Replace EOL Google Oauth library

[jtnord]

This changes the Google OAuth library which is in maintenance mode with a supported library (nimbusds via pac4j)

Warning
The library requires that the Issuer is set to enforce security and there is no option to disable this requirement as it is mandated in the specification. As such users must first update to 4.355.v3a_fb_fca_b_96d4 to set the Issuer before updating to this version.
Additionally this removes the option to send the scopes when requesting the access token. users of non conformant OPs that require this functionality should remain on the previous version until the provider fixes their implementation.

The change no longer determines how often to refresh the well-known settings (if used), they are now refreshed every hour.

fixes: #313

Testing done

• mvn hpi:run (java11) against a local AD FS server (login, logout) (disable TLS verification) (well known config)
• mvn hpi:run (java11) against a local AD FS server (login, logout) (trusted TLS cert) (well known config)
• java -jar jenkins-2.479.war --httpListenAddress=127.0.0.1 --prefix=/jenkins (java17) against a local AD FS server (login, logout) (disable TLS verification) (well known config)
• JENKINS_VERSION=2.462.3 LOCAL_JARS=/path/to/oic-auth-plugin/target/oic-auth.hpi mvn -Dtest=OicAuthPluginTest
• JENKINS_VERSION=2.479 LOCAL_JARS=/path/to/oic-auth-plugin/target/oic-auth.hpi mvn test -Dtest=OicAuthPluginTest
• mvn hpi:run (java11) against an AWS Cognito server (login, logout) (well known config)
• mvn hpi:run (java11) against an AWS Cognito server (login, logout) (manual config)
• oidcc-client-basic-certification-test-plan passed

Submitter checklist

• Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
• Ensure that the pull request title represents the desired changelog entry
• Please describe what you did
• Link to relevant issues in GitHub or Jira
• Link to relevant pull requests, esp. upstream and downstream changes
• Ensure you have provided tests - that demonstrates feature works or fixes the issue

[jtnord]

there are enough of these in all plugins this should really be in Jenkins core.

[jtnord]

Again, enough plugins use something like this that it should be offered from Jenkins core.

[jtnord]

the OpenID spec says if something is empty is it ommitted completely and does not contain "null"
may as well say we support the default.

[jtnord]

moved up as it is now mandatory to make it more prominent vs the other fields.

[jtnord]

needs to be checked and updated before final merge.

[jtnord]

for a future PR. We can cache the client and invalidate it every 1 hour if using the well-known (as the well known refresh is now hard coded to 1hr).

[jtnord]

not intending for this to happen in this PR but a follow-up that exposes some more advanced options.
e.g. #408

[codecov]

Codecov Report

Attention: Patch coverage is 68.48875% with 98 lines in your changes missing coverage. Please review.

Project coverage is 71.80%. Comparing base (5b51704) to head (d5e1522).
Report is 18 commits behind head on master.

Files with missing lines	Patch %	Lines
...va/org/jenkinsci/plugins/oic/OicSecurityRealm.java	75.48%	26 Missing and 12 partials ⚠️
...i/plugins/oic/OicServerWellKnownConfiguration.java	50.00%	18 Missing and 6 partials ⚠️
...nsci/plugins/oic/OicServerManualConfiguration.java	76.47%	5 Missing and 3 partials ⚠️
...kinsci/plugins/oic/AnythingGoesTokenValidator.java	66.66%	7 Missing ⚠️
...jenkinsci/plugins/oic/CustomOidcConfiguration.java	65.00%	4 Missing and 3 partials ⚠️
...insci/plugins/oic/ProxyAwareResourceRetriever.java	70.58%	3 Missing and 2 partials ⚠️
...nsci/plugins/oic/ssl/AnythingGoesTrustManager.java	37.50%	4 Missing and 1 partial ⚠️
...n/java/org/jenkinsci/plugins/oic/ssl/TLSUtils.java	50.00%	2 Missing and 1 partial ⚠️
...nsci/plugins/oic/ssl/IgnoringHostNameVerifier.java	50.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master     #409      +/-   ##
============================================
- Coverage     72.66%   71.80%   -0.87%     
  Complexity      199      199              
============================================
  Files            16       16              
  Lines           867      883      +16     
  Branches        116      120       +4     
============================================
+ Hits            630      634       +4     
- Misses          177      185       +8     
- Partials         60       64       +4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jtnord]

fixing the NPE, shows there is another more serious issue here, the token validator is used to cehck the id token when refreshing (actually creating a new!) Profile.
The id token may not contain a nonce (in fact "SHOULD NOT") which is the case in AWS Cognito. However the library (infact the token verifier) is expecting a nonce and is then failing that it does not exist.

FINE: Missing JWT nonce (nonce) claim
com.nimbusds.jwt.proc.BadJWTException: Missing JWT nonce (nonce) claim
        at com.nimbusds.openid.connect.sdk.validators.BadJWTExceptions.<clinit>(BadJWTExceptions.java:70)
        at com.nimbusds.openid.connect.sdk.validators.IDTokenClaimsVerifier.verify(IDTokenClaimsVerifier.java:248)
        at com.nimbusds.jwt.proc.DefaultJWTProcessor.verifyClaims(DefaultJWTProcessor.java:271)
        at com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:373)
        at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:321)
        at com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:254)
        at org.pac4j.oidc.profile.creator.TokenValidator.validate(TokenValidator.java:108)
        at org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:108)
        at org.pac4j.core.client.BaseClient.retrieveUserProfile(BaseClient.java:126)
        at org.pac4j.core.client.BaseClient.getUserProfile(BaseClient.java:105)
        at org.pac4j.oidc.client.OidcClient.renewUserProfile(OidcClient.java:69)
        at org.jenkinsci.plugins.oic.OicSecurityRealm.refreshExpiredToken(OicSecurityRealm.java:1220)

This appears to be a bug with pac4j. We ae not using the latest version as that requires java17 which is not required for Jenkins prior to 2.463 (which will mean the upcoming LTS version of 2.479).
Whilst I have not found any indication that pac4j 6.x fixes this, it should be tested as this is the active (comminuity) supported line.

[jtnord]

This appears to be a bug with pac4j. We ae not using the latest version as that requires java17 which is not required for Jenkins prior to 2.463 (which will mean the upcoming LTS version of 2.479). Whilst I have not found any indication that pac4j 6.x fixes this, it should be tested as this is the active (comminuity) supported line.

workaround added in fb4ce0c

@fcojfernandez is attempting to reproduce this with pac4j v6 to either upgrade or file a report upstream

[jtnord]

Whilst we are using code flow, it is not needed, but providers MUST support RS256 so there would always be a more secure option we can use.

[fcojfernandez]

👍

[jglick]

We [are] not using the latest version as that requires java17 which is not required for Jenkins prior to 2.463 (which will mean the upcoming LTS version of 2.479).

I do not think you should hesitate to switch the plugin baseline to 2.479, especially for a major change like this one.

[PereBueno]

For my own learning.
IllegalState instead of IllegalArgument because this is only used during login, so it means configuration was already wrong (and should have been raised when creating the realm once jtnord#1 is merged) isn't it?

[jtnord]

and should have been raised when creating the realm once jtnord#1 is merged

correct

[fcojfernandez]

We [are] not using the latest version as that requires java17 which is not required for Jenkins prior to 2.463 (which will mean the upcoming LTS version of 2.479).

I do not think you should hesitate to switch the plugin baseline to 2.479, especially for a major change like this one.

@jglick I'm doing it as part of #409 (comment)

[jtnord]

@michael-doubez would you like to take a look at this before I merge?

[mikecirioli]

I played around with this locally using a keycloak idp that i already had configured and did not encounter any issues. This change did help me uncover a misconfiguration in my security realm (disable token validation was not checked, but no JWKS url was specified - the old code cleverly hid this from you for some reason 🥲 )