Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add custom parameters to authorize and logout endpoints #480

Open
wants to merge 15 commits into
base: master
Choose a base branch
from

Conversation

eva-mueller-coremedia
Copy link
Contributor

@eva-mueller-coremedia eva-mueller-coremedia commented Dec 14, 2024

This PR

Additionally, some housekeeping (fixing typos, simplify statements) has been done.

The main change has been done in eb0d2ba:

  • Add new input fields for login resp. logout query parameters in the Jenkins management backend
  • maybeOpenIdLogoutEndpoint has been refactored when it comes to combining all parameters
  • Login query parameters are not allowed to overwrite keys as defined in org.pac4j.oidc.config.OidcConfiguration
  • Logout query parameters are not allowed to overwrite keys as set in maybeOpenIdLogoutEndpoint like id_token_hint, state, post_logout_redirect_uri
query-params

Testing done

This change has been tested by unit tests as well as local testing agains AWS Cognito.

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests - that demonstrates feature works or fixes the issue

@eva-mueller-coremedia eva-mueller-coremedia requested a review from a team as a code owner December 14, 2024 23:08
Copy link

codecov bot commented Dec 14, 2024

Codecov Report

Attention: Patch coverage is 92.47312% with 7 lines in your changes missing coverage. Please review.

Project coverage is 74.19%. Comparing base (84359ac) to head (bf28327).
Report is 16 commits behind head on master.

Files with missing lines Patch % Lines
...va/org/jenkinsci/plugins/oic/OicSecurityRealm.java 88.52% 5 Missing and 2 partials ⚠️
Additional details and impacted files
@@             Coverage Diff              @@
##             master     #480      +/-   ##
============================================
+ Coverage     71.73%   74.19%   +2.46%     
- Complexity      222      256      +34     
============================================
  Files            17       18       +1     
  Lines          1033     1089      +56     
  Branches        148      155       +7     
============================================
+ Hits            741      808      +67     
+ Misses          201      194       -7     
+ Partials         91       87       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@eva-mueller-coremedia eva-mueller-coremedia changed the title Add custom parameters to authorize and logout endpoint Add custom parameters to authorize and logout endpoints Dec 15, 2024
Copy link
Member

@jtnord jtnord left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @eva-mueller-coremedia thanks for this.

I have had a quick look and have a few comments around the UX side.

The extra parameters would IIUC not be needed in the majority of conformant IDPs, as such do you thing they should be hidden behind an advanced section?

the use of a single string for multiple keyvalue pairs (and the encoding /splitting shenaningans) would seem to be error prone (and it lacks good warnings on invalid input). (a value may need to encode & and then you need to escape it)
Would making the KeyValue a Describable and using a repeatable option using repeatableProperty or the like (which can then perform individual valuation of the key and the value). NB not sur how this would look in CasC.

@eva-mueller-coremedia
Copy link
Contributor Author

@jtnord Thanks for the feedback, will try to follow a key value pair pattern.

If you don't mind, I would like to remove the UI at all - only provide it to be set via CasC resp. Java/Groovy code. Any objections?

@jtnord
Copy link
Member

jtnord commented Dec 24, 2024

@jtnord Thanks for the feedback, will try to follow a key value pair pattern.

If you don't mind, I would like to remove the UI at all - only provide it to be set via CasC resp. Java/Groovy code. Any objections?

it's generally considered bad to have something exposed in the UI and not CasC and vice versa. Not exposing in the UI can lead to it getting overridden if someone saves the Jenkins form in the UI (which I say you should never do as if you manage by code you should have a read only system UI, but it is useful on test systems where you want to make changes in the UI and then export the config for applying to a different server).

@eva-mueller-coremedia
Copy link
Contributor Author

@jtnord Thanks for the feedback, will try to follow a key value pair pattern.
If you don't mind, I would like to remove the UI at all - only provide it to be set via CasC resp. Java/Groovy code. Any objections?

it's generally considered bad to have something exposed in the UI and not CasC and vice versa. Not exposing in the UI can lead to it getting overridden if someone saves the Jenkins form in the UI (which I say you should never do as if you manage by code you should have a read only system UI, but it is useful on test systems where you want to make changes in the UI and then export the config for applying to a different server).

Understood. 👍 I will have a look to implement it the way you described initially. Thanks for the explanation!

@eva-mueller-coremedia eva-mueller-coremedia force-pushed the query-params branch 2 times, most recently from 418804d to dce7676 Compare December 24, 2024 21:59
@@ -219,12 +219,12 @@ public FormValidation doCheckWellKnownOpenIDConfigurationUrl(
}

@POST
public FormValidation doCheckOverrideScopes(@QueryParameter String overrideScopes) {
public FormValidation doCheckScopesOverride(@QueryParameter String scopesOverride) {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jtnord The form validation for scopes did not work since the jelly uses scopesOverride as field name.

Fixed this with this PR or should I open a dedicated PR?

Comment on lines +367 to +368
this.setLoginQueryParamNameValuePairs(this.loginQueryParamNameValuePairs);
this.setLogoutQueryParamNameValuePairs(this.logoutQueryParamNameValuePairs);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is not actually doing anything.
the other calls to setXXX above are mostly either fixing nulls or are setters with side effects (ie setting the username fiels sets the field and constructs the JMESPath )

Suggested change
this.setLoginQueryParamNameValuePairs(this.loginQueryParamNameValuePairs);
this.setLogoutQueryParamNameValuePairs(this.logoutQueryParamNameValuePairs);

Comment on lines +55 to +59
public String getQueryParamNameDecoded() {
return paramName != null
? URLEncoder.encode(paramName, StandardCharsets.UTF_8).trim()
: null;
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this appears to be encoding not decoding?


public String getQueryParamValueDecoded() {
return paramValue != null
? URLEncoder.encode(paramValue, StandardCharsets.UTF_8).trim()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this appears to be encoding not decoding?

@@ -505,7 +533,7 @@ ProxyAwareResourceRetriever getResourceRetriever() {
return proxyAwareResourceRetriever;
}

private OidcConfiguration buildOidcConfiguration() {
private OidcConfiguration buildOidcConfiguration(boolean addCustomLoginParams) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it needed to pass the boolean addCustomLoginParams here?
why would we have parameters set (a non-null non-empty collection) and not want them sent? (the UI does not have a way to enable or disable this, so it would only be driven by having some values set?)

@eva-mueller-coremedia
Copy link
Contributor Author

@jtnord Thanks for the review. Will take care after my 1 week vacation.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants