jenkinsci/oic-auth-plugin

OIDC login failing with `missing_client_id`

amit-yp opened this issue · 7 comments

Jenkins and plugins versions report

Environment
jenkins helm chart version: 4.2.15
oic-auth:2.3

What Operating System are you using (both controller, and any agents involved in the problem)?

  • jenkins deployed in kubernetes using helm chart
  • configmap.yaml
  jcasc-default-config.yaml: |-
    jenkins:
      authorizationStrategy:
        loggedInUsersCanDoAnything:
          allowAnonymousRead: false
      securityRealm:
        oic:
          clientId: "some-secret"
          clientSecret: "some-secret"
          wellKnownOpenIDConfigurationUrl: "some-secret"
          userInfoServerUrl: "https://some-secret/oauth2/userinfo"
          groupsFieldName: "roles"
          disableSslVerification: true
          escapeHatchEnabled: false
          logoutFromOpenidProvider: true
          emailFieldName: "email"
          userNameField: "email"
          rootURLFromRequest: true
          tokenServerUrl: "https://some-secret/oauth2/token"
          authorizationServerUrl: "https://some-secret/oauth2/authorize?client_id=some-secret&response_type=code&redirect_uri=https%3A%2F%2Fsome-secret%2FsecurityRealm%2FfinishLogin"
          scopes: "openid email profile offline_access"

Reproduction steps

jenkins-0 jenkins 2022-11-30 14:40:17.941+0000 [id=12]  WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID fd9aea05-554e-41b2-b7a8-54e09fb573f0
jenkins-0 jenkins com.google.api.client.auth.oauth2.TokenResponseException: 400
jenkins-0 jenkins POST https://some-secret/oauth2/token
jenkins-0 jenkins {
jenkins-0 jenkins   "error" : "invalid_request",
jenkins-0 jenkins   "error_description" : "The request is missing a required parameter: client_id",
jenkins-0 jenkins   "error_reason" : "missing_client_id"
jenkins-0 jenkins }
jenkins-0 jenkins       at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:103)
jenkins-0 jenkins       at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:308)
jenkins-0 jenkins       at com.google.api.client.auth.openidconnect.IdTokenResponse.execute(IdTokenResponse.java:115)
jenkins-0 jenkins       at org.jenkinsci.plugins.oic.OicSecurityRealm$3.onSuccess(OicSecurityRealm.java:442)
jenkins-0 jenkins       at org.jenkinsci.plugins.oic.OicSession.doFinishLogin(OicSession.java:112)
jenkins-0 jenkins       at org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:697)
jenkins-0 jenkins       at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
jenkins-0 jenkins       at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
jenkins-0 jenkins       at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
jenkins-0 jenkins       at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)
jenkins-0 jenkins       at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:140)
jenkins-0 jenkins       at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:558)
jenkins-0 jenkins       at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:59)
jenkins-0 jenkins       at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:762)
jenkins-0 jenkins       at org.kohsuke.stapler.Stapler.invoke(Stapler.java:894)
jenkins-0 jenkins       at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:224)

Expected Results

  • OIDC should accept the clientId and client_secret I'm providing

Actual Results

  • failing with the exception shown above

Anything else?

No response

I assume the well known URL has been edited:

 wellKnownOpenIDConfigurationUrl: "some-secret"

It is in fact:

 wellKnownOpenIDConfigurationUrl: "https://some-secret/oauth/.well-known/openid-configuration"

And that the authorizationServerUrl is not actually used as it should be:

 authorizationServerUrl: "https://some-secret/oauth2/authorize

I also expect you are in fact using version 2.2, otherwise the exception is not at the right place in the code:

IdTokenResponse response = IdTokenResponse.execute(tokenRequest);

It may be related to the authentication method from your well-known endpoint.
Can you please share it?

Otherwise, can you remove the well-known configuration and try to set the authentication method to either client_secret_basic or client_secret_post?

  • Thank you for your response and different pointers @michael-doubez. Appreciate your time and help with this.
  • I'm using fusionauth as the auth server, it was working fine last week, but then it suddenly started giving this error.
  • wellKnownOpenIDConfigurationUrl was correct before
  • I fixed the following with oic-auth=2.3 version:
authorizationServerUrl: "https://some-secret/oauth2/authorize"
tokenAuthMethod: "client_secret_basic" (tried client_secret_post as well)
wellKnownOpenIDConfigurationUrl: "https://some-secret/.well-known/openid-configuration/some-secret"

still getting the same error:

jenkins-0 jenkins com.google.api.client.auth.oauth2.TokenResponseException: 400
jenkins-0 jenkins POST https://some-secret/oauth2/token
jenkins-0 jenkins {
jenkins-0 jenkins   "error" : "invalid_request",
jenkins-0 jenkins   "error_description" : "The request is missing a required parameter: client_id",
jenkins-0 jenkins   "error_reason" : "missing_client_id"
jenkins-0 jenkins }
jenkins-0 jenkins       at com.google.api.client.auth.oauth2.TokenResponseException.from(TokenResponseException.java:103)
jenkins-0 jenkins       at com.google.api.client.auth.oauth2.TokenRequest.executeUnparsed(TokenRequest.java:308)
jenkins-0 jenkins       at com.google.api.client.auth.openidconnect.IdTokenResponse.execute(IdTokenResponse.java:115)
jenkins-0 jenkins       at org.jenkinsci.plugins.oic.OicSecurityRealm$3.onSuccess(OicSecurityRealm.java:442)
jenkins-0 jenkins       at org.jenkinsci.plugins.oic.OicSession.doFinishLogin(OicSession.java:112)
jenkins-0 jenkins       at org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:697)
jenkins-0 jenkins       at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:710)
jenkins-0 jenkins       at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:397)
jenkins-0 jenkins       at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:409)
jenkins-0 jenkins       at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:207)

When using wellKnownOpenIDConfigurationUrl, the other parameters are ignored (don't ask, I'll fix that in the next version).
So, to make tokenAuthMethod work you would have to comment it out.

My assumption is that it is the root cause but I cannot tell without the content of the well-known:

Could you please share the content of your well-known config endpoint, just to be sure (just point your browser to the url)?
You can send it to my personal email if you fear some info leakage (and rightly so).

@amit-yp Are you using this API?
https://fusionauth.io/docs/v1/tech/oauth/endpoints

@amit-yp do you still have the issue?

Reading the documentation, the client_id should be optional if provided in the basicauth header (which should be the case).

If you can share the exact oauth configuration (auth method used ...), I could reproduce your case.
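To make concrete what the two token endpoint auth methods discussed in this thread (client_secret_basic vs client_secret_post) actually put on the wire, and why an IdP answers `missing_client_id` when neither carries the client id, here is an added example that is not part of the issue or the plugin's own code. The discovery document, client id, secret and URLs are constructed stand-ins; `token_endpoint_auth_methods_supported` is the real OIDC Discovery key the well-known endpoint publishes.

```python
import base64
import json
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed stand-in for an IdP discovery document (the "well-known" the
# maintainer asks for); a real one comes from /.well-known/openid-configuration.
WELL_KNOWN = json.loads("""{
  "issuer": "https://idp.example/oauth2",
  "token_endpoint": "https://idp.example/oauth2/token",
  "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"]
}""")


def check_auth_method(well_known, method):
    """True if the IdP advertises the configured token endpoint auth method.
    OIDC Discovery says a missing list means client_secret_basic only."""
    supported = well_known.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    return method in supported


def build_token_request(method, client_id, client_secret, code, redirect_uri):
    """Headers and form body of an authorization_code token request for each method."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "client_secret_basic":
        # RFC 6749 section 2.3.1: form-urlencode id and secret, then base64 "id:secret".
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    elif method == "client_secret_post":
        # Credentials travel in the body; no Authorization header at all.
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError(f"unsupported token endpoint auth method: {method}")
    return headers, urlencode(form)


def client_id_seen_by_idp(headers, body):
    """Mirror the IdP-side lookup: Basic header first, then the form body.
    None is the situation behind the thread's 'missing_client_id' rejection."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        user, _sep, _secret = base64.b64decode(auth[len("Basic "):]).decode().partition(":")
        return unquote(user)
    return parse_qs(body).get("client_id", [None])[0]
```

Run `check_auth_method` against the real discovery document before changing `tokenAuthMethod`: a method the IdP does not list will be rejected at the token endpoint no matter how the plugin is configured.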
