jenkinsci / oic-auth-plugin

A Jenkins plugin which lets you login to Jenkins using your own, self-hosted or public openid connect server.
https://plugins.jenkins.io/oic-auth
MIT License

Jenkins API tokens should never expire regardless of user session #404

Closed tuxy85 closed 1 week ago

tuxy85 commented 1 week ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.462.1.3
OS: Linux - 5.10.223-212.873.amzn2.x86_64
Java: 17.0.12 - Red Hat, Inc. (OpenJDK 64-Bit Server VM)
```

What Operating System are you using (both controller, and any agents involved in the problem)?

OS: Linux - 5.10.223-212.873.amzn2.x86_64

Reproduction steps

  1. Create a Jenkins API token on a Jenkins controller configured with OicSecurityRealm and Logout from OpenID Provider enabled. Let's assume the token is associated with UserA.
  2. Logout UserA from the Jenkins controller.
  3. Send an API request with the API token generated in step 1 (Authorization Basic with UserA username and API token).

Expected Results

I should be able to send API requests with the Jenkins API token even though the user's session (OpenID Provider session) is terminated (logout).

Logout from OpenID Provider: "Logout from Jenkins entails logout from OpenID Provider."

Actual Results

It is impossible to send API requests with the Jenkins API token when the user's session is terminated (logout) because the request gets HTTP ERROR 401 Token expired.

Logout from OpenID Provider: "Logout from Jenkins entails logout from OpenID Provider. Please note that this will make all API Keys invalid."

Anything else?

The method redirectOrRejectRequest at https://github.com/jenkinsci/oic-auth-plugin/blob/4.331.vd925b_f76f3a_c/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java#L1419-L1427 should be changed as follows:

    private void redirectOrRejectRequest(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        if (req.getSession(false) != null) {
            // A browser session exists but its OIDC tokens are gone: drop it and send the user to login.
            req.getSession().invalidate();
            res.sendRedirect(Jenkins.get().getSecurityRealm().getLoginUrl());
        } else if (Strings.isNullOrEmpty(req.getHeader("Authorization"))) {
            // No session and no credentials: reject.
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing HTTP Authorization request header");
        }
        // Otherwise an Authorization header (Basic auth with an API token) is present:
        // fall through so Jenkins' own API-token check handles the request.
    }

Are you interested in contributing a fix?

No response
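A unit test for the three branches of the proposed redirectOrRejectRequest logic, covering the reproduction steps above (session present, no credentials, API token in the Authorization header). This is an added example, not code from the plugin or from this issue; it assumes JUnit 5, Mockito and the javax.servlet API on the classpath, injects the login URL instead of reading it from Jenkins.get(), and replaces Guava's Strings.isNullOrEmpty with a plain null/empty check.

```java
import static org.mockito.Mockito.*;
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.junit.jupiter.api.Test;
// Stand-alone copy of the proposed redirectOrRejectRequest logic (added example, not plugin code).
// loginUrl is injected instead of read from Jenkins.get(); Strings.isNullOrEmpty becomes a plain check.
class SessionGate {
    private final String loginUrl;
    SessionGate(String loginUrl) { this.loginUrl = loginUrl; }
    void redirectOrRejectRequest(HttpServletRequest req, HttpServletResponse res)
            throws IOException, ServletException {
        String authz = req.getHeader("Authorization");
        if (req.getSession(false) != null) {
            // Browser session whose OIDC tokens are gone: drop it and send the user back to login.
            req.getSession().invalidate();
            res.sendRedirect(loginUrl);
        } else if (authz == null || authz.isEmpty()) {
            // No session and no credentials at all: nothing to authenticate with.
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing HTTP Authorization request header");
        }
        // Otherwise a Basic/API-token request: leave it untouched so Jenkins' own token check decides.
    }
}
class SessionGateTest {
    private final SessionGate gate = new SessionGate("/securityRealm/commenceLogin");
    private final HttpServletRequest req = mock(HttpServletRequest.class);   // fresh per test method
    private final HttpServletResponse res = mock(HttpServletResponse.class);
    @Test void staleBrowserSessionIsInvalidatedAndRedirected() throws Exception {
        HttpSession session = mock(HttpSession.class);
        when(req.getSession(false)).thenReturn(session);
        when(req.getSession()).thenReturn(session);
        gate.redirectOrRejectRequest(req, res);
        verify(session).invalidate();
        verify(res).sendRedirect("/securityRealm/commenceLogin");
    }
    @Test void noSessionAndNoCredentialsIs401() throws Exception {
        when(req.getSession(false)).thenReturn(null);   // mock default, made explicit
        gate.redirectOrRejectRequest(req, res);
        verify(res).sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing HTTP Authorization request header");
    }
    @Test void apiTokenRequestPassesThroughUntouched() throws Exception {
        when(req.getHeader("Authorization")).thenReturn("Basic dXNlcmE6MTFhYmMx");   // constructed value
        gate.redirectOrRejectRequest(req, res);
        verifyNoInteractions(res);   // neither redirected nor rejected: the API-token path proceeds
    }
}
```

The third test is the one that fails against the 4.331 behaviour described in this issue, where a token-bearing request with no live session is answered with 401 instead of being passed on to the token check.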

eva-mueller-coremedia commented 1 week ago

I am wondering if this is solved with https://github.com/jenkinsci/oic-auth-plugin/releases/tag/4.340.ve70636c6590e (one release after the version you use 4.331.vd925b_f76f3a_c)

mikecirioli commented 1 week ago

Yes, I believe that (or newer versions) should resolve your problem. There is a new checkbox in the config which can enable the behavior.

tuxy85 commented 1 week ago

Thanks for pointing this out. In this case, upgrading the plugin would be the best option. I am closing this issue.