Open patrickpichler opened 1 year ago
@jglick I've now also added some tests :slightly_smiling_face:
@jglick I think the PR is ready now, could you have another look? :slightly_smiling_face: I would then proceed to make the git history nice and squash everything into a single commit :sweat_smile:
@patrickpichler do you still plan to work on this?
Yes, I am still planning to implement this, but I need to first take a look at the changes in master.
@jglick I've updated the branch. I am not 100% sure how I would go ahead and update all secrets once the global plugin config is updated though :thinking: Do you have an idea? https://github.com/jenkinsci/oidc-provider-plugin/pull/17/files#diff-8dfaabe0385e0b0a1de720d3227c8c8d0fdfd57d2f95426d2ea3eccc31984958R147
Just delete IdTokenCredentials.algorithm
and retrieve the algorithm from global settings on demand. Then there is nothing to update.
There is, as an update to the global algorithm should probably recreate the keypair used (if the algorithm changed). Otherwise the existing keypairs are out of sync with the global config.
Pending #3 you can simply resave existing credentials at any time.
I've implemented the update version. Do you know of a better way of doing this? @jglick
This PR solves #4 by extending the credentials page with a combobox to select the desired algorithm to create the key pair.
The base functionality is implemented and I now want to get some feedback from the maintainers. Tests are currently missing and the existing tests still need some adaptation.
It is now possible to choose between six different algorithms used for the keypair. Three of those are RSA-based and the other three EC. I found no easy way to recreate the public key from the private EC key (I'm no expert on that matter, so if there is an easy way I missed in my research, please let me know :slightly_smiling_face: ), hence I introduced a new container object to store both private and public key as Jenkins secrets. The previous private key secret is still around in order to ensure backwards compatibility for java object serialization, but it is now marked `transient`. As a base for creating key pairs for the different types, I leverage jjwt, since it already provides a nice enum (`SignatureAlgorithm`) wrapping this functionality.
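The design discussed in this thread (a container holding both halves of the key pair, six selectable jjwt algorithms, and regenerating the pair when the globally configured algorithm changes) as an added, stand-alone example. This is not code from the oidc-provider-plugin or from this PR: the class name `SigningKeyPair`, the `resyncWith` method and the consistency probe are illustrative choices, and the jjwt calls (`Keys.keyPairFor`, `Jwts.parserBuilder`, `SignatureAlgorithm.getJcaName`) assume the jjwt 0.11.x API.

```java
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jws;
import io.jsonwebtoken.JwtException;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;

import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.EnumSet;
import java.util.Set;

/** Hypothetical container (not the plugin's class): both key halves plus the algorithm they were generated for. */
public final class SigningKeyPair {

    /** The six selectable algorithms: three RSA (RSASSA-PKCS1-v1_5) and three ECDSA. */
    static final Set<SignatureAlgorithm> SUPPORTED = EnumSet.of(
            SignatureAlgorithm.RS256, SignatureAlgorithm.RS384, SignatureAlgorithm.RS512,
            SignatureAlgorithm.ES256, SignatureAlgorithm.ES384, SignatureAlgorithm.ES512);

    final SignatureAlgorithm algorithm;
    final PrivateKey privateKey;
    final PublicKey publicKey;

    private SigningKeyPair(SignatureAlgorithm algorithm, KeyPair pair) {
        this.algorithm = algorithm;
        this.privateKey = pair.getPrivate();
        this.publicKey = pair.getPublic();
    }

    /** Generates a fresh pair; jjwt picks the RSA modulus size or EC curve matching the algorithm. */
    static SigningKeyPair generate(SignatureAlgorithm algorithm) {
        if (!SUPPORTED.contains(algorithm)) {
            throw new IllegalArgumentException("unsupported signing algorithm: " + algorithm);
        }
        return new SigningKeyPair(algorithm, Keys.keyPairFor(algorithm));
    }

    /**
     * Called whenever the global setting is read: a changed algorithm makes the stored pair stale,
     * so a new one is generated; an unchanged algorithm keeps the pair so issued tokens stay verifiable.
     */
    SigningKeyPair resyncWith(SignatureAlgorithm globalAlgorithm) {
        return globalAlgorithm == algorithm ? this : generate(globalAlgorithm);
    }

    /** Sign-then-verify probe proving the stored public key really belongs to the stored private key. */
    boolean isConsistent() throws GeneralSecurityException {
        byte[] probe = "keypair-consistency-probe".getBytes(StandardCharsets.UTF_8);
        Signature sig = Signature.getInstance(algorithm.getJcaName());
        sig.initSign(privateKey);
        sig.update(probe);
        byte[] signed = sig.sign();
        sig.initVerify(publicKey);
        sig.update(probe);
        return sig.verify(signed);
    }

    /** Issues a minimal signed token, as the provider would for a build. */
    String issue(String subject) {
        return Jwts.builder().setSubject(subject).signWith(privateKey, algorithm).compact();
    }

    /** Verifies a token against this pair's public key; a mismatching key or algorithm yields false. */
    boolean verifies(String token) {
        try {
            Jws<Claims> jws = Jwts.parserBuilder().setSigningKey(publicKey).build().parseClaimsJws(token);
            return jws.getBody().getSubject() != null;
        } catch (JwtException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        SigningKeyPair current = generate(SignatureAlgorithm.ES256);
        String token = current.issue("job/example");
        System.out.println("ES256 pair consistent: " + current.isConsistent());
        System.out.println("token verifies with its own public key: " + current.verifies(token));

        // The administrator switches the global algorithm to RS256: the credential regenerates its pair.
        SigningKeyPair after = current.resyncWith(SignatureAlgorithm.RS256);
        System.out.println("pair regenerated: " + (after != current));
        System.out.println("old token verifies with new public key: " + after.verifies(token));

        // Same algorithm again: no regeneration, so previously issued tokens remain valid.
        System.out.println("unchanged when algorithm matches: " + (after.resyncWith(SignatureAlgorithm.RS256) == after));
    }
}
```

Storing the algorithm next to both keys is what makes the resync decision possible without re-deriving anything from the private key; the probe in `isConsistent` is the check a reviewer would want when a pair is loaded from older serialized credentials, since a public key that does not match its private key would otherwise only surface as relying parties rejecting tokens.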