Details
-
Bug
-
Status: Resolved (View Workflow)
-
Blocker
-
Resolution: Fixed
-
Jenkins 2.160
Description
Our users where unable to login using OpenID after upgrading our Jenkins instance from 2.159 to 2.160. Downgrading to 2.159 makes the issue disappear.
From a HTTP perspective, Jenkins forwards the user to the OpenID provider URL, which authenticates the user and redirects him back to Jenkins, where a 403 is returned. Which, in turn, causes Jenkins to redirect the user to the OpenID provider, resulting in an endless loop.
Unfortunately the logs do not yield any hints. Nevertheless here they are, newest log messages on top:
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.shaded.apache.http.client.protocol.ResponseProcessCookies processCookies
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Starting discovery on URL identifier: http://openid.example.org/user
# Here the loop starts again.
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.Discovery discover
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Received positive auth response.
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager verify
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Verifying authentication response...
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager verify
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Return URL: https://jenkins.example.org/jenkins/securityRealm/finishLogin matches realm: https://jenkins.example.org/jenkins/securityRealm/finishLogin
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.server.RealmVerifier match
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Creating authentication request for OP-endpoint: https://openid.example.org/simpleid/ claimedID: http://specs.openid.net/auth/2.0/identifier_select OP-specific ID: http://specs.openid.net/auth/2.0/identifier_select
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager authenticate
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Associated with https://openid.example.org/simpleid/ handle: 5c41bcf00008983de08c93d6
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager associate
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Trying to associate with https://openid.example.org/simpleid/ attempts left: 4
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager associate
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Discovered 1 OpenID endpoints.
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.Discovery discover
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Yadis discovered 1 endpoints from: https://openid.example.org/
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.yadis.YadisResolver discover
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.shaded.apache.http.client.protocol.ResponseProcessCookies processCookies
Jan 18 12:47:59 ourJenkins jenkins[29449]: INFO: Starting discovery on URL identifier: https://openid.example.org/
# Loop start.
Attachments
Issue Links
- is duplicated by
-
-
- Closed
-
- is related to
-
-
- Resolved
-
-
-
- Resolved
-
- links to
Activity
Ryan Desmond
added a comment - JENKINS-55669 and JENKINS-55668 are variations of this on the LTS. Noted in https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+the+SECURITY-901+fix
FYI wfollonier
Version 2.3 is released, will be available in update-center in ~30min.
I am using the Bitbucket OAuth 0.7, and just updated from 2.150.1 to 2.150.2 (it looks likethe security patch causing your problem was backported to the LTS release). I see the same problem.