Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-11746

OpenID plugin gives NPE in OpenId Plugin at OpenIdSsoSecurityRealm.doFinishLogin(OpenIdSsoSecurityRealm.java:159)

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Resolved (View Workflow)
    • Priority: Major
    • Resolution: Not A Defect
    • Component/s: openid-plugin
    • Labels:
      None
    • Environment:
      Jenkins LTS 1.409.3 with OpenID plugin 1.4
    • Similar Issues:

      Description

      I've configured the OpenID plugin as SSO, attempting to use it with a Google Apps for Business domain, roughly as follows (in config.xml)

      + <securityRealm class="hudson.plugins.openid.OpenIdSsoSecurityRealm">
      + <endpoint>https://www.google.com/accounts/o8/site-xrds?hd=example.com</endpoint>
      + </securityRealm>

      When attempting to login, Jenkins correctly re-directs me to the Google Apps page for confirmation, but upon completion, I get a null pointer exception in doFinishLogin.

      I can't tell if this is the same as JENKINS-9216.

        Attachments

          Issue Links

            Activity

            Hide
            tomclift Tom Clift added a comment -

            Still exists in 1.486 (OpenID sign-on from URL other than configured "Jenkins URL" causes NullPointerException). Reproduced using "Google Apps SSO (with OpenID)" auth option.

            Show
            tomclift Tom Clift added a comment - Still exists in 1.486 (OpenID sign-on from URL other than configured "Jenkins URL" causes NullPointerException). Reproduced using "Google Apps SSO (with OpenID)" auth option.
            Hide
            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Jesse Glick
            Path:
            src/main/java/hudson/plugins/openid/OpenIdSsoSecurityRealm.java
            http://jenkins-ci.org/commit/openid-plugin/67c3d2d2109e8b815ede6768fb739389e66d7657
            Log:
            JENKINS-11746 At least fail with a descriptive error message, reused from 3686396.

            Show
            scm_issue_link SCM/JIRA link daemon added a comment - Code changed in jenkins User: Jesse Glick Path: src/main/java/hudson/plugins/openid/OpenIdSsoSecurityRealm.java http://jenkins-ci.org/commit/openid-plugin/67c3d2d2109e8b815ede6768fb739389e66d7657 Log: JENKINS-11746 At least fail with a descriptive error message, reused from 3686396.
            Hide
            kohsuke Kohsuke Kawaguchi added a comment -

            This is normally the result of host name mismatch — you access the login page under one host name, then OpenID server redirecting you back to Jenkins on another host name.

            As far as the browser is concerned, those two host names are two different sites, not session cookies get sent, and Jenkins fails to find it.

            Check your Jenkins URL configuration.

            Show
            kohsuke Kohsuke Kawaguchi added a comment - This is normally the result of host name mismatch — you access the login page under one host name, then OpenID server redirecting you back to Jenkins on another host name. As far as the browser is concerned, those two host names are two different sites, not session cookies get sent, and Jenkins fails to find it. Check your Jenkins URL configuration.
            Hide
            tomclift Tom Clift added a comment -

            An error message asking to check configuration would be a good addition.

            Alternatively, would there be any ill effects to automatically redirect users from a non-canonical URLs to the canonical URL?

            E.g. the canonical URL is set to jenkins.example.org, and the user accesses from http://jenkins/ (internally resolvable hostname, trying to authenticate from here will fail), they are automatically redirected to http://jenkins.example.org/ ? If this happened before the user was sent to the OpenID server for authentication, there wouldn't need to be any special handling on the return trip.

            Show
            tomclift Tom Clift added a comment - An error message asking to check configuration would be a good addition. Alternatively, would there be any ill effects to automatically redirect users from a non-canonical URLs to the canonical URL? E.g. the canonical URL is set to jenkins.example.org, and the user accesses from http://jenkins/ (internally resolvable hostname, trying to authenticate from here will fail), they are automatically redirected to http://jenkins.example.org/ ? If this happened before the user was sent to the OpenID server for authentication, there wouldn't need to be any special handling on the return trip.
            Hide
            jglick Jesse Glick added a comment -

            An error message asking to check configuration would be a good addition.

            I think 67c3d2d accomplishes just that:

            Unable to find an on-going OpenID session. Could it be that you have multiple host names for your Jenkins and you started the authentication in one host name and landed back on another? If so configure the correct Jenkins root URL so that those two host names will be the same

            Show
            jglick Jesse Glick added a comment - An error message asking to check configuration would be a good addition. I think 67c3d2d accomplishes just that: Unable to find an on-going OpenID session. Could it be that you have multiple host names for your Jenkins and you started the authentication in one host name and landed back on another? If so configure the correct Jenkins root URL so that those two host names will be the same

              People

              Assignee:
              kohsuke Kohsuke Kawaguchi
              Reporter:
              sit Emil Sit
              Votes:
              3 Vote for this issue
              Watchers:
              7 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved: