-
Task
-
Resolution: Fixed
-
Major
-
None
Google is going to shutdown its OpenID endpoint in April 2015.
As the base protocol appears to have nothing to do with OpenID, such a new feature probably needs to be implemented in a separate plugin, and OpenID plugin would have to be updated to direct users to the new plugin.
This needs to be done sooner because if an user fails to update their plugin by then, they'd lose the ability to login, which makes the update very difficult.
- duplicates
-
JENKINS-24974 OpenId with Google Apps stopped working in jenkins 1.565.3
-
- Resolved
-
[JENKINS-23431] Google is phasing out OpenID endpoint. Need to move on to G+ sign-in
Thomas Einwaller
added a comment - do you really need to move to G+ sign-in or would migrating to OAuth 2.0 login (OpenID Connect) be an alternative?
Thomas Einwaller
added a comment - do you really need to move to G+ sign-in or would migrating to OAuth 2.0 login (OpenID Connect) be an alternative? 
Ray Sennewald
added a comment - We currently use the OpenID plugin at my organization with Google Apps and I'm unable to create a new Jenkins server and have it authenticate with Google Apps SSO as its already been shutdown to allow new registrations as of April 2014. Do we have any ETA on when this may be worked out, or any other alternative for people who are in the same boat as I am?
Ray Sennewald
added a comment - We currently use the OpenID plugin at my organization with Google Apps and I'm unable to create a new Jenkins server and have it authenticate with Google Apps SSO as its already been shutdown to allow new registrations as of April 2014. Do we have any ETA on when this may be worked out, or any other alternative for people who are in the same boat as I am? 
Karthik T
added a comment - Would like to add support to what Ray said, even I am facing this.. Is there a way to get the OpenID provider to work instead?
Karthik T
added a comment - Would like to add support to what Ray said, even I am facing this.. Is there a way to get the OpenID provider to work instead? I would prefer having OpenID Connect working. This seems to be the future in OpenID.
Has anyone who is watching this ticket done any research into a solution? If not, I can try to do some. As Kohsuke points out, if we don't get a solution in place early enough, people will end up locked out of their Jenkins installs and working around that is annoying. Let's try to collaborate on a solution so we don't all get burned.
Ray Sennewald
added a comment - Is it safe to look to implement OpenID Connect here? 
John Burrows
added a comment - Kohsuke Kawaguchi added a comment - 13/Jun/14 5:45 PM
I looked at the doc a bit, and the new scheme seems to require a client ID and secret. I wonder if it means every Jenkins instance needs to be registered separately.
From what I can gather, every Jenkins instance was registered separately already using the deprecated method of authentication. That is the reason that OpenID fails to work with new Jenkins instances when set to Google Apps and your google domain, Google shut off new server registrations in April 2014.
Also, from what I have read, changing the current authentication method to G+ in the code should resolve the issue as the authentication will then register the Jenkins instance (server) with Google and again allow SSO usage.
Unfortunately I am not a java coder, otherwise I would try to do this myself, as it is I have an internal developer at my company trying to do just that, but he is also having issues as he is not very familiar with Google authentication methods.
Reference URL about switching OAuth 2.0 to G+: https://developers.google.com/accounts/docs/OAuth2LoginV1
Thanks
John Burrows
added a comment - Kohsuke Kawaguchi added a comment - 13/Jun/14 5:45 PM
I looked at the doc a bit, and the new scheme seems to require a client ID and secret. I wonder if it means every Jenkins instance needs to be registered separately.
From what I can gather, every Jenkins instance was registered separately already using the deprecated method of authentication. That is the reason that OpenID fails to work with new Jenkins instances when set to Google Apps and your google domain, Google shut off new server registrations in April 2014.
Also, from what I have read, changing the current authentication method to G+ in the code should resolve the issue as the authentication will then register the Jenkins instance (server) with Google and again allow SSO usage.
Unfortunately I am not a java coder, otherwise I would try to do this myself, as it is I have an internal developer at my company trying to do just that, but he is also having issues as he is not very familiar with Google authentication methods.
Reference URL about switching OAuth 2.0 to G+: https://developers.google.com/accounts/docs/OAuth2LoginV1
Thanks 
kylecordes
added a comment - Like others here (and probably many others who haven't found this and commented) I just learned that a newly added Jenkins instance with OpenID plugin won't work with Google, as they are no longer allowing new endpoints.
It appears that OpenID Connect would get through until April 2015, then it's all out in favor of their new G+-centric thing. This is clearly a Google-led problem, but certainly and workarounds or other ways to achieve smooth Google auth integration from the Jenkins end would be much appreciated.
kylecordes
added a comment - Like others here (and probably many others who haven't found this and commented) I just learned that a newly added Jenkins instance with OpenID plugin won't work with Google, as they are no longer allowing new endpoints.
It appears that OpenID Connect would get through until April 2015, then it's all out in favor of their new G+-centric thing. This is clearly a Google-led problem, but certainly and workarounds or other ways to achieve smooth Google auth integration from the Jenkins end would be much appreciated. 
I looked at the doc a bit, and the new scheme seems to require a client ID and secret. I wonder if it means every Jenkins instance needs to be registered separately.