Tim Jacomb

Looking at the git blame and linked issues I think it was for groups with a `#` at the start, see https://github.com/jenkinsci/azure-ad-plugin/issues/145#issuecomment-866736490

I guess we could expire the graph client every now and then in the cache (ensuring its shutdown cleanly as well) here: https://github.com/jenkinsci/azure-ad-plugin/blob/cc82c54af8c28ec67697925a5bcbe97bb989d616/src/main/java/com/microsoft/jenkins/azuread/GraphClientCache.java#L29-L31 Not too keen on it though. I...

Reading the code it looks like the SDK is where this best fits they have a lot of code around proxying, this plugin just delegates to the library. If someone...

bear in mind that you don't actually get the UPN in the id_token by default you would have to modify the manifest to enable it from reading: https://learn.microsoft.com/en-us/azure/active-directory/develop/optional-claims#v20-specific-optional-claims-set but it...

> instead it should be the email id Why do you say that it should be the email address?

> Jenkins ID should be 'Unique Principal Name' as it will be unique accross Azure AD. UPN should not be used according to Microsoft: https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#use-claims-to-reliably-identify-a-user > When identifying a user,...

where are they showing up as a hash?

Not currently, why do you need that?

Some info from Microsoft: https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-handle-samesite-cookie-changes-chrome-browser We shouldn't have any cookies that require cross domain, but I'll check this when I have time. It works in Chrome's implementation of this just...

Could the system get its clock fixed instead? 5 minutes is already quite generous