JENKINS-9792

OpenID Javascript does not load - 403

      Description

      I just installed the OpenID plugin, 1.3 on Jenkins 1.413. After configuring "on the side" open id endpoints for my account, when I go to log in with OpenID, I do not see the provider selection interface, and if I manually enter my endpoint or username, I get the error "org.openid4java.discovery.DiscoveryException: 0x500: Cannot parse identifier: null".

      Looking in Chrome developer tools and Firefox Firebug, I see that the openid javascript is actually not loading, it is returning a 403. I assume this is the cause of the failure. Jenkins is behind nginx, but I'm pretty sure the problem is not with nginx. I have no security applied in nginx, and the Winstone header is returned in the 403 response "X-Powered-By: Servlet/2.5 (Winstone/0.9.10)".

            Activity

            bjornsvenson colin schaub added a comment -

            I am experiencing the same issue; browser attempts to fetch the 2 openid javascript files and receives a 403 error for both

            mariusmarais Marius Marais added a comment -

            This error occurs when the Anonymous Read access setting is revoked. With Anon Read on, everything works correctly, turning it off causes the error.

            (Accessing Jenkins directly, not via nginx, etc.)

            dp79 Daniel Petersson added a comment -

            Hi everyone. I need this bug/feature so much that I'm willing to pay $50.00 for it.
            This offer is registered at FreedomSponsors (http://www.freedomsponsors.org/core/issue/36/openid-javascript-does-not-load-403).
            Once you solve it (according to the acceptance criteria described there), just create a FreedomSponsors account and mark it as resolved (oh, you'll need a Paypal account too)
            I'll then check it out and will gladly pay up!

            If anyone else would like to throw in a few bucks to elevate the priority on this issue, you should check out FreedomSponsors!

            bshi Bo Shi added a comment -

            In Jenkins 1.502 and plugin version 1.6, the security setting "Logged-in users can do anything" with "OpenID SSO" works properly IFF "Prevent Cross Site Request Forgery exploits" is DISABLED. Enabling CSRF security breaks and exhibits the behavior OP describes.

            tchap Ondrej Kupka added a comment -

            I found a workaround by putting Nginx in front of Jenkins and just bypassing Jenkins for those files.

            location /plugin/ {
                alias /var/lib/jenkins/plugins/;

                if ($request_method != "GET") { return 405; }
            }

            location /static/aa2563e6/plugin/ {
                alias /var/lib/jenkins/plugins/;

                if ($request_method != "GET") { return 405; }
            }
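
A narrower form of the workaround above, as an added example that is not part of the original comment: the posted `alias` maps every file under /var/lib/jenkins/plugins/ to a URL that Jenkins never gets to authorize, while this version serves only static assets of a single plugin. The directory name `openid` and the extension list are assumptions.

```nginx
# Added example, not from the original comment. Assumptions: the plugin is
# unpacked at /var/lib/jenkins/plugins/openid/ and the login page only needs
# static assets with the extensions listed below.

# Never serve packaging metadata or bundled libraries from the plugin tree.
# Regex locations are tested in order of appearance, so this one comes first.
location ~* ^/(?:static/[0-9a-f]+/)?plugin/.*(?:WEB-INF|META-INF) {
    return 404;
}

# Matches /plugin/openid/... and /static/<hex>/plugin/openid/...
# (the comment above shows aa2563e6 in that position; any hex value matches,
# so the rule does not depend on that one prefix).
location ~ ^/(?:static/[0-9a-f]+/)?plugin/openid/(?<asset>[\w./-]+\.(?:js|css|png|gif))$ {
    # Allowing GET also allows HEAD; every other method is refused with 403.
    limit_except GET { deny all; }

    # In a regex location, alias must be built from the capture.
    alias /var/lib/jenkins/plugins/openid/$asset;
}

# Requests for any other plugin, or any other file type, match neither block
# and continue to whichever location already proxies to Jenkins, where the
# normal permission checks apply.
```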

            scm_issue_link SCM/JIRA link daemon added a comment -

            Code changed in jenkins
            User: Kohsuke Kawaguchi
            Path:
            src/main/java/hudson/plugins/openid/StaticResourceServer.java
            src/main/resources/hudson/plugins/openid/OpenIdLoginService/_openid-form-body.jelly
            src/main/resources/hudson/plugins/openid/OpenIdLoginService/loginFragment.jelly
            src/test/java/hudson/plugins/openid/OpenIdLoginServiceTest.java
            http://jenkins-ci.org/commit/openid-plugin/64ec740cd394e39e67129313dd4903e262bf2d41
            Log:
            [FIXED JENKINS-9792]

            OpenID plugin shouldn't require global read access for authenticating users


              People

              Assignee:
              kohsuke Kohsuke Kawaguchi
              Reporter:
              aaron Aaron Hamid
              Votes:
              8
              Watchers:
              12