@twz123 anyway to purge this cache? can logout from jenkins work :D

Maybe logging out would help. But a malicious user wouldn't want to logout. That way, the malicious user can retain access to Jenkins indefinitely, even if administrators revoke access via the OIDC Identity Provider. So this is a real security concern.

The only workarounds that come to my mind would be to delete the user properties via some groovy script, or to delete the user XML file from the filesystem and refresh Jenkins configuration from disk.

seems like a full logout (both from Jenkins and OIDC) won't help. I encountered a problem when granting extra roles in OIDC provider won't reflect into Jenkins authorities.

A Jenkins restart did purge the cache in my situation. If possible, can you share the Groovy script to purge user cache? a possible workaround is putting a cron job to clear this cache every specific interval

Running Jenkins 2.282 the Jenkins logout button appears to flush the roles. After clicking Logout, if I navigate to the jenkins url, it seamlessly re-auths with updated roles/groups

I'll have to check if the code still has the issue.
If that's the case, the refresh is a good time to renew user info.

This is still an issue. Tried setting OIDC token lifespan to 1 minute but seems like it never refreshes it.
And while group info is now used for Jenkins API, it never gets updated if user is removed from certain groups that provide/limit access or if the user is disabled on the OIDC provider.

1. It should start using the refresh token and update groups.

2. And afterwards the Jenkins API token issue can be tackled somehow. One option would be to use OIDC backchannel-logout. In case when user is disabled or groups changed, session can be terminated on OIDC side and provider would connect to Jenkins and log the user out (and possibly remove groups to disable Jenkins API usage).

Yes, that one in on my "what's next" list.

I am investigating the use use of filter which seems to be called whenever an access occurs.
I ve not yet asked to experts on newsgroup channel - they may have a better answer.

Hi @michael-doubez. I have found https://github.com/jenkinsci/keycloak-plugin/blob/master/src/main/java/org/jenkinsci/plugins/RefreshFilter.java which implements token refresh via filter. Would you accept such solution for this plugin? I would be willing to incorporate refresh token support in this plugin.

Hello

Gladly. Implementation should not assume an offline or refresh token is available. There should also be a configurable renewal interval.