• Type: Bug
• Resolution: Fixed
• Priority: Major
• Component: openid-plugin
• Environment: Current plugin master, Jenkins >= 1.556

When a new user is logged in, the openid security realm uses different values as the principal name in the security context, depending on the metadata fields available in the openid identity.

After logging the user in, the actual User is created (if needed), and depending on the field used for the id (e.g. if it ends up being the openid url) it may be transformed by the canonical id resolver, resulting in a user with a different id than the one registered in the SecurityContextHolder.

After 84e8d0118 (https://github.com/jenkinsci/jenkins/commit/84e8d011805194578d3b3ccfca060ce5cffbf7eb), User.current will assume the user is the one in the SecurityContextHolder, so it may end up creating another User object for an already existing one, as that lookup does not go through the canonical id resolver.
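The mismatch described above, as an added self-contained model (not the plugin's or Jenkins' own code): the resolver rule that turns an OpenID URL into a canonical id, the field-preference order of the realm, and the user store are all constructed assumptions; the point is that a lookup by the raw principal from the security context diverges from a lookup through the resolver only when the principal is one of the fields the resolver transforms.

```python
# Constructed model of the JENKINS-36709 mechanism; not Jenkins code.
import re

# In-memory user store keyed by the id under which each User was created.
_users = {}

def reset():
    _users.clear()

def canonical_id(id_or_name):
    # Assumed resolver rule: an OpenID URL collapses to a filesystem-safe id,
    # any other principal (nickname, email) is returned unchanged.
    if id_or_name.startswith(("http://", "https://")):
        body = id_or_name.split("://", 1)[1]
        return re.sub(r"[^A-Za-z0-9]+", "_", body).strip("_")
    return id_or_name

def user_get(id_or_name, create=True):
    # Mirrors User.get: every lookup goes through the canonical id resolver.
    cid = canonical_id(id_or_name)
    if cid not in _users and create:
        _users[cid] = {"id": cid}
    return _users.get(cid)

def principal_for(identity):
    # Assumed preference order for the principal name, standing in for the
    # realm choosing among whatever OpenID metadata fields are present.
    return identity.get("nickname") or identity.get("email") or identity["openid_url"]

def login(identity):
    # The security context keeps the raw principal; the realm then creates
    # the User through User.get, i.e. via the resolver.
    principal = principal_for(identity)
    user_get(principal)
    return principal

def current_user_buggy(principal):
    # Post-84e8d0118 behaviour: trust the principal from the security context
    # and look it up directly, bypassing the resolver.
    if principal not in _users:
        _users[principal] = {"id": principal}
    return _users[principal]

def current_user_fixed(principal):
    # Resolve the principal to its canonical id before looking it up.
    return user_get(principal)

def user_count():
    return len(_users)
```

Running the two variants against an identity that exposes only its OpenID URL shows the buggy path creating a second User, while an identity with an email address is unaffected because the resolver leaves that value unchanged.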

          [JENKINS-36709] Possible duplicate user creation.

Change history:

• Andres Rodriguez created the issue.
• Andres Rodriguez edited the description, appending "as the search does not go through the canonical id resolver" to the last paragraph; the commit referenced there is https://github.com/jenkinsci/jenkins/commit/84e8d011805194578d3b3ccfca060ce5cffbf7eb.
• Andres Rodriguez changed Status from Open to In Progress.
• Andres Rodriguez added a remote link: PR openid-plugin#11.
• R. Tyler Croy changed Workflow from JNJira to JNJira + In-Review.
• Wadeck Follonier set Resolution to Fixed and changed Status from In Progress to Resolved.
