OIDC logins are cached forever #100
Comments
@twz123 any way to purge this cache? can logout from jenkins work :D
Maybe logging out would help. But a malicious user wouldn't want to logout. That way, the malicious user can retain access to Jenkins indefinitely, even if administrators revoke access via the OIDC Identity Provider. So this is a real security concern. The only workarounds that come to my mind would be to delete the user properties via some groovy script, or to delete the user XML file from the filesystem and refresh Jenkins configuration from disk.
Seems like a full logout (both from Jenkins and OIDC) won't help. I encountered a problem where granting extra roles in the OIDC provider wasn't reflected in Jenkins authorities. A Jenkins restart did purge the cache in my situation. If possible, can you share the Groovy script to purge the user cache? A possible workaround is putting a cron job to clear this cache at a specific interval.
Running Jenkins 2.282, the Jenkins logout button appears to flush the roles. After clicking Logout, if I navigate to the Jenkins URL, it seamlessly re-auths with updated roles/groups.
I'll have to check if the code still has the issue.
This is still an issue. Tried setting the OIDC token lifespan to 1 minute, but it seems like it never refreshes it.
Yes, that one is on my "what's next" list. I am investigating the use of
Hi @michael-doubez. I have found https://github.com/jenkinsci/keycloak-plugin/blob/master/src/main/java/org/jenkinsci/plugins/RefreshFilter.java which implements token refresh via a filter. Would you accept such a solution for this plugin? I would be willing to incorporate refresh token support in this plugin.
Hello. Gladly. Implementation should not assume an offline or refresh token is available. There should also be a configurable renewal interval.
During debugging of #41, I noticed that the information from the user's last full login is stored indefinitely in OicUserProperty. So there's already a caching/security problem, as anticipated in #41 (comment). Any changes to the user inside the Identity Provider won't be reflected back into Jenkins if the user doesn't log in again. As a consequence, session cookies, API Tokens and so on may be valid forever, even if the user has long been disabled in the Identity Provider.
A possible solution would be to use the exp field of the ID Token to check how long the credentials are valid and, if they are expired, transparently request a new ID Token from the Identity Provider using a Refresh Token.
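The renewal logic the issue body and the maintainer's reply describe (re-read the ID Token's exp claim, refresh transparently when a Refresh Token exists, never assume one exists, and honour a configurable renewal interval) is sketched below as an added Python example. It is not code from the plugin or from anyone in this thread. Everything in it is an assumption: the CachedLogin dataclass stands in for whatever the plugin keeps per user (it is not OicUserProperty), FakeIdp stands in for the Identity Provider's token endpoint, and the tokens are constructed, unsigned JWTs that exist only to carry an exp claim.

```python
import base64
import json
from dataclasses import dataclass
from typing import Callable, Optional

NOW = 1_700_000_000.0  # fixed clock so the scenarios below are deterministic (constructed)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT used only to carry claims in this example.
    A real plugin must verify the IdP's signature before trusting any claim."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token: str) -> dict:
    """Decode the payload of a compact JWT. No signature check here on purpose:
    the ID Token was verified when it was accepted at login; we only re-read `exp`."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


@dataclass
class CachedLogin:
    """Hypothetical per-user state kept after login (assumed shape, not the plugin's property)."""
    id_token: str
    refresh_token: Optional[str]  # None when the IdP issued no refresh token
    last_renewal: float           # epoch seconds of the last successful validation


class RenewalPolicy:
    VALID, REFRESHED, INVALIDATED = "valid", "refreshed", "invalidated"

    def __init__(self, renewal_interval: int, refresh: Callable[[str], Optional[str]]):
        # renewal_interval: the configurable interval asked for in the thread; the IdP is
        #   re-consulted at least this often even while `exp` is still in the future.
        # refresh: hypothetical call to the IdP token endpoint (grant_type=refresh_token);
        #   returns a new ID Token, or None when the IdP refuses (user disabled, grant revoked).
        self.renewal_interval = renewal_interval
        self.refresh = refresh

    def check(self, login: CachedLogin, now: float) -> str:
        exp = jwt_claims(login.id_token).get("exp")
        expired = exp is None or now >= exp  # exp is mandatory in an ID Token; missing means unusable
        interval_elapsed = now - login.last_renewal >= self.renewal_interval
        if not expired and not interval_elapsed:
            return self.VALID
        if login.refresh_token is None:
            # Nothing to renew with: the caller must drop the session so the user logs in again
            return self.INVALIDATED
        new_id_token = self.refresh(login.refresh_token)
        if new_id_token is None:
            # The IdP no longer honours this user: end the cached session instead of keeping it
            return self.INVALIDATED
        login.id_token = new_id_token
        login.last_renewal = now
        return self.REFRESHED


class FakeIdp:
    """Constructed stand-in for the IdP token endpoint, not a real OIDC client."""

    def __init__(self, id_token_lifetime: int = 300):
        self.id_token_lifetime = id_token_lifetime
        self.honoured = {"rt-alice", "rt-bob"}  # refresh tokens still accepted

    def revoke(self, refresh_token: str) -> None:
        self.honoured.discard(refresh_token)  # what disabling the user at the IdP looks like to us

    def refresh(self, refresh_token: str) -> Optional[str]:
        if refresh_token not in self.honoured:
            return None
        return make_unsigned_token({"sub": refresh_token, "exp": int(NOW) + self.id_token_lifetime})


def run_scenarios() -> dict:
    """Walk through the cases the thread raises and return each outcome."""
    idp = FakeIdp()
    policy = RenewalPolicy(renewal_interval=600, refresh=idp.refresh)
    fresh = make_unsigned_token({"sub": "alice", "exp": int(NOW) + 3600})
    stale = make_unsigned_token({"sub": "alice", "exp": int(NOW) - 1})
    results = {}
    # 1. unexpired ID Token, renewed recently: nothing to do
    results["fresh"] = policy.check(CachedLogin(fresh, "rt-alice", NOW - 10), NOW)
    # 2. expired ID Token, refresh token accepted: renewed transparently
    login = CachedLogin(stale, "rt-alice", NOW - 4000)
    results["expired_refreshable"] = policy.check(login, NOW)
    results["new_exp"] = jwt_claims(login.id_token)["exp"]
    # 3. expired and the IdP never issued a refresh token: force an interactive login
    results["expired_no_refresh"] = policy.check(CachedLogin(stale, None, NOW - 4000), NOW)
    # 4. user disabled at the IdP: refresh rejected, the cached session must end
    idp.revoke("rt-bob")
    results["expired_revoked"] = policy.check(CachedLogin(stale, "rt-bob", NOW - 4000), NOW)
    # 5. ID Token still valid but the renewal interval has elapsed: re-check with the IdP anyway
    results["interval_elapsed"] = policy.check(CachedLogin(fresh, "rt-alice", NOW - 601), NOW)
    return results
```

Calling run_scenarios() returns the outcome of each case. Two choices matter for the problem this issue describes: a login with no refresh token is invalidated rather than silently extended, which is what "should not assume an offline or refresh token is available" requires, and the renewal interval puts a ceiling on how stale the cached authorities can be even when the IdP issued a long-lived ID Token, so a user disabled at the IdP loses access within one interval instead of never.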