Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-55683

Endless loop on login when using OpenID plugin after upgrading to 2.160 / 2.150.2, preventing user authentication

    XMLWordPrintable

Details

    Description

      Our users where unable to login using OpenID after upgrading our Jenkins instance from 2.159 to 2.160. Downgrading to 2.159 makes the issue disappear.

      From a HTTP perspective, Jenkins forwards the user to the OpenID provider URL, which authenticates the user and redirects him back to Jenkins, where a 403 is returned. Which, in turn, causes Jenkins to redirect the user to the OpenID provider, resulting in an endless loop.

      Unfortunately the logs do not yield any hints. Nevertheless here they are, newest log messages on top:

       

      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.shaded.apache.http.client.protocol.ResponseProcessCookies processCookies
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Starting discovery on URL identifier: http://openid.example.org/user
      # Here the loop starts again.
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.Discovery discover
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Received positive auth response.
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager verify
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Verifying authentication response...
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager verify
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Return URL: https://jenkins.example.org/jenkins/securityRealm/finishLogin matches realm: https://jenkins.example.org/jenkins/securityRealm/finishLogin
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.server.RealmVerifier match
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Creating authentication request for OP-endpoint: https://openid.example.org/simpleid/ claimedID: http://specs.openid.net/auth/2.0/identifier_select OP-specific ID: http://specs.openid.net/auth/2.0/identifier_select
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager authenticate
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Associated with https://openid.example.org/simpleid/ handle: 5c41bcf00008983de08c93d6
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager associate
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Trying to associate with https://openid.example.org/simpleid/ attempts left: 4
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.consumer.ConsumerManager associate
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Discovered 1 OpenID endpoints.
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.Discovery discover
      Jan 18 12:48:00 ourJenkins jenkins[29449]: INFO: Yadis discovered 1 endpoints from: https://openid.example.org/
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.discovery.yadis.YadisResolver discover
      Jan 18 12:48:00 ourJenkins jenkins[29449]: Jan 18, 2019 12:48:00 PM org.openid4java.shaded.apache.http.client.protocol.ResponseProcessCookies processCookies
      Jan 18 12:47:59 ourJenkins jenkins[29449]: INFO: Starting discovery on URL identifier: https://openid.example.org/
      # Loop start.

      Attachments

        Issue Links

          Activity

            rdesmond Ryan Desmond added a comment -

            I am using the Bitbucket OAuth 0.7, and just updated from 2.150.1 to 2.150.2 (it looks likethe security patch causing your problem was backported to the LTS release).  I see the same problem.

            rdesmond Ryan Desmond added a comment - I am using the Bitbucket OAuth 0.7, and just updated from 2.150.1 to 2.150.2 (it looks likethe security patch causing your problem was backported to the LTS release).  I see the same problem.
            rdesmond Ryan Desmond added a comment -

            JENKINS-55669 and JENKINS-55668 are variations of this on the LTS.

            rdesmond Ryan Desmond added a comment - JENKINS-55669 and JENKINS-55668 are variations of this on the LTS.
            danielbeck Daniel Beck added a comment - Noted in https://wiki.jenkins.io/display/JENKINS/Plugins+affected+by+the+SECURITY-901+fix FYI wfollonier

            PR proposed: #14

            wfollonier Wadeck Follonier added a comment - PR proposed: #14

            Version 2.3 is released, will be available in update-center in ~30min.

            wfollonier Wadeck Follonier added a comment - Version 2.3 is released, will be available in update-center in ~30min.

            People

              wfollonier Wadeck Follonier
              flow Florian Schmaus
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: