca068b66bbd1abab30353d7a4f1c5e4. By default it returns `IdStrategy.CASE_INSENSITIVE`. That means oic-auth presents itself as a case-insensitive security realm and it's further taken into account.

Therefore oic-auth should consistently behave as a case-insensitive realm (quick-win: `equalsIgnoreCase` instead of `equals` where applicable, see: https://github.com/jenkinsci/oic-auth-plugin/blob/master/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java#L1519).

Alternatively, it can have a configurable solution for the username strategy and a more robust version of the `getUserIdStrategy` method.

eva-mueller-coremedia commented 1 month ago

Locally, I replaced `if (!expectedUsername.equals(username)) {` with `if (!User.idStrategy().equals(expectedUsername, username)) {` in https://github.com/jenkinsci/oic-auth-plugin/blob/master/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java#L1519

and it worked. I wonder if this change would be sufficient...
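The following standalone Java sketch is an added illustration of the two comments above (the default `IdStrategy.CASE_INSENSITIVE` realm and the `User.idStrategy().equals(...)` fix); it is not the plugin's code. The `IdStrategy` enum and `refreshAccepted` method are simplified stand-ins for Jenkins' `jenkins.model.IdStrategy` and the plugin's `handleTokenRefreshResponse`, so the example runs without Jenkins on the classpath. The userinfo map is constructed to mirror the log lines in the issue.

```java
import java.util.Locale;
import java.util.Map;
import java.util.function.BiPredicate;

/**
 * Simplified model of the refresh-time username check discussed in this issue.
 * Not the plugin's code: IdStrategy here is a stand-in for jenkins.model.IdStrategy,
 * and refreshAccepted* stand in for the check inside handleTokenRefreshResponse.
 */
public class RefreshUsernameCheck {

    /** Stand-in for Jenkins' IdStrategy: decides when two user ids denote the same user. */
    enum IdStrategy {
        // Jenkins' default for security realms that do not override getUserIdStrategy()
        CASE_INSENSITIVE((a, b) -> a.toLowerCase(Locale.ENGLISH).equals(b.toLowerCase(Locale.ENGLISH))),
        CASE_SENSITIVE(String::equals);

        private final BiPredicate<String, String> cmp;

        IdStrategy(BiPredicate<String, String> cmp) {
            this.cmp = cmp;
        }

        boolean sameUser(String a, String b) {
            return cmp.test(a, b);
        }
    }

    /**
     * The check as originally written (plain String.equals): the refreshed session is
     * rejected whenever the IdP's username differs only in case from the id Jenkins
     * stored at login, which is what produced the symptom reported here.
     */
    static boolean refreshAcceptedStrict(String expectedUsername, Map<String, Object> userInfo, String usernameField) {
        Object raw = userInfo.get(usernameField);
        return raw != null && expectedUsername.equals(String.valueOf(raw));
    }

    /**
     * The check routed through the realm's id strategy, as proposed in the thread.
     * A missing username claim is still treated as a failed refresh rather than trusted.
     */
    static boolean refreshAccepted(IdStrategy strategy, String expectedUsername, Map<String, Object> userInfo, String usernameField) {
        Object raw = userInfo.get(usernameField);
        if (raw == null) {
            return false;
        }
        return strategy.sameUser(expectedUsername, String.valueOf(raw));
    }

    public static void main(String[] args) {
        // Constructed sample mirroring the userInfo log line in the issue (abbreviated)
        Map<String, Object> userInfo = Map.of(
            "sub", "fb983f1d-c64a-4a61-b063-5a16f229e462",
            "email", "Eva.Mueller@test.com",
            "username", "MySSO_emueller@test.com");
        // What user.getId() returned at login on a case-insensitive realm
        String expected = "mysso_emueller@test.com";

        System.out.println("strict equals:          " + refreshAcceptedStrict(expected, userInfo, "username"));
        System.out.println("case-insensitive realm: " + refreshAccepted(IdStrategy.CASE_INSENSITIVE, expected, userInfo, "username"));
        System.out.println("case-sensitive realm:   " + refreshAccepted(IdStrategy.CASE_SENSITIVE, expected, userInfo, "username"));
        // A genuinely different account is still rejected under either strategy
        System.out.println("different user:         " + refreshAccepted(IdStrategy.CASE_INSENSITIVE, "mysso_other@test.com", userInfo, "username"));
    }
}
```

The point of routing the comparison through the realm's strategy rather than hard-coding `equalsIgnoreCase` is consistency: login and refresh then agree on which ids denote the same Jenkins user, and a realm that later opts into a case-sensitive strategy gets strict comparison on both paths without a second code change.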

f-w commented 1 month ago

Same error happened to me a few days ago after updating. Was working fine.