
Unable to login if iDP sends a blank ("") refresh token #461

Open
caichao1103 opened this issue Nov 12, 2024 · 16 comments

Comments

@caichao1103

caichao1103 commented Nov 12, 2024

Jenkins and plugins versions report

Jenkins version : 2.452.4
plugin version: 4.418.vccc7061f5b_6d

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 22.04.3 LTS

Reproduction steps

Our OpenID provider does not provide group info. It caused login to Jenkins to fail. The error messages were as below:

Nov 12 02:23:36 fcai-vm-01 jenkins[161716]: 2024-11-12 02:23:36.226+0000 [id=5809]	WARNING	o.j.plugins.oic.OicSecurityRealm#compileJMESPath: groups field config failed io.burt.jmespath.parser.ParseException: Unable to compile expression "": syntax error mismatched input '<EOF>' expecting {'!', '(', '*', '[', '{', '[?', '@', '`', RAW_STRING, JSON_CONSTANT, NAME, STRING} at position 0
2024-11-12 02:24:08.913+0000 [id=5809]	WARNING	o.e.j.s.h.ContextHandler$Context#log: Error while serving http://fcai-vm-01:8080/securityRealm/finishLogin
java.lang.IllegalArgumentException: The value must not be null or empty string
	 at com.nimbusds.oauth2.sdk.id.Identifier.<init>(Identifier.java:95)
	 at com.nimbusds.oauth2.sdk.token.Token.<init>(Token.java:52)
	 at com.nimbusds.oauth2.sdk.token.RefreshToken.<init>(RefreshToken.java:79)
	 at com.nimbusds.oauth2.sdk.token.RefreshToken.parse(RefreshToken.java:121)
	 at com.nimbusds.openid.connect.sdk.token.OIDCTokens.parse(OIDCTokens.java:205)
	 at com.nimbusds.openid.connect.sdk.OIDCTokenResponse.parse(OIDCTokenResponse.java:164)
	 at com.nimbusds.openid.connect.sdk.OIDCTokenResponse.parse(OIDCTokenResponse.java:196)
	 at com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser.parse(OIDCTokenResponseParser.java:78)
	 at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.executeTokenRequest(OidcAuthenticator.java:202)
	 at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:165)
	 at org.pac4j.core.client.BaseClient.lambda$retrieveCredentials$0(BaseClient.java:75)
	 at java.base/java.util.Optional.ifPresent(Optional.java:183)
	 at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:72)
	 at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:145)
	 at org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1272)
	 at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
	 at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
Caused: java.lang.reflect.InvocationTargetException
	 at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:401)
	 at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
	 at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
	 at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
	 at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
	 at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
	 at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
	 at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
	 at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:224)
	 at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
	 at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
	 at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
	 at org.kohsuke.stapler.Stapler.invoke(Stapler.java:698)
	 at org.kohsuke.stapler.Stapler.service(Stapler.java:248)
	 at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	 at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
	 at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:163)
	 at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at jenkins.util.HttpServletFilter$1.doFilter(HttpServletFilter.java:76)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:166)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at jenkins.ErrorAttributeFilter.doFilter(ErrorAttributeFilter.java:29)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	 at org.jenkinsci.plugins.oic.OicSecurityRealm$1.doFilter(OicSecurityRealm.java:863)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	 at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	 at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:145)
	 at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
	 at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
	 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	 at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	 at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
	 at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
	 at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:569)
	 at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
	 at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	 at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
	 at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
	 at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
	 at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
	 at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
	 at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	 at org.eclipse.jetty.server.Server.handle(Server.java:563)
	 at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
	 at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
	 at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
	 at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
	 at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
	 at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	 at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199)
	 at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
	 at java.base/java.lang.Thread.run(Thread.java:829)
2024-11-12 02:24:08.919+0000 [id=5809]	WARNING	h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID 43575e6e-eaca-40d4-95ac-545fed58f74f
java.lang.IllegalArgumentException: The value must not be null or empty string
	 at com.nimbusds.oauth2.sdk.id.Identifier.<init>(Identifier.java:95)
	 at com.nimbusds.oauth2.sdk.token.Token.<init>(Token.java:52)
	 at com.nimbusds.oauth2.sdk.token.RefreshToken.<init>(RefreshToken.java:79)
	 at com.nimbusds.oauth2.sdk.token.RefreshToken.parse(RefreshToken.java:121)
	 at com.nimbusds.openid.connect.sdk.token.OIDCTokens.parse(OIDCTokens.java:205)
	 at com.nimbusds.openid.connect.sdk.OIDCTokenResponse.parse(OIDCTokenResponse.java:164)
	 at com.nimbusds.openid.connect.sdk.OIDCTokenResponse.parse(OIDCTokenResponse.java:196)
	 at com.nimbusds.openid.connect.sdk.OIDCTokenResponseParser.parse(OIDCTokenResponseParser.java:78)
	 at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.executeTokenRequest(OidcAuthenticator.java:202)
	 at org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:165)
	 at org.pac4j.core.client.BaseClient.lambda$retrieveCredentials$0(BaseClient.java:75)
	 at java.base/java.util.Optional.ifPresent(Optional.java:183)
	 at org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:72)
	 at org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:145)
	 at org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1272)
	 at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
	 at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
	 at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
	 at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
	 at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
	 at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
	 at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
	 at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
Caused: javax.servlet.ServletException
	 at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:818)
	 at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
	 at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:224)
	 at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
	 at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:770)
	 at org.kohsuke.stapler.Stapler.invoke(Stapler.java:900)
	 at org.kohsuke.stapler.Stapler.invoke(Stapler.java:698)
	 at org.kohsuke.stapler.Stapler.service(Stapler.java:248)
	 at javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	 at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
	 at org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:163)
	 at io.jenkins.blueocean.ResourceCacheControl.doFilter(ResourceCacheControl.java:134)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at io.jenkins.blueocean.auth.jwt.impl.JwtAuthenticationFilter.doFilter(JwtAuthenticationFilter.java:60)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at jenkins.util.HttpServletFilter$1.doFilter(HttpServletFilter.java:76)
	 at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	 at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:166)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at jenkins.ErrorAttributeFilter.doFilter(ErrorAttributeFilter.java:29)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	 at org.jenkinsci.plugins.oic.OicSecurityRealm$1.doFilter(OicSecurityRealm.java:863)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	 at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	 at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:145)
	 at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
	 at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
	 at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	 at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	 at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	 at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	 at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
	 at org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	 at org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	 at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
	 at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
	 at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:569)
	 at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
	 at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	 at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
	 at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
	 at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
	 at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
	 at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
	 at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
	 at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	 at org.eclipse.jetty.server.Server.handle(Server.java:563)
	 at org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
	 at org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
	 at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
	 at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
	 at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
	 at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	 at org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
	 at org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199)
	 at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
	 at org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
	 at java.base/java.lang.Thread.run(Thread.java:829)

Expected Results

Log in to Jenkins successfully

Actual Results

Failed to log in to Jenkins

Anything else?

No response

Are you interested in contributing a fix?

No response

@biru-codeastromer

@caichao1103 Hey sir, can I work on this issue?

@eva-mueller-coremedia
Contributor

@caichao1103 What did you specify as Groups field name in the configuration backend? Did you specify "" or did you leave the field empty?

@caichao1103
Author

@caichao1103 What did you specify as Groups field name in the configuration backend? Did you specify "" or did you leave the field empty?

I left it empty @eva-mueller-coremedia

@eva-mueller-coremedia
Contributor

@caichao1103

  • Which provider do you use?
  • What is the field/config name, in which your provider stores the groups of a user?

@caichao1103
Author

@caichao1103

* Which provider do you use?

* What is the field/config name, in which your provider stores the groups of a user?

@eva-mueller-coremedia
The provider is developed by our own team and used internally only.
The config detail is as below.

Image

@eva-mueller-coremedia
Contributor

For me, it seems that the warning

Nov 12 02:23:36 fcai-vm-01 jenkins[161716]: 2024-11-12 02:23:36.226+0000 [id=5809]#011WARNING#011o.j.plugins.oic.OicSecurityRealm#compileJMESPath: groups field config failed io.burt.jmespath.parser.ParseException: Unable to compile expression "": syntax error mismatched input '<EOF>' expecting {'!', '(', '*', '[', '{', '[?', '@', '`', RAW_STRING, JSON_CONSTANT, NAME, STRING} at position 0

is not the root cause of your problem. See https://github.com/jenkinsci/oic-auth-plugin/blob/4.418.vccc7061f5b_6d/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java#L722

The main problem seems to be the Refresh Token:

Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: 2024-11-12 02:24:08.913+0000 [id=5809]#011WARNING#011o.e.j.s.h.ContextHandler$Context#log: Error while serving http://fcai-vm-01:8080/securityRealm/finishLogin
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: java.lang.IllegalArgumentException: The value must not be null or empty string
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at com.nimbusds.oauth2.sdk.id.Identifier.<init>(Identifier.java:95)
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at com.nimbusds.oauth2.sdk.token.Token.<init>(Token.java:52)
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at com.nimbusds.oauth2.sdk.token.RefreshToken.<init>(RefreshToken.java:79)
[...]
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1272)

@caichao1103

  • Can you ensure that your internally developed provider is a conformant OIDC provider?
  • When you login via your provider, does it return an ID token, access token, and refresh token?
    • If your provider does not support refresh token, did you disable the config "Enable Token Refresh using Refresh Tokens?"
  • Did you try to update to the latest version of the oic-auth plugin?

@caichao1103
Author

For me, it seems that the warning

Nov 12 02:23:36 fcai-vm-01 jenkins[161716]: 2024-11-12 02:23:36.226+0000 [id=5809]#011WARNING#011o.j.plugins.oic.OicSecurityRealm#compileJMESPath: groups field config failed io.burt.jmespath.parser.ParseException: Unable to compile expression "": syntax error mismatched input '<EOF>' expecting {'!', '(', '*', '[', '{', '[?', '@', '`', RAW_STRING, JSON_CONSTANT, NAME, STRING} at position 0

is not the root cause of your problem. See https://github.com/jenkinsci/oic-auth-plugin/blob/4.418.vccc7061f5b_6d/src/main/java/org/jenkinsci/plugins/oic/OicSecurityRealm.java#L722

The main problem seems to be the Refresh Token:

Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: 2024-11-12 02:24:08.913+0000 [id=5809]#011WARNING#011o.e.j.s.h.ContextHandler$Context#log: Error while serving http://fcai-vm-01:8080/securityRealm/finishLogin
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: java.lang.IllegalArgumentException: The value must not be null or empty string
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at com.nimbusds.oauth2.sdk.id.Identifier.<init>(Identifier.java:95)
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at com.nimbusds.oauth2.sdk.token.Token.<init>(Token.java:52)
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at com.nimbusds.oauth2.sdk.token.RefreshToken.<init>(RefreshToken.java:79)
[...]
Nov 12 02:24:08 fcai-vm-01 jenkins[161716]: #011at org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1272)

@caichao1103

* Can you ensure that your internally developed provider is a conformant OIDC provider?

* When you login via your provider, does it return an ID token, access token, and refresh token?
  
  * If your provider does not support refresh token, did you disable the config "Enable Token Refresh using Refresh Tokens?"

* Did you try to update to the latest version of the oic-auth plugin?

@eva-mueller-coremedia
Our production Jenkins is using oic-auth 4.303.v84089a_708ea_7, and everything is OK. When we tried to update oic-auth to 4.418.vccc7061f5b_6d on our dev Jenkins, we ran into the issue.
How do I disable the config "Enable Token Refresh using Refresh Tokens", please?

@eva-mueller-coremedia
Contributor

How to disable the config - "Enable Token Refresh using Refresh Tokens" please?

I get this option when using the manual configuration mode. Does not seem to be present when using the well-known endpoint.

@caichao1103
Author

How to disable the config - "Enable Token Refresh using Refresh Tokens" please?

I get this option when using the manual configuration mode. Does not seem to be present when using the well-known endpoint.

@eva-mueller-coremedia
I just updated the oic plugin to the latest version, 4.438.v6e62f6782770, on the Jenkins dev environment, and did not enable the "Enable Token Refresh using Refresh Tokens" option, but I still get the same error.

@eva-mueller-coremedia
Contributor

When you login via your provider, does it return an ID token, access token, and refresh token?

@caichao1103
Author

When you login via your provider, does it return an ID token, access token, and refresh token?

It returns an ID token.

@eva-mueller-coremedia
Contributor

Did you check for breaking changes in https://github.com/jenkinsci/oic-auth-plugin/releases since 4.303.v84089a_708ea_7?

Like

If you consider all changes necessary due to the breaking changes and it still does not work, this is likely something for @jtnord

@caichao1103
Author

Did you check for breaking changes in https://github.com/jenkinsci/oic-auth-plugin/releases since 4.303.v84089a_708ea_7?

Like

* https://github.com/jenkinsci/oic-auth-plugin/releases/tag/4.388.v4f73328eb_d2c

* https://github.com/jenkinsci/oic-auth-plugin/releases/tag/4.350.v347c3b_8b_9d95

If you consider all changes necessary due to the breaking changes and it still does not work, this is likely something for @jtnord

Yes, I DID check for these breaking changes.

@eva-mueller-coremedia
Contributor

It seems, when OicSecurityRealm#doFinishLogin requests the credentials

Credentials credentials = client.getCredentials(webContext, sessionStore)
                    .orElseThrow(() -> new Failure("Could not extract credentials from request"));

in the end OIDCTokens wants to parse the Access Token as well as the Refresh Token (at least in version oauth2-oidc-sdk-10.1.jar).

Maybe @jtnord can dig deeper here?

@jtnord
Member

jtnord commented Dec 23, 2024

the JMESPath shouldn't be compiled if the string is a blank string or null (I think that bug has been there for a while). #492


the exception says the IdP is returning an invalid refresh token https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/86c059d5ec7efd024f0f0e730cce3c20c69d9d7c/src/main/java/com/nimbusds/oauth2/sdk/token/RefreshToken.java#lines-79 implies the value is null

and yet there is a null defence in the method that calls this. -> https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/86c059d5ec7efd024f0f0e730cce3c20c69d9d7c/src/main/java/com/nimbusds/oauth2/sdk/token/RefreshToken.java#lines-117:121

https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3.1.3.3

However peeking further we see https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/86c059d5ec7efd024f0f0e730cce3c20c69d9d7c/src/main/java/com/nimbusds/oauth2/sdk/id/Identifier.java#lines-92:97

so the IDP is sending a blank (empty) refresh token.

https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.13.3

Omitted parameters and parameters with no value SHOULD be omitted from the object and not represented by a JSON null value, unless otherwise specified

so whilst this is SHOULD and not a MUST I would say the developers of the IDP implementation have not understood the ramifications of this.

https://www.ietf.org/rfc/rfc2119.txt

  1. SHOULD This word, or the adjective "RECOMMENDED", mean that there
    may exist valid reasons in particular circumstances to ignore a
    particular item, but the full implications must be understood and
    carefully weighed before choosing a different course.

This is in the underlying libraries that we use; the reason that the previous version worked was that it was non-compliant with the spec (it was based on an early draft) and you got lucky.

The latest version of the libraries has the same behaviour.

I would suggest that you go back to your OpenID provider and open a defect with them so that they do not send a blank string for a refresh token (which is completely nonsensical!).

You may be able to work around this by disabling refresh token support, which the IDP claims it supports from the well known config otherwise we should not even be requesting it! (grant_types_supported)

You may also be able to persuade the maintainers of the nimbus SDK that they should be tolerant of blank strings as well as null values, and then we would pick that fix up when compatible with a future pac4j version.
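To make the two rules that collided in this thread concrete (the SDK's "identifier must not be null or empty" check that eva-mueller-coremedia traced into OIDCTokens.parse, and the spec's "parameters with no value SHOULD be omitted" clause jtnord quotes), here is an added example in plain Python. It is not code from the oic-auth plugin, pac4j or the Nimbus SDK; it re-implements the strict check, offers a tolerant mode that logs the provider defect instead of failing the login, and reads `grant_types_supported` from the discovery document to decide whether a refresh token should be expected at all. All token strings and the discovery document are constructed placeholders.

```python
"""Check an OIDC token-endpoint response for a present-but-blank refresh_token.

Added example, not code from the oic-auth plugin, pac4j or the Nimbus SDK.
It mirrors the strict "identifier must not be null or empty" rule and the
spec's "parameters with no value SHOULD be omitted" rule, so a defender can
see why "" breaks a compliant client while an omitted key does not.
"""
import json


class TokenResponseError(ValueError):
    """Raised when the token response cannot be accepted as-is."""


# Parameters a successful OIDC token response must carry.
REQUIRED_PARAMS = ("access_token", "token_type", "id_token")
# Token parameters the provider may omit entirely.
OPTIONAL_TOKEN_PARAMS = ("refresh_token",)


def _has_no_value(value):
    """True for JSON null and for blank strings: both mean 'no value'."""
    return value is None or (isinstance(value, str) and value.strip() == "")


def _identifier(name, value):
    """Strict identifier rule: a present token must be a non-empty string."""
    if _has_no_value(value) or not isinstance(value, str):
        raise TokenResponseError(f"{name}: the value must not be null or empty string")
    return value


def parse_token_response(body, strict=True):
    """Parse a token-endpoint JSON body and return the accepted parameters.

    strict=True reproduces the failure seen in this issue: a refresh_token key
    that is present but blank or null aborts parsing.  strict=False treats such
    a key as if it had been omitted and records the spec violation in the
    returned 'warnings' list, so the login can proceed while the provider
    defect stays visible in the logs.  The id_token itself is not validated here.
    """
    data = json.loads(body)
    if "error" in data:
        raise TokenResponseError(f"token endpoint returned error '{data['error']}'")

    accepted = {"warnings": []}
    for name in REQUIRED_PARAMS:
        if name not in data:
            raise TokenResponseError(f"{name}: required parameter missing")
        accepted[name] = _identifier(name, data[name])

    for name in OPTIONAL_TOKEN_PARAMS:
        if name not in data:
            continue  # omitted: the spec-recommended way to convey "no value"
        if _has_no_value(data[name]):
            if strict:
                raise TokenResponseError(f"{name}: the value must not be null or empty string")
            accepted["warnings"].append(
                f"{name} sent with no value (should be omitted); treated as omitted")
            continue
        accepted[name] = _identifier(name, data[name])
    return accepted


def refresh_tokens_advertised(discovery_doc):
    """True when the provider's metadata lists the refresh_token grant type.

    A client should only request, and expect, refresh tokens when this is set.
    """
    return "refresh_token" in discovery_doc.get("grant_types_supported", [])


# Constructed sample data; the token strings are placeholders, not real tokens.
GOOD_RESPONSE = json.dumps({
    "access_token": "at-placeholder", "token_type": "Bearer",
    "id_token": "idtoken-placeholder", "refresh_token": "rt-placeholder",
})
BLANK_REFRESH_RESPONSE = json.dumps({
    "access_token": "at-placeholder", "token_type": "Bearer",
    "id_token": "idtoken-placeholder", "refresh_token": "",
})
NULL_REFRESH_RESPONSE = json.dumps({
    "access_token": "at-placeholder", "token_type": "Bearer",
    "id_token": "idtoken-placeholder", "refresh_token": None,
})
OMITTED_REFRESH_RESPONSE = json.dumps({
    "access_token": "at-placeholder", "token_type": "Bearer",
    "id_token": "idtoken-placeholder",
})
DISCOVERY_DOC = {"grant_types_supported": ["authorization_code", "refresh_token"]}


if __name__ == "__main__":
    print(parse_token_response(GOOD_RESPONSE))
    print(parse_token_response(OMITTED_REFRESH_RESPONSE))
    print(parse_token_response(BLANK_REFRESH_RESPONSE, strict=False))
    try:
        parse_token_response(BLANK_REFRESH_RESPONSE)
    except TokenResponseError as exc:
        print("strict parse rejected the response:", exc)
    print("refresh advertised:", refresh_tokens_advertised(DISCOVERY_DOC))
```

Run as a script it walks through the four constructed responses; the strict mode fails on both `""` and `null`, the tolerant mode accepts them with a warning, and the omitted-key response passes cleanly in either mode. When diagnosing a login failure like this one, capturing the raw token response and running it through a check of this kind pinpoints whether the provider or the client configuration is at fault before anyone touches plugin settings.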

@jtnord jtnord changed the title login to jenkins failed if openid provider not return group info Unable to login if IDP sends a blank ("") refresh token Dec 23, 2024
@jtnord jtnord changed the title Unable to login if IDP sends a blank ("") refresh token Unable to login if iDP sends a blank ("") refresh token Dec 23, 2024
@caichao1103
Author

@jtnord As you pointed out, our developer changed the code so that it no longer sends a blank (empty) refresh token. And I updated the plugin to the latest version, 4.444.vd4c54f157201, on our test env and then did the test. The issue has been resolved. Thanks a lot for your help.
