Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Component/s: openid-plugin
Labels:
- regression
- security-901
Environment:
Jenkins 2.160

Similar Issues:

Show

Description

Our users where unable to login using OpenID after upgrading our Jenkins instance from 2.159 to 2.160. Downgrading to 2.159 makes the issue disappear.

From a HTTP perspective, Jenkins forwards the user to the OpenID provider URL, which authenticates the user and redirects him back to Jenkins, where a 403 is returned. Which, in turn, causes Jenkins to redirect the user to the OpenID provider, resulting in an endless loop.

Unfortunately the logs do not yield any hints. Nevertheless here they are, newest log messages on top:

Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.shaded.apache.http.client.protocol.ResponseProcessCookies processCookies
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Starting discovery on URL identifier: http://openid.example.org/user
# Here the loop starts again.
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.Discovery discover
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Received positive auth response.
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager verify
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Verifying authentication response...
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager verify
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Return URL: https://jenkins.example.org/jenkins/securityRealm/finishLogin matches realm: https://jenkins.example.org/jenkins/securityRealm/finishLogin
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.server.RealmVerifier match
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Creating authentication request for OP-endpoint: https://openid.example.org/simpleid/ claimedID: http://specs.openid.net/auth/2.0/identifier_select OP-specific ID: http://specs.openid.net/auth/2.0/identifier_select
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager authenticate
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Associated with https://openid.example.org/simpleid/ handle: 5c41bcf00008983de08c93d6
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager associate
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Trying to associate with https://openid.example.org/simpleid/ attempts left: 4
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager associate
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Discovered 1 OpenID endpoints.
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.Discovery discover
Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Yadis discovered 1 endpoints from: https://openid.example.org/
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.yadis.YadisResolver discover
Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.shaded.apache.http.client.protocol.ResponseProcessCookies processCookies
Jan 18 12:47:59 ourJenkins jenkins[29449]: INFO: Starting discovery on URL identifier: https://openid.example.org/
# Loop start.

Attachments

Issue Links

is duplicated by

JENKINS-55686 Updating to 2.150.2 breaks openid plugin

Closed

is related to

JENKINS-55669 Auth plugin doesn't work after upgrade to Jenkins 2.150.2

Resolved

JENKINS-55668 Unable to login with Bitbucket Oauth plugin after Jenkins update (2.150.2)

Resolved

links to

#14 in openid

Activity

People

Assignee:: Wadeck Follonier

Reporter:: Florian Schmaus

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2019-01-18 14:22

Updated:: 2019-01-25 10:12

Resolved:: 2019-01-25 10:12