• Bug
    • Resolution: Fixed
    • Major
    • openid-plugin
    • None

      I just installed the OpenID plugin, 1.3 on Jenkins 1.413. After configuring "on the side" open id endpoints for my account, when I go to log in with OpenID, I do not see the provider selection interface, and if I manually enter my endpoint or username, I get the error "org.openid4java.discovery.DiscoveryException: 0x500: Cannot parse identifier: null".

      Looking in Chrome developer tools and Firefox Firebug, I see that the openid javascript is actually not loading, it is returning a 403. I assume this is the cause of the failure. Jenkins is behind nginx, but I'm pretty sure the problem is not with nginx. I have no security applied in nginx, and the Winstone header is returned in the 403 response "X-Powered-By: Servlet/2.5 (Winstone/0.9.10)".

          [JENKINS-9792] OpenID Javascript does not load - 403

          colin schaub added a comment -

          I am experiencing the same issue; browser attempts to fetch the 2 openid javascript files and receives a 403 error for both


          Marius Marais added a comment -

          This error occurs when the Anonymous Read access setting is revoked. With Anon Read on, everything works correctly, turning it off causes the error.

          (Accessing Jenkins directly, not via nginx, etc.)


          Daniel Petersson added a comment -

          Hi everyone. I need this bug/feature so much that I'm willing to pay $50.00 for it.
          This offer is registered at FreedomSponsors (http://www.freedomsponsors.org/core/issue/36/openid-javascript-does-not-load-403).
          Once you solve it (according to the acceptance criteria described there), just create a FreedomSponsors account and mark it as resolved (oh, you'll need a Paypal account too)
          I'll then check it out and will gladly pay up!

          If anyone else would like to throw in a few bucks to elevate the priority on this issue, you should check out FreedomSponsors!

          Bo Shi added a comment -

          In Jenkins 1.502 and plugin version 1.6, the security setting "Logged-in users can do anything" with "OpenID SSO" works properly IFF "Prevent Cross Site Request Forgery exploits" is DISABLED. Enabling CSRF security breaks and exhibits the behavior OP describes.


          Ondrej Kupka added a comment -

          I found a workaround by putting Nginx in front of Jenkins and just bypassing Jenkins for those files.

          location /plugin/ {
              alias /var/lib/jenkins/plugins/;
              if ($request_method != "GET") { return 405; }
          }

          location /static/aa2563e6/plugin/ {
              alias /var/lib/jenkins/plugins/;
              if ($request_method != "GET") { return 405; }
          }

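The workaround above aliases the whole plugins directory, so nginx serves every file in it without any Jenkins permission check. The following is an added example, not part of the thread or of the plugin: a narrower variant that exposes only the OpenID plugin's static assets. It assumes the plugin is unpacked at /var/lib/jenkins/plugins/openid/, that the login form needs only .js/.css/image files, and that Jenkins listens on 127.0.0.1:8080.

```nginx
# Added example; paths, file extensions and the upstream address are assumptions.

# As posted in the thread: everything nginx can read under plugins/ is served
# without Jenkins authorization, including plugin archives and WEB-INF contents.
# location /plugin/ {
#     alias /var/lib/jenkins/plugins/;
# }

# Narrowed: only static assets of the openid plugin, with or without the
# /static/<hash>/ cache-busting prefix seen in the thread.
location ~ ^/(?:static/[0-9a-f]+/)?plugin/openid/(?<asset>[A-Za-z0-9_./-]+\.(?:js|css|png|gif))$ {
    # Never expose packaged classes or plugin metadata.
    if ($asset ~ "(^|/)(WEB-INF|META-INF)/") { return 404; }

    # limit_except GET also permits HEAD; all other methods are refused.
    limit_except GET { deny all; }

    # With a regex location, alias must be built from the capture.
    alias /var/lib/jenkins/plugins/openid/$asset;
}

# Every other request still goes through Jenkins and its access control.
location / {
    proxy_pass http://127.0.0.1:8080;
}
```

With plugin versions that include the fix recorded later in this issue, the bypass should not be needed at all.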

          SCM/JIRA link daemon added a comment -

          Code changed in jenkins
          User: Kohsuke Kawaguchi
          Path:
          src/main/java/hudson/plugins/openid/StaticResourceServer.java
          src/main/resources/hudson/plugins/openid/OpenIdLoginService/_openid-form-body.jelly
          src/main/resources/hudson/plugins/openid/OpenIdLoginService/loginFragment.jelly
          src/test/java/hudson/plugins/openid/OpenIdLoginServiceTest.java
          http://jenkins-ci.org/commit/openid-plugin/64ec740cd394e39e67129313dd4903e262bf2d41
          Log:
          [FIXED JENKINS-9792]

          OpenID plugin shouldn't require global read access for authenticating users

            kohsuke Kohsuke Kawaguchi
            aaron Aaron Hamid