jenkinsci / oic-auth-plugin

A Jenkins plugin which lets you login to Jenkins using your own, self-hosted or public openid connect server.
https://plugins.jenkins.io/oic-auth
MIT License

Logout doesn't work. It works only if we sign out of our gmail account (from the gmail website) #466

Open liv-ci opened 3 days ago

liv-ci commented 3 days ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.479.1
OS: Linux - 6.1.100+
Java: 17.0.13 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
analysis-model-api:12.9.0
ansible:403.v8d0ca_dcb_b_502
ansicolor:1.0.5
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
apache-httpcomponents-client-5-api:5.4-124.v31e2987e48f4
asm-api:9.7.1-97.v4cc844130d97
authentication-tokens:1.119.v50285141b_7e1
authorize-project:1.8.1
aws-credentials:231.v08a_59f17d742
aws-java-sdk-api-gateway:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-cloudformation:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-cloudfront:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-codedeploy:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-ec2:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-ecr:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-elasticbeanstalk:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-elasticloadbalancingv2:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-iam:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-lambda:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-minimal:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-organizations:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-sns:1.12.772-474.v7f79a_2046a_fb_
aws-java-sdk-sqs:1.12.772-474.v7f79a_2046a_fb_
basic-branch-build-strategies:190.v343a_ee70d920
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1197.vfa_d0c47c267d
build-discarder:139.v05696a_7fe240
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.1
cloudbees-disk-usage-simple:205.v47f4ee8803d1
cloudbees-folder:6.955.v81e2a_35c08d3
command-launcher:115.vd8b_301cc15d0
commons-compress-api:1.26.1-2
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.12.0-129.v99a_50df237f7
configuration-as-code:1887.v9e47623cb_043
configuration-as-code-groovy:1.1
copyartifact:757.v05365583a_455
credentials:1389.vd7a_b_f5fa_50a_2
credentials-binding:687.v619cb_15e923f
customizable-header:141.vdd3dcb_cfcf66
dark-theme:479.v661b_1b_911c01
data-tables-api:2.1.8-1
discord-notifier:260.v8f28622b_a_6b_7
display-url-api:2.209.v582ed814ff2f
docker-commons:443.v921729d5611d
docker-workflow:580.vc0c340686b_54
durable-task:577.v2a_8a_4b_7c0247
echarts-api:5.5.1-4
eddsa-api:0.3.0-4.v84c6f0f4969e
flatpickr-api:4.6.13-5.v534d8025a_a_59
font-awesome-api:6.6.0-2
forensics-api:2.6.0
generic-webhook-trigger:2.2.5
git:5.6.0
git-client:6.1.0
gitlab-plugin:1.9.5
google-login:109.v022b_cf87b_e5b_
gravatar:113.v8846c95107e6
gson-api:2.11.0-85.v1f4e87273c33
http_request:1.19
instance-identity:201.vd2a_b_5a_468a_a_6
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
jdk-tool:80.v8a_dee33ed6f0
jersey2-api:2.44-151.v6df377fff741
joda-time-api:2.13.0-93.v9934da_29b_a_e9
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20240303-101.v7a_8666713110
json-path-api:2.9.0-118.v7f23ed82a_8b_8
junit:1307.vdd5b_2646279e
kubernetes:4295.v7fa_01b_309c95
kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2
kubernetes-credentials:174.va_36e093562d9
kubernetes-credentials-provider:1.262.v2670ef7ea_0c5
locale:544.v5ee877a_46b_90
lockable-resources:1327.ved786b_a_197e0
mailer:489.vd4b_25144138f
material-theme:0.5.2-rc100.6121925fe229
matrix-project:840.v812f627cb_578
metrics:4.2.21-458.vcf496cb_839e4
mina-sshd-api-common:2.14.0-133.vcc091215a_358
mina-sshd-api-core:2.14.0-133.vcc091215a_358
modernstatus:1.3
nunit:547.v9dcdd7a_90848
oic-auth:4.421.v5422614eb_e0a_
okhttp-api:4.11.0-181.v1de5b_83857df
p4:1.16.0
pipeline-agent-build-history:90.vf089ff0feff9
pipeline-aws:1.45
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-groovy-lib:744.v5b_556ee7c253
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-definition:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-extensions:2.2214.vb_b_34b_2ea_9b_83
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2214.vb_b_34b_2ea_9b_83
pipeline-utility-steps:2.18.0
plain-credentials:183.va_de8f1dd5a_2b_
plasticscm-plugin:4.4
plugin-util-api:5.1.0
prism-api:1.29.0-17
prometheus:795.v995762102f28
resource-disposer:0.25
role-strategy:743.v142ea_b_d5f1d3
scm-api:698.v8e3b_c788f0a_6
script-security:1367.vdf2fc45f229c
skip-certificate-check:1.1
snakeyaml-api:2.3-123.v13484c65210a_
solarized-theme:0.1
ssh-agent:376.v8933585c69d3
ssh-credentials:343.v884f71d78167
ssh-slaves:2.973.v0fa_8c0dea_f9f
ssh-steps:2.0.68.va_d21a_12a_6476
sshd:3.330.vc866a_8389b_58
startup-trigger-plugin:2.9.4
structs:338.v848422169819
theme-manager:262.vc57ee4a_eda_5d
trilead-api:2.147.vb_73cc728a_32e
uno-choice:2.8.5
variant:60.v7290fc0eb_b_cd
warnings-ng:11.10.0
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1336.vee415d95c521
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3990.vd281dd77a_388
workflow-durable-task-step:1371.vb_7cec8f3b_95e
workflow-job:1460.v28178c1ef6e6
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:930.vf51d22b_ce488
ws-cleanup:0.48
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Controller OS: Debian GNU/Linux 12 (bookworm)
Agent OS: Windows Server 2022

Reproduction steps

  1. Log in with Jenkins
  2. Click on Logout. You will see the message: "You are now logged out of Jenkins. Have a nice day!"
  3. Click on the Jenkins Home button (upper left corner link), or simply go back to the root domain URL of the Jenkins instance.

Expected Results

I should be asked to reconnect using my google account.

Actual Results

I am still logged in

Anything else?

This is the configuration that I have for the oic plugin:

```yaml
securityRealm: |
  oic:
    allowedTokenExpirationClockSkewSeconds: 0
    clientId: "{{ jenkins_oic_client_id }}"
    clientSecret: "{{ jenkins_oic_client_secret }}"
    disableSslVerification: false
    escapeHatchEnabled: true
    escapeHatchSecret: "{{ escape_hatch_secret }}"
    escapeHatchUsername: "admin"
    serverConfiguration:
      wellKnown:
        wellKnownOpenIDConfigurationUrl: "https://accounts.google.com/.well-known/openid-configuration"
    userNameField: "email"
authorizationStrategy: |-
  roleBased:
    roles:
      global:
        - name: "admin"
          permissions:
            - "Overall/Administer"
          entries:
...
```

I noticed that the only way to log out is to sign out of my Gmail account from the Gmail website, or by going here: https://mail.google.com/mail/?logout&hl=fr Then, going back to Jenkins, you will need to log in again. However, signing out of Gmail and signing out of Jenkins should be two different things, and should not interfere with each other's behaviour.

Are you interested in contributing a fix?

No response

krezovic commented 2 days ago

Did you enable "Log out from OpenID Provider" checkbox in plugin configuration? (disabled by default)

https://github.com/jenkinsci/oic-auth-plugin/blob/master/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.jelly#L29

liv-ci commented 1 day ago

> Did you enable "Log out from OpenID Provider" checkbox in plugin configuration? (disabled by default)
>
> https://github.com/jenkinsci/oic-auth-plugin/blob/master/src/main/resources/org/jenkinsci/plugins/oic/OicSecurityRealm/config.jelly#L29

Hello! Yes, the checkbox is checked on my end.

krezovic commented 1 day ago

It appears that Google does not provide end_session_endpoint in their OpenID Metadata (or at all). The only way to log out would be to use revocation_endpoint to revoke the ID token.
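To make the point above checkable, here is an added example (not code from the plugin or from either commenter) that reads a provider's OpenID discovery document and decides which logout mechanism a relying party such as Jenkins can use; the discovery documents, issuer names and token values are constructed samples, and nothing is fetched over the network.

```python
"""Classify how a relying party can end an OpenID Provider session, based on
which endpoints the provider's discovery metadata advertises."""
import json
from urllib.parse import urlencode

# Constructed sample: a provider that, like the one in the thread, publishes a
# revocation_endpoint but no end_session_endpoint.
SAMPLE_DISCOVERY_NO_END_SESSION = json.dumps({
    "issuer": "https://accounts.example.com",
    "authorization_endpoint": "https://accounts.example.com/o/oauth2/v2/auth",
    "token_endpoint": "https://oauth2.example.com/token",
    "revocation_endpoint": "https://oauth2.example.com/revoke",
})

# Constructed sample: a provider that supports RP-initiated logout.
SAMPLE_DISCOVERY_WITH_END_SESSION = json.dumps({
    "issuer": "https://idp.example.org",
    "authorization_endpoint": "https://idp.example.org/auth",
    "token_endpoint": "https://idp.example.org/token",
    "end_session_endpoint": "https://idp.example.org/logout",
})


def logout_plan(discovery_json, id_token, post_logout_redirect_uri):
    """Return (mode, target) describing what the RP can do after its local logout.

    mode is one of:
      "rp_initiated_logout": end_session_endpoint present; target is the GET URL
                             the browser is redirected to (OIDC RP-Initiated Logout)
      "revocation_only":     only revocation_endpoint present; target is that endpoint.
                             RFC 7009 revocation invalidates tokens the RP holds but
                             does not end the user's browser session at the provider,
                             so a new login may complete without a password prompt.
      "local_only":          neither endpoint; target is None (Jenkins session only)
    """
    meta = json.loads(discovery_json)
    end_session = meta.get("end_session_endpoint")
    if end_session:
        params = {"id_token_hint": id_token,
                  "post_logout_redirect_uri": post_logout_redirect_uri}
        return "rp_initiated_logout", f"{end_session}?{urlencode(params)}"
    revocation = meta.get("revocation_endpoint")
    if revocation:
        return "revocation_only", revocation
    return "local_only", None
```

Running it against a real provider means substituting the body of its `.well-known/openid-configuration` document for the constructed samples.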