jenkinsci / oidc-provider-plugin

OpenID Connect Provider Plugin for Jenkins
https://plugins.jenkins.io/oidc-provider/
MIT License
22 stars 13 forks

Demo of external issuer #11

Open jglick opened 2 years ago

jglick commented 2 years ago

Never managed to adjust the AWS demo to use an external issuer because neither GCS nor GitHub Pages worked (https://github.com/jenkinsci/oidc-provider-plugin/pull/8#discussion_r842260611), so we need a different free hosting site with TLS and support for Content-Type. render.com looks promising.

elinesterov commented 1 year ago

What is an external issuer in this context? I cannot see any options in the code to rely on a non-Jenkins OIDC plugin to do JWT signing. Does this refer to the fact that I'll host my openid configuration and JWKS on another URL (e.g., serving from an S3 bucket)?

I would suggest renaming external issuer in this case to something like oidc metadata location to avoid confusion.

As a side note:

AWS secures communication with some OIDC identity providers (IdPs) through our library of trusted root certificate authorities (CAs) instead of using a certificate thumbprint to verify your IdP server certificate. These OIDC IdPs include Auth0, GitHub, Google, and those that use an Amazon S3 bucket to host a JSON Web Key Set (JWKS) endpoint. In these cases, your legacy thumbprint remains in your configuration, but is no longer used for validation.

AWS updated the documentation, probably after this issue was filed. So if you put the JWKS and openid-connect configuration in an S3 bucket you don't need to deal with thumbprints.

jglick commented 1 year ago

Basically it just means picking some URL unrelated to the Jenkins controller, hosting two static files there (the OIDC well-known metadata and the JWKS), and configuring the issuer in the Jenkins credentials entry to point to this external URL rather than the Jenkins root URL.

It sounds simple, but the server needs to have a proper TLS certificate and the relying party may be finicky about Content-Type headers, and for purposes of a demo anyone could run I was hoping for some sort of freemium service with easy signup. GH Pages would have been a good choice (anyone with a GH account can publish with little hassle) but sent the wrong content type because it only pays attention to file extension, and the OIDC spec requires the well-known endpoint to be JSON but not a *.json URL, to my frustration.
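The two static files described above, and the checks a relying party runs against them, as an added example that is not part of this thread or of the oidc-provider plugin. It models a relying party fetching `/.well-known/openid-configuration` and the JWKS and insisting on HTTPS, an exact issuer match and an `application/json` Content-Type, then runs that check against two constructed static hosts: one that serves the right Content-Type and one that, like the GitHub Pages behaviour described above, derives Content-Type from the file extension alone. The issuer URL `https://oidc-demo.example`, the key id and the modulus placeholder are all constructed values.

```python
"""Relying-party style checks for a self-hosted OIDC issuer.

Added example, not the plugin's own code. Everything under ISSUER below is
a constructed placeholder; the fetcher is simulated so this runs offline.
"""
import json
from dataclasses import dataclass
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Metadata fields OIDC Discovery requires a provider to publish.
REQUIRED_METADATA = (
    "issuer",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: bytes

    def content_type(self) -> str:
        """Media type only (parameters such as charset stripped), lower-cased."""
        for name, value in self.headers.items():
            if name.lower() == "content-type":
                return value.split(";")[0].strip().lower()
        return ""


Fetcher = Callable[[str], Response]


def _check_json_response(resp: Response, url: str) -> List[str]:
    problems = []
    if resp.status != 200:
        problems.append(f"{url}: HTTP {resp.status}")
    ctype = resp.content_type()
    if ctype != "application/json":
        problems.append(f"{url}: Content-Type {ctype!r}, expected application/json")
    try:
        json.loads(resp.body)
    except ValueError:
        problems.append(f"{url}: body is not valid JSON")
    return problems


def check_issuer(issuer: str, fetch: Fetcher) -> List[str]:
    """Return a list of problems a strict relying party would reject on; empty means OK."""
    problems: List[str] = []
    parsed = urlparse(issuer)
    if parsed.scheme != "https":
        problems.append("issuer URL must use https")
    if parsed.query or parsed.fragment:
        problems.append("issuer URL must not carry a query or fragment")

    # Discovery document: the well-known path has no .json suffix by design.
    config_url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    config_resp = fetch(config_url)
    problems += _check_json_response(config_resp, config_url)
    if problems:
        return problems
    meta = json.loads(config_resp.body)
    for field in REQUIRED_METADATA:
        if field not in meta:
            problems.append(f"metadata missing {field}")
    # Discovery requires the published issuer to match the URL used, byte for byte.
    if meta.get("issuer") != issuer:
        problems.append(f"metadata issuer {meta.get('issuer')!r} != {issuer!r}")
    jwks_uri = meta.get("jwks_uri", "")
    if not jwks_uri.startswith("https://"):
        problems.append("jwks_uri must be an https URL")
        return problems

    jwks_resp = fetch(jwks_uri)
    problems += _check_json_response(jwks_resp, jwks_uri)
    if problems:
        return problems
    keys = json.loads(jwks_resp.body).get("keys", [])
    if not keys:
        problems.append("JWKS has no keys")
    for key in keys:
        if key.get("kty") != "RSA" or not key.get("n") or not key.get("e"):
            problems.append(f"JWKS key {key.get('kid')!r} is not a usable RSA public key")
        if key.get("use", "sig") != "sig":
            problems.append(f"JWKS key {key.get('kid')!r} is not a signing key")
    return problems


# ---- constructed static site: the two files a self-hosted issuer publishes ----
ISSUER = "https://oidc-demo.example"  # constructed placeholder, not a real host
METADATA = {
    "issuer": ISSUER,
    "jwks_uri": ISSUER + "/jwks.json",
    "response_types_supported": ["id_token"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}
JWKS = {"keys": [{"kty": "RSA", "kid": "demo-key-1", "use": "sig", "alg": "RS256",
                  "n": "BASE64URL-MODULUS-PLACEHOLDER", "e": "AQAB"}]}


def static_site(content_type_for: Callable[[str], str]) -> Fetcher:
    """Simulate a static host; content_type_for decides the Content-Type per URL."""
    files = {
        ISSUER + "/.well-known/openid-configuration": json.dumps(METADATA).encode(),
        ISSUER + "/jwks.json": json.dumps(JWKS).encode(),
    }

    def fetch(url: str) -> Response:
        if url not in files:
            return Response(404, {"Content-Type": "text/plain"}, b"not found")
        return Response(200, {"Content-Type": content_type_for(url)}, files[url])

    return fetch


def correct_host(url: str) -> str:
    return "application/json"


def extension_based_host(url: str) -> str:
    # Picks Content-Type from the file extension only, so the extension-less
    # well-known document is served as text and the relying party rejects it.
    return "application/json" if url.endswith(".json") else "text/plain; charset=utf-8"


if __name__ == "__main__":
    print("correct host:", check_issuer(ISSUER, static_site(correct_host)))
    print("extension-based host:", check_issuer(ISSUER, static_site(extension_based_host)))
```

Running the script shows the correct host passing with no problems and the extension-based host failing only on the Content-Type of the well-known document, which is the exact failure mode described above. The early returns are deliberate: a relying party that cannot parse the discovery document never reaches the JWKS, so the first problem reported is the one to fix first.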

elinesterov commented 1 year ago

Thank you for the clarification @jglick

It sounds simple

I know how complicated it is :) especially regarding content type which is not a part of the spec but many enforce its validation (for multiple reasons).

jglick commented 10 months ago

https://www.acorn.io/pricing might work well enough for demo purposes.