
Unable to find on-going openID session in one browser, not in the other one.

    • Type: Bug
    • Resolution: Unresolved
    • Priority: Major
    • openid-plugin
    • None
    • jenkins 1.532.3, openid 1.8

      After a jenkins core + plugins upgrade a few weeks ago, OpenId started failing with

      "Unable to find an on-going OpenID session. Could it be that you have multiple host names for your Jenkins and you started the authentication in one host name and landed back on another? If so configure the correct Jenkins root URL so that those two host names will be the same"

      I can log in properly when using a different browser so I doubt the problem is configuration only.

      On my main browser, I use 2 different gmail accounts simultaneously, on 2 different tabs (personal & company). Jenkins/openid is attached to the company one. Maybe the issue is caused by that. Or by cookies. I will try to clear things up a bit, downgrade the plugin etc.

          [JENKINS-22709] Unable to find on-going openID session in one browser, not in the other one.

          lacostej added a comment -

          After clearing my cookies, the login worked again.

          The first time I managed to log in again, it hit another issue though:

          javax.servlet.ServletException: org.openid4java.message.MessageException: 0x100: Required parameter missing: openid.mode
          	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:778)
          	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
          	at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:210)
          	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
          	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
          	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:858)
          	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:631)
          	at org.kohsuke.stapler.Stapler.service(Stapler.java:225)
          	at javax.servlet.http.HttpServlet.service(HttpServlet.java:45)
          	at winstone.ServletConfiguration.execute(ServletConfiguration.java:248)
          	at winstone.RequestDispatcher.forward(RequestDispatcher.java:333)
          	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:376)
          	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:96)
          	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:88)
          	at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
          	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
          	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:48)
          	at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
          	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84)
          	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:174)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at jenkins.security.ApiTokenFilter.doFilter(ApiTokenFilter.java:79)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249)
          	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67)
          	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87)
          	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:76)
          	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:164)
          	at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
          	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
          	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:46)
          	at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
          	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
          	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:81)
          	at winstone.FilterConfiguration.execute(FilterConfiguration.java:194)
          	at winstone.RequestDispatcher.doFilter(RequestDispatcher.java:366)
          	at winstone.RequestDispatcher.forward(RequestDispatcher.java:331)
          	at winstone.RequestHandlerThread.processRequest(RequestHandlerThread.java:227)
          	at winstone.RequestHandlerThread.run(RequestHandlerThread.java:150)
          	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:471)
          	at java.util.concurrent.FutureTask.run(FutureTask.java:262)
          	at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77)
          	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
          	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
          	at java.lang.Thread.run(Thread.java:744)
          Caused by: org.openid4java.message.MessageException: 0x100: Required parameter missing: openid.mode
          	at org.openid4java.message.Message.validate(Message.java:188)
          	at org.openid4java.message.AuthSuccess.validate(AuthSuccess.java:400)
          	at org.openid4java.message.AuthSuccess.createAuthSuccess(AuthSuccess.java:117)
          	at org.openid4java.consumer.ConsumerManager.verify(ConsumerManager.java:1146)
          	at hudson.plugins.openid.OpenIdSession.doFinishLogin(OpenIdSession.java:111)
          	at hudson.plugins.openid.OpenIdSsoSecurityRealm.doFinishLogin(OpenIdSsoSecurityRealm.java:203)
          	at sun.reflect.GeneratedMethodAccessor718.invoke(Unknown Source)
          	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          	at java.lang.reflect.Method.invoke(Method.java:606)
          	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:298)
          	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:161)
          	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:96)
          	at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:120)
          	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:53)
          	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:728)
          	... 55 more
          

          And now everything is fine. We should probably close the issue. I'll let the maintainer add a word in case he has some insight on what could have gone wrong.


          Christian Höltje added a comment -

          I'm betting the missing openid.mode is due to you having the wrong URL configured in System Config -> Jenkins Location. (e.g. http instead of https).

          Ben Walding added a comment - - edited

          I see this all the time in the Jenkins (1.580) - where I use Google OpenID.

          My current observations that might help narrow down the problem:

          • it occurs after a period of inactivity (e.g. a backend tomcat session timing out?) - I see it multiple times per day
          • refreshing the page once you see this error doesn't help as IIRC you are redirected to a hashed signature URL or something like that
          • browsing to / on the Jenkins shows you as logged in - next time I see it I will check if there is an OpenID dance occurring when I navigate (via changing the URL in address bar) - I suspect this is why the reporter is saying that opening a second browser fixes it - the problem is intimately linked to the session and the redirected url.
          • it happens A LOT (multiple times per day) - seems to be worse in 1.580 than previously
          • the OpenID plugin is flaky - it fails with weird class not found exceptions when the OpenID provider sends bad status codes - this is just an observation - probably not relevant to the ticket at hand.


          Ben Walding added a comment - - edited

          Followup to previous comment - seeing this in 1.609

          If I see this error message, then browse to / on the Jenkins instance, then an OpenID login protocol starts - jumping across to our OpenID server and then back again.

          Reloading the broken finishLogin URL - "https://<HOST>/securityRealm/finishLogin?..." - fails - presumably because the Jenkins server and the browser disagree on state at this point.

          I'm not forced to log in again as my OpenID login on the OpenID server is still current - so it is just a momentary failure. It does however interrupt my work as I have to browse to /, and then find whatever job I was looking at.

          My gut feeling is that Jenkins is forcing the OpenID redirect to start at the same time the session is expiring - and during this process the OpenID state is getting confused.
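
          The failure modes raised in this thread (a different host name, an expired session, a reloaded finishLogin URL, a callback without openid.mode) can be reproduced in a small Python model of a server that keeps the pending OpenID handshake in the HTTP session. This is an added example, not part of the original issue and not the openid plugin's code; `ToyRelyingParty`, the host names, the timeout value and the single-use handshake are assumptions of the model.

```python
import secrets

IDLE_TIMEOUT = 1800  # seconds; constructed value for the container's session timeout

class ToyRelyingParty:
    """Model of a server that keeps the pending OpenID handshake in the HTTP session."""

    def __init__(self, root_host):
        self.root_host = root_host   # host part of the configured root URL
        self.sessions = {}           # session id -> {"seen": time, "pending": handle}

    def _lookup(self, jar, host, now):
        # A browser only sends the cookie it stored for this exact host.
        session = self.sessions.get(jar.get(host))
        if session and now - session["seen"] > IDLE_TIMEOUT:
            session = None           # the container has expired it
        return session

    def start_login(self, jar, host, now):
        sid = secrets.token_hex(16)
        jar[host] = sid              # the cookie is scoped to the host that was visited
        self.sessions[sid] = {"seen": now, "pending": secrets.token_hex(8)}
        return self.root_host        # return_to is built from the configured root URL

    def finish_login(self, jar, host, params, now):
        session = self._lookup(jar, host, now)
        if session is None or session["pending"] is None:
            return "no on-going OpenID session"
        if "openid.mode" not in params:
            return "required parameter missing: openid.mode"
        session["pending"], session["seen"] = None, now   # handshake is single-use here
        return "logged in"

def run_scenarios():
    ok = {"openid.mode": "id_res"}   # constructed provider response
    out = {}

    rp, jar = ToyRelyingParty("jenkins.example.test"), {}
    back = rp.start_login(jar, "jenkins.example.test", now=0)
    out["same host"] = rp.finish_login(jar, back, ok, now=5)
    out["reload finishLogin"] = rp.finish_login(jar, back, ok, now=6)

    rp, jar = ToyRelyingParty("jenkins.example.test"), {}
    back = rp.start_login(jar, "jenkins", now=0)           # short host name used
    out["other host"] = rp.finish_login(jar, back, ok, now=5)

    rp, jar = ToyRelyingParty("jenkins.example.test"), {}
    back = rp.start_login(jar, "jenkins.example.test", now=0)
    out["expired"] = rp.finish_login(jar, back, ok, now=IDLE_TIMEOUT + 1)

    rp, jar = ToyRelyingParty("jenkins.example.test"), {}
    back = rp.start_login(jar, "jenkins.example.test", now=0)
    out["no mode"] = rp.finish_login(jar, back, {}, now=5)
    return out
```

          In the model, every case except the first ends in one of the two errors quoted in this issue, and a fresh start of the login is the only way out of the "no session" cases, since repeating the callback changes nothing.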


            kohsuke Kohsuke Kawaguchi
            lacostej lacostej