I am trying to configure authentication using the OpenID Connect plugin. As per the Javadoc, the configuration should be similar to this:
public OicSecurityRealm(String clientId,
Secret clientSecret,
OicServerConfiguration serverConfiguration,
Boolean disableSslVerification,
IdStrategy userIdStrategy,
IdStrategy groupIdStrategy)
In response, I have created a script like this:
import jenkins.model.*
import org.jenkinsci.plugins.oic.*
import hudson.util.Secret
import jenkins.model.IdStrategy
def instance = Jenkins.getInstanceOrNull()
// Configuration for the server (Well-Known or Manual)
def serverConfig = new OicServerWellKnownConfiguration(
"URL FOR AUTO CONFIG"
)
serverConfig.setScopesOverride("openid,email,profile")
def oicRealm = new OicSecurityRealm(
"ID", // clientId
Secret.fromString("SECRET"), // clientSecret
serverConfig, // serverConfiguration
true, // disableSslVerification
IdStrategy.CASE_INSENSITIVE, // User ID Strategy
IdStrategy.CASE_INSENSITIVE // Group ID Strategy
)
oicRealm.setUserNameField("username")
oicRealm.setFullNameFieldName("displayName")
oicRealm.setEmailFieldName("email")
oicRealm.setGroupsFieldName("tokenGroups")
oicRealm.setLogoutFromOpenidProvider(false)
The secret is passed to the Jenkins config file, which throws the error when I try to log in:
https://JENKINSURL/securityRealm/commenceLogin?from=%2Fversion_release_testing%2Flogout
When I edit the secret in the config file manually, it works correctly. I tried to pass the encrypted secret directly, and to assign the key to a variable and use that, which gives the same behavior.
I also tried the encrypted key, which gives me back the correct key that was passed. What is wrong here?
The issue you're encountering is likely due to the way the Secret is being handled in your script. When you manually edit the secret in the configuration file, it works correctly, which suggests that the secret might not be getting encrypted properly when set through the script.
To ensure the secret is correctly encrypted and handled, you can try the following approach:
1. Use the Secret.fromString method to ensure the secret is properly encrypted.
2. Apply the security realm configuration to the Jenkins instance.
Here is an untested version of your script:
import jenkins.model.*
import org.jenkinsci.plugins.oic.*
import hudson.util.Secret
import jenkins.model.IdStrategy
def instance = Jenkins.getInstanceOrNull()
// Configuration for the server (Well-Known or Manual)
def serverConfig = new OicServerWellKnownConfiguration(
"URL FOR AUTO CONFIG"
)
serverConfig.setScopesOverride("openid,email,profile")
def oicRealm = new OicSecurityRealm(
"ID", // clientId
Secret.fromString("SECRET"), // clientSecret
serverConfig, // serverConfiguration
true, // disableSslVerification
IdStrategy.CASE_INSENSITIVE, // User ID Strategy
IdStrategy.CASE_INSENSITIVE // Group ID Strategy
)
oicRealm.setUserNameField("username")
oicRealm.setFullNameFieldName("displayName")
oicRealm.setEmailFieldName("email")
oicRealm.setGroupsFieldName("tokenGroups")
oicRealm.setLogoutFromOpenidProvider(false)
// Apply Security Realm
instance.setSecurityRealm(oicRealm)
instance.save()
println "OicSecurityRealm configured successfully"
As you can see in the script I mentioned above, I am using Secret.fromString in the script.
Even though it is used correctly, the problem occurs with the key. Instead of calling Secret.fromString inline, I have also tried:
def rawSecret = "*SECRET"
def encryptedSecret = Secret.fromString(rawSecret)
and used encryptedSecret in the security realm configuration. The behaviour is the same even when it is provided like this.
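The two scripts in this thread differ only in whether the realm is applied, and the follow-up says the behaviour is unchanged, so the next step is to establish which of several possible faults is in play: the input string carrying a stray newline or quote, a ciphertext copied from another controller being stored as literal text (Secret.fromString first tries to decrypt its argument and falls back to treating it as plaintext), the live realm holding something other than what was intended, or the persisted value in config.xml not decrypting on this controller. The diagnostic below is an added example written for this page, not code from the thread or from the oic-auth plugin. It runs in the Jenkins script console and assumes that OicSecurityRealm exposes getClientSecret() and isDisableSslVerification() getters and that the expected client secret is supplied through an OIC_CLIENT_SECRET environment variable (a placeholder is used otherwise). The SSL check is included because both posted scripts set disableSslVerification to true, which disables certificate validation on the connection to the provider and should be false outside a lab.

```groovy
import hudson.util.Secret
import jenkins.model.Jenkins
import org.jenkinsci.plugins.oic.OicSecurityRealm

// Plaintext the realm is expected to hold. Read from the environment so the
// value never sits in a script under source control; 'SECRET' is only a
// placeholder fallback for this diagnostic (assumed variable name).
def expected = System.getenv('OIC_CLIENT_SECRET') ?: 'SECRET'
def findings = []

// 1. Hidden characters in the input. A trailing newline from a file read or a
//    copied quote is the usual reason a secret that "looks right" is rejected.
if (expected != expected.trim()) {
    findings << 'input has leading/trailing whitespace or a newline'
}
if (expected.contains('"') || expected.contains("'")) {
    findings << 'input contains a quote character'
}

// 2. Already-encrypted input. Secret.fromString() tries Secret.decrypt() first;
//    ciphertext produced on another controller cannot be decrypted here, so the
//    literal "{...}" string would be stored as the secret.
if (expected.startsWith('{') && expected.endsWith('}') && Secret.decrypt(expected) == null) {
    findings << 'input looks like ciphertext from another controller; it would be stored as literal text'
}

// 3. Round trip through this controller's own master key.
def secret = Secret.fromString(expected)
def encrypted = secret.getEncryptedValue()
def roundTrip = Secret.decrypt(encrypted)?.getPlainText()
if (roundTrip != expected) {
    findings << "round trip failed: got ${roundTrip?.length()} chars back"
}

// 4. What the live realm holds (assumes getClientSecret() and
//    isDisableSslVerification() getters on OicSecurityRealm).
def realm = Jenkins.get().getSecurityRealm()
if (realm instanceof OicSecurityRealm) {
    def stored = realm.getClientSecret()?.getPlainText()
    if (stored != expected) {
        findings << "realm secret differs from expected (length ${stored?.length()} vs ${expected.length()})"
    }
    if (realm.isDisableSslVerification()) {
        findings << 'disableSslVerification is true: provider TLS certificate is not validated'
    }
} else {
    findings << "active realm is ${realm?.getClass()?.getName()}, not OicSecurityRealm"
}

// 5. What is persisted in config.xml, decrypted with this controller's key.
//    Only the encrypted value is stored, so plaintext here is itself a finding.
def configXml = new File(Jenkins.get().getRootDir(), 'config.xml').text
def m = (configXml =~ /<clientSecret>(.*?)<\/clientSecret>/)
if (m.find()) {
    def raw = m.group(1)
    def persisted = Secret.decrypt(raw)?.getPlainText()
    if (persisted == null) {
        findings << (raw == expected
            ? 'clientSecret is persisted in plaintext'
            : 'persisted <clientSecret> is not ciphertext this controller can decrypt')
    } else if (persisted != expected) {
        findings << 'persisted <clientSecret> decrypts to a different value than expected'
    }
} else {
    findings << 'no <clientSecret> element found in config.xml'
}

println(findings ? findings.join('\n') : 'client secret checks out on this controller')
```

Run it once after the configuration script and once after a manual edit of config.xml; the first run that reports a finding identifies the step where the value diverges from what the provider expects.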