-
Bug
-
Resolution: Fixed
-
Major
-
None
-
Fedora 14 x86_64
Google OpenID provider
I've configured Jenkins to use Google's OpenID provider in conjunction with matrix-based security, and I cannot log in using the CLI:
$ jenkins-cli --username xxx@xxx.com --password xxx Exception in thread "main" java.io.IOException: Server returned HTTP response code: 403 for URL: http://localhost:8080/cli at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1403) at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:61) at hudson.cli.CLI.<init>(CLI.java:91) at hudson.cli.CLI.<init>(CLI.java:63) at hudson.cli.CLI.main(CLI.java:176)
[JENKINS-8925] Cannot use CLI when using OpenID
With CSRF detection turned off, I now get this on the client side:
$ jenkins-cli login --username xxx@xxx.com --password xxx "--username" is not a valid option
And on the server (yes, the UUID below is anonymized):
SEVERE: I/O error in channel HTTP full-duplex channel 12341234-1234-1234-1234-123412341234
java.io.IOException: chunked stream ended unexpectedly
at hudson.util.ChunkedInputStream.getChunkSizeFromInputStream(ChunkedInputStream.java:225)
at hudson.util.ChunkedInputStream.nextChunk(ChunkedInputStream.java:197)
at hudson.util.ChunkedInputStream.read(ChunkedInputStream.java:120)
at java.io.ObjectInputStream$PeekInputStream.peek(ObjectInputStream.java:2265)
at java.io.ObjectInputStream$BlockDataInputStream.peek(ObjectInputStream.java:2558)
at java.io.ObjectInputStream$BlockDataInputStream.peekByte(ObjectInputStream.java:2568)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1314)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:368)
at hudson.remoting.Channel$ReaderThread.run(Channel.java:974)
Bryan O'Sullivan
added a comment - - edited With CSRF detection turned off, I now get this on the client side:
$ jenkins-cli login --username xxx@xxx.com --password xxx
"--username" is not a valid option
And on the server (yes, the UUID below is anonymized):
SEVERE: I/O error in channel HTTP full-duplex channel 12341234-1234-1234-1234-123412341234
java.io.IOException: chunked stream ended unexpectedly
at hudson.util.ChunkedInputStream.getChunkSizeFromInputStream(ChunkedInputStream.java:225)
at hudson.util.ChunkedInputStream.nextChunk(ChunkedInputStream.java:197)
at hudson.util.ChunkedInputStream.read(ChunkedInputStream.java:120)
at java.io.ObjectInputStream$PeekInputStream.peek(ObjectInputStream.java:2265)
at java.io.ObjectInputStream$BlockDataInputStream.peek(ObjectInputStream.java:2558)
at java.io.ObjectInputStream$BlockDataInputStream.peekByte(ObjectInputStream.java:2568)
at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1314)
at java.io.ObjectInputStream.readObject(ObjectInputStream.java:368)
at hudson.remoting.Channel$ReaderThread.run(Channel.java:974)
I guess the fundamental question is how do I authenticate the user when you use OpenID in the SSO mode. This is not an HTTP client, so it cannot go through the OpenID protocol.
I guess I need some kind of API key/secret key stuff or PKI.
Monty Taylor
added a comment - Was chatting briefly with kohsuke on email the other day - just wanted to drop a note here so that the bug would be noticed.
Monty Taylor
added a comment - Was chatting briefly with kohsuke on email the other day - just wanted to drop a note here so that the bug would be noticed. Monty Taylor
added a comment - This now works, actually. If you log in as a user via openid, it creates an auth token for that user which can be used in subsequent requests.
Monty Taylor
added a comment - This now works, actually. If you log in as a user via openid, it creates an auth token for that user which can be used in subsequent requests. 
Rafael Fonseca
added a comment - Can you clarify how you are logging in using the CLI? I can't get it to work. It does pick the right username based on my SSH key, though.
java -jar jenkins-cli.jar -s http://jenkins_url:8080/ login hudson.security.UserMayOrMayNotExistException: Unable to query user information: my_username at hudson.security.UserDetailsServiceProxy.loadUserByUsername(UserDetailsServiceProxy.java:43) at hudson.security.SecurityRealm.loadUserByUsername(SecurityRealm.java:305) at hudson.cli.ClientAuthenticationCache.set(ClientAuthenticationCache.java:90) at hudson.cli.LoginCommand.run(LoginCommand.java:37) at hudson.cli.CLICommand.main(CLICommand.java:232) at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:92) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:606) at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:299) at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:280) at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:239) at hudson.remoting.UserRequest.perform(UserRequest.java:118) at hudson.remoting.UserRequest.perform(UserRequest.java:48) at hudson.remoting.Request$2.run(Request.java:328) at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72) at hudson.cli.CliManagerImpl$1.call(CliManagerImpl.java:63) at hudson.remoting.InterceptingExecutorService$2.call(InterceptingExecutorService.java:95) at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334) at java.util.concurrent.FutureTask.run(FutureTask.java:166) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) at java.lang.Thread.run(Thread.java:724)
Rafael Fonseca
added a comment - Can you clarify how you are logging in using the CLI? I can't get it to work. It does pick the right username based on my SSH key, though.
java -jar jenkins-cli.jar -s http://jenkins_url:8080/ login
hudson.security.UserMayOrMayNotExistException: Unable to query user information: my_username
at hudson.security.UserDetailsServiceProxy.loadUserByUsername(UserDetailsServiceProxy.java:43)
at hudson.security.SecurityRealm.loadUserByUsername(SecurityRealm.java:305)
at hudson.cli.ClientAuthenticationCache.set(ClientAuthenticationCache.java:90)
at hudson.cli.LoginCommand.run(LoginCommand.java:37)
at hudson.cli.CLICommand.main(CLICommand.java:232)
at hudson.cli.CliManagerImpl.main(CliManagerImpl.java:92)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.perform(RemoteInvocationHandler.java:299)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:280)
at hudson.remoting.RemoteInvocationHandler$RPCRequest.call(RemoteInvocationHandler.java:239)
at hudson.remoting.UserRequest.perform(UserRequest.java:118)
at hudson.remoting.UserRequest.perform(UserRequest.java:48)
at hudson.remoting.Request$2.run(Request.java:328)
at hudson.remoting.InterceptingExecutorService$1.call(InterceptingExecutorService.java:72)
at hudson.cli.CliManagerImpl$1.call(CliManagerImpl.java:63)
at hudson.remoting.InterceptingExecutorService$2.call(InterceptingExecutorService.java:95)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:334)
at java.util.concurrent.FutureTask.run(FutureTask.java:166)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at java.lang.Thread.run(Thread.java:724)
Oh, and I see this in jenkins.log: