Add custom parameters to authorize and logout endpoints #480
base: master
Conversation
Codecov Report
Attention: Patch coverage is
Coverage Diff (master vs. #480):

    @@             Coverage Diff             @@
    ##             master     #480      +/-   ##
    ============================================
    + Coverage     71.73%   74.19%   +2.46%
    - Complexity      222      256      +34
    ============================================
      Files            17       18       +1
      Lines          1033     1089      +56
      Branches        148      155       +7
    ============================================
    + Hits            741      808      +67
    + Misses          201      194       -7
    + Partials         91       87       -4
Force-pushed 58e2662 to 36fe900
Hi @eva-mueller-coremedia, thanks for this.
I have had a quick look and have a few comments around the UX side.
The extra parameters would IIUC not be needed in the majority of conformant IDPs; as such, do you think they should be hidden behind an advanced section?
The use of a single string for multiple key/value pairs (and the encoding/splitting shenanigans) would seem to be error prone (and it lacks good warnings on invalid input). (A value may need to encode `&`, and then you need to escape it.)
Would making the KeyValue a Describable and using a repeatable option using `repeatableProperty` or the like (which can then perform individual validation of the key and the value) work? NB: not sure how this would look in CasC.
@jtnord Thanks for the feedback, I will try to follow a key/value pair pattern. If you don't mind, I would like to remove the UI entirely and only provide it to be set via CasC resp. Java/Groovy code. Any objections?

It's generally considered bad to have something exposed in the UI and not in CasC, and vice versa. Not exposing it in the UI can lead to it getting overridden if someone saves the Jenkins form in the UI (which I say you should never do: if you manage by code you should have a read-only system UI, but it is useful on test systems where you want to make changes in the UI and then export the config for applying to a different server).

Understood. 👍 I will have a look to implement it the way you described initially. Thanks for the explanation!
…eld instanceof String'
Force-pushed 418804d to dce7676
src/main/java/org/jenkinsci/plugins/oic/OicQueryParameterConfiguration.java
Force-pushed a2de73e to 01a48ec
Force-pushed 01a48ec to bf28327
@@ -219,12 +219,12 @@ public FormValidation doCheckWellKnownOpenIDConfigurationUrl( | |||
} | |||
|
|||
@POST | |||
public FormValidation doCheckOverrideScopes(@QueryParameter String overrideScopes) { | |||
public FormValidation doCheckScopesOverride(@QueryParameter String scopesOverride) { |
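Review bot: the `@QueryParameter` name has to match the Jelly `field` attribute exactly for Stapler to route the `doCheck*` call, so renaming both the method and the parameter to `scopesOverride` is the right fix, but it is unrelated to adding custom parameters; list it in the PR description (or split it into its own PR) so the behavioural change to scope validation is not buried in the larger change.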
@jtnord The form validation for scopes did not work since the jelly uses `scopesOverride` as the field name. Fixed this with this PR, or should I open a dedicated PR?
this.setLoginQueryParamNameValuePairs(this.loginQueryParamNameValuePairs); | ||
this.setLogoutQueryParamNameValuePairs(this.logoutQueryParamNameValuePairs); |
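Review bot: `this.setX(this.x)` is a no-op unless the setter normalises its argument, and nothing in the hunk shows that it does; if the intent is to turn a `null` collection (an older config.xml, or a CasC file that omits the key) into an empty one, do that explicitly with a null check on the field, otherwise drop both lines.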
This is not actually doing anything. The other calls to `setXXX` above are mostly either fixing `null`s or are setters with side effects (i.e. setting the username field sets the field and constructs the JMESPath).

Suggested change (both lines removed):
this.setLoginQueryParamNameValuePairs(this.loginQueryParamNameValuePairs);
this.setLogoutQueryParamNameValuePairs(this.logoutQueryParamNameValuePairs);
public String getQueryParamNameDecoded() { | ||
return paramName != null | ||
? URLEncoder.encode(paramName, StandardCharsets.UTF_8).trim() | ||
: null; | ||
} |
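Review bot: `getQueryParamNameDecoded` encodes rather than decodes, and the `.trim()` runs after `URLEncoder.encode`, where it can no longer remove anything (a leading or trailing space has already become `+`); trim first, then encode, and rename the getter to say what it does. Note also that `URLEncoder.encode` produces application/x-www-form-urlencoded output (space as `+`), not RFC 3986 query-component encoding, and if the `org.pac4j.oidc.config.OidcConfiguration` builder encodes custom parameters again when it serialises the request URL, storing pre-encoded values here will double-encode them; check that the name is encoded exactly once, at the point where the URL is assembled.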
This appears to be encoding, not decoding?
public String getQueryParamValueDecoded() { | ||
return paramValue != null | ||
? URLEncoder.encode(paramValue, StandardCharsets.UTF_8).trim() |
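Review bot: the same trim-after-encode ordering problem applies to the value, and it matters more here: `URLEncoder.encode` turns a raw `+` into `%2B` and a space into `+`, so a value an operator pastes already percent-encoded from IdP documentation is transformed a second time. Store the raw value, reject `&` and `=` in `doCheck*` only if the assembly code does not encode them, and encode once when the URL is built.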
This appears to be encoding, not decoding?
@@ -505,7 +533,7 @@ ProxyAwareResourceRetriever getResourceRetriever() { | |||
return proxyAwareResourceRetriever; | |||
} | |||
|
|||
private OidcConfiguration buildOidcConfiguration() { | |||
private OidcConfiguration buildOidcConfiguration(boolean addCustomLoginParams) { |
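Review bot: the new `addCustomLoginParams` flag moves the decision of whether configured login parameters are sent from the data to each caller, and the hunk does not document which caller passes `false` or why; if it exists only so the logout path can build a configuration without login parameters, build the base configuration once and let the login and logout paths attach their own parameter lists, so a non-empty configured collection is never silently dropped, or at least Javadoc the parameter.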
Is it needed to pass the boolean `addCustomLoginParams` here? Why would we have parameters set (a non-null, non-empty collection) and not want them sent? (The UI does not have a way to enable or disable this, so it would only be driven by having some values set?)

@jtnord Thanks for the review. Will take care after my 1 week vacation.
This PR
Additionally, some housekeeping (fixing typos, simplify statements) has been done.
The main change has been done in eb0d2ba: `maybeOpenIdLogoutEndpoint` has been refactored when it comes to combining all parameters (`org.pac4j.oidc.config.OidcConfiguration`, `maybeOpenIdLogoutEndpoint`) like `id_token_hint`, `state`, `post_logout_redirect_uri`.
Testing done
This change has been tested by unit tests as well as local testing against AWS Cognito.
Submitter checklist
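The two points raised in this thread, the ambiguity of a single `k1=v1&k2=v2` string once a value contains `&` or `=` (jtnord's first comment) and the combination of protocol parameters such as `id_token_hint`, `state` and `post_logout_redirect_uri` with operator-supplied ones (the PR description), can be shown in a few lines. The following is an added example written for this page; it is not code from the PR or from the oic-auth plugin, and it is in Python rather than Java so the encoding behaviour is easy to run. The `RESERVED` name list, the endpoint URLs and the sample parameters (`kc_idp_hint`, `ui_locales`, `note`) are assumptions for illustration. `quote(..., safe='')` is RFC 3986 component encoding; Java's `URLEncoder.encode` corresponds to Python's `quote_plus` (form encoding, space as `+`), which is the distinction flagged on the `getQueryParam*Decoded` getters.

```python
"""Attaching operator-supplied query parameters to OIDC authorize/logout URLs."""
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit

# Parameter names the plugin itself sets; a custom parameter must not clobber
# them. Assumed list for the example (the PR names id_token_hint, state and
# post_logout_redirect_uri on the logout side).
RESERVED = frozenset({
    "client_id", "redirect_uri", "response_type", "scope", "state", "nonce",
    "code_challenge", "code_challenge_method",
    "id_token_hint", "post_logout_redirect_uri",
})


def split_single_string(raw):
    """The rejected design: one 'k1=v1&k2=v2' string split on '&' and '='.

    A value that itself contains '&' or '=' is indistinguishable from a
    separator, so the recovered pair list is wrong and there is no way to
    warn the operator about it.
    """
    pairs = []
    for part in raw.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name, value))
    return pairs


def encode_pairs(pairs):
    """Structured pairs: trim first, then percent-encode name and value separately.

    Trimming has to happen before encoding; after encoding there is no
    whitespace left, so trim() on the encoded string never removes anything.
    """
    encoded = []
    for name, value in pairs:
        name, value = name.strip(), value.strip()
        if not name:
            raise ValueError("parameter name must not be empty")
        encoded.append(f"{quote(name, safe='')}={quote(value, safe='')}")
    return "&".join(encoded)


def build_url(endpoint, standard, custom):
    """Append protocol parameters plus custom ones to an endpoint URL.

    A custom name that collides with RESERVED is rejected instead of
    silently overriding the protocol value (e.g. a configured redirect_uri).
    Each name/value is encoded exactly once, here, and nowhere else.
    """
    for name, _ in custom:
        if name.strip() in RESERVED:
            raise ValueError(f"custom parameter {name!r} would override a protocol parameter")
    parts = urlsplit(endpoint)
    query = encode_pairs(list(standard) + list(custom))
    if parts.query:  # endpoint may already carry a query string
        query = parts.query + "&" + query
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


def decode_query(url):
    """What the IdP sees after decoding the query component."""
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


if __name__ == "__main__":
    # Constructed sample input, not taken from the PR.
    custom_login = [("kc_idp_hint", "corp-saml"), ("note", "a&b=c")]
    url = build_url(
        "https://idp.example/authorize",
        [("response_type", "code"), ("client_id", "jenkins"), ("state", "xyz")],
        custom_login,
    )
    print(url)
    print(decode_query(url))
    # The single-string design cannot represent the same value:
    print(split_single_string("kc_idp_hint=corp-saml&note=a&b=c"))
```

The logout URL is built the same way: pass `id_token_hint`, `post_logout_redirect_uri` and `state` as the standard list and the configured logout pairs as `custom`, and the reserved-name check keeps a configured `post_logout_redirect_uri` from redirecting the browser somewhere the plugin did not choose.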