  1. Jenkins
  2. JENKINS-16463

OpenID plugin does not work when Jenkins run behind apache2 + SSL

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not A Defect
    • Component/s: openid-plugin
    • Labels:
      None
    • Environment:
      Ubuntu
      Description

      Jenkins runs fine standalone with OpenID as the security realm, but Jenkins starts giving issues when it runs behind apache2 (SSL) and OpenID is enabled.

      Instead of going to the Apache URL, it redirects to the original Jenkins URL and fails to launch.

      For example, when Jenkins runs behind the proxy it redirects to https://build.xyx/jenkins, but when OpenID is enabled it goes to http://ip_address:8080/jenkins and fails to launch.

      When I try to use OpenID SSO as the security realm in Jenkins and use the provider URL https://www.google.com/accounts/o8/id, I get the error below while launching Jenkins:

      http://IP:8080/jenkins/securityRealm/finishLogin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-01-25T05%3A27%3A23ZHqUBL2t2TULPjQ&openid.return_to=http%3A%2F%2FIP%3A8080%2Fjenkins%2FsecurityRealm%2FfinishLogin&openid.assoc_handle=AMlYA9Wdp9pT9NLHLYeMhEF0KYu4mQW5lFaniafOkn6leUUrn8_X_k8LsDfJuw16gU_tX2Zy&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.email%2Cext1.value.email%2Cext1.type.firstName%2Cext1.value.firstName%2Cext1.type.lastName%2Cext1.value.lastName&openid.sig=5KqqDrmYfcWCw8%2B92YcMH9t48qSrs3hqt%2BYhIbVUkhU%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext1.value.email=pardeep.chahal%40hcentive.com&openid.ext1.type.firstName=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.firstName=Pardeep&openid.ext1.type.lastName=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.lastName=Chahal

      I have installed version 1.480.2 of Jenkins.

      Original URL of Jenkins - http://hostIP:8080/jenkins
      When accessed via Apache - https://dns_name/jenkins

      Examining the code of openIDsession.java, it looks like the receivingURL is being pulled from the deployed and not from the URL which was sent. Changing String receivingURL = Hudson.getInstance().getRootUrl() + this.finishUrl would likely solve the problem.

      It worked fine after I mentioned my company domain name.

      Let me know if further details are required.

      Please suggest how to overcome this issue.

          Activity

          kohsuke Kohsuke Kawaguchi added a comment -

          The problem is that you didn't set the Jenkins root URL correctly. Jenkins needs to know the URL people access it with, or else things like this will not work.
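
A diagnostic for the root URL problem named in the comment above, as an added example that is not part of the original issue or the plugin's code: it reads openid.return_to from a callback URL and compares it with the URL users actually reach Jenkins at. The host names, sample URLs and function names are constructed for illustration; only the securityRealm/finishLogin path comes from the URL in the report.

```python
from urllib.parse import urlsplit, parse_qs

DEFAULT_PORTS = {"http": 80, "https": 443}
FINISH_PATH = "securityRealm/finishLogin"  # path seen in the reported URL

# Constructed sample data (documentation address and .test host, not real systems).
PUBLIC_ROOT = "https://build.example.test/jenkins/"
BAD_CALLBACK = (
    "http://192.0.2.10:8080/jenkins/securityRealm/finishLogin"
    "?openid.mode=id_res"
    "&openid.return_to=http%3A%2F%2F192.0.2.10%3A8080%2Fjenkins"
    "%2FsecurityRealm%2FfinishLogin"
)
GOOD_CALLBACK = (
    "https://build.example.test/jenkins/securityRealm/finishLogin"
    "?openid.mode=id_res"
    "&openid.return_to=https%3A%2F%2Fbuild.example.test%3A443%2Fjenkins"
    "%2FsecurityRealm%2FfinishLogin"
)


def _normalize(url):
    """Return (scheme, host, port, path) with default ports made explicit."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, (parts.hostname or "").lower(), port, parts.path.rstrip("/")


def check_return_to(callback_url, public_root_url):
    """List the differences between openid.return_to and the public URL.

    An empty list means the return address matches what the proxy serves.
    """
    values = parse_qs(urlsplit(callback_url).query).get("openid.return_to")
    if not values:
        return ["callback has no openid.return_to parameter"]
    expected = public_root_url.rstrip("/") + "/" + FINISH_PATH
    got, want = _normalize(values[0]), _normalize(expected)
    names = ("scheme", "host", "port", "path")
    return [
        f"{name}: return_to has {g!r}, public URL implies {w!r}"
        for name, g, w in zip(names, got, want)
        if g != w
    ]


if __name__ == "__main__":
    for line in check_return_to(BAD_CALLBACK, PUBLIC_ROOT):
        print(line)
```

Any reported difference means the return address was built from something other than the proxy-facing URL, which is the symptom described in this issue.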

          pardeep Pardeep Chahal added a comment -

          Working fine now. But I got a new requirement.
          All logged-in users should have read-only permissions and a few selected users can have job-creator access.

          Now all users from Google Apps can log in, but I need to provide them read-only permission, which is not a good idea.

          Is it possible that all logged-in users will have read-only permission by default?


            People

            Assignee:
            kohsuke Kohsuke Kawaguchi
            Reporter:
            pardeep Pardeep Chahal
            Votes:
            0
            Watchers:
            2
