GET used instead of POST for token validation (405: Bad request)

[marius-meissner]

Jenkins and plugins versions report

Environment

Jenkins: 2.462.2
OS: Linux - 6.8.4-3-pve
Java: 17.0.13 - Ubuntu (OpenJDK 64-Bit Server VM)
---
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
asm-api:9.7.1-97.v4cc844130d97
authentication-tokens:1.119.v50285141b_7e1
blueocean:1.27.16
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.27.16
blueocean-commons:1.27.16
blueocean-config:1.27.16
blueocean-core-js:1.27.16
blueocean-dashboard:1.27.16
blueocean-display-url:2.4.3
blueocean-events:1.27.16
blueocean-git-pipeline:1.27.16
blueocean-github-pipeline:1.27.16
blueocean-i18n:1.27.16
blueocean-jira:1.27.16
blueocean-jwt:1.27.16
blueocean-personalization:1.27.16
blueocean-pipeline-api-impl:1.27.16
blueocean-pipeline-editor:1.27.16
blueocean-pipeline-scm-api:1.27.16
blueocean-rest:1.27.16
blueocean-rest-impl:1.27.16
blueocean-web:1.27.16
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1206.vd9f35001c95c
build-timeout:1.33
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.1
cloudbees-bitbucket-branch-source:895.v15dc41668f03
cloudbees-folder:6.955.v81e2a_35c08d3
command-launcher:116.vd85919c54a_d6
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.12.0-129.v99a_50df237f7
copyartifact:761.vea_2b_25523e84
credentials:1380.va_435002fa_924
credentials-binding:681.vf91669a_32e45
data-tables-api:2.1.8-1
display-url-api:2.204.vf6fddd8a_8b_e9
durable-task:581.v299a_5609d767
echarts-api:5.5.1-4
eddsa-api:0.3.0-4.v84c6f0f4969e
email-ext:1844.v3ea_a_b_842374a_
favorite:2.221.v19ca_666b_62f5
font-awesome-api:6.6.0-2
git:5.5.2
git-client:5.0.0
git-server:126.v0d945d8d2b_39
github:1.40.0
github-api:1.321-468.v6a_9f5f2d5a_7e
github-branch-source:1807.v50351eb_7dd13
gson-api:2.11.0-85.v1f4e87273c33
handy-uri-templates-2-api:2.1.8-30.v7e777411b_148
htmlpublisher:1.37
instance-identity:201.vd2a_b_5a_468a_a_6
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
jdk-tool:80.v8a_dee33ed6f0
jenkins-design-language:1.27.16
jersey2-api:2.44-151.v6df377fff741
jira:3.13
jjwt-api:0.11.5-112.ve82dfb_224b_a_d
jnr-posix-api:3.1.20-125.vb_6ec4b_21b_15e
joda-time-api:2.13.0-93.v9934da_29b_a_e9
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20241224-119.va_dca_a_b_ea_7da_5
json-path-api:2.9.0-118.v7f23ed82a_8b_8
junit:1312.v1a_235a_b_94a_31
lockable-resources:1327.ved786b_a_197e0
mailer:488.v0c9639c1a_eb_3
matrix-auth:3.2.3
matrix-project:839.vff91cd7e3a_b_2
mina-sshd-api-common:2.14.0-138.v6341ee58e1df
mina-sshd-api-core:2.14.0-138.v6341ee58e1df
oic-auth:4.444.vd4c54f157201
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
pam-auth:1.11
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-github-lib:61.v629f2cc41d83
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-groovy-lib:745.vdf6077913de0
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2218.v56d0cda_37c72
pipeline-model-definition:2.2218.v56d0cda_37c72
pipeline-model-extensions:2.2218.v56d0cda_37c72
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2218.v56d0cda_37c72
pipeline-stage-view:2.34
plain-credentials:183.va_de8f1dd5a_2b_
plugin-util-api:5.1.0
pubsub-light:1.18
resource-disposer:0.24
scm-api:696.v778d637b_a_762
script-security:1369.v9b_98a_4e95b_2d
snakeyaml-api:2.3-123.v13484c65210a_
sse-gateway:1.27
ssh-credentials:349.vb_8b_6b_9709f5b_
ssh-slaves:2.973.v0fa_8c0dea_f9f
ssh-steps:2.0.68.va_d21a_12a_6476
sshd:3.330.vc866a_8389b_58
structs:338.v848422169819
throttle-concurrents:2.14
timestamper:1.27
token-macro:400.v35420b_922dcb_
trilead-api:2.147.vb_73cc728a_32e
variant:60.v7290fc0eb_b_cd
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1336.vee415d95c521
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:4007.vd705fc76a_34e
workflow-durable-task-step:1378.v6a_3e903058a_3
workflow-job:1436.vfa_244484591f
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:936.v9fa_77211ca_e1
ws-cleanup:0.47

What Operating System are you using (both controller, and any agents involved in the problem)?

Ubuntu 20.04 LTS

Reproduction steps

1. Configure d Open ID Connect as security provider
2. Use Manual entry for configuration mode
3. Set all URLs including token server url
4. Chose Token authentication method Post

Expected Results

Expected that plugin sends POST requests to token server URL (<keycloak server>/protocol/openid-connect/token)

Actual Results

Instead a GET requests is received:
Keycloak logs

Jan 10 16:25:55 pg-keycloak kc.sh[1160135]: 2025-01-10 16:25:55,926 TRACE [io.vertx.ext.web.impl.RouterImpl] (vert.x-eventloop-thread-1) Router: 635576031 accepting request GET [****]/realms/Corp/protocol/openid-connect/token

Jenkins exception:

Jan 10 16:25:55 pg-jenkins jenkins[846]: org.pac4j.core.exception.TechnicalException: Bad token response, error=HTTP 405 Method Not Allowed, description=For more on this error consult the server log at the debug level.
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at PluginClassLoader for oic-auth//org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.executeTokenRequest(OidcAuthenticator.java:206)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at PluginClassLoader for oic-auth//org.pac4j.oidc.credentials.authenticator.OidcAuthenticator.validate(OidcAuthenticator.java:165)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at PluginClassLoader for oic-auth//org.pac4j.core.client.BaseClient.lambda$retrieveCredentials$0(BaseClient.java:75)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at java.base/java.util.Optional.ifPresent(Optional.java:178)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at PluginClassLoader for oic-auth//org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:72)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at PluginClassLoader for oic-auth//org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:145)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at PluginClassLoader for oic-auth//org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1276)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:732)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:416)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:429)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:211)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:138)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:644)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
Jan 10 16:25:55 pg-jenkins jenkins[846]:         at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)

Anything else?

No response

Are you interested in contributing a fix?

No response

[marius-meissner]

Seems the problem was introduced in version 4.388.v4f73328eb_d2c.

Just tested successfully with version 4.371.vc7c0c06e8a_f5.
When installing the next release 4.388.v4f73328eb_d2c, even with 'Disable Token Expiration Check' enabled, the mentioned issue occurs.

[jtnord]

There are numerous tests that should cover this e.g. -> https://github.com/jenkinsci/oic-auth-plugin/blob/4.452.v2849b_d3945fa_/src/test/java/org/jenkinsci/plugins/oic/PluginTest.java#L148

[jtnord]

FWIW we also have tests using keycloak

[marius-meissner]

Maybe some kind of regression, caused by some other dependencies?
Do you have any suggestions how I could do further tracing for finding the root cause?

[jtnord]

looking at https://bitbucket.org/connect2id/oauth-2.0-sdk-with-openid-connect-extensions/src/5822caae520661cdfe5bce79e57a33c70e4159ab/src/main/java/com/nimbusds/oauth2/sdk/TokenRequest.java#lines-933 the method is hardcoded to use post per the spec.
Could it be was are sending a POST yet for some reason your keycloak is refusing the POST and expecting a GET only?

you can try adding a logger for sun.net.www.protocol.http.HttpURLConnection to ALL (may depend on which JDK you use, but it uses java.net.HttpUrlConnection for as the "client"

[marius-meissner]

Thanks a lot for your hint regarding the log tracing.

Seems the problem is caused by a 301 redirect.
We still had an old URL and after it was updated, the issue disappeared.

Now the question is whether the reaction to the 301 is correct?

Log:

sun.net.www.MessageHeader@57bd3e4c7 pairs: {POST /realms/Corp/protocol/openid-connect/token HTTP/1.1: null}{Content-Type: application/x-www-form-urlencoded; charset=UTF-8}{User-Agent: Java/17.0.13}{Host: sso.old.url}{Accept: */*}{Connection: keep-alive}{Content-Length: 298}

Feb 01, 2025 11:09:46 AM FINE sun.net.www.protocol.http.HttpURLConnection
sun.net.www.MessageHeader@739d931a4 pairs: {null: HTTP/1.1 301 Moved Permanently}{content-length: 0}{location: https://sso.keycloak.xyz/realms/Corp/protocol/openid-connect/token}{connection: close}

Feb 01, 2025 11:09:46 AM FINE sun.net.www.protocol.http.HttpURLConnection
Redirected from https://sso.old.url/realms/Corp/protocol/openid-connect/token to https://sso.keycloak.xyz/realms/Corp/protocol/openid-connect/token

Feb 01, 2025 11:09:46 AM FINEST sun.net.www.protocol.http.HttpURLConnection
ProxySelector Request for https://sso.keycloak.xyz/realms/Corp/protocol/openid-connect/token

Feb 01, 2025 11:09:46 AM FINEST sun.net.www.protocol.http.HttpURLConnection
Looking for HttpClient for URL https://sso.keycloak.xyz/realms/Corp/protocol/openid-connect/token and proxy value of DIRECT

Feb 01, 2025 11:09:46 AM FINEST sun.net.www.protocol.http.HttpURLConnection
Creating new HttpsClient with url:https://sso.keycloak.xyz/realms/Corp/protocol/openid-connect/token and proxy:DIRECT with connect timeout:500

Feb 01, 2025 11:09:46 AM FINEST sun.net.www.protocol.http.HttpURLConnection
Proxy used: DIRECT

Feb 01, 2025 11:09:46 AM FINE sun.net.www.protocol.http.HttpURLConnection
sun.net.www.MessageHeader@423e00d5 pairs: {GET /realms/Corp/protocol/openid-connect/token HTTP/1.1: null}{User-Agent: Java/17.0.13}{Host: sso.keycloak.xyz}{Accept: */*}{Connection: keep-alive}