oidc-provider-plugin
Allow trailing slash in Issuer (URL)
What feature do you want to see added?
I have been trying to get this plugin to work together with Azure AD's workload identity federation.
I've gotten very far by basically following the pattern described here and serving the OIDC discovery document + JWKS from Azure blob storage, since Jenkins itself is hosted on an internal network.
But when testing this from a Jenkins Pipeline I face the following error:
```groovy
pipeline {
    ..
    stages {
        ...
        stage('Test Azure CLI login') {
            environment {
                AZURE_TENANT_ID = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
                AZURE_CLIENT_ID = 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
            }
            steps {
                withCredentials([string(credentialsId: 'aad-id-token', variable: 'TOKEN')]) {
                    sh '''
                        set +x
                        echo "Login with service principal.."
                        az login --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $TOKEN
                    '''
                }
            }
        }
    }
}
```

```text
Login with service principal..
ERROR: AADSTS70021: No matching federated identity record found for presented assertion. Assertion Issuer: 'https://oidcissuer9612eaad.blob.core.windows.net/jenkins'. Assertion Subject: 'https://xxx/xx/Jenkins/job/OpenID_AAD_test/'. Assertion Audience: 'api://AzureADTokenExchange'. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation
```
The reason for this issue could be as simple as a trailing slash in issuer URL.
Would it be possible to allow a trailing slash in the plugin's UI view?

This might very well resolve this issue I'm having because Azure AD seems to somehow expect that trailing slash there.
But I'm also wondering whether the Assertion Subject should be the URL of the CI job in this case, because Azure is expecting it to be the name of the Azure blob storage where the discovery document is served from.
Upstream changes
No response
> Would it be possible to allow the trailing slash

Seems like a reasonable option, if in fact that helps with Azure.

> should the Assertion Subject be the URL of the CI job

See #18. As to whether it should

> be the name of the Azure blob storage where the discovery document is served from

then given

> serving the OIDC discovery document + JWKS from Azure blob storage since the Jenkins itself is hosted from internal network

and you are already setting this as the issuer, then I do not suppose so; the subject should be some identification of what is using the token.
AFAICT the plugin should actually work OK if you save a custom issuer ending with a slash despite this error message. (When this field is set, the only thing it should affect is the actual iss claim in the id token.) Try it; if it helps with Azure, then I will downgrade this to a warning that typically issuers do not end with a slash.
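The error above lists exactly the three claims Azure AD matches against a federated identity credential: issuer, subject and audience, compared as strings, which is why a trailing slash on one side and not the other is enough to produce AADSTS70021. The following script is an added diagnostic example, not part of this issue or of the plugin's code: it decodes the payload of an ID token without verifying it (Azure does the signature check against the issuer's JWKS), compares `iss`, `sub` and `aud` with what the federated credential expects, and reports whether a mismatch would disappear if only a trailing slash were normalised. The sample token and the federated-credential record are constructed from the values in the error message; the trailing slash on the record's issuer is an assumption standing in for what the reporter suspects is configured in Azure.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Return the JWT payload claims WITHOUT verifying the signature.

    Diagnostics only: the relying party (Azure AD here) verifies the
    signature against the issuer's JWKS; we only want to see the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned (alg=none) sample token for this demo only."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def _strip_slash(value: str) -> str:
    return value.rstrip("/")


def compare_to_federated_credential(claims: dict, record: dict) -> dict:
    """Compare iss/sub/aud exactly, then again ignoring a trailing slash.

    A claim that matches only after slash normalisation points at a
    trailing-slash mismatch between the token issuer and the record.
    """
    report = {}
    for claim in ("iss", "sub", "aud"):
        expected = record[claim]
        presented = claims.get(claim)
        # aud may be a single string or a list of audiences (RFC 7519 4.1.3)
        candidates = presented if isinstance(presented, list) else [presented]
        exact = expected in candidates
        normalised = any(
            isinstance(c, str) and _strip_slash(c) == _strip_slash(expected)
            for c in candidates
        )
        report[claim] = {
            "presented": presented,
            "expected": expected,
            "match": exact,
            "match_ignoring_trailing_slash": normalised,
        }
    return report


def diagnose(token: str, record: dict) -> dict:
    return compare_to_federated_credential(decode_claims(token), record)


# Claims as reported in the AADSTS70021 error on this issue.
SAMPLE_CLAIMS = {
    "iss": "https://oidcissuer9612eaad.blob.core.windows.net/jenkins",
    "sub": "https://xxx/xx/Jenkins/job/OpenID_AAD_test/",
    "aud": "api://AzureADTokenExchange",
}

# Constructed federated identity credential; the trailing slash on the
# issuer is assumed, mirroring the reporter's suspicion.
FEDERATED_CREDENTIAL = {
    "iss": "https://oidcissuer9612eaad.blob.core.windows.net/jenkins/",
    "sub": "https://xxx/xx/Jenkins/job/OpenID_AAD_test/",
    "aud": "api://AzureADTokenExchange",
}


if __name__ == "__main__":
    token = make_unsigned_token(SAMPLE_CLAIMS)
    for claim, result in diagnose(token, FEDERATED_CREDENTIAL).items():
        status = "OK" if result["match"] else (
            "MISMATCH (only a trailing slash differs)"
            if result["match_ignoring_trailing_slash"] else "MISMATCH"
        )
        print(f"{claim}: {status}")
        print(f"  presented: {result['presented']!r}")
        print(f"  expected:  {result['expected']!r}")
```

To use it against a real token, replace the sample with the value the `aad-id-token` credential binds to `$TOKEN` and fill the record with the issuer, subject and audience from the federated credential in the Azure portal; a report that says only the issuer differs by a trailing slash is the case the custom-issuer field (with the slash allowed) would fix, while a differing subject means the federated credential's subject must be set to whatever identifies the consuming job, as discussed in #18.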