Jenkins › Jenkins issues

[JIRA] Created: (JENKINS-9216) Make OpenID work with Google Apps accounts

Classic

List

Threaded

17 messages Options

JIRA noreply@jenkins-ci.org

[JIRA] Created: (JENKINS-9216) Make OpenID work with Google Apps accounts

Make OpenID work with Google Apps accounts
------------------------------------------

Key: JENKINS-9216
URL: http://issues.jenkins-ci.org/browse/JENKINS-9216
Project: Jenkins
Issue Type: Improvement
Components: openid
Reporter: Kohsuke Kawaguchi
Assignee: Kohsuke Kawaguchi

There appears to be some bootstrap/discovery problem that prevents this from working.

--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

JIRA noreply@jenkins-ci.org

[JIRA] Commented: (JENKINS-9216) Make OpenID work with Google Apps accounts

[ http://issues.jenkins-ci.org/browse/JENKINS-9216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=147423#comment-147423 ]

Kohsuke Kawaguchi commented on JENKINS-9216:
--------------------------------------------

Relevant thread in the users list: http://groups.google.com/group/jenkinsci-users/browse_frm/thread/8786c1f74db8200/9c1ec47a775265d5?lnk=gst&q=openid

> Make OpenID work with Google Apps accounts
> ------------------------------------------
>
> Key: JENKINS-9216
> URL: http://issues.jenkins-ci.org/browse/JENKINS-9216
> Project: Jenkins
> Issue Type: Improvement
> Components: openid
> Reporter: Kohsuke Kawaguchi
> Assignee: Kohsuke Kawaguchi
>
> There appears to be some bootstrap/discovery problem that prevents this from working.

--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

JIRA noreply@jenkins-ci.org

[JIRA] Commented: (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

[ https://issues.jenkins-ci.org/browse/JENKINS-9216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=150027#comment-150027 ]

Petr Dvorak commented on JENKINS-9216:
--------------------------------------

Hi guys, how does it look with this one? :) Using Google Apps for Hudson authentication would make a pretty nice feature. Keep up the great effort!

> Make OpenID work with Google Apps accounts
> ------------------------------------------
>
> Key: JENKINS-9216
> URL: https://issues.jenkins-ci.org/browse/JENKINS-9216
> Project: Jenkins
> Issue Type: Improvement
> Components: openid
> Reporter: Kohsuke Kawaguchi
> Assignee: Kohsuke Kawaguchi
>
> There appears to be some bootstrap/discovery problem that prevents this from working.

--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

JIRA noreply@jenkins-ci.org

[JIRA] Commented: (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

[ https://issues.jenkins-ci.org/browse/JENKINS-9216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=151569#comment-151569 ]

Kasper Garnæs commented on JENKINS-9216:
----------------------------------------

Is this ticket still relevant?

We have used the OpenID plugin with our Google Apps account the last couple of weeks without problems.

--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

JIRA noreply@jenkins-ci.org

[JIRA] (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

[ https://issues.jenkins-ci.org/browse/JENKINS-9216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=156239#comment-156239 ]

Kevin Behrens commented on JENKINS-9216:
----------------------------------------

I'm with @Kasper Garnæs
My jenkins works fine with my google apps domain.
My only open question is how to configure it such that only users of my domain have access.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jenkins-ci.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

JIRA noreply@jenkins-ci.org

[JIRA] (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

[ https://issues.jenkins-ci.org/browse/JENKINS-9216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=156477#comment-156477 ]

btrim commented on JENKINS-9216:
--------------------------------

Yes, it does work (I think Google changed something in the last 8 months). However, like Kevin Behrens said, it only works automatically if you use the generic Google account URL.

If you use the URLs for your specific domain, OpenID generally expects to be able to get the xrds file from your domain, like example.com. Google *does* host a version of that file for you, but the discovery mechanism is tweaked to allow for it, so you either have to host it yourself or modify the discovery to read the file from the well-known URL pattern on google.

This is mostly from memory so hopefully I got it right.

JIRA noreply@jenkins-ci.org

[JIRA] (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

[ https://issues.jenkins-ci.org/browse/JENKINS-9216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=158053#comment-158053 ]

Stephen Palmer commented on JENKINS-9216:
-----------------------------------------

I found that this ALMOST works. According to this spec: https://sites.google.com/site/oauthgoog/fedlogininterp/openiddiscovery

I can use this endpoint URL (for my domain) in the plugin to get the process started correctly:
https://www.google.com/accounts/o8/site-xrds?hd=example.com

After I validate the login with Google, according to the spec above, the user OpenID file is by default found here:
http://example.com/openid?id=108441225163454056756

But google actually hosts that for you, with this URL template, which is defined in the site XRDS doc.
https://www.google.com/accounts/o8/user-xrds?uri={%uri}

So the plugin fails because it doesn't apply that template and instead tires to retrieve the User XRDS doc from example.com.

At least, I think that's what is happening. I am going to try doing a URL rewrite on our web server as a workaround, but hopefully the author can take a look and see if perhaps there is a straightforward fix?

JIRA noreply@jenkins-ci.org

[JIRA] (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

[ https://issues.jenkins-ci.org/browse/JENKINS-9216?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=160589#comment-160589 ]

Aaron Stone commented on JENKINS-9216:
--------------------------------------

Here's an Apache mod_rewrite + mod_proxy rewrite rule that works for me:

RewriteRule ^/openid$ <a href="http://www.google.com/accounts/o8/user-xrds?uri=http://example.com/openid?%">http://www.google.com/accounts/o8/user-xrds?uri=http://example.com/openid?%{QUERY_STRING} [P,L]

JIRA noreply@jenkins-ci.org

[JIRA] (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

Code changed in jenkins
User: Kohsuke Kawaguchi
Path:
src/main/java/hudson/plugins/openid/GoogleAppSsoSecurityRealm.java
http://jenkins-ci.org/commit/openid-plugin/c2f725f9dd25462edf95a5e3a59759538ab23136
Log:
[FIXED JENKINS-9216]

Reworked the change based on the comment in the ticket.
This approach does not skip any checks, so it doesn't compromise on
security.

Compare: https://github.com/jenkinsci/openid-plugin/compare/51272cc7dd48...c2f725f9dd25

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators.
For more information on JIRA, see: http://www.atlassian.com/software/jira

JIRA noreply@jenkins-ci.org

[JIRA] (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

Change By:	SCM/JIRA link daemon (12/Jul/12 1:57 AM)
Status:	Open Resolved
Resolution:	Fixed

JIRA noreply@jenkins-ci.org

[JIRA] (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

Thanks, Kohsuke! This was exactly the OpenId4Java subclass I was hoping would be possible! (Shout out to @autojack for channeling me IRL yesterday on IRC.)

I got the hint for this approach from a Ruby gem published by Living Social. The minimum OpenID workaround is encapsulated here:
https://github.com/sodabrew/rails-googleapps-auth/blob/master/lib/googleapps_auth.rb#L151-168

JIRA noreply@jenkins-ci.org

[JIRA] (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

Damn it Kohsuke, you resolved it just before I got the chance to make an offer for this issue at FreedomSponsors. I'm taking the liberty of reopening it ONLY to draw your attention for it, hope you don't mind. Here's the offer --> http://www.freedomsponsors.com/core/offer/2/make-openid-work-with-google-apps-accounts Please go there and mark it as resolved and I will gladly pay up - as soon as the fix is available in a release version of Jenkins - (or you can wait a couple of days and maybe someone else will join me as a sponsor, it's up to you, really) Everyone else, just to explain what this is about: I'm a big fan of Jenkins (and Kohsuke's), and I created FreedomSponsors, specifically to make him rich (and maybe other people like him who also deserve it) And this is the very issue that I was looking at, when the whole idea hit me. That was like, 7 weeks ago. Now it's has been up and running for a couple of days. Yes, I have every intention of creating a big positive impact on open source projects like Jenkins. So please feel free to join and spread the word about it. Cheers Tony Lâmpada FreedomSponsors - http://www.freedomsponsors.com Software engineer and CEO, I guess
Change By:	Tony Lampada (12/Jul/12 5:48 PM)
Resolution:	Fixed
Status:	Resolved Reopened

JIRA noreply@jenkins-ci.org

[JIRA] (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

Damn it Kohsuke,
you resolved it just before I got the chance to make an offer for this issue at FreedomSponsors.

I'm taking the liberty of reopening it ONLY to draw your attention for it, hope you don't mind.
Here's the offer --> http://www.freedomsponsors.com/core/offer/2/make-openid-work-with-google-apps-accounts
Please go there and mark it as resolved and I will gladly pay up - as soon as the fix is available in a release version of Jenkins - (or you can wait a couple of days and maybe someone else will join me as a sponsor, it's up to you, really)

Everyone else, just to explain what this is about:
I'm a big fan of Jenkins (and Kohsuke's), and I created FreedomSponsors, specifically to make him rich (and maybe other people like him who also deserve it)

And this is the very issue that I was looking at, when the whole idea hit me.

That was like, 7 weeks ago. Now it has been up and running for a couple of days.

Yes, I have every intention of creating a big positive impact on open source projects like Jenkins. So please feel free to join and spread the word about it.

Cheers
Tony Lâmpada
FreedomSponsors - http://www.freedomsponsors.com
Software engineer and CEO, I guess

JIRA noreply@jenkins-ci.org

[JIRA] (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

Thank you! I just updated that offer and also marking this as closed.
Change By:	Kohsuke Kawaguchi (12/Jul/12 7:53 PM)
Status:	Reopened Resolved
Resolution:	Fixed

JIRA noreply@jenkins-ci.org

[JIRA] (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

No, thank you!
I'll check it out

JIRA noreply@jenkins-ci.org

[JIRA] (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

It's actually not working for me yet.

The weirdest thing happens: it works for everyone else in the company except for me
(And I already checked with HR: I have NOT been fired... hehe)

So, when I come back from Google Apps' login page, I get stuck on a HTTP redirect infinite loop on "/jenkins/securityRealm/finishLogin?openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth (....)"

There seems to be something worng with my account, specifically, that's triggering this srange behaviour.

I have jenkins running inside tomcat, on port 8181, and I'm accessing it directly (without apache).
Also, this is a brand new jenkins installation (meaning: there was no .jenkins folder before I started tomcat) with OpenId plugin 1.5 newly installed.

I'm attaching a piece of the log from catalina.out (I changed the domain name though...)

Should I open a bug for this?

Cheers

JIRA noreply@jenkins-ci.org

[JIRA] (JENKINS-9216) Make OpenID work with Google Apps accounts

In reply to this post by JIRA noreply@jenkins-ci.org

Change By:	Tony Lampada (15/Jul/12 4:11 AM)
Attachment:	redirect_loop_in_catalina.out