Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-55683

Endless loop on login when using OpenID plugin after upgrading to 2.160 / 2.150.2, preventing user authentication

      Our users where unable to login using OpenID after upgrading our Jenkins instance from 2.159 to 2.160. Downgrading to 2.159 makes the issue disappear.

      From a HTTP perspective, Jenkins forwards the user to the OpenID provider URL, which authenticates the user and redirects him back to Jenkins, where a 403 is returned. Which, in turn, causes Jenkins to redirect the user to the OpenID provider, resulting in an endless loop.

      Unfortunately the logs do not yield any hints. Nevertheless here they are, newest log messages on top:

       

      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.shaded.apache.http.client.protocol.ResponseProcessCookies processCookies
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Starting discovery on URL identifier: http://openid.example.org/user
      # Here the loop starts again.
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.Discovery discover
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Received positive auth response.
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager verify
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Verifying authentication response...
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager verify
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Return URL: https://jenkins.example.org/jenkins/securityRealm/finishLogin matches realm: https://jenkins.example.org/jenkins/securityRealm/finishLogin
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.server.RealmVerifier match
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Creating authentication request for OP-endpoint: https://openid.example.org/simpleid/ claimedID: http://specs.openid.net/auth/2.0/identifier_select OP-specific ID: http://specs.openid.net/auth/2.0/identifier_select
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager authenticate
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Associated with https://openid.example.org/simpleid/ handle: 5c41bcf00008983de08c93d6
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager associate
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Trying to associate with https://openid.example.org/simpleid/ attempts left: 4
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager associate
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Discovered 1 OpenID endpoints.
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.Discovery discover
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Yadis discovered 1 endpoints from: https://openid.example.org/
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.yadis.YadisResolver discover
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.shaded.apache.http.client.protocol.ResponseProcessCookies processCookies
      Jan 18 12:47:59 ourJenkins jenkins[29449]: INFO: Starting discovery on URL identifier: https://openid.example.org/
      # Loop start.

          [JENKINS-55683] Endless loop on login when using OpenID plugin after upgrading to 2.160 / 2.150.2, preventing user authentication

          Ryan Desmond added a comment -

          I am using the Bitbucket OAuth 0.7, and just updated from 2.150.1 to 2.150.2 (it looks likethe security patch causing your problem was backported to the LTS release).  I see the same problem.

          Ryan Desmond added a comment - I am using the Bitbucket OAuth 0.7, and just updated from 2.150.1 to 2.150.2 (it looks likethe security patch causing your problem was backported to the LTS release).  I see the same problem.

          Ryan Desmond added a comment -

          JENKINS-55669 and JENKINS-55668 are variations of this on the LTS.

          Ryan Desmond added a comment - JENKINS-55669 and JENKINS-55668 are variations of this on the LTS.

          Daniel Beck added a comment -

          Daniel Beck added a comment - Noted in https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+the+SECURITY-901+fix FYI wfollonier

          PR proposed: #14

          Wadeck Follonier added a comment - PR proposed: #14

          Version 2.3 is released, will be available in update-center in ~30min.

          Wadeck Follonier added a comment - Version 2.3 is released, will be available in update-center in ~30min.

            wfollonier Wadeck Follonier
            flow Florian Schmaus
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated:
              Resolved: