Oidc-provider plugin not picking up all envvars

Hello,

I would like to ask for a bit of help. I’m trying to figure out why the oidc-provider plugin is not picking up the GIT_ envvars; I would need it to put the commit SHA and repo URL into the claim. I’ve checked the plugin out, and some debugging told me it’s only picking up the following envvars:

BRANCH_IS_PRIMARY,BRANCH_NAME,BUILD_DISPLAY_NAME,BUILD_ID,BUILD_NUMBER,BUILD_TAG,BUILD_URL,CI,CLASSPATH,HUDSON_HOME,HUDSON_SERVER_COOKIE,HUDSON_URL,JENKINS_HOME,JENKINS_SERVER_COOKIE,JENKINS_URL,JOB_BASE_NAME,JOB_DISPLAY_URL,JOB_NAME,JOB_URL,RUN_ARTIFACTS_DISPLAY_URL,RUN_CHANGES_DISPLAY_URL,RUN_DISPLAY_URL,RUN_TESTS_DISPLAY_URL

And the plugin is fetching the envvars here.
Are there any docs that explain how envvar propagation works among plugins, how to query more envvars, etc.? Basically, how does the plugin architecture work?

Jenkins setup:
Jenkins: 2.440.2
OS: Linux - 5.15.133+
Java: 17.0.10 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)

Parameterized-Remote-Trigger:3.2.0
ace-editor:1.1
active-directory:2.35
analysis-model-api:12.3.3
ansicolor:1.0.4
ant:497.v94e7d9fffa_b_9
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
apache-httpcomponents-client-5-api:5.3.1-1.0
artifactory:4.0.6
asm-api:9.7-33.v4d23ef79fcc8
audit-trail:361.v82cde86c784e
authentication-tokens:1.53.v1c90fd9191a_b_
aws-credentials:231.v08a_59f17d742
aws-java-sdk-ec2:1.12.696-451.v0651a_da_9ca_ec
aws-java-sdk-minimal:1.12.696-451.v0651a_da_9ca_ec
badge:1.9.1
basic-branch-build-strategies:81.v05e333931c7d
blackduck-detect:9.0.0
blueocean:1.27.12
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.27.12
blueocean-commons:1.27.12
blueocean-config:1.27.12
blueocean-core-js:1.27.12
blueocean-dashboard:1.27.12
blueocean-display-url:2.4.2
blueocean-events:1.27.12
blueocean-git-pipeline:1.27.12
blueocean-github-pipeline:1.27.12
blueocean-i18n:1.27.12
blueocean-jwt:1.27.12
blueocean-personalization:1.27.12
blueocean-pipeline-api-impl:1.27.12
blueocean-pipeline-editor:1.27.12
blueocean-pipeline-scm-api:1.27.12
blueocean-rest:1.27.12
blueocean-rest-impl:1.27.12
blueocean-web:1.27.12
bootstrap4-api:4.6.0-6
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9
branch-api:2.1163.va_f1064e4a_a_f3
build-timestamp:1.0.3
caffeine-api:3.1.8-133.v17b_1ff2e0599
checkmarx:2024.2.3
checks-api:2.2.0
cloud-stats:336.v788e4055508b_
cloudbees-bitbucket-branch-source:883.v041fa_695e9c2
cloudbees-folder:6.901.vb_4c7a_da_75da_3
cobertura:1.17
code-coverage-api:4.99.0
command-launcher:107.v773860566e2e
commons-lang3-api:3.13.0-62.v7d18e55f51e2
commons-text-api:1.11.0-109.vfe16c66636eb_
config-file-provider:973.vb_a_80ecb_9a_4d0
configuration-as-code:1775.v810dc950b_514
copyartifact:722.v0662a_9b_e22a_c
coverage:1.14.0
credentials:1337.v60b_d7b_c7b_c9f
credentials-binding:657.v2b_19db_7d6e6d
dashboard-view:2.508.va_74654f026d1
data-tables-api:2.0.5-1
dependency-check-jenkins-plugin:5.5.0
dependency-track:4.3.1
disk-usage:1.2
display-url-api:2.200.vb_9327d658781
docker-commons:439.va_3cb_0a_6a_fb_29
docker-workflow:572.v950f58993843
durable-task:555.v6802fe0f0b_82
echarts-api:5.5.0-1
email-ext:1806.v856a_01a_fa_39a_
embeddable-build-status:487.va_0ef04c898a_2
envinject:2.908.v66a_774b_31d93
envinject-api:1.199.v3ce31253ed13
extended-read-permission:53.v6499940139e5
external-monitor-job:215.v2e88e894db_f8
favorite:2.208.v91d65b_7792a_c
font-awesome-api:6.5.2-1
forensics-api:2.4.0
generic-webhook-trigger:2.2.0
git:5.2.1
git-client:4.7.0
git-server:114.v068a_c7cc2574
git-tag-message:1.7.1
github:1.38.0
github-api:1.318-461.v7a_c09c9fa_d63
github-autostatus:3.6.2
github-branch-source:1787.v8b_8cd49a_f8f1
github-label-filter:1.0.0
github-oauth:597.ve0c3480fcb_d0
github-pr-comment-build:103.vc8919acf2a6b
global-slack-notifier:1.5
golang:1.4
google-metadata-plugin:0.5
google-oauth-plugin:1.330.vf5e86021cb_ec
google-storage-plugin:1.360.v6ca_38618b_41f
gradle:2.11
greenballs:1.15.1
groovy-postbuild:228.vcdb_cf7265066
gson-api:2.10.1-15.v0d99f670e0a_7
h2-api:11.1.4.199-12.v9f4244395f7a_
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-30.v7e777411b_148
hashicorp-vault-plugin:367.v8a_1ee1cccf3a
htmlpublisher:1.33
http_request:1.18
influxdb:3.6.1
instance-identity:185.v303dc7c645f9
ionicons-api:70.v2959a_b_74e3cf
ivy:2.5
jackson2-api:2.17.0-379.v02de8ec9f64c
jacoco:3.3.6
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javadoc:243.vb_b_503b_b_45537
javax-activation-api:1.2.0-6
javax-mail-api:1.6.2-9
jaxb:2.3.9-1
jdk-tool:73.vddf737284550
jenkins-design-language:1.27.12
jersey2-api:2.42-147.va_28a_44603b_d5
jira:3.13
jjwt-api:0.11.5-112.ve82dfb_224b_a_d
job-dsl:1.87
joda-time-api:2.12.7-29.v5a_b_e3a_82269a_
jquery-detached:1.2.1
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20240303-41.v94e11e6de726
json-path-api:2.9.0-58.v62e3e85b_a_655
junit:1265.v65b_14fa_f12f0
kubernetes:4203.v1dd44f5b_1cf9
kubernetes-client-api:6.10.0-240.v57880ce8b_0b_2
kubernetes-credentials:0.11
ldap:725.v3cb_b_711b_1a_ef
lockable-resources:1255.vf48745da_35d0
mailer:472.vf7c289a_4b_420
mask-passwords:173.v6a_077a_291eb_5
matrix-auth:3.2.2
matrix-project:822.824.v14451b_c0fd42
maven-plugin:3.23
mercurial:1260.vdfb_723cdcc81
metrics:4.2.21-449.v6960d7c54c69
mina-sshd-api-common:2.12.1-101.v85b_e08b_780dd
mina-sshd-api-core:2.12.1-101.v85b_e08b_780dd
momentjs:1.1.1
multibranch-build-strategy-extension:51.v88f14e2a_4075
naginator:1.449.ve19751d70eb_0
nodejs:1.6.1
oauth-credentials:0.646.v02b_66dc03d2e
oidc-provider:62.vd67c19f76766
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
openstack-cloud:2.65
pam-auth:1.10
parameterized-scheduler:262.v00f3d90585cc
parameterized-trigger:787.v665fcf2a_830b_
percentage-du-node-column:0.1.0
performance:957.v658a_7065b_92a_
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-github:2.8-159.09e4403bc62f
pipeline-githubnotify-step:49.vf37bf92d2bc8
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-groovy-lib:704.vc58b_8890a_384
pipeline-input-step:495.ve9c153f6067b_
pipeline-maven:1396.veb_f07b_2fc1d8
pipeline-maven-api:1396.veb_f07b_2fc1d8
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2198.v41dd8ef6dd56
pipeline-model-definition:2.2198.v41dd8ef6dd56
pipeline-model-extensions:2.2198.v41dd8ef6dd56
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2198.v41dd8ef6dd56
pipeline-stage-view:2.34
pipeline-utility-steps:2.16.2
plain-credentials:179.vc5cb_98f6db_38
plugin-util-api:4.1.0
popper-api:1.16.1-3
popper2-api:2.11.6-4
prism-api:1.29.0-13
pubsub-light:1.18
rebuild:332.va_1ee476d8f6d
resource-disposer:0.23
robot:3.5.1
role-strategy:717.v6a_69a_fe98974
run-condition:1.7
saferestart:0.7
saml:4.464.vea_cb_75d7f5e0
scm-api:690.vfc8b_54395023
script-security:1335.vf07d9ce377a_e
sidebar-link:2.4.1
simple-theme-plugin:176.v39740c03a_a_f5
slack:684.v833089650554
snakeyaml-api:2.2-111.vc6598e30cc65
sonar:2.17.2
sse-gateway:1.26
ssh-agent:367.vf9076cd4ee21
ssh-credentials:337.v395d2403ccd4
ssh-slaves:2.948.vb_8050d697fec
sshd:3.322.v159e91f6a_550
startup-trigger-plugin:2.9.4
strict-crumb-issuer:2.1.1
structs:337.v1b_04ea_4df7c8
timestamper:1.26
token-macro:400.v35420b_922dcb_
trilead-api:2.142.v748523a_76693
variant:60.v7290fc0eb_b_cd
view-job-filters:369.ve0513a_a_f5524
warnings-ng:11.3.0
webhook-step:342.v620877effe14
windows-slaves:1.8.1
workflow-aggregator:596.v8c21c963d92d
workflow-api:1291.v51fd2a_625da_7
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3894.vd0f0248b_a_fc4
workflow-cps-global-lib:612.v55f2f80781ef
workflow-cps-global-lib-http:2.48.0
workflow-durable-task-step:1336.v768003e07199
workflow-job:1400.v7fd111b_ec82f
workflow-multibranch:773.vc4fe1378f1d5
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:657.v03b_e8115821b_
workflow-support:896.v175a_a_9c5b_78f
ws-cleanup:0.45

Hello and welcome to this community, @gczuczy. :wave:

In Jenkins, environment variables are typically made available to plugins through the EnvVars class, which provides a map-like interface to access the variables.

The oidc-provider plugin, like many other Jenkins plugins, likely uses this class to access environment variables (I haven’t checked thoroughly, though).

The list of environment variables you provided seems to be the standard set of variables that Jenkins provides for each build.
These include information about the build itself, the job that triggered the build, and the Jenkins instance.

If you want to make additional environment variables available to the oidc-provider plugin, you would typically do this in your pipeline script or job configuration. :thinking:

For example, you could use the withEnv step in a pipeline script to set environment variables for a block of steps:

withEnv(['GIT_COMMIT_SHA=${GIT_COMMIT}', 'GIT_REPO_URL=${GIT_URL}']) {
    // Steps that need the GIT_COMMIT_SHA and GIT_REPO_URL variables
}

In this example, GIT_COMMIT and GIT_URL are built-in Jenkins environment variables that contain the commit SHA and repository URL for the current build. The withEnv step makes these values available as GIT_COMMIT_SHA and GIT_REPO_URL for the steps inside the block.

However, whether the oidc-provider plugin can actually use these variables depends on how the plugin is implemented. :person_shrugging:
If the plugin only reads environment variables at the start of the build, then setting variables in the pipeline script might not have any effect. :thinking:

As for your question about how environment variable propagation works among plugins, there isn’t a general answer because it depends on how each plugin is implemented. Some plugins might read environment variables directly from the EnvVars class, while others might require you to configure the variables in the Jenkins UI or in a pipeline script.

For more detailed information about how the oidc-provider plugin works with environment variables, I would recommend looking at the plugin’s documentation or source code.

Regarding the plugin architecture in Jenkins, it’s a broad topic I don’t master, but here are some key points to me:

  • Jenkins plugins are written in Java and packaged as .hpi files.
  • Each plugin provides an extension point, which is a Java interface that other plugins can implement to extend Jenkins’ functionality.
  • Plugins can also contribute to the Jenkins UI by adding new pages, menu items, etc.
  • Jenkins provides a number of core APIs and services that plugins can use, such as the EnvVars class for accessing environment variables.

For a more in-depth understanding, you might want to check out the Jenkins plugin tutorial and developer documentation, which provide a lot of information about how to create and work with Jenkins plugins.

Thank you, unfortunately this did not bring any improvements. With withEnv the claim has the raw strings (I’ve replaced it with double quotes, since singles do not do variable replacement):

     "git_commit": "${GIT_COMMIT}",
10:39:35      "git_commit_sha": "${GIT_COMMIT_SHA}",
10:39:35      "git_repo_url": "${GIT_REPO_URL}",
10:39:35      "git_url": "${GIT_URL}",
10:39:35      "github_repo": "${GITHUB_REPO}",

In the original post I’ve linked the exact line of the source (so I came here asking, after I’ve gone through most of the resources you’ve linked, and reading and locally debugging the source of the plugin), but here it is:

 env = build.getEnvironment(TaskListener.NULL);

This is how the plugin is getting its envvars. What I wasn’t able to find is how the build variable is “there”, it’s just here, and what the effect of the NULL TaskListener is. Also, how does this relate to a job itself (versus global environment variables)?

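The unexpanded claim values reported in the last post can be caught before a token is relied on. As an added example (not part of the thread and not the oidc-provider plugin's code), this Python code decodes an ID token payload and reports every claim that still carries a literal `${VAR}` template; the sample token, issuer URL and function names are constructed for illustration.

```python
import base64
import json
import re

# An unexpanded ${NAME} template left verbatim in a claim value.
PLACEHOLDER = re.compile(r"\$\{([A-Za-z_][A-Za-z0-9_]*)\}")


def b64url(data: bytes) -> str:
    """Base64url without padding, as used in compact JWS."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated parts")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def unresolved_claims(claims: dict) -> dict:
    """Map claim name -> variable names that were never substituted."""
    found = {}
    for name, value in claims.items():
        values = value if isinstance(value, list) else [value]
        names = [m for v in values if isinstance(v, str)
                 for m in PLACEHOLDER.findall(v)]
        if names:
            found[name] = names
    return found


# Constructed sample: claim names follow the thread, all values are made up.
SAMPLE_CLAIMS = {
    "iss": "https://jenkins.example.invalid/oidc",
    "sub": "https://jenkins.example.invalid/job/demo/",
    "build_number": "42",
    "git_commit": "${GIT_COMMIT}",
    "git_repo_url": "${GIT_REPO_URL}",
}
SAMPLE_TOKEN = ".".join([
    b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    b64url(json.dumps(SAMPLE_CLAIMS).encode()),
    b64url(b"constructed-signature"),  # placeholder, not a real signature
])

if __name__ == "__main__":
    for claim, names in unresolved_claims(decode_payload(SAMPLE_TOKEN)).items():
        print(f"{claim}: unexpanded {', '.join(names)}")
```

A relying party would run the same check only after signature verification and reject the token if the result is non-empty.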