-
Patch
-
Resolution: Unresolved
-
Blocker
-
None
Will Google login plugin be updated prior to March cut off date for migration from oAuth?
[JENKINS-70593] Will Google login plugin be updated prior to March cut off date for migration from oAuth
Justin Hair
added a comment - What is the oauth migration? Should we avoid using this plugin? I would avoid using this plugin and opt for the usual RBAC if you plan on using Jenkins. Google is moving away from oauth authentication and if changes have not been made to the plugin prior to March 31st the sign in will no longer work. There is a migration guide for the ambitious but myself and my team are moving our CICD to GH actions/workflows to avoid this sort of thing in the future. Here is the migration guide for those who are more ambitious than I: https://developers.google.com/identity/gsi/web/guides/migration
Kevin
added a comment - - edited I would avoid using this plugin and opt for the usual RBAC if you plan on using Jenkins. Google is moving away from oauth authentication and if changes have not been made to the plugin prior to March 31st the sign in will no longer work. There is a migration guide for the ambitious but myself and my team are moving our CICD to GH actions/workflows to avoid this sort of thing in the future. Here is the migration guide for those who are more ambitious than I: https://developers.google.com/identity/gsi/web/guides/migration hairbuilder we have switched from the mentioned plugin to SAML 2.0 and used this document as a guide https://support.google.com/a/answer/9002495. Both seem to work with the same authorization strategies.
Sebastian
added a comment - - edited hairbuilder we have switched from the mentioned plugin to SAML 2.0 and used this document as a guide https://support.google.com/a/answer/9002495 . Both seem to work with the same authorization strategies. Justin Hair
added a comment - sebastian_s Nice! Does this allow people outside of the company who are using their own Google services to log in as well? We have several external devs who are not in our companies account but would like to give em access.
Justin Hair
added a comment - sebastian_s Nice! Does this allow people outside of the company who are using their own Google services to log in as well? We have several external devs who are not in our companies account but would like to give em access. Sebastian
added a comment - hairbuilder We don't have this usecase so I'm not sure. My assumption is, that if it worked with oauth it should also work with saml 2.0.
Oh in case you make the switch to the saml 2.0, since it's not apparent from the documentation that I've linked you have to adjust the "Maximum Authentication Lifetime" in jenkins to be in "sync" with the session lenght of your IDP, in our case the correct value was 14 days (which is the default for the session lenght https://support.google.com/a/answer/7576830?hl=en)
Sebastian
added a comment - hairbuilder We don't have this usecase so I'm not sure. My assumption is, that if it worked with oauth it should also work with saml 2.0.
Oh in case you make the switch to the saml 2.0, since it's not apparent from the documentation that I've linked you have to adjust the "Maximum Authentication Lifetime" in jenkins to be in "sync" with the session lenght of your IDP, in our case the correct value was 14 days (which is the default for the session lenght https://support.google.com/a/answer/7576830?hl=en) Just wanted to note that we are past March 31, 2023, but the plugin still works. https://developers.google.com/identity/gsi/web/guides/migration talks about migrating between JS authentication libraries. It looks like this plugin does not rely on a deprecated JS library for authentication.
k3vinwalsh as far as I can tell from the plugin history, a release was made in Dec 2022 without a changelog describing the changes in the release. The preceding release was in 2019. I think it is safe to assume that the plugin is not being actively maintained and that it won't be updated.
If your organization needs that plugin, please consider asking your organization to allow you to adopt the plugin and make the improvements that your organization needs. The "Improve a plugin" tutorial is a good place to start that type of effort.