• Type: Bug
• Resolution: Not A Defect
• Priority: Major
• Component/s: openid-plugin
• Labels:

  None
• Environment:

  Ubuntu

[JENKINS-16463] OpenID plugin does not work when Jenkins run behind apache2 + SSL

Pardeep Chahal created issue - 2013-01-24 08:26

Pardeep Chahal made changes - 2013-01-25 05:33

Description

Original: OpenID (Google Apps) works fine when Jenkins runs standalone but it starts giving issues when run behind apache2 (ssl). Standard security works fine in Jenkins even behind apache2 but when I enable openID and try to launch Jenkins from apache it gives below error: Instead of going on apache URL it redirects to Jenkins original URL and failed to launch. Integration of openID with Jenkins was one reason we migrated from Hudson to Jenkins. Please suggest how to overcome this issue.

New: Jenkins runs fine standalone with openID as security realm but Jenkins starts giving issues when it runs behind apache2 (ssl)and openID is enabled. Instead of going to apache URL it redirects to Jenkins original URL and failed to launch. for example when Jenkins runs behind proxy it redirects to https://build.xyx/jenkins but when open ID is enabled it goes to http://ip_address:8080/jenkins and failed to launch. When I try to use openID SSO as security realm in Jenkins and use provider url as - https://www.google.com/accounts/o8/id, I get below error while launching Jenkins - http://IP:8080/jenkins/securityRealm/finishLogin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-01-25T05%3A27%3A23ZHqUBL2t2TULPjQ&openid.return_to=http%3A%2F%2FIP%3A8080%2Fjenkins%2FsecurityRealm%2FfinishLogin&openid.assoc_handle=AMlYA9Wdp9pT9NLHLYeMhEF0KYu4mQW5lFaniafOkn6leUUrn8_X_k8LsDfJuw16gU_tX2Zy&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.email%2Cext1.value.email%2Cext1.type.firstName%2Cext1.value.firstName%2Cext1.type.lastName%2Cext1.value.lastName&openid.sig=5KqqDrmYfcWCw8%2B92YcMH9t48qSrs3hqt%2BYhIbVUkhU%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext1.value.email=pardeep.chahal%40hcentive.com&openid.ext1.type.firstName=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.firstName=Pardeep&openid.ext1.type.lastName=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.lastName=Chahal I have installed 1.480.2 version of jenkins Please suggest how to overcome this issue.

Pardeep Chahal made changes - 2013-01-25 05:42

Description	Original: Jenkins runs fine standalone with openID as security realm but Jenkins starts giving issues when it runs behind apache2 (ssl)and openID is enabled. Instead of going to apache URL it redirects to Jenkins original URL and failed to launch. for example when Jenkins runs behind proxy it redirects to https://build.xyx/jenkins but when open ID is enabled it goes to http://ip_address:8080/jenkins and failed to launch. When I try to use openID SSO as security realm in Jenkins and use provider url as - https://www.google.com/accounts/o8/id, I get below error while launching Jenkins - http://IP:8080/jenkins/securityRealm/finishLogin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-01-25T05%3A27%3A23ZHqUBL2t2TULPjQ&openid.return_to=http%3A%2F%2FIP%3A8080%2Fjenkins%2FsecurityRealm%2FfinishLogin&openid.assoc_handle=AMlYA9Wdp9pT9NLHLYeMhEF0KYu4mQW5lFaniafOkn6leUUrn8_X_k8LsDfJuw16gU_tX2Zy&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.email%2Cext1.value.email%2Cext1.type.firstName%2Cext1.value.firstName%2Cext1.type.lastName%2Cext1.value.lastName&openid.sig=5KqqDrmYfcWCw8%2B92YcMH9t48qSrs3hqt%2BYhIbVUkhU%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext1.value.email=pardeep.chahal%40hcentive.com&openid.ext1.type.firstName=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.firstName=Pardeep&openid.ext1.type.lastName=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.lastName=Chahal I have installed 1.480.2 version of jenkins Please suggest how to overcome this issue.	New: Jenkins runs fine standalone with openID as security realm but Jenkins starts giving issues when it runs behind apache2 (ssl)and openID is enabled. Instead of going to apache URL it redirects to Jenkins original URL and failed to launch. for example when Jenkins runs behind proxy it redirects to https://build.xyx/jenkins but when open ID is enabled it goes to http://ip_address:8080/jenkins and failed to launch. When I try to use openID SSO as security realm in Jenkins and use provider url as - https://www.google.com/accounts/o8/id, I get below error while launching Jenkins - http://IP:8080/jenkins/securityRealm/finishLogin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-01-25T05%3A27%3A23ZHqUBL2t2TULPjQ&openid.return_to=http%3A%2F%2FIP%3A8080%2Fjenkins%2FsecurityRealm%2FfinishLogin&openid.assoc_handle=AMlYA9Wdp9pT9NLHLYeMhEF0KYu4mQW5lFaniafOkn6leUUrn8_X_k8LsDfJuw16gU_tX2Zy&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.email%2Cext1.value.email%2Cext1.type.firstName%2Cext1.value.firstName%2Cext1.type.lastName%2Cext1.value.lastName&openid.sig=5KqqDrmYfcWCw8%2B92YcMH9t48qSrs3hqt%2BYhIbVUkhU%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext1.value.email=pardeep.chahal%40hcentive.com&openid.ext1.type.firstName=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.firstName=Pardeep&openid.ext1.type.lastName=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.lastName=Chahal I have installed 1.480.2 version of jenkins Orginial URL of Jenkins - http://hostIP:8080/jenkins When access via apache - https://dns_name/jenkis Let me know if further details are required Please suggest how to overcome this issue.
Due Date	Original: 2013-01-25

Pardeep Chahal made changes - 2013-01-25 06:42

Description

Original: Jenkins runs fine standalone with openID as security realm but Jenkins starts giving issues when it runs behind apache2 (ssl)and openID is enabled. Instead of going to apache URL it redirects to Jenkins original URL and failed to launch. for example when Jenkins runs behind proxy it redirects to https://build.xyx/jenkins but when open ID is enabled it goes to http://ip_address:8080/jenkins and failed to launch. When I try to use openID SSO as security realm in Jenkins and use provider url as - https://www.google.com/accounts/o8/id, I get below error while launching Jenkins - http://IP:8080/jenkins/securityRealm/finishLogin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-01-25T05%3A27%3A23ZHqUBL2t2TULPjQ&openid.return_to=http%3A%2F%2FIP%3A8080%2Fjenkins%2FsecurityRealm%2FfinishLogin&openid.assoc_handle=AMlYA9Wdp9pT9NLHLYeMhEF0KYu4mQW5lFaniafOkn6leUUrn8_X_k8LsDfJuw16gU_tX2Zy&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.email%2Cext1.value.email%2Cext1.type.firstName%2Cext1.value.firstName%2Cext1.type.lastName%2Cext1.value.lastName&openid.sig=5KqqDrmYfcWCw8%2B92YcMH9t48qSrs3hqt%2BYhIbVUkhU%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext1.value.email=pardeep.chahal%40hcentive.com&openid.ext1.type.firstName=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.firstName=Pardeep&openid.ext1.type.lastName=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.lastName=Chahal I have installed 1.480.2 version of jenkins Orginial URL of Jenkins - http://hostIP:8080/jenkins When access via apache - https://dns_name/jenkis Let me know if further details are required Please suggest how to overcome this issue.

New: Jenkins runs fine standalone with openID as security realm but Jenkins starts giving issues when it runs behind apache2 (ssl)and openID is enabled. Instead of going to apache URL it redirects to Jenkins original URL and failed to launch. for example when Jenkins runs behind proxy it redirects to https://build.xyx/jenkins but when open ID is enabled it goes to http://ip_address:8080/jenkins and failed to launch. When I try to use openID SSO as security realm in Jenkins and use provider url as - https://www.google.com/accounts/o8/id, I get below error while launching Jenkins - http://IP:8080/jenkins/securityRealm/finishLogin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-01-25T05%3A27%3A23ZHqUBL2t2TULPjQ&openid.return_to=http%3A%2F%2FIP%3A8080%2Fjenkins%2FsecurityRealm%2FfinishLogin&openid.assoc_handle=AMlYA9Wdp9pT9NLHLYeMhEF0KYu4mQW5lFaniafOkn6leUUrn8_X_k8LsDfJuw16gU_tX2Zy&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.email%2Cext1.value.email%2Cext1.type.firstName%2Cext1.value.firstName%2Cext1.type.lastName%2Cext1.value.lastName&openid.sig=5KqqDrmYfcWCw8%2B92YcMH9t48qSrs3hqt%2BYhIbVUkhU%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext1.value.email=pardeep.chahal%40hcentive.com&openid.ext1.type.firstName=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.firstName=Pardeep&openid.ext1.type.lastName=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.lastName=Chahal I have installed 1.480.2 version of jenkins Orginial URL of Jenkins - http://hostIP:8080/jenkins When access via apache - https://dns_name/jenkins Examining the code of openIDsession.java, it looks like the receivingURL is being pulled from the deployed and not from the url which was sent. Changing( String receivingURL = Hudson.getInstance().getRootUrl() + this.finishUrl;) would likely solve the problem. Let me know if further details are required Please suggest how to overcome this issue.

Pardeep Chahal made changes - 2013-01-28 07:47

Fix Version/s		New: current [ 10162 ]
Description	Original: Jenkins runs fine standalone with openID as security realm but Jenkins starts giving issues when it runs behind apache2 (ssl)and openID is enabled. Instead of going to apache URL it redirects to Jenkins original URL and failed to launch. for example when Jenkins runs behind proxy it redirects to https://build.xyx/jenkins but when open ID is enabled it goes to http://ip_address:8080/jenkins and failed to launch. When I try to use openID SSO as security realm in Jenkins and use provider url as - https://www.google.com/accounts/o8/id, I get below error while launching Jenkins - http://IP:8080/jenkins/securityRealm/finishLogin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-01-25T05%3A27%3A23ZHqUBL2t2TULPjQ&openid.return_to=http%3A%2F%2FIP%3A8080%2Fjenkins%2FsecurityRealm%2FfinishLogin&openid.assoc_handle=AMlYA9Wdp9pT9NLHLYeMhEF0KYu4mQW5lFaniafOkn6leUUrn8_X_k8LsDfJuw16gU_tX2Zy&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.email%2Cext1.value.email%2Cext1.type.firstName%2Cext1.value.firstName%2Cext1.type.lastName%2Cext1.value.lastName&openid.sig=5KqqDrmYfcWCw8%2B92YcMH9t48qSrs3hqt%2BYhIbVUkhU%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext1.value.email=pardeep.chahal%40hcentive.com&openid.ext1.type.firstName=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.firstName=Pardeep&openid.ext1.type.lastName=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.lastName=Chahal I have installed 1.480.2 version of jenkins Orginial URL of Jenkins - http://hostIP:8080/jenkins When access via apache - https://dns_name/jenkins Examining the code of openIDsession.java, it looks like the receivingURL is being pulled from the deployed and not from the url which was sent. Changing( String receivingURL = Hudson.getInstance().getRootUrl() + this.finishUrl;) would likely solve the problem. Let me know if further details are required Please suggest how to overcome this issue.	New: Jenkins runs fine standalone with openID as security realm but Jenkins starts giving issues when it runs behind apache2 (ssl)and openID is enabled. Instead of going to apache URL it redirects to Jenkins original URL and failed to launch. for example when Jenkins runs behind proxy it redirects to https://build.xyx/jenkins but when open ID is enabled it goes to http://ip_address:8080/jenkins and failed to launch. When I try to use openID SSO as security realm in Jenkins and use provider url as - https://www.google.com/accounts/o8/id, I get below error while launching Jenkins - http://IP:8080/jenkins/securityRealm/finishLogin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.mode=id_res&openid.op_endpoint=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fud&openid.response_nonce=2013-01-25T05%3A27%3A23ZHqUBL2t2TULPjQ&openid.return_to=http%3A%2F%2FIP%3A8080%2Fjenkins%2FsecurityRealm%2FfinishLogin&openid.assoc_handle=AMlYA9Wdp9pT9NLHLYeMhEF0KYu4mQW5lFaniafOkn6leUUrn8_X_k8LsDfJuw16gU_tX2Zy&openid.signed=op_endpoint%2Cclaimed_id%2Cidentity%2Creturn_to%2Cresponse_nonce%2Cassoc_handle%2Cns.ext1%2Cext1.mode%2Cext1.type.email%2Cext1.value.email%2Cext1.type.firstName%2Cext1.value.firstName%2Cext1.type.lastName%2Cext1.value.lastName&openid.sig=5KqqDrmYfcWCw8%2B92YcMH9t48qSrs3hqt%2BYhIbVUkhU%3D&openid.identity=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.claimed_id=https%3A%2F%2Fwww.google.com%2Faccounts%2Fo8%2Fid%3Fid%3DAItOawmqs8g_JhXH7jDfZbzyHlaKbglun-1_grQ&openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0&openid.ext1.mode=fetch_response&openid.ext1.type.email=http%3A%2F%2Fschema.openid.net%2Fcontact%2Femail&openid.ext1.value.email=pardeep.chahal%40hcentive.com&openid.ext1.type.firstName=http%3A%2F%2Faxschema.org%2FnamePerson%2Ffirst&openid.ext1.value.firstName=Pardeep&openid.ext1.type.lastName=http%3A%2F%2Faxschema.org%2FnamePerson%2Flast&openid.ext1.value.lastName=Chahal I have installed 1.480.2 version of jenkins Orginial URL of Jenkins - http://hostIP:8080/jenkins When access via apache - https://dns_name/jenkins Examining the code of openIDsession.java, it looks like the receivingURL is being pulled from the deployed and not from the url which was sent. Changing( String receivingURL = Hudson.getInstance().getRootUrl() + this.finishUrl;) would likely solve the problem. It worked fine after I mentioned my company domain name Let me know if further details are required Please suggest how to overcome this issue.

Kohsuke Kawaguchi made changes - 2013-11-27 19:24

Resolution		New: Not A Defect [ 7 ]
Status	Original: Open [ 1 ]	New: Resolved [ 5 ]

R. Tyler Croy made changes - 2016-07-25 23:55

Workflow

Original: JNJira [ 147285 ]

New: JNJira + In-Review [ 192319 ]