Reuse the original user principal to avoid crumb issues.
As it has been observed that the case of a user may change during a
refresh flow even though they are the same user, the crumb uses the
Authentication's name (principal), which would be different as we use the
returned value.
Rather than using the new value, after checking it is the same id
(according to the ID Strategy) we use the original so that the crumb can
be matched.

maybe fixes: #411
jtnord committed Oct 11, 2024
1 parent 51d456d commit 22577a1
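The failure mode the commit message describes, as an added illustration that is not the plugin's or Jenkins' own code: a case-insensitive identity strategy accepts `alice` as the same user as `Alice`, but a crumb bound to the exact principal string no longer matches. The `sameUser` stand-in for the IdStrategy, the HMAC-based `crumbFor` construction, the key and the session id are all constructed for this example and are assumptions, not the real Jenkins crumb algorithm.

```java
import java.nio.charset.StandardCharsets;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

/** Constructed demo of why reusing the original principal keeps the crumb valid. */
public class CrumbCaseDemo {

    // Stand-in for a case-insensitive IdStrategy: two names denote the same user
    // if they match ignoring case. (Assumption for this demo, not the plugin's code.)
    static boolean sameUser(String a, String b) {
        return a.equalsIgnoreCase(b);
    }

    // Hypothetical crumb: an HMAC over the exact principal string and the session id.
    // A crumb bound to the exact string changes whenever the case of the name changes.
    static String crumbFor(String principal, String sessionId, byte[] key) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        byte[] out = mac.doFinal((principal + ":" + sessionId).getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : out) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    // Mirrors the commit's choice: reject a different user, but keep the ORIGINAL
    // principal string when the strategy says the returned name is the same user.
    static String principalAfterRefresh(String expected, String returned) {
        if (!sameUser(expected, returned)) {
            throw new IllegalStateException("User name was not the same after refresh request");
        }
        return expected;
    }

    public static void main(String[] args) throws Exception {
        byte[] key = "constructed-demo-key".getBytes(StandardCharsets.UTF_8); // constructed
        String session = "sess-1";                                            // constructed
        String original = "Alice";  // principal at login
        String returned = "alice";  // same user, different case after the refresh

        String crumbAtLogin = crumbFor(original, session, key);

        // Naive approach: adopt the returned name. Same user per the strategy, but the
        // crumb issued at login no longer matches.
        String naiveCrumb = crumbFor(returned, session, key);
        System.out.println("same user per strategy : " + sameUser(original, returned)); // true
        System.out.println("crumb matches (naive)  : " + naiveCrumb.equals(crumbAtLogin)); // false

        // Commit's approach: reuse the original principal, so the crumb still matches.
        String kept = principalAfterRefresh(original, returned);
        String fixedCrumb = crumbFor(kept, session, key);
        System.out.println("crumb matches (reused) : " + fixedCrumb.equals(crumbAtLogin)); // true
    }
}
```

Note that `principalAfterRefresh` still throws for a genuinely different name; only the case-variant of the same identity is collapsed back onto the original string.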
Showing 1 changed file with 6 additions and 0 deletions.
6 changes: 6 additions & 0 deletions src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java
Expand Up @@ -1274,6 +1274,12 @@ private boolean refreshExpiredToken(
HttpServletResponse.SC_UNAUTHORIZED, "User name was not the same after refresh request");
return false;
}
// the username may have changed case during a call, but still be the same user (as we have checked the
// idStrategy)
// we need to keep using exactly the same principal otherwise there is a potential for crumbs not to match.
// whilst we could do some normalization of the username, just use the original (expected) username
// see https://github.com/jenkinsci/oic-auth-plugin/issues/411
username = expectedUsername;

if (failedCheckOfTokenField(idToken)) {
throw new FailedCheckOfTokenException(client.getConfiguration().findLogoutUrl());
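Review bot: the `username = expectedUsername;` assignment at the end of the hunk overwrites the name the IdP returned with no record that it differed, so the very case change the comment describes leaves no trace; log at FINE when `!username.equals(expectedUsername)` before the assignment so operators can correlate crumb problems with an IdP that changes case. The reassignment is only safe because the `User name was not the same after refresh request` check just above goes through the idStrategy, as the comment says; a regression test that refreshes with a differently-cased name under a case-insensitive strategy and asserts the crumb still validates would pin that behaviour down. The four comment lines could also be reflowed into two sentences ending with the issue link.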
