Replace OpenID Connect backend library #313

Closed
michael-doubez opened this issue May 3, 2024 · 3 comments · Fixed by #409
@michael-doubez
Contributor

michael-doubez commented May 3, 2024

What feature do you want to see added?

The backend library currently used is the Google OAuth Client library, which brings many issues:

  • the library is in maintenance mode
  • the code is primarily designed to work for Google APIs - features are hard to implement, or checks prevent usage of the library (see Login not working if alg field is missing in jwks_uri response #304)
  • the library is pulling dependencies which are not needed or desirable for a Jenkins plugin - in particular some transitive dependencies are hard to specify right

Moving to a more generic library would allow restoring the advanced checks bypassed in #308.

Spring security seems to have a decent support of openid connect and is more in line with Jenkins' dependencies.

@jtnord
Member

jtnord commented Jul 17, 2024

the library is pulling dependencies which are not needed or desirable for Jenkins plugin - in particular some transitive dependencies are hard to specify right

spring security-oauth, when I looked quickly, also pulls in some undesirables (at least in terms of FIPS support). Currently the google library is in a better shape in this regard.

Anyway, irrespective, I would leave a note about using spring-security-oauth2-client: the version ties to the version of Spring, which ties to the version of Jenkins (although Jenkins does not ship the oauth-client jar). Thus an upgrade of Jenkins does bring the possibility that it could break the plugin. It may never (or rarely) happen due to backward compatibility of the Spring project, but if the client uses internal APIs then this becomes more likely.

@jtnord
Member

jtnord commented Aug 6, 2024

I lack permissions on this repo to assign it to myself, but I am actively working on this.

@jtnord
Member

jtnord commented Sep 25, 2024

#62 (comment) / #185 are problematic

I don't think we want to hold back the plugin to work around non-conformant OpenId Providers so long as we are conformant (passing the conformance tests) and we work with any conformant OpenId Providers.

Whilst we may want to add (and retain) some options for non-compliant providers, I would say if we cannot, it should not stop the plugin from moving on. Users with non-conformant OPs can stay on the existing (working) version of the plugin, and file issues with the implementor of the OP to become conformant.

@michael-doubez WDYT?

jtnord added a commit to jtnord/oic-auth-plugin that referenced this issue Oct 2, 2024
This changes the Google OAuth library which is in maintenance mode with
a supported library (nimbusds via pac4j)

The library requires that the Issuer is set to enforce security and
there is no option to disable this requirement as it is mandated in the
specification.  As such users must first update to 4.355.v3a_fb_fca_b_96d4
to set the Issuer before updating to this version.

fixes: jenkinsci#313
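The two checks discussed on this page are the mandatory issuer match the commit message refers to, and tolerating a JWKS entry without the optional "alg" member (the #304 symptom that a strict library turns into a login failure). The following is an added illustration, not code from the plugin, pac4j or nimbusds: it validates a constructed ID token against a constructed JWKS with the Python standard library. It assumes a symmetric ("oct") key so it runs offline; real OPs publish RSA/EC keys, which a JOSE library would verify the same way. ISSUER, CLIENT_ID and SECRET are assumed sample values.

```python
import base64, hashlib, hmac, json, time

SECRET = b"constructed-demo-secret-of-32-bytes!"   # constructed, not a real key
ISSUER, CLIENT_ID = "https://op.example.test", "jenkins-client"   # assumed values

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed JWKS whose entry deliberately omits "alg": RFC 7517 makes it OPTIONAL.
JWKS = {"keys": [{"kty": "oct", "kid": "k1", "k": b64url_encode(SECRET)}]}

def mint_id_token(claims: dict, key: bytes = SECRET, kid: str = "k1") -> str:
    """Build an HS256 ID token; only used here to construct test input."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    body = b64url_encode(json.dumps(header).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    return body + "." + b64url_encode(hmac.new(key, body.encode(), hashlib.sha256).digest())

def validate_id_token(token: str, jwks: dict = JWKS, issuer: str = ISSUER,
                      client_id: str = CLIENT_ID, now=None) -> dict:
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":          # allowlist of supported algs; never "none"
        raise ValueError(f"unsupported alg {header.get('alg')!r}")
    # Select the key by kid; a JWK with no "alg" member is still usable (issue #304).
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid")), None)
    if jwk is None or jwk.get("kty") != "oct":
        raise ValueError("no usable key for kid")
    if "alg" in jwk and jwk["alg"] != header["alg"]:   # if present, it must agree
        raise ValueError("key alg does not match token alg")
    expected = hmac.new(b64url_decode(jwk["k"]), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    # Issuer check is mandatory in OIDC Core (3.1.3.7); there is no switch to disable it.
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims
```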
@jtnord jtnord closed this as completed in 60fc090 Oct 10, 2024