azure-ad-plugin
Config Support for using UPN rather than Object ID
What feature do you want to see added?
Problem: With the new version of the plugin, Jenkins Users are being created with their Object ID from Azure rather than UPN. This is causing problems for all the integrated systems where api calls are being made. Also making JCASC configuration less user friendly.
Request: Please add a configuration option to the plugin configuration where users can choose to use UPN for Jenkins User IDs. For example a checkbox on the configuration page of the plugin.
"Use UPN for Jenkins ID"
Thanks in advance.
Upstream changes
No response
This would be an ideal update.
If there are any pointers to check, I'd be happy to look at developing a MR
Not sure what pointers to check. Could you please elaborate?
@pirouet
Based on: https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes
Please check with the below attribute: userPrincipalName
bear in mind that you don't actually get the UPN in the id_token by default you would have to modify the manifest to enable it from reading: https://learn.microsoft.com/en-us/azure/active-directory/develop/optional-claims#v20-specific-optional-claims-set
but it would be possible to add an option to do this.
It would be very helpful for an Admin to just input the e-mail in Jenkins when adding the users. If someone can do the change, it would be highly appreciated.
Facing the same issue, We tried adding additional Claim of preffered_name
and upn
still no luck.
Jenkins User ID: 7c59220a-f8cafacc7a17
instead it should be the email id Jenkins User ID:- [email protected]
Or can anyone guide or suggest how to fix it?
instead it should be the email id
Why do you say that it should be the email address?
@timja There are two things that we are currently looking at.
- Jenkins ID should be 'Unique Principal Name' as it will be unique across Azure AD.
- It will be easy to use in curl or automation calling the Jenkins API.
I am not sure if uuid is the solution for Azure Ad Plugin in Jenkins.
Please let us know your thoughts so we can understand and implement our automation accordingly.
Thanks in advance for quick response.
Jenkins ID should be 'Unique Principal Name' as it will be unique across Azure AD.
UPN should not be used according to Microsoft:
https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#use-claims-to-reliably-identify-a-user
When identifying a user, it's critical to use information that remains constant and unique across time. Legacy applications sometimes use fields like the email address, phone number, or UPN. All of these fields can change over time, and can also be reused over time. For example, when an employee changes their name, or an employee is given an email address that matches that of a previous, no longer present employee. Your application mustn't use human-readable data to identify a user - human readable generally means someone can read it, and want to change it. Instead, use the claims provided by the OIDC standard, or the extension claims provided by Microsoft - the sub and oid claims.
To correctly store information per-user, use sub or oid alone (which as GUIDs are unique), with tid used for routing or sharding if needed. If you need to share data across services, oid and tid is best as all apps get the same oid and tid claims for a user acting in a tenant. The sub claim is a pair-wise value that's unique. The value is based on a combination of the token recipient, tenant, and user. Two apps that request ID tokens for a user receive different sub claims, but the same oid claims for that user.
It may be possible to allow lookup via 'username' for API calls as I think that's all people mostly want this for. but as a stable identifier it's not a solution.
see also https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability and https://github.com/MicrosoftDocs/azure-docs/issues/14498
Make sense. @timja Thanks for the clarification.
@timja I understand the need in the backend for unique identification. However with the latest version of the plugin users showing up as hash instead of UPN or email. Is it possible that once authentication completed we can resolve the objectID to UPN or email? can it be configurable?
where are they showing up as a hash?
Hi, I work with @ibidani. What Idan meant is the Jenkins User ID is showing up as Azure Object ID with latest version of plugin. We are on latest LTS(2.440.3) version of jenkins with azure ad plugin version 385.v5d9f88612dd2. Please find the screenshot below. Question, Is there any way to update the Jenkins User ID to UPN instead of objectID? is it configurable in any way ?
Not currently, why do you need that?