Open Masahigo opened 2 years ago
> Would it be possible to allow the trailing slash

Seems like a reasonable option, if in fact that helps with Azure.

> should the Assertion Subject be the URL of the CI job

See #18. As to whether it should

> be the name of the Azure blob storage where the discovery document is served from

then given

> serving the OIDC discovery document + JWKS from Azure blob storage since the Jenkins itself is hosted from internal network

and you are already setting this as the issuer, then I do not suppose so; the subject should be some identification of what is using the token.

AFAICT the plugin should actually work OK if you save a custom issuer ending with a slash despite this error message. (When this field is set, the only thing it should affect is the actual `iss` claim in the id token.) Try it; if it helps with Azure, then I will downgrade this to a warning that typically issuers do not end with a slash.
What feature do you want to see added?
I have been trying to get this plugin to work together with Azure AD's workload identity federation.
I've gotten very far by basically following the pattern described in here and serving the OIDC discovery document + JWKS from Azure blob storage since the Jenkins itself is hosted from internal network.
But when testing this from a Jenkins Pipeline I face the following error
The reason for this issue could be as simple as a trailing slash in issuer URL.
Would it be possible to allow the trailing slash in the plugin's UI view (?)
This might very well resolve this issue I'm having because Azure AD seems to somehow expect that trailing slash there.
But I'm also wondering should the Assertion Subject be the URL of the CI job in this case, because Azure is expecting it to be the name of the Azure blob storage where the discovery document is served from.
Upstream changes
No response
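A debugging aid for the mismatch discussed in this thread, added here as an example that is not part of the issue or of the plugin's code: it decodes an id token's claims and reports where `iss`, `sub` or `aud` differ from the values configured on the relying party, calling out a difference that is only a trailing slash. It assumes the relying party compares the values as exact strings; the function names, URLs and token below are constructed for illustration.

```python
import base64
import json


def b64url(data: bytes) -> str:
    """Base64url-encode without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature (debugging only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def compare_claims(claims: dict, expected: dict) -> list:
    """Compare iss/sub/aud exactly against the relying party's configured values."""
    findings = []
    for name in ("iss", "sub", "aud"):
        got, want = claims.get(name), expected.get(name)
        if got == want:
            continue
        both_str = isinstance(got, str) and isinstance(want, str)
        if both_str and got.rstrip("/") == want.rstrip("/"):
            findings.append(f"{name}: differs only by trailing slash ({got!r} vs {want!r})")
        else:
            findings.append(f"{name}: mismatch ({got!r} vs {want!r})")
    return findings


# Constructed sample values, not taken from the issue.
SAMPLE_CLAIMS = {
    "iss": "https://example.blob.core.windows.net/oidc",
    "sub": "https://jenkins.example.internal/job/deploy/",
    "aud": "api://AzureADTokenExchange",
}
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url(b"constructed-signature"),  # placeholder, never verified here
])
# What the relying party is assumed to be configured with: issuer ends in "/".
EXPECTED = dict(SAMPLE_CLAIMS, iss="https://example.blob.core.windows.net/oidc/")

if __name__ == "__main__":
    for line in compare_claims(decode_claims(SAMPLE_TOKEN), EXPECTED) or ["all claims match"]:
        print(line)
```

Run it against a token captured from a test pipeline by replacing `SAMPLE_TOKEN` and `EXPECTED`; the decoded claims are unverified and must not be used for any access decision.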