
[REGRESSION] After updating from 2.5 to 2.6 my user does not detect any groups provided by Oic Application #236

Closed
DuMaM opened this issue Jun 13, 2023 · 25 comments
Comments

@DuMaM

DuMaM commented Jun 13, 2023

Jenkins and plugins versions report

Environment
Jenkins: 2.375.4
Java: 11.0.16 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
Office-365-Connector:4.18.0
Parameterized-Remote-Trigger:3.1.6.3
allure-jenkins-plugin:2.30.3
amazon-ecr:1.114.vfd22430621f5
analysis-model-api:10.23.1
ansicolor:1.0.2
antisamy-markup-formatter:159.v25b_c67cd35fb_
apache-httpcomponents-client-4-api:4.5.14-150.v7a_b_9d17134a_5
audit-trail:333.vb_e1b_b_0f1238c
authentication-tokens:1.4
aws-credentials:191.vcb_f183ce58b_9
aws-java-sdk:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-cloudformation:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-codebuild:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-ec2:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-ecr:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-ecs:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-efs:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-elasticbeanstalk:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-iam:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-kinesis:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-logs:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-minimal:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-sns:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-sqs:1.12.481-392.v8b_291cfcda_09
aws-java-sdk-ssm:1.12.481-392.v8b_291cfcda_09
basic-branch-build-strategies:71.vc1421f89888e
bootstrap5-api:5.2.1-3
bouncycastle-api:2.28
branch-api:2.1105.v472604208c55
build-discarder:139.v05696a_7fe240
build-failure-analyzer:2.4.1
build-name-setter:2.2.0
build-timeout:1.31
build-token-root:151.va_e52fe3215fc
build-user-vars-plugin:1.9
caffeine-api:3.1.6-115.vb_8b_b_328e59d8
checks-api:1.8.1
cloudbees-disk-usage-simple:182.v62ca_0c992a_f3
cloudbees-folder:6.815.v0dd5a_cb_40e0e
cobertura:1.17
code-coverage-api:3.5.0
command-launcher:100.v2f6722292ee8
commons-httpclient3-api:3.1-3
commons-lang3-api:3.12.0-36.vd97de6465d5b_
commons-text-api:1.10.0-36.vc008c8fcda_7b_
config-file-provider:938.ve2b_8a_591c596
configuration-as-code:1625.v27444588cc3d
confluence-publisher:156.vf3597ca_9cf27
copyartifact:705.v5295cffec284
credentials:1224.vc23ca_a_9a_2cb_0
credentials-binding:604.vb_64480b_c56ca_
cucumber-reports:5.7.5
data-tables-api:1.12.1-4
declarative-pipeline-migration-assistant:1.5.6
declarative-pipeline-migration-assistant-api:1.5.6
display-url-api:2.3.7
docker-commons:419.v8e3cd84ef49c
docker-workflow:563.vd5d2e5c4007f
durable-task:507.v050055d0cb_dd
ec2:2.0.7
echarts-api:5.4.0-1
email-ext:2.98
envinject:2.901.v0038b_6471582
envinject-api:1.199.v3ce31253ed13
extended-choice-parameter:373.v1a_ecea_fdf2a_a_
extended-read-permission:3.2
external-monitor-job:203.v683c09d993b_9
favorite:2.4.2
file-leak-detector:1.11
file-operations:1.11
font-awesome-api:6.2.1-1
forensics-api:1.17.0
git:5.0.2
git-client:4.3.0
git-parameter:0.9.18
github:1.37.1
github-api:1.314-431.v78d72a_3fe4c3
github-branch-source:1728.v859147241f49
github-checks:545.v79a_a_68b_ca_682
gradle:2.8
groovy:453.vcdb_a_c5c99890
h2-api:1.4.199
htmlpublisher:1.31
http_request:1.16
ignore-committer-strategy:1.0.4
instance-identity:173.va_37c494ec4e5
ionicons-api:56.v1b_1c8c49374e
jackson2-api:2.15.2-350.v0c2f3f8fc595
jacoco:3.3.3
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javadoc:233.vdc1a_ec702cff
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.8-1
jdk-tool:66.vd8fa_64ee91b_d
jersey2-api:2.39.1-2
jira:3.10
jjwt-api:0.11.5-77.v646c772fddb_0
job-dsl:1.82
job-import-plugin:3.6
jobConfigHistory:1212.vd4470d08ff12
jquery:1.12.4-1
jquery3-api:3.6.1-2
jsch:0.2.8-65.v052c39de79b_2
junit:1202.v79a_986785076
kubernetes-client-api:6.4.1-215.v2ed17097a_8e9
kubernetes-credentials:0.10.0
lockable-resources:1131.vb_7c3d377e723
mailer:457.v3f72cb_e015e5
mapdb-api:1.0.9-28.vf251ce40855d
mask-passwords:150.vf80d33113e80
matrix-auth:3.1.8
matrix-project:789.v57a_725b_63c79
maven-plugin:3.22
metrics:4.2.18-439.v86a_20b_a_8318b_
mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_
mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_
monitoring:1.94.1
nexus-artifact-uploader:2.14
node-iterator-api:49.v58a_8b_35f8363
nodejs:1.6.0
nodelabelparameter:1.11.0
oic-auth:2.6
okhttp-api:4.11.0-145.vcb_8de402ef81
opentelemetry:2.13.0
pam-auth:1.10
parameter-separator:1.3
parameterized-trigger:2.45
pipeline-aws:1.43
pipeline-build-step:491.v1fec530da_858
pipeline-github-lib:42.v0739460cda_c4
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-graph-view:191.vc6da_9d3eb_70a
pipeline-groovy-lib:656.va_a_ceeb_6ffb_f7
pipeline-input-step:468.va_5db_051498a_4
pipeline-maven:1298.v43b_82f220a_e9
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2133.ve46a_6113dfc3
pipeline-model-definition:2.2133.ve46a_6113dfc3
pipeline-model-extensions:2.2133.ve46a_6113dfc3
pipeline-rest-api:2.32
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2133.ve46a_6113dfc3
pipeline-stage-view:2.32
pipeline-utility-steps:2.15.4
plain-credentials:143.v1b_df8b_d3b_e48
plugin-usage-plugin:4.0
plugin-util-api:2.20.0
popper2-api:2.11.6-2
postbuildscript:3.2.0-460.va_fda_0fa_26720
prism-api:1.29.0-2
pubsub-light:1.17
purge-build-queue-plugin:88.v23b_97b_f2c7a_d
purge-job-history:1.6
rebuild:320.v5a_0933a_e7d61
resource-disposer:0.22
s3:0.12.3445.vda_704535b_5a_d
scm-api:672.v64378a_b_20c60
script-security:1251.vfe552ed55f8d
slack:664.vc9a_90f8b_c24a_
snakeyaml-api:1.33-95.va_b_a_e3e47b_fa_4
sonar:2.15
sse-gateway:1.26
ssh-agent:333.v878b_53c89511
ssh-credentials:305.v8f4381501156
ssh-slaves:2.877.v365f5eb_a_b_eec
sshd:3.303.vefc7119b_ec23
strict-crumb-issuer:2.1.1
structs:324.va_f5d6774f3a_d
subversion:2.17.2
sumologic-publisher:2.2.1
testng-plugin:789.vfc860d1de85a_
throttle-concurrents:2.13
timestamper:1.25
token-macro:359.vb_cde11682e0c
trilead-api:2.84.v72119de229b_7
uno-choice:2.6.5
validating-string-parameter:2.8
variant:59.vf075fe829ccb
versioncolumn:145.va_e3ca_f8a_a_d23
view-job-filters:2.3
warnings-ng:9.23.1
workflow-aggregator:596.v8c21c963d92d
workflow-api:1213.v646def1087f9
workflow-basic-steps:1017.vb_45b_302f0cea_
workflow-cps:3673.v5b_dd74276262
workflow-durable-task-step:1247.v7f9dfea_b_4fd0
workflow-job:1308.v58d48a_763b_31
workflow-multibranch:746.v05814d19c001
workflow-scm-step:408.v7d5b_135a_b_d49
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:839.v35e2736cfd5c
ws-cleanup:0.45

Reproduction steps

Upgrade from 2.5 to 2.6

Expected Results

The application should be able to fetch user data

Actual Results

I was able to log in thanks to the Okta session token, but I lost management access.
Only the user ID was correct, and no Okta group was detected, as if it had lost the connection with OicApplication.

Anything else?

I guess those new fields broke the serialization structure.

 <securityRealm>
   <pkceEnabled>false</pkceEnabled>
   <nonceDisabled>false</nonceDisabled>
 </securityRealm>

Removing and re-typing the whole OIC config fixed the problem.

@DuMaM DuMaM added the bug label Jun 13, 2023
@DuMaM
Author

DuMaM commented Jun 13, 2023

#191
#110
#192
Possible culprits

@DuMaM
Author

DuMaM commented Jun 13, 2023

cc: @michael-doubez @jglick

@michael-doubez
Contributor

michael-doubez commented Jun 13, 2023

@Madball777123 thanks. Do you mean that you lost the whole configuration?

@Madball777123

Lost Jenkins admin access after updating to 2.6. Is it possible to restore it by deleting these lines and re-reading the config?

 <securityRealm>
   <pkceEnabled>false</pkceEnabled>
   <nonceDisabled>false</nonceDisabled>
 </securityRealm>

@michael-doubez michael-doubez self-assigned this Jun 13, 2023
@michael-doubez michael-doubez added this to the 2.7 milestone Jun 13, 2023
@Madball777123

@Madball777123 thanks. Do you mean that you lost the whole configuration?

No, the configuration is present. Only new lines have been added with 2.6. And perhaps for some reason the clientSecret has changed (I can't say for sure, the config backup is old and there may be an old key there).

@michael-doubez
Contributor

I'll try to reproduce but it would help if there was something in the logs.

@michael-doubez
Contributor

Did you try to set nonceDisabled to true?
Okta may mistake it for an implicit flow.

https://developer.okta.com/docs/reference/api/oidc/

@DuMaM
Author

DuMaM commented Jun 13, 2023

@Madball777123 thanks. Do you mean that you lost the whole configuration?

No, I didn't lose it, it just didn't load properly. That's my guess.
config.xml contained correct data, but without the mentioned fields.

@Madball777123

Sorry, I missed an important point. I use Keycloak, not Okta.

@DuMaM
Author

DuMaM commented Jun 13, 2023

Did you try to set nonceDisabled to true?
Okta may mistake it for an implicit flow.

https://developer.okta.com/docs/reference/api/oidc/

I will check it tomorrow morning.

@DuMaM DuMaM changed the title [REGRESSION] After updating from 2.5 to 2.6 my user do not detect any groups provided by Okta [REGRESSION] After updating from 2.5 to 2.6 my user do not detect any groups provided by Oic All Jun 14, 2023
@DuMaM DuMaM changed the title [REGRESSION] After updating from 2.5 to 2.6 my user do not detect any groups provided by Oic All [REGRESSION] After updating from 2.5 to 2.6 my user do not detect any groups provided by Oic Application Jun 14, 2023
@DuMaM
Author

DuMaM commented Jun 14, 2023

Did you try to set nonceDisabled to true?
Okta may mistake it for an implicit flow.

https://developer.okta.com/docs/reference/api/oidc/

@michael-doubez
By default it's false, and I wasn't able to log in to the admin panel to change it.
When I retype my config, I also set it to false and it works.

@ixycoder

Same problem as you. After updating, I lost all groups in Jenkins.
We use Keycloak 16.

@FHannes

FHannes commented Jun 15, 2023

Same issue here with Keycloak. Changing nonceDisabled to true did not resolve the issue either.

@jim-kirisame

Same issue with Authelia; disabling nonce does not solve the issue either.

@andybotting

We just hit this issue too. I'm not certain this was the fix, but I did notice that the Token Authentication Method setting (which is a pair of radio buttons) didn't have anything chosen.

I ticked on 'POST' and after saving the settings, I was able to see my group membership from my profile page again.

@fabian-kramer

I also just experienced this issue with Keycloak and Jenkins. My only luck was that permissions granted to the user directly still worked. Therefore I can tell that all permissions load, as far as displaying them in the admin panel goes. I've checked the log as well; there is no message from the OIDC plugin.
For me it worked to just roll back to 2.5, and without any issue everybody who relies on roles to get access now has access again.

I'm on Jenkins: 2.387.3
and Keycloak: 17

@cafuego

cafuego commented Jun 28, 2023

Whoops, another victim. We use Drupal with oauth2_server as the OIDC provider. Happily, checking the Disable Nonce verification box did resolve the issue for us.

@AndreVirtimo

Same here. Had to roll back to version 2.5.

@jbgomond

jbgomond commented Jul 8, 2023

Hi, same problem here. I had to revert to 2.5 as I found no solution to the issue :(
Could it be something here? #198

@dR3b

dR3b commented Jul 11, 2023

Had to roll back to version 2.5 too!

@eesprit

eesprit commented Jul 24, 2023

Hi,

I had the same problem, and it was fixed by forcing the config.xml (securityRealm part) to be regenerated.
It added the <simpleGroupsFieldName>XXX</simpleGroupsFieldName> parameter with the same value as <groupsFieldName>XXX</groupsFieldName>, and groups started working again.

So yes, probably a consequence of #198

Funny thing is that I first disabled Nonce verification as suggested here on a test server, which made it work (I did it through the GUI / security settings), but then I edited the config.xml directly on another server, and it was still broken. It was when I edited something else in the security settings through the GUI that it started working, and that made me understand that it was probably related to some new parameter.
So after diffing the config.xml, I saw that this was the specific parameter that I needed.

People who disabled Nonce verification can probably activate it again.

Hope this helps ;)

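As an added example (not code from this thread or from the oic-auth plugin), the following Python script checks a Jenkins config.xml for exactly the gap described in the comment above: a `<groupsFieldName>` in the `<securityRealm>` block with no matching `<simpleGroupsFieldName>`, which is what a 2.5-era file looks like to 2.6. It can also copy the value across, reproducing what re-saving the realm through the GUI did for the reporter. The sample config.xml is constructed; the root element name and the `class` attribute on `<securityRealm>` are assumptions, and the check only looks at the two element names mentioned in this thread.

```python
"""Audit a Jenkins config.xml for the oic-auth 2.5 -> 2.6 groups-field gap."""
import xml.etree.ElementTree as ET

# Constructed sample: a securityRealm block as a 2.5 install would have written
# it, with <groupsFieldName> present but no <simpleGroupsFieldName>. The root
# element name and the class attribute are assumptions, not taken from the thread.
OLD_CONFIG = """<hudson>
  <securityRealm class="org.jenkinsci.plugins.oic.OicSecurityRealm">
    <clientId>jenkins</clientId>
    <userNameField>preferred_username</userNameField>
    <groupsFieldName>groups</groupsFieldName>
    <nonceDisabled>false</nonceDisabled>
  </securityRealm>
</hudson>
"""


def _realm(root):
    """Locate the <securityRealm> block, where the oic-auth settings are stored."""
    realm = root.find("securityRealm")
    if realm is None:
        raise ValueError("config.xml has no <securityRealm> element")
    return realm


def check_groups_fields(xml_text):
    """Return a list of findings about the groups mapping; empty means consistent."""
    realm = _realm(ET.fromstring(xml_text))
    groups = realm.findtext("groupsFieldName")
    simple = realm.findtext("simpleGroupsFieldName")
    findings = []
    if groups and simple is None:
        # The state the thread describes: the new field is read by 2.6 but was
        # never written by 2.5, so no claim is mapped to groups and role-based
        # permissions silently disappear.
        findings.append(
            "groupsFieldName=%r is set but simpleGroupsFieldName is missing" % groups
        )
    elif groups and simple is not None and simple != groups:
        findings.append(
            "simpleGroupsFieldName=%r differs from groupsFieldName=%r" % (simple, groups)
        )
    return findings


def add_simple_groups_field(xml_text):
    """Return the XML with <simpleGroupsFieldName> copied from <groupsFieldName>.

    Only acts when the new element is absent, mirroring what re-saving the realm
    through the GUI produced for the commenter above.
    """
    root = ET.fromstring(xml_text)
    realm = _realm(root)
    groups = realm.find("groupsFieldName")
    if groups is not None and realm.find("simpleGroupsFieldName") is None:
        added = ET.SubElement(realm, "simpleGroupsFieldName")
        added.text = groups.text
        added.tail = "\n  "  # keep the block readable when written back
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in check_groups_fields(OLD_CONFIG):
        print("FINDING:", finding)
    print(add_simple_groups_field(OLD_CONFIG))
```

Run it against a copy of `$JENKINS_HOME/config.xml` before upgrading; an empty finding list means the groups mapping already has both elements, and a non-empty one tells you which value to expect after re-saving the security realm.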
@Reamer

Reamer commented Jul 25, 2023

People who disabled Nonce verification can probably activate it again.

Hope this helps ;)

Thank you for your research. You are correct in your statement. For me it did not cause any problems to reactivate the Nonce verification.

@FHannes

FHannes commented Jul 29, 2023

I had the same problem, and it was fixed by forcing the config.xml (securityRealm part) to be regenerated. It added the <simpleGroupsFieldName>XXX</simpleGroupsFieldName> parameter with the same value as <groupsFieldName>XXX</groupsFieldName>, and groups started working again.

This solved the issue for me. Thanks!

@stavros-k

stavros-k commented Aug 3, 2023

Same issue with Authelia; disabling nonce does not solve the issue either.

Sorry for hijacking this issue, but I'm trying to set up Jenkins + Authelia.
Would you be so kind as to send me the configs of Authelia + Jenkins please?

Currently when I try to login, I see in the logs

The provided authorization grant (e.g., authorization code, resource owner credentials) or refresh token is invalid, expired, revoked, does not match the redirection URI used in the authorization request, or was issued to another client. The authorization code has already been used.

Thanks

EDIT: nvm, figured it out.
I was missing

      userNameField: preferred_username
      fullNameFieldName: name
      groupsFieldName: groups
      emailFieldName: email

@AndreVirtimo

I had the same problem, and it was fixed by forcing the config.xml (securityRealm part) to be regenerated. It added the <simpleGroupsFieldName>XXX</simpleGroupsFieldName> parameter with the same value as <groupsFieldName>XXX</groupsFieldName>, and groups started working again.

This solved the issue for me. Thanks!

For me too. Thank you.
