Add custom parameters to authorize and logout endpoints #480
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #480 +/- ##
============================================
+ Coverage 72.55% 74.38% +1.83%
- Complexity 248 282 +34
============================================
Files 20 24 +4
Lines 1115 1183 +68
Branches 154 169 +15
============================================
+ Hits 809 880 +71
+ Misses 210 207 -3
Partials 96 96 ☔ View full report in Codecov by Sentry. |
eva-mueller-coremedia
force-pushed
the
query-params
branch
from
58e2662 to
36fe900
Compare
eva-mueller-coremedia
changed the title
There was a problem hiding this comment.
Hi @eva-mueller-coremedia thanks for this.
I have had a quick look and have a few comments around the UX side.
The extra parameters would IIUC not be needed in the majority of conformant IDPs, as such do you thing they should be hidden behind an advanced section?
the use of a single string for multiple keyvalue pairs (and the encoding /splitting shenaningans) would seem to be error prone (and it lacks good warnings on invalid input). (a value may need to encode & and then you need to escape it)
Would making the KeyValue a Describable and using a repeatable option using repeatableProperty or the like (which can then perform individual valuation of the key and the value). NB not sur how this would look in CasC.
|
@jtnord Thanks for the feedback, will try to follow a key value pair pattern. If you don't mind, I would like to remove the UI at all - only provide it to be set via CasC resp. Java/Groovy code. Any objections? |
it's generally considered bad to have something exposed in the UI and not CasC and vice versa. Not exposing in the UI can lead to it getting overridden if someone saves the Jenkins form in the UI (which I say you should never do as if you manage by code you should have a read only system UI, but it is useful on test systems where you want to make changes in the UI and then export the config for applying to a different server). |
Understood. 👍 I will have a look to implement it the way you described initially. Thanks for the explanation! |
eva-mueller-coremedia
force-pushed
the
query-params
branch
2 times, most recently
from
418804d to
dce7676
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
src/main/java/org/jenkinsci/plugins/oic/OicQueryParameterConfiguration.java
Fixed
Show fixed
Hide fixed
eva-mueller-coremedia
force-pushed
the
query-params
branch
2 times, most recently
from
01a48ec to
bf28327
Compare
src/main/java/org/jenkinsci/plugins/oic/OicServerWellKnownConfiguration.java
Outdated
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/oic/OicQueryParameterConfiguration.java
Outdated
Show resolved
Hide resolved
src/main/java/org/jenkinsci/plugins/oic/OicQueryParameterConfiguration.java
Outdated
Show resolved
Hide resolved
|
@jtnord Thanks for the review. Will take care after my 1 week vacation. |
eva-mueller-coremedia
force-pushed
the
query-params
branch
from
bf28327 to
08746a7
Compare
|
@jtnord How to re-trigger the failed Jenkins run - there has been a |
For non maintainers, adding a new commit. |
eva-mueller-coremedia
force-pushed
the
query-params
branch
3 times, most recently
from
2c20523 to
e933a1c
Compare
eva-mueller-coremedia
force-pushed
the
query-params
branch
3 times, most recently
from
3e7c8cd to
219bd26
Compare
|
Sorry for nudging again - @jtnord @michael-doubez would be great if you could have a look. |
There was a problem hiding this comment.
The code looks reasonable but some things look a little weird and I am wondering if thebUX can be improved at all.
I wanted to try and get some time to see if this can be improved and submit a PR to the PR as doing so after merging would possibly require even more data migration that we already have.realistically this is not going to happen this week.
Thanks for this estimate. Would be great to see this feature in the (near) future since AWS Cognito requires some additional query parameters. It would be great if you could keep me/subscribers posted about the state of this PR from time to time. Thanks in advance. |
|
@eva-mueller-coremedia I filed Moves the parameters to their own types and added validation for them so it's validated in the UI. Also ensures the config can never be invalid. |
eva-mueller-coremedia
force-pushed
the
query-params
branch
from
cb33a89 to
4093c81
Compare
src/main/java/org/jenkinsci/plugins/oic/AbstractKeyValueDescribable.java
Dismissed
Show dismissed
Hide dismissed
| public static class DescriptorImpl extends AbstractKeyValueDescribable.DescriptorImpl<LoginQueryParameter> { | ||
|
|
||
| @Override | ||
| public FormValidation doCheckKey(@QueryParameter String key) { |
Check warning
Code scanning / Jenkins Security Scan
Stapler: Missing permission check Warning
There was a problem hiding this comment.
There is nothing sensitive here.
Whilst we could add a permission check we are only doing string comparisons
There was a problem hiding this comment.
@jtnord Unfortunately, I do not know how to resolve all the problems found by the github-advanced-security. Can you help me here or step in? That would be great.
Also there is already one dismissed problem. Dunno who or how this got dismissed.
There was a problem hiding this comment.
I can take a look.
I dismissed one as a false positive. (key was not sensitive in that context)
| public static class DescriptorImpl extends AbstractKeyValueDescribable.DescriptorImpl<LoginQueryParameter> { | ||
|
|
||
| @Override | ||
| public FormValidation doCheckKey(@QueryParameter String key) { |
Check warning
Code scanning / Jenkins Security Scan
Stapler: Missing POST/RequirePOST annotation Warning
| public static class DescriptorImpl extends AbstractKeyValueDescribable.DescriptorImpl<LogoutQueryParameter> { | ||
|
|
||
| @Override | ||
| public FormValidation doCheckKey(@QueryParameter String key) { |
Check warning
Code scanning / Jenkins Security Scan
Stapler: Missing permission check Warning
| public static class DescriptorImpl extends AbstractKeyValueDescribable.DescriptorImpl<LogoutQueryParameter> { | ||
|
|
||
| @Override | ||
| public FormValidation doCheckKey(@QueryParameter String key) { |
Check warning
Code scanning / Jenkins Security Scan
Stapler: Missing POST/RequirePOST annotation Warning
Thank you for the PR. I additionally removed the commented out test. |
This allows us to add parameter validation in the UI as the validation is now performed in the descriptor and prevents a bad describable from being constructed.
eva-mueller-coremedia
force-pushed
the
query-params
branch
from
85a93f0 to
e33fadb
Compare
| throw new Descriptor.FormException(valueValidation.getMessage(), "value"); | ||
| } | ||
| this.key = key.trim(); | ||
| this.value = value == null ? "" : value.trim(); |
There was a problem hiding this comment.
Hi @jtnord - I added some more test cases and encountered for LogoutQueryParameters a NPE when the value is null.
Is this solution OK for you?
In case the this.value should then be null, then all getValue() needs to be covered as well.
This PR
maybeOpenIdLogoutEndpointhas been refactored when it comes to combining all parametersorg.pac4j.oidc.config.OidcConfigurationmaybeOpenIdLogoutEndpointlikeid_token_hint,state,post_logout_redirect_uriTesting done
This change has been tested by unit tests as well as local testing agains AWS Cognito.
Submitter checklist