
OpenID SSO should use POST to submit details to google apps endpoint

    • Bug
    • Resolution: Unresolved
    • Major
    • openid-plugin
    • None

      When you have more than roughly 33 Google accounts (cross domains) able to access your Jenkins installation, you hit Google's maximum URL length when the browser is instructed to redirect to the OpenID endpoint.

      According to http://stackoverflow.com/questions/4957435/got-414-request-uri-too-large-from-google-when-authenticating-using-spring-secur the correct thing to do is POST the data from the browser rather than redirect with it all in the query string.

      I have half an implementation of this here. I will update this if I ever get it working correctly.
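
An added example (not code from the openid-plugin or from this issue) of the choice the description asks for: build the authentication request parameters once, redirect with GET only while the resulting URL stays short, and otherwise return an auto-submitting form so the browser POSTs them. The endpoint, return URL, extension parameter name, addresses and the 2048-character ceiling are constructed assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.stream.Collectors;

public class OpenIdRedirectChoice {
    static final int MAX_GET_URL = 2048; // assumed ceiling; the issue gives no exact figure

    // GET redirect: every parameter, including the whole name list, lands in the URL.
    static String asGetUrl(String endpoint, Map<String, String> params) {
        return endpoint + "?" + params.entrySet().stream()
            .map(e -> enc(e.getKey()) + "=" + enc(e.getValue()))
            .collect(Collectors.joining("&"));
    }

    // Same parameters as an auto-submitting form (OpenID 2.0 HTML FORM redirection).
    static String asPostForm(String endpoint, Map<String, String> params) {
        StringBuilder html = new StringBuilder("<html><body onload=\"document.forms[0].submit()\">")
            .append("<form method=\"post\" action=\"").append(esc(endpoint)).append("\">");
        params.forEach((k, v) -> html.append("<input type=\"hidden\" name=\"").append(esc(k))
            .append("\" value=\"").append(esc(v)).append("\"/>"));
        return html.append("<noscript><input type=\"submit\" value=\"Continue\"/></noscript>")
            .append("</form></body></html>").toString();
    }
    static String enc(String s) { return URLEncoder.encode(s, StandardCharsets.UTF_8); }

    // Escape attribute values so a name from the matrix cannot break out of the markup.
    static String esc(String s) {
        return s.replace("&", "&amp;").replace("\"", "&quot;").replace("<", "&lt;").replace(">", "&gt;");
    }

    public static void main(String[] args) {
        for (int users : new int[] {5, 200}) {
            Map<String, String> p = new LinkedHashMap<>();
            p.put("openid.ns", "http://specs.openid.net/auth/2.0");
            p.put("openid.mode", "checkid_setup");
            p.put("openid.claimed_id", "http://specs.openid.net/auth/2.0/identifier_select");
            p.put("openid.identity", "http://specs.openid.net/auth/2.0/identifier_select");
            p.put("openid.return_to", "https://jenkins.example/openid/return"); // constructed
            p.put("openid.realm", "https://jenkins.example/");                  // constructed
            StringBuilder names = new StringBuilder(); // constructed addresses
            for (int i = 0; i < users; i++) names.append(i > 0 ? "," : "").append("user" + i + "@dept.example");
            p.put("openid.ext1.names", names.toString()); // placeholder extension parameter
            String url = asGetUrl("https://op.example/auth", p);
            System.out.printf("%d names: URL %d chars -> %s%n", users, url.length(), url.length() > MAX_GET_URL
                ? "POST form, " + asPostForm("https://op.example/auth", p).length() + " chars" : "302 redirect");
        }
    }
}
```

With the POST form the parameters travel in the request body, so the request line no longer grows with the number of names in the security matrix.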

          [JENKINS-14843] OpenID SSO should use POST to submit details to google apps endpoint

          Open English Infrastructure Team added a comment -

          Is there any chance this bug could be fixed soon? Thanks.

          Pardeep Chahal added a comment -

          I am also stuck with the same issue. We are using Jenkins + Google Apps OpenID. When we reach a critical mass of users added to different projects, the URL becomes too large and Google throws a fit with a 404 URL is too large error. The URL contains every single email address that has been added to the security, and if I cut some out, the process works correctly. We are using project-based security matrix.

          Please suggest how to solve the problem.

          brian masson added a comment -

          I've now hit the same issue - can you provide what you've got so far, in case someone else can pick it up and get this solved?


          William Whittle added a comment -

          This has just hit my environment too. It was OK previously, but from about 10 minutes ago I've been getting a 414 error from Google saying the URI was too long. I had just added a large number of users to the matrix-based security, so that matches what others have seen.

          William Whittle added a comment -

          To change to use POST looks much too invasive a change. I've submitted a pull request that tries to avoid the issue by allowing the OpenID Team extension not to be used, and hard-coded not to be used with Google, which doesn't seem to support it anyway.

          https://github.com/jenkinsci/openid-plugin/pull/4

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          src/main/java/hudson/plugins/openid/impl/TeamsExtension.java
          http://jenkins-ci.org/commit/openid-plugin/e5bf3e92ca99e095565510ea8504b3c0debba99f
          Log:
          JENKINS-14843

          We can't merge the proposed patch as is, and we should switch to POST if that's what has to happen.
          In the meantime, at least provide an escape hatch to allow people to bypass the team extension.

          Run Jenkins with -Dhudson.plugins.openid.impl.TeamsExtension.disable=true to disable the team extension.

          John Engelman added a comment -

          Just tried to disable using the property and there is a missing '.' in the code that looks up the property. Using the malformed -Dhudson.plugins.openid.impl.TeamsExtensiondisable=true does work though.


          Tomas Brambora added a comment -

          John E. is right.

          rogerhu added a comment -

          It must be declared before the .jar file is invoked, so for Ubuntu it needs to be defined as JAVA_ARGS in /etc/default/jenkins:

          JAVA_ARGS="-Dhudson.plugins.openid.impl.TeamsExtensiondisable=true"
          JENKINS_ARGS="--webroot=/var/cache/jenkins/war --httpPort=$HTTP_PORT --ajp13Port=$AJP_PORT"


          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Stephen Connolly
          Path:
          src/main/java/hudson/plugins/openid/OpenIdExtension.java
          src/main/java/hudson/plugins/openid/OpenIdSsoSecurityRealm.java
          http://jenkins-ci.org/commit/openid-plugin/e0c69e3cf3367eca7bff4e6279540e97455f42c0
          Log:
          JENKINS-14843 Allow extensions to determine whether it is appropriate for specific security realms

            Kohsuke Kawaguchi
            blongden
            Votes: 7
            Watchers: 14