invalid auth after 3 minutes of inactivity #411

Open
edwinvanderham opened this issue Oct 4, 2024 · 12 comments

Comments

@edwinvanderham

edwinvanderham commented Oct 4, 2024

Jenkins and plugins versions report

Environment
Jenkins: 2.462.3
OS: Linux - 6.1.0-25-cloud-arm64
Java: 17.0.12 - Debian (OpenJDK 64-Bit Server VM)
---
agent-maintenance:2.207.v73c521a_1d9db_
amazon-ecs:1.49
analysis-model-api:12.7.0
ansicolor:1.0.4
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
apache-httpcomponents-client-5-api:5.4-118.v199115451c4d
asm-api:9.7-33.v4d23ef79fcc8
audit-trail:361.v82cde86c784e
authentication-tokens:1.119.v50285141b_7e1
aws-credentials:231.v08a_59f17d742
aws-java-sdk-ec2:1.12.767-467.vb_e93f0c614b_6
aws-java-sdk-ecs:1.12.767-467.vb_e93f0c614b_6
aws-java-sdk-efs:1.12.767-467.vb_e93f0c614b_6
aws-java-sdk-minimal:1.12.767-467.vb_e93f0c614b_6
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1178.v969d9eb_c728e
build-monitor-plugin:1.14-925.v95b_9089a_4c7f
build-name-setter:2.4.3
build-timeout:1.33
build-timestamp:1.0.3
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.1
cloudbees-folder:6.955.v81e2a_35c08d3
command-launcher:115.vd8b_301cc15d0
commons-httpclient3-api:3.1-3
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.12.0-129.v99a_50df237f7
conditional-buildstep:1.4.3
config-file-provider:978.v8e85886ffdc4
copyartifact:749.vfb_dca_a_9b_6549
credentials:1381.v2c3a_12074da_b_
credentials-binding:681.vf91669a_32e45
cucumber-reports:5.8.3
data-tables-api:2.1.6-1
dependency-check-jenkins-plugin:5.5.1
description-setter:252.v98a_7fd3b_c3c1
display-url-api:2.204.vf6fddd8a_8b_e9
dtkit-api:3.0.2
durable-task:577.v2a_8a_4b_7c0247
echarts-api:5.5.1-1
eddsa-api:0.3.0-4.v84c6f0f4969e
email-ext:1844.v3ea_a_b_842374a_
envinject:2.919.v009a_a_1067cd0
envinject-api:1.199.v3ce31253ed13
ez-templates:1.3.5
fail-the-build-plugin:5.v153b_2c826ef0
flatpickr-api:4.6.13-5.v534d8025a_a_59
flexible-publish:0.16.1
font-awesome-api:6.6.0-2
forensics-api:2.6.0
generic-webhook-trigger:2.2.2
git:5.5.1
git-client:5.0.0
git-parameter:0.9.19
gitlab-api:5.6.0-97.v6603a_83f8690
gitlab-branch-source:710.v6f19df32544b_
gitlab-plugin:1.8.1
gradle:2.13
gson-api:2.11.0-41.v019fcf6125dc
handy-uri-templates-2-api:2.1.8-30.v7e777411b_148
htmlpublisher:1.36
instance-identity:201.vd2a_b_5a_468a_a_6
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javadoc:280.v050b_5c849f69
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
jdk-tool:80.v8a_dee33ed6f0
jersey2-api:2.44-151.v6df377fff741
jjwt-api:0.11.5-112.ve82dfb_224b_a_d
joda-time-api:2.13.0-85.vb_64d1c2921f1
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20240303-41.v94e11e6de726
json-path-api:2.9.0-58.v62e3e85b_a_655
junit:1303.v05e2505656b_7
keycloak:2.3.2
lockable-resources:1315.v4ea_8e5159ec8
mailer:488.v0c9639c1a_eb_3
managed-scripts:1.5.6
matrix-auth:3.2.2
matrix-project:838.v4d7b_7b_f9b_d4b_
maven-plugin:3.23
mina-sshd-api-common:2.14.0-131.v04e9b_6b_e0362
mina-sshd-api-core:2.14.0-131.v04e9b_6b_e0362
nested-view:1.34
nexus-artifact-uploader:2.14
nodejs:1.6.2
nodelabelparameter:1.12.0
oic-auth:4.355.v3a_fb_fca_b_96d4
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
parameterized-scheduler:277.v61a_4b_a_49a_c5c
parameterized-trigger:806.vf6fff3e28c3e
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-groovy-lib:730.ve57b_34648c63
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-definition:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-extensions:2.2214.vb_b_34b_2ea_9b_83
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2214.vb_b_34b_2ea_9b_83
pipeline-stage-view:2.34
plain-credentials:183.va_de8f1dd5a_2b_
plugin-util-api:5.1.0
postbuildscript:3.3.0-654.v67cf36130d78
prism-api:1.29.0-17
release:2.19
resource-disposer:0.24
run-condition:1.7
scm-api:696.v778d637b_a_762
script-security:1362.v67dc1f0e1b_b_3
snakeyaml-api:2.3-123.v13484c65210a_
sonar:2.17.2
ssh-credentials:343.v884f71d78167
sshd:3.330.vc866a_8389b_58
structs:338.v848422169819
testcafe:1.0
throttle-concurrents:2.14
timestamper:1.27
token-macro:400.v35420b_922dcb_
trilead-api:2.147.vb_73cc728a_32e
variant:60.v7290fc0eb_b_cd
warnings-ng:11.9.0
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1336.vee415d95c521
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3969.vdc9d3a_efcc6a_
workflow-durable-task-step:1371.vb_7cec8f3b_95e
workflow-job:1436.vfa_244484591f
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:926.v9f4f9b_b_98c19
ws-cleanup:0.46
xunit:3.1.5

What Operating System are you using (both controller, and any agents involved in the problem)?

Linux

Reproduction steps

  1. Open the configuration page for any job
  2. Wait for at least 3 minutes
  3. Click on the "Save" Button

Expected Results

Normally, the job configuration would be updated and the job overview shown

Actual Results

Instead of the job configuration being saved, an error page is shown:

HTTP ERROR 403 No valid crumb was included in the request

URI: /view/Playground/job/playground/job/test/configSubmit
STATUS: 403
MESSAGE: No valid crumb was included in the request
SERVLET: Stapler


It looks like the current auth token has been invalidated after 3 minutes of inactivity. When I go back to the Jenkins main page I am still logged in, presumably because there has been a refresh request on the OIDC provider allowing my session to be valid again.

Anything else?

This behaviour started after upgrading both Jenkins from version 2.462.2 to 2.462.3 and the oic plugin from version 4.303.v84089a_708ea_7 to the latest 4.355.v3a_fb_fca_b_96d4

Maybe relevant to mention: I did not configure an issuer in the plugin configuration after the upgrade.

I see similar behaviour if I open the Jenkins System Log page (/manage/log/all), then wait for 3 minutes and then refresh the browser. This gives me the Jenkins "Oops! Not Found" page.

Are you interested in contributing a fix?

No response

@eva-mueller-coremedia
Contributor

eva-mueller-coremedia commented Oct 5, 2024

This behaviour started after upgrading both Jenkins from version 2.462.2 to 2.462.3 and the oic plugin from version 4.340.ve70636c6590e to the latest 4.355.v3a_fb_fca_b_96d4

I also updated Jenkins to 2.462.3 and the oic-auth plugin to version 4.355.v3a_fb_fca_b_96d4, but I could not reproduce the reported behaviour (even w/o the required issuer for the manual configuration case of the oic-auth plugin)

Did you try

  • to update the Jenkins version first and check whether you encounter the error with the latest working oic-auth plugin?
  • If the Jenkins update does not cause any trouble, update the oic-auth plugin and see whether the plugin causes the trouble.
  • If so, did adding the issuer solve the problem?

My Environment

Jenkins: 2.462.3
OS: Linux - 6.6.30-0-virt
Java: 17.0.12 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
asm-api:9.7-33.v4d23ef79fcc8
authorize-project:1.7.2
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1178.v969d9eb_c728e
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.1
cloudbees-folder:6.955.v81e2a_35c08d3
commons-compress-api:1.26.1-2
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.12.0-129.v99a_50df237f7
credentials:1381.v2c3a_12074da_b_
credentials-binding:681.vf91669a_32e45
data-tables-api:2.1.6-1
display-url-api:2.204.vf6fddd8a_8b_e9
downstream-build-cache:1.7
durable-task:577.v2a_8a_4b_7c0247
echarts-api:5.5.1-1
eddsa-api:0.3.0-4.v84c6f0f4969e
favorite:2.221.v19ca_666b_62f5
font-awesome-api:6.6.0-2
git:5.5.2
git-client:5.0.0
groovy:457.v99900cb_85593
gson-api:2.11.0-41.v019fcf6125dc
instance-identity:201.vd2a_b_5a_468a_a_6
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
job-dsl:1.89
joda-time-api:2.13.0-85.vb_64d1c2921f1
jquery3-api:3.7.1-2
json-api:20240303-41.v94e11e6de726
json-path-api:2.9.0-58.v62e3e85b_a_655
junit:1303.v05e2505656b_7
lockable-resources:1315.v4ea_8e5159ec8
mailer:488.v0c9639c1a_eb_3
markdown-formatter:225.v859f46dea_3b_5
mask-passwords:173.v6a_077a_291eb_5
matrix-auth:3.2.2
matrix-project:838.v4d7b_7b_f9b_d4b_
metrics:4.2.21-451.vd51df8df52ec
mina-sshd-api-common:2.14.0-131.v04e9b_6b_e0362
mina-sshd-api-core:2.14.0-131.v04e9b_6b_e0362
oic-auth:4.355.v3a_fb_fca_b_96d4
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-graph-view:340.v28cecee8b_25f
pipeline-groovy-lib:730.ve57b_34648c63
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-definition:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-extensions:2.2214.vb_b_34b_2ea_9b_83
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2214.vb_b_34b_2ea_9b_83
pipeline-utility-steps:2.17.0
plain-credentials:183.va_de8f1dd5a_2b_
plugin-util-api:5.1.0
rebuild:332.va_1ee476d8f6d
resource-disposer:0.24
scm-api:696.v778d637b_a_762
script-security:1362.v67dc1f0e1b_b_3
simple-theme-plugin:196.v96d9592f4efa_
snakeyaml-api:2.3-123.v13484c65210a_
ssh-credentials:343.v884f71d78167
ssh-slaves:2.973.v0fa_8c0dea_f9f
sshd:3.330.vc866a_8389b_58
structs:338.v848422169819
timestamper:1.27
token-macro:400.v35420b_922dcb_
trilead-api:2.147.vb_73cc728a_32e
uno-choice:2.8.3
variant:60.v7290fc0eb_b_cd
view-job-filters:382.vdf2d5e3f02f0
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1336.vee415d95c521
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3969.vdc9d3a_efcc6a_
workflow-durable-task-step:1371.vb_7cec8f3b_95e
workflow-job:1436.vfa_244484591f
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:926.v9f4f9b_b_98c19
ws-cleanup:0.46
yet-another-build-visualizer:1.17

@edwinvanderham
Author

Thanks for your response. I just reverted the plugin to version 4.303.v84089a_708ea_7, which is the version I was using before the upgrade to the latest (sorry, I mentioned the wrong version in my bug description). I also reverted the changes to the Jenkins config.xml that were done by the plugin upgrade, because the new plugin config is incompatible with the old one.

I am still on the latest Jenkins and now everything works as expected again, except for the security warning ;)
Maybe worth mentioning is that I have overridden the default sessionTimeout and sessionEviction with custom values.

Excerpt from /etc/systemd/system/jenkins.service.d/override.conf:

Environment="JENKINS_OPTS=--sessionTimeout=600 --sessionEviction=28800"

Could these settings cause the aforementioned problem?
I will try to figure out what exact plugin version is causing this by manually upgrading to newer versions one at a time.

@edwinvanderham
Author

edwinvanderham commented Oct 6, 2024

I was able to do some more exhaustive testing with different versions of the plugin and found some interesting results:

It seems like this is related to the session timeout configured in our Keycloak server. I still need to figure this out with another team, but I suspect it is set to a few minutes in my situation. This would then get me into the situation where the Jenkins session is still valid but the OIDC token needs to be refreshed. Refresh works fine for pages in Jenkins that do not POST any content, but apparently fails for others such as saving a job configuration.

@rorobig

rorobig commented Oct 7, 2024

@edwinvanderham Have you tried enabling refresh tokens in your OIDC configuration?

@edwinvanderham
Author

@rorobig that is a good suggestion, I did not try this. Will let you know if this helps.

@rorobig

rorobig commented Oct 7, 2024

I have this version of the plugin installed together with the refresh tokens configuration and I haven't seen this bug in a while; however, I'm not 100% certain that this is the fix.

This bug is a bit tricky to reproduce, seeing how it's a timing issue.

@edwinvanderham
Author

I will let you know after business hours, it is a little bit tricky to test this while the CI is used by many other people for building our software

@rorobig

rorobig commented Oct 7, 2024

I just got the issue again while using refresh tokens so unfortunately that is not the fix. Gotta look further..

@jtnord
Member

jtnord commented Oct 9, 2024

Environment="JENKINS_OPTS=--sessionTimeout=600 --sessionEviction=28800"

I think this is expected. If your browser is inactive for this amount of time then the session will be gone (sessionTimeout). The session timeout should be longer than the access token's lifetime (if you want the refresh token to work).

@jtnord
Member

jtnord commented Oct 9, 2024

Refresh works fine for pages in Jenkins that do not POST any content

This may not be a refresh, but that you are bounced to the OIC server to authenticate again (refresh would be using a refresh token which will not redirect you at all in the browser).

The CSRF crumb needs the user to be the same when issuing the crumb and when using the crumb (if your Jenkins session has timed out then you have in effect gone from logged-in to logged-out).

@edwinvanderham
Author

edwinvanderham commented Oct 9, 2024

Environment="JENKINS_OPTS=--sessionTimeout=600 --sessionEviction=28800"

I think this is expected. If your browser is inactive for this amount of time then the session will be gone (sessionTimeout). The session timeout should be longer than the access token's lifetime (if you want the refresh token to work).

Yes, it is expected that the session times out after 600 minutes; in my case it is only a few minutes after which I cannot submit a job configuration change anymore, but I can still refresh the main page without having to re-login.

Unfortunately sessionTimeout is specified in minutes and sessionEviction in seconds. See https://www.cleanwinner.com/2020/04/09/jenkins-session-timeout/

@jtnord
Member

jtnord commented Oct 9, 2024

I would surmise that the access token received from the RP has a lifetime of 3 minutes (which is perfectly reasonable).
However, if the token fails to renew you should get bounced to the login page, or get an error (and processing should not continue to the crumb).

So the crumb becomes invalid - the question is then why.....

The crumb contains the user ID

https://github.com/jenkinsci/oic-auth-plugin/releases/tag/4.346.v10401f543622 (#394) implies that the OP returns differently-cased usernames for the same user in some situations.

I am wondering if that mismatch is the cause here: we are using the received username verbatim here, which is called from

loginAndSetUserData(username, parsedIdToken, userInfo, refreshedCredentials);
as part of the refresh.

I think we should pass the username through IdStrategy.keyFor to perform normalisation.
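The following is an added model of the crumb/user-ID mismatch suspected in the comment above; it is an illustration written for this thread, not code from the oic-auth plugin or from Jenkins core, and it does not reproduce Jenkins' real DefaultCrumbIssuer. The crumb is modelled as an HMAC over the session ID and the user ID key. `case_sensitive_key` stands for using the received username verbatim, and `case_insensitive_key` is a constructed stand-in for what a case-insensitive `IdStrategy.keyFor` normalisation would do; the session IDs, user names and secret are all constructed for the example.

```python
"""
Model: a CSRF crumb bound to (session id, user id key), and what happens to a
crumb issued before a token refresh when the refresh logs the same user in
again under a differently-cased name.

Added example for this thread. Not the oic-auth plugin's or Jenkins' code;
the HMAC construction is a constructed stand-in for DefaultCrumbIssuer.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable

# Constructed secret; a real crumb issuer keeps its own per-instance secret.
SECRET = b"constructed-crumb-secret"


def case_sensitive_key(user_id: str) -> str:
    """Use the received username verbatim (the behaviour suspected on refresh)."""
    return user_id


def case_insensitive_key(user_id: str) -> str:
    """Normalise like a case-insensitive id strategy would (stand-in for IdStrategy.keyFor)."""
    return user_id.lower()


@dataclass
class Session:
    session_id: str   # the HTTP session (JSESSIONID), unchanged by a token refresh
    user_id: str      # the user principal currently bound to that session


def issue_crumb(session: Session, key_for: Callable[[str], str]) -> str:
    """Bind the crumb to the session id and the (possibly normalised) user id."""
    msg = f"{session.session_id}:{key_for(session.user_id)}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def validate_crumb(session: Session, crumb: str, key_for: Callable[[str], str]) -> bool:
    """A crumb is valid only if recomputing it for the current session/user matches."""
    return hmac.compare_digest(issue_crumb(session, key_for), crumb)


def simulate_config_submit(login_name: str, refreshed_name: str,
                           key_for: Callable[[str], str]) -> bool:
    """
    1. The user logs in; the config page is rendered with a crumb bound to login_name.
    2. The access token expires; the refresh re-logs the user in under refreshed_name,
       in the same HTTP session (same session id).
    3. The browser POSTs the stale form with the crumb from step 1.
    Returns True if the POST passes crumb validation.
    """
    session = Session(session_id="JSESSIONID-1234", user_id=login_name)  # constructed
    crumb = issue_crumb(session, key_for)
    session.user_id = refreshed_name          # what loginAndSetUserData would rebind
    return validate_crumb(session, crumb, key_for)


def simulate_after_session_timeout(login_name: str,
                                   key_for: Callable[[str], str]) -> bool:
    """
    Contrast case: the HTTP session itself expired (sessionTimeout), so re-auth
    yields a fresh session id. The old crumb cannot match whatever the strategy.
    """
    old = Session(session_id="JSESSIONID-1234", user_id=login_name)  # constructed
    crumb = issue_crumb(old, key_for)
    new = Session(session_id="JSESSIONID-5678", user_id=login_name)  # constructed
    return validate_crumb(new, crumb, key_for)


if __name__ == "__main__":
    print("same name, verbatim:        ", simulate_config_submit("alice", "alice", case_sensitive_key))
    print("Alice -> alice, verbatim:   ", simulate_config_submit("Alice", "alice", case_sensitive_key))
    print("Alice -> alice, normalised: ", simulate_config_submit("Alice", "alice", case_insensitive_key))
    print("after session timeout:      ", simulate_after_session_timeout("alice", case_insensitive_key))
```

The second and fourth cases both end in a 403 from the crumb check, but for different reasons: in the timeout case the session is gone and a re-login is the right outcome, whereas in the refresh case the session is intact and only the user key changed, which is the mismatch that normalising the name before `loginAndSetUserData` would remove.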
