Replace EOL Google Oauth library, disable nonce check during token refresh #419
Closed
jtnord wants to merge 9 commits into jenkinsci:master from jtnord:pac4j-disable-nonce-during-refresh
Conversation
This replaces the Google OAuth library, which is in maintenance mode, with a supported library (nimbusds via pac4j). The library requires that the Issuer is set to enforce security and there is no option to disable this requirement as it is mandated in the specification. As such users must first update to 4.355.v3a_fb_fca_b_96d4 to set the Issuer before updating to this version. Fixes: jenkinsci#313
The OidcAuthenticator was not using the resource retriever to talk to servers. As such, when used against a server with a self-signed certificate and disableTLS checks was set, it would still fail. Whilst we could implement our own Authenticator, there may be other places where we need to modify the HttpRequest. Therefore we just create a custom configuration that will set the proxy and TLS options as required.
The provider config did not contain the jsksServerUrl if it was present in the manual configuration. This caused signed tokens to be rejected when in manual configuration mode.
The option is not removed here, so that it can stay in the config. This will at least allow users to downgrade as the option would be retained.
Pac4j sets up the token validators, which during the refresh lifecycle will attempt to check an ID token's nonce. However, a provider should not set the nonce in the ID token during a refresh, and in this case the validator fails because the nonce is missing from the token! We disable the nonce check for the refresh call. It can be optionally re-enabled by setting the system property org.jenkinsci.plugins.oic.OicSecurityRealm.checkNonceInRefreshFlow to true. This is not exposed as a config option in the UI as 1) providers should not be sending the nonce anyway, 2) this should be a short-lived workaround whilst the issue with the library is filed and fixed.
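As an added illustration of the refresh-flow nonce rule described above (this is not code from the PR, the plugin or pac4j), the check below validates already signature-verified ID token claims held in a plain Map. The issuer, client id and claim values are constructed placeholders; the system property name is the one the PR introduces.

```java
import java.time.Instant;
import java.util.List;
import java.util.Map;
/** Added illustration of the refresh-flow nonce rule; not the plugin's or pac4j's own code. */
public final class RefreshAwareIdTokenCheck {
    /** System property from the PR description; unset or false means no nonce check on refresh. */
    static final String CHECK_NONCE_ON_REFRESH =
            "org.jenkinsci.plugins.oic.OicSecurityRealm.checkNonceInRefreshFlow";
    /** expectedNonce is the value sent in the authorization request (null in the refresh flow). */
    static void validate(Map<String, Object> claims, String expectedIssuer, String clientId,
                         String expectedNonce, boolean refreshFlow) {
        // Issuer is mandatory: the PR notes the library refuses to run without it configured.
        if (!expectedIssuer.equals(claims.get("iss"))) {
            throw new IllegalStateException("issuer mismatch: " + claims.get("iss"));
        }
        Object aud = claims.get("aud"); // "aud" may be a single string or a list of client ids
        boolean audienceOk = clientId.equals(aud)
                || (aud instanceof List && ((List<?>) aud).contains(clientId));
        if (!audienceOk) {
            throw new IllegalStateException("token not issued for client " + clientId);
        }
        if (Instant.now().getEpochSecond() >= ((Number) claims.get("exp")).longValue()) {
            throw new IllegalStateException("ID token expired");
        }
        // The nonce binds the token to the login request; a refresh response legitimately omits it,
        // so the check is skipped there unless the system property opts back in.
        boolean checkNonce = !refreshFlow || Boolean.getBoolean(CHECK_NONCE_ON_REFRESH);
        if (checkNonce) {
            Object nonce = claims.get("nonce");
            if (nonce == null || !nonce.equals(expectedNonce)) {
                throw new IllegalStateException("nonce missing or does not match the request");
            }
        }
    }
    public static void main(String[] args) {
        // Constructed sample claims; issuer and client id are placeholders, not real endpoints.
        String issuer = "https://issuer.example", client = "jenkins-client";
        long exp = Instant.now().getEpochSecond() + 300;
        Map<String, Object> loginToken = Map.of("iss", issuer, "aud", client, "exp", exp, "nonce", "n-123");
        validate(loginToken, issuer, client, "n-123", false);   // login flow: nonce is required
        Map<String, Object> refreshed = Map.of("iss", issuer, "aud", client, "exp", exp);
        validate(refreshed, issuer, client, null, true);         // refresh flow: nonce check skipped
        // Run with -Dorg.jenkinsci.plugins.oic.OicSecurityRealm.checkNonceInRefreshFlow=true and the
        // refresh call above throws, reproducing the validator failure the PR works around.
    }
}
```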
throw new FailedCheckOfTokenException( | ||
maybeOpenIdLogoutEndpoint(response.getIdToken(), state, buildOauthCommenceLogin())); | ||
} | ||
public void doCommenceLogin(@QueryParameter String from, @Header("Referer") final String referer) |
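Review bot: doCommenceLogin in this hunk is declared without @POST/@RequirePOST, which is what the Jenkins Security Scan annotation flags as a potential CSRF issue. Because this method only starts the login redirect and is reached by ordinary browser navigation, requiring POST would break the login link, so dismissing the alert is defensible; please record that justification with the dismissal so it does not resurface on later scans, and make sure the user-controlled `from` query parameter is validated as an in-application relative path before it is used as the post-login redirect target.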
Code scanning / Jenkins Security Scan: warning, Stapler: Missing POST/RequirePOST annotation
Potential CSRF vulnerability: If OicSecurityRealm#doCommenceLogin connects to user-specified URLs, modifies state, or is expensive to run, it should be annotated with @POST or @RequirePOST
src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java (dismissed)
This is #409 with 2 additional commits.