  1. Jenkins
  2. JENKINS-43796

Logout on restart when using Project-based Matrix Authorization Strategy

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Not A Defect
    • Labels:
      None

      Description

      Using GitHub OAuth as the authentication mechanism. After switching from "GitHub Committer Authorization Strategy" to "Project-based Matrix Authorization Strategy", Jenkins restarts log out all users.

      I'm not sure if this was also happening before, but the previous authorization strategy was doing an automated redirect to GitHub.


          Activity

          giorgiosironi Giorgio Sironi added a comment -

          It seems this only happens on pages that are visible to Anonymous: more protected pages like /credentials redirect to GitHub, which logs in the user, who then comes back and can see that page.

          giorgiosironi Giorgio Sironi added a comment - - edited

          In my case, the Anonymous user has the Overall\Read permission, which makes a non-logged-in user able to see the homepage (although it's empty). Deselecting this option as a workaround forces the homepage to redirect the user to GitHub, logging him in as a result. Now testing if this works in all scenarios.

          https://wiki.jenkins-ci.org/display/JENKINS/GitHub+OAuth+Plugin does recommend only Job/Discover and Job/ViewStatus for Anonymous.
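
A check for the setting discussed in the comment above, as an added example that is not part of the original issue or of any plugin's code: it reads the global matrix entries from a Jenkins `config.xml` and reports Anonymous grants beyond Job/Discover and Job/ViewStatus. The `<permission>` entry layout, the permission ID strings and the sample configuration are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Assumed permission IDs for Job/Discover, Job/ViewStatus and Overall/Read.
RECOMMENDED = {"hudson.model.Item.Discover", "hudson.model.Item.ViewStatus"}
OVERALL_READ = "hudson.model.Hudson.Read"
# Assumed optional type prefix used by newer matrix serializations.
SID_TYPES = {"USER", "GROUP", "EITHER"}

# Constructed sample of a global config.xml (not taken from the issue).
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admins</permission>
    <permission>hudson.model.Hudson.Read:anonymous</permission>
    <permission>hudson.model.Item.Discover:anonymous</permission>
    <permission>USER:hudson.model.Item.ViewStatus:anonymous</permission>
    <permission>hudson.model.Hudson.Read:authenticated</permission>
  </authorizationStrategy>
</hudson>"""


def parse_grant(text):
    """Split 'PERMISSION:sid' or 'TYPE:PERMISSION:sid' into (permission, sid)."""
    parts = text.strip().split(":")
    if parts[0] in SID_TYPES:
        parts = parts[1:]
    if len(parts) < 2:
        return None  # malformed or empty entry
    return parts[0], ":".join(parts[1:])


def anonymous_grants(config_xml):
    """Return the set of permission IDs granted to the 'anonymous' sid."""
    grants = set()
    for strategy in ET.fromstring(config_xml).iter("authorizationStrategy"):
        for node in strategy.iter("permission"):
            parsed = parse_grant(node.text or "")
            if parsed and parsed[1] == "anonymous":
                grants.add(parsed[0])
    return grants


def audit(config_xml):
    """Flag Overall/Read for Anonymous and any grant beyond the recommended two."""
    grants = anonymous_grants(config_xml)
    return {"overall_read": OVERALL_READ in grants,
            "unexpected": sorted(grants - RECOMMENDED)}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```
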

          giorgiosironi Giorgio Sironi added a comment -

          Can't break it with these settings, up to the maintainers to close if this is expected behavior. Hope this can be useful for anyone googling a solution for the problem.

          oleg_nenashev Oleg Nenashev added a comment -

          IMHO it is a correct behavior unless the plugin provides some SSO functionality with automatic discovery. AFAIK it does not.

          sag47 Sam Gleske added a comment -

          At the moment, I don't consider this a defect. When authorization strategies are switched I would actually expect all previous logins to be invalidated. Any pages which don't require authentication should not force a user login.

          I will close this for now. Feel free to reopen with additional details/arguments if you think this behavior should be different.


            People

            • Assignee:
              sag47 Sam Gleske
              Reporter:
              giorgiosironi Giorgio Sironi
            • Votes:
              0
              Watchers:
              3
