jenkinsci/oic-auth-plugin

Service account that has no groups not mapped to role anymore

jimsnab opened this issue · 2 comments

Jenkins and plugins versions report

Environment
Jenkins: 2.414.1
OS: Linux - 5.15.107+
Java: 11.0.20 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
adoptopenjdk:1.5
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
authentication-tokens:1.53.v1c90fd9191a_b_
bootstrap5-api:5.3.0-1
bouncycastle-api:2.29
branch-api:2.1128.v717130d4f816
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.0.1
cloudbees-folder:6.848.ve3b_fd7839a_81
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.10.0-78.v3e7b_ea_d5a_fe1
configuration-as-code:1700.v6f448841296e
credentials:1271.v54b_1c2c6388a_
credentials-binding:631.v861c06d062b_4
display-url-api:2.3.9
durable-task:523.va_a_22cf15d5e0
echarts-api:5.4.0-5
font-awesome-api:6.4.0-2
git:5.2.0
git-client:4.5.0
instance-identity:173.va_37c494ec4e5
ionicons-api:56.v1b_1c8c49374e
jackson2-api:2.15.2-350.v0c2f3f8fc595
jakarta-activation-api:2.0.1-3
jakarta-mail-api:2.0.1-3
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.8-1
jquery3-api:3.7.0-1
junit:1217.v4297208a_a_b_ce
kubernetes:4029.v5712230ccb_f8
kubernetes-client-api:6.8.1-224.vd388fca_4db_3b_
kubernetes-credentials:0.11
mailer:463.vedf8358e006b_
metrics:4.2.18-442.v02e107157925
mina-sshd-api-common:2.10.0-69.v28e3e36d18eb_
mina-sshd-api-core:2.10.0-69.v28e3e36d18eb_
oic-auth:2.6
okhttp-api:4.11.0-157.v6852a_a_fa_ec11
pipeline-build-step:505.v5f0844d8d126
pipeline-graph-analysis:202.va_d268e64deb_3
pipeline-groovy-lib:687.v62591d623759
pipeline-input-step:477.v339683a_8d55e
pipeline-milestone-step:111.v449306f708b_7
pipeline-model-api:2.2144.v077a_d1928a_40
pipeline-model-definition:2.2144.v077a_d1928a_40
pipeline-model-extensions:2.2144.v077a_d1928a_40
pipeline-rest-api:2.33
pipeline-stage-step:305.ve96d0205c1c6
pipeline-stage-tags-metadata:2.2144.v077a_d1928a_40
plain-credentials:143.v1b_df8b_d3b_e48
plugin-util-api:3.3.0
popper2-api:2.11.6-2
prometheus:2.3.1
role-strategy:689.v731678c3e0eb_
scm-api:676.v886669a_199a_a_
script-security:1275.v23895f409fb_d
snakeyaml-api:2.2-111.vc6598e30cc65
ssh-credentials:308.ve4497b_ccd8f4
sshd:3.312.v1c601b_c83b_0e
structs:325.vcb_307d2a_2782
trilead-api:2.84.v72119de229b_7
variant:60.v7290fc0eb_b_cd
workflow-aggregator:596.v8c21c963d92d
workflow-api:1281.vca_5fddb_3fceb_
workflow-basic-steps:1042.ve7b_140c4a_e0c
workflow-cps:3787.v8f5dcd14a_fa_c
workflow-durable-task-step:1289.v4d3e7b_01546b_
workflow-job:1346.v180a_63f40267
workflow-multibranch:756.v891d88f2cd46
workflow-scm-step:415.v434365564324
workflow-step-api:639.v6eca_cd8c04a_a_
workflow-support:865.v43e78cc44e0d

What Operating System are you using (both controller, and any agents involved in the problem)?

GKE

Reproduction steps

  1. Make a service account in an OIDC provider that has no "groups" in its OIDC token
  2. Configure OIC plugin to use the OIDC provider
  3. Map by email address to a Jenkins role, and give that role admin access
  4. Manually log onto Jenkins via OIDC using the service account creds

Expected Results

Successful authentication with admin rights

Actual Results

Successful authentication, no rights

Anything else?

Jenkins logs this:

jenkins 2023-09-14 14:35:26.047+0000 [id=313]    WARNING    o.j.plugins.oic.OicSecurityRealm#determineAuthorities: idToken and userInfo did not contain group field name: groups    

In the past this scenario was working fine.

My issue.

Caused by the breaking change that removed "assignments". Having to stop everything and learn how to migrate the settings, I was in a hurry. I followed this advice. I did not look close enough and put group on each entry. I need user on the service account.

>:-|
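The mistake described above, shown as a Configuration as Code fragment. This is an added illustration, not configuration from the reporter or from either plugin's documentation; it assumes the role-strategy plugin's `roles.global[].entries` syntax with `user:` / `group:` keys that replaced `assignments`, and it uses a constructed service-account address (`ci-bot@example.com`) standing in for the reporter's. The OIDC token for this account carries no `groups` claim, so the OIC realm grants it no group authorities (the `determineAuthorities` WARNING in the log is exactly that condition) and a `group:` entry can never match it. A `user:` entry matches the principal name the realm derives, which in the reporter's setup is the email address.

```yaml
jenkins:
  authorizationStrategy:
    roleBased:
      roles:
        global:
          # Broken: the service account's email was entered as a *group*.
          # The account authenticates, but with no groups in its token it
          # is never a member of this "group", so the role is never applied
          # ("Successful authentication, no rights").
          - name: "admin-broken"
            description: "Migrated from 'assignments' with the wrong entry type"
            permissions:
              - "Overall/Administer"
            entries:
              - group: "ci-bot@example.com"   # constructed example address

          # Corrected: the same principal as a *user* entry. This matches the
          # username the OIC realm assigns from the token, independent of any
          # groups claim.
          - name: "admin"
            description: "Jenkins administrators"
            permissions:
              - "Overall/Administer"
            entries:
              - user: "ci-bot@example.com"    # constructed example address

          # Group entries remain the right choice for human users whose
          # tokens do carry the configured groups claim.
          - name: "readonly"
            description: "Read-only access for any authenticated group member"
            permissions:
              - "Overall/Read"
              - "Job/Read"
            entries:
              - group: "authenticated"
```

When checking a migrated configuration, treat the `idToken and userInfo did not contain group field name` warning as the signal: any account that logs it is effectively group-less in Jenkins, and every permission it needs has to come from a `user:` entry (or from a group such as `authenticated` that Jenkins assigns itself rather than reading from the token).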