Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-11562

instant-messaging-plugin cannot authenticate with apiToken when using openid plugin

      When using the openid plugin, it is not possible to configure the instant-messaging plugin to authenticate using the apitoken as password. It's not clear from the error if the problem is the password or some compatibility between both plugins.

      The following message is shown in the jenkins log:

      WARNING: IRC notifier plugin couldn't authenticate against Hudson: org.acegisecurity.BadCredentialsException: Unexpected authentication type: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@cf61c327: Username: hal; Password: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities

          [JENKINS-11562] instant-messaging-plugin cannot authenticate with apiToken when using openid plugin

          kutzi added a comment -

          Yes, that was more or less hacked to get it working. Do you know what the right API calls are?

          kutzi added a comment - Yes, that was more or less hacked to get it working. Do you know what the right API calls are?

          <sidnei> kohsuke, i think i understand what needs to be done to fix that issue, roughly the same as the BasicAuthenticationFilter does? check that the password matches the api token, if yes then return user.impersonate()?
          <kohsuke> I haven't read the code yet to see what this "getAuthenticationHolder()" is actually doing
          I mean, I suspect this whole code is redundant
          Shouldn't it be just doing User.get(this.descriptor.getHudsonUserName()).impersonate() ?
          <sidnei> kohsuke, and not even ask for a password in the ui? yeah, that would make sense.
          <kohsuke> presumably only the system admin can set this user name parameter anyway
          It doesn't make sense to retain the password.
          I'm suspecting this code predates the impersonate() method, which is new
          but we need kutzi to verify
          <sidnei> makes sense. i'll wait for him.
          <kohsuke> and I need to check the reference JENKINS-5978 and JENKINS-5233 as well
          <jenkins-admin> JENKINS-5978:IRC Configurations Not Available (Resolved) http://jenkins-ci.org/issue/5978
          JENKINS-5233:Jabber plugin options not showing up in configure (Resolved) http://jenkins-ci.org/issue/5233
          <kohsuke> You might consider sending the pull request in with this conversation as a comment.
          I think it might get his reaction faster.

          Sidnei da Silva added a comment - <sidnei> kohsuke, i think i understand what needs to be done to fix that issue, roughly the same as the BasicAuthenticationFilter does? check that the password matches the api token, if yes then return user.impersonate()? <kohsuke> I haven't read the code yet to see what this "getAuthenticationHolder()" is actually doing I mean, I suspect this whole code is redundant Shouldn't it be just doing User.get(this.descriptor.getHudsonUserName()).impersonate() ? <sidnei> kohsuke, and not even ask for a password in the ui? yeah, that would make sense. <kohsuke> presumably only the system admin can set this user name parameter anyway It doesn't make sense to retain the password. I'm suspecting this code predates the impersonate() method, which is new but we need kutzi to verify <sidnei> makes sense. i'll wait for him. <kohsuke> and I need to check the reference JENKINS-5978 and JENKINS-5233 as well <jenkins-admin> JENKINS-5978 :IRC Configurations Not Available (Resolved) http://jenkins-ci.org/issue/5978 JENKINS-5233 :Jabber plugin options not showing up in configure (Resolved) http://jenkins-ci.org/issue/5233 <kohsuke> You might consider sending the pull request in with this conversation as a comment. I think it might get his reaction faster.

          I haven't read all the relevant pieces, so I could be wrong about the intention of this code.

          But if it is to impersonate an existing user (and its groups that it belongs), then I believe User.impersonate() is the right API.

          Kohsuke Kawaguchi added a comment - I haven't read all the relevant pieces, so I could be wrong about the intention of this code. But if it is to impersonate an existing user (and its groups that it belongs), then I believe User.impersonate() is the right API.

          Sent a pull request for a tentative fix. This seems to fix the problem for me.

          https://github.com/jenkinsci/instant-messaging-plugin/pull/4

          Sidnei da Silva added a comment - Sent a pull request for a tentative fix. This seems to fix the problem for me. https://github.com/jenkinsci/instant-messaging-plugin/pull/4

          Code changed in jenkins
          User: Christoph Kutzinski
          Path:
          pom.xml
          src/main/java/hudson/plugins/im/IMConnectionProvider.java
          http://jenkins-ci.org/commit/instant-messaging-plugin/d8b033082963677ee8969b75282316dc01633bb4
          Log:
          JENKINS-11562 we don't need a password or similar token to authenticate as only admins may enter the login name anyway

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Christoph Kutzinski Path: pom.xml src/main/java/hudson/plugins/im/IMConnectionProvider.java http://jenkins-ci.org/commit/instant-messaging-plugin/d8b033082963677ee8969b75282316dc01633bb4 Log: JENKINS-11562 we don't need a password or similar token to authenticate as only admins may enter the login name anyway

          Code changed in jenkins
          User: Christoph Kutzinski
          Path:
          pom.xml
          src/main/java/hudson/plugins/ircbot/IrcPublisher.java
          http://jenkins-ci.org/commit/ircbot-plugin/ae515c9e4fd195ca7f2a5d2624534ea9af29fa7a
          Log:
          JENKINS-11562 we don't need a password or similar token to authenticate as only admins may enter the login name anyway

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Christoph Kutzinski Path: pom.xml src/main/java/hudson/plugins/ircbot/IrcPublisher.java http://jenkins-ci.org/commit/ircbot-plugin/ae515c9e4fd195ca7f2a5d2624534ea9af29fa7a Log: JENKINS-11562 we don't need a password or similar token to authenticate as only admins may enter the login name anyway

          Code changed in jenkins
          User: Christoph Kutzinski
          Path:
          pom.xml
          src/main/java/hudson/plugins/jabber/im/transport/JabberPublisherDescriptor.java
          http://jenkins-ci.org/commit/jabber-plugin/16e1c39592bd803280596d25cc42b48f16b77c1e
          Log:
          JENKINS-11562 we don't need a password or similar token to authenticate as only admins may enter the login name anyway

          SCM/JIRA link daemon added a comment - Code changed in jenkins User: Christoph Kutzinski Path: pom.xml src/main/java/hudson/plugins/jabber/im/transport/JabberPublisherDescriptor.java http://jenkins-ci.org/commit/jabber-plugin/16e1c39592bd803280596d25cc42b48f16b77c1e Log: JENKINS-11562 we don't need a password or similar token to authenticate as only admins may enter the login name anyway

          dogfood added a comment -

          Integrated in plugins_instant-messaging #102
          JENKINS-11562 we don't need a password or similar token to authenticate as only admins may enter the login name anyway

          Christoph Kutzinski :
          Files :

          • src/main/java/hudson/plugins/im/IMConnectionProvider.java
          • pom.xml

          dogfood added a comment - Integrated in plugins_instant-messaging #102 JENKINS-11562 we don't need a password or similar token to authenticate as only admins may enter the login name anyway Christoph Kutzinski : Files : src/main/java/hudson/plugins/im/IMConnectionProvider.java pom.xml

          dogfood added a comment -

          Integrated in plugins_jabber #113
          JENKINS-11562 we don't need a password or similar token to authenticate as only admins may enter the login name anyway

          Christoph Kutzinski :
          Files :

          • pom.xml
          • src/main/java/hudson/plugins/jabber/im/transport/JabberPublisherDescriptor.java

          dogfood added a comment - Integrated in plugins_jabber #113 JENKINS-11562 we don't need a password or similar token to authenticate as only admins may enter the login name anyway Christoph Kutzinski : Files : pom.xml src/main/java/hudson/plugins/jabber/im/transport/JabberPublisherDescriptor.java

          dogfood added a comment -

          Integrated in plugins_ircbot #122
          JENKINS-11562 we don't need a password or similar token to authenticate as only admins may enter the login name anyway

          Christoph Kutzinski :
          Files :

          • pom.xml
          • src/main/java/hudson/plugins/ircbot/IrcPublisher.java

          dogfood added a comment - Integrated in plugins_ircbot #122 JENKINS-11562 we don't need a password or similar token to authenticate as only admins may enter the login name anyway Christoph Kutzinski : Files : pom.xml src/main/java/hudson/plugins/ircbot/IrcPublisher.java

            kutzi kutzi
            sidnei Sidnei da Silva
            Votes:
            0 Vote for this issue
            Watchers:
            0 Start watching this issue

              Created:
              Updated:
              Resolved: