[JENKINS-55683] Endless loop on login when using OpenID plugin after upgrading to 2.160 / 2.150.2, preventing user authentication - Jenkins Jira

XML

Word

Printable

Details

Type: Bug
Status: Resolved (View Workflow)
Priority: Blocker
Resolution: Fixed
Component/s: openid-plugin
Labels:
- regression
- security-901
Environment:
Jenkins 2.160

Similar Issues:

Show

Description

Our users where unable to login using OpenID after upgrading our Jenkins instance from 2.159 to 2.160. Downgrading to 2.159 makes the issue disappear.

From a HTTP perspective, Jenkins forwards the user to the OpenID provider URL, which authenticates the user and redirects him back to Jenkins, where a 403 is returned. Which, in turn, causes Jenkins to redirect the user to the OpenID provider, resulting in an endless loop.

Unfortunately the logs do not yield any hints. Nevertheless here they are, newest log messages on top:

Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.shaded.apache.http.client.protocol.ResponseProcessCookies processCookies
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Starting discovery on URL identifier: http://openid.example.org/user
# Here the loop starts again.
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.Discovery discover
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Received positive auth response.
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager verify
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Verifying authentication response...
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager verify
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Return URL: https://jenkins.example.org/jenkins/securityRealm/finishLogin matches realm: https://jenkins.example.org/jenkins/securityRealm/finishLogin
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.server.RealmVerifier match
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Creating authentication request for OP-endpoint: https://openid.example.org/simpleid/ claimedID: http://specs.openid.net/auth/2.0/identifier_select OP-specific ID: http://specs.openid.net/auth/2.0/identifier_select
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager authenticate
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Associated with https://openid.example.org/simpleid/ handle: 5c41bcf00008983de08c93d6
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager associate
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Trying to associate with https://openid.example.org/simpleid/ attempts left: 4
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager associate
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Discovered 1 OpenID endpoints.
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.Discovery discover
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Yadis discovered 1 endpoints from: https://openid.example.org/
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.yadis.YadisResolver discover
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.shaded.apache.http.client.protocol.ResponseProcessCookies processCookies
Jan 18 12:47:59 ourJenkins jenkins[29449]: INFO: Starting discovery on URL identifier: https://openid.example.org/
# Loop start.

Attachments

Issue Links

is duplicated by

JENKINS-55686 Updating to 2.150.2 breaks openid plugin

Closed

is related to

JENKINS-55669 Auth plugin doesn't work after upgrade to Jenkins 2.150.2

Resolved

JENKINS-55668 Unable to login with Bitbucket Oauth plugin after Jenkins update (2.150.2)

Resolved

links to

#14 in openid

Activity

Ascending order - Click to sort in descending order

Florian Schmaus created issue - 2019-01-18 14:22

Florian Schmaus made changes - 2019-01-18 14:23

Field	Original Value	New Value
Environment		Jenkins 2.160

Florian Schmaus made changes - 2019-01-18 14:23

Component/s

core [ 15593 ]

Ryan Desmond added a comment - 2019-01-18 17:00

I am using the Bitbucket OAuth 0.7, and just updated from 2.150.1 to 2.150.2 (it looks likethe security patch causing your problem was backported to the LTS release). I see the same problem.

Ryan Desmond added a comment - 2019-01-18 17:00 I am using the Bitbucket OAuth 0.7, and just updated from 2.150.1 to 2.150.2 (it looks likethe security patch causing your problem was backported to the LTS release). I see the same problem.

Ryan Desmond added a comment - 2019-01-18 17:03

~~JENKINS-55669~~ and ~~JENKINS-55668~~ are variations of this on the LTS.

Ryan Desmond added a comment - 2019-01-18 17:03 JENKINS-55669 and JENKINS-55668 are variations of this on the LTS.

Florian Schmaus made changes - 2019-01-18 21:37

Link

This issue is related to ~~JENKINS-55669~~ [ ~~JENKINS-55669~~ ]

Florian Schmaus made changes - 2019-01-18 21:37

Link

This issue is related to ~~JENKINS-55668~~ [ ~~JENKINS-55668~~ ]

Daniel Beck added a comment - 2019-01-19 12:17

Noted in https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+the+SECURITY-901+fix

FYI wfollonier

Daniel Beck added a comment - 2019-01-19 12:17 Noted in https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+the+SECURITY-901+fix FYI wfollonier

Daniel Beck made changes - 2019-01-19 12:18

Labels

security-901

Daniel Beck made changes - 2019-01-19 12:19

Link

This issue is duplicated by ~~JENKINS-55686~~ [ ~~JENKINS-55686~~ ]

Wadeck Follonier made changes - 2019-01-21 08:26

Component/s

core [ 15593 ]

Wadeck Follonier made changes - 2019-01-21 08:27

Labels

security-901

regression security-901

Wadeck Follonier made changes - 2019-01-21 08:30

Priority

Critical [ 2 ]

Blocker [ 1 ]

Wadeck Follonier added a comment - 2019-01-21 08:41

PR proposed: #14

Wadeck Follonier added a comment - 2019-01-21 08:41 PR proposed: #14

Wadeck Follonier made changes - 2019-01-21 08:41

Remote Link

This issue links to "#14 in openid (Web Link)" [ 22223 ]

Florian Schmaus made changes - 2019-01-21 08:42

Summary

Endless loop on login when using OpenID plugin after upgrading to 2.160, preventing user authentication

Endless loop on login when using OpenID plugin after upgrading to 2.160 / 2.150.2, preventing user authentication

Wadeck Follonier made changes - 2019-01-21 08:44

Status

Open [ 1 ]

In Progress [ 3 ]

Wadeck Follonier made changes - 2019-01-21 08:45

Status

In Progress [ 3 ]

In Review [ 10005 ]

Wadeck Follonier made changes - 2019-01-21 08:45

Assignee

Kohsuke Kawaguchi [ kohsuke ]

t stepanchuk [ step ]

Wadeck Follonier made changes - 2019-01-21 08:45

Assignee

t stepanchuk [ step ]

Stephen Connolly [ stephenconnolly ]

Stephen Connolly made changes - 2019-01-21 11:36

Assignee

Stephen Connolly [ stephenconnolly ]

Wadeck Follonier [ wfollonier ]

Wadeck Follonier added a comment - 2019-01-25 10:12

Version 2.3 is released, will be available in update-center in ~30min.

Wadeck Follonier added a comment - 2019-01-25 10:12 Version 2.3 is released, will be available in update-center in ~30min.

Wadeck Follonier made changes - 2019-01-25 10:12

Resolution		Fixed [ 1 ]
Status	In Review [ 10005 ]	Resolved [ 5 ]

People

Assignee:: Wadeck Follonier

Reporter:: Florian Schmaus

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2019-01-18 14:22

Updated:: 2019-01-25 10:12

Resolved:: 2019-01-25 10:12