Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Config Support for usgin UPN rather than Object ID #441

Open
aytuncbeken opened this issue Jul 19, 2023 · 14 comments
Open

Config Support for usgin UPN rather than Object ID #441

aytuncbeken opened this issue Jul 19, 2023 · 14 comments

Comments

@aytuncbeken
Copy link

What feature do you want to see added?

Problem: With the new version of the plugin, Jenkins Users are being created with their Object ID from Azure rather than UPN.
This is causing problems for all the integrated systems where api calls are being made. Also making JCASC configuration less user friendly.

Reques:
Please add an configuration option to the plugin configuration where users can choose to use UPN for Jenkins User IDs.
For example a checkbox on the configuration page of the plugin.

"Use UPN for Jenkins ID"

Thanks in advance.

Upstream changes

No response

@aytuncbeken aytuncbeken changed the title Optional Config Support for user UPN rather than Object ID Config Support for usgin UPN rather than Object ID Jul 19, 2023
@pirouet
Copy link

pirouet commented Aug 19, 2023

This would be an ideal update.

If there are any pointers to check, I'd be happy to look at developing a MR

@aytuncbeken
Copy link
Author

Not sure what pointers to check. Could you please elaborate?

@agrondemiraj
Copy link

agrondemiraj commented Oct 23, 2023

@pirouet

Based on: https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes

Please check with the below attribute:
userPrincipalName

@timja
Copy link
Member

timja commented Oct 23, 2023

bear in mind that you don't actually get the UPN in the id_token by default you would have to modify the manifest to enable it from reading:
https://learn.microsoft.com/en-us/azure/active-directory/develop/optional-claims#v20-specific-optional-claims-set

but it would be possible to add an option to do this.

@agrondemiraj
Copy link

It would be very helpful for an Admin to just input the e-mail in Jenkins when adding the users.
If someone can do the change, it would be highly appreciated.

@abhijeetka
Copy link

Facing the same issue, We tried adding additional Claim of preffered_name and upn still no luck.

Jenkins User ID: 7c59220a-f8cafacc7a17 instead it should be the email id Jenkins User ID:- [email protected] or anyone can guide or suggestions to fix it .

@timja
Copy link
Member

timja commented Feb 16, 2024

instead it should be the email id

Why do you say that it should be the email address?

@abhijeetka
Copy link

abhijeetka commented Feb 16, 2024

@timja There are two things that we are currently looking at.

  1. Jenkins ID should be 'Unique Principal Name' as it will be unique accross Azure AD.
  2. it will easy to use in Curl or Automation calling Jenkins API.

I am not sure if uuid is the solution for Azure Ad Plugin in Jenkins.

Please let us know your thoughts so we can understand and implement our automation accordingly.

Thanks in advance for quick response.

@timja
Copy link
Member

timja commented Feb 16, 2024

Jenkins ID should be 'Unique Principal Name' as it will be unique accross Azure AD.

UPN should not be used according to Microsoft:

https://learn.microsoft.com/en-us/entra/identity-platform/id-token-claims-reference#use-claims-to-reliably-identify-a-user

When identifying a user, it's critical to use information that remains constant and unique across time. Legacy applications sometimes use fields like the email address, phone number, or UPN. All of these fields can change over time, and can also be reused over time. For example, when an employee changes their name, or an employee is given an email address that matches that of a previous, no longer present employee. Your application mustn't use human-readable data to identify a user - human readable generally means someone can read it, and want to change it. Instead, use the claims provided by the OIDC standard, or the extension claims provided by Microsoft - the sub and oid claims.

To correctly store information per-user, use sub or oid alone (which as GUIDs are unique), with tid used for routing or sharding if needed. If you need to share data across services, oid and tid is best as all apps get the same oid and tid claims for a user acting in a tenant. The sub claim is a pair-wise value that's unique. The value is based on a combination of the token recipient, tenant, and user. Two apps that request ID tokens for a user receive different sub claims, but the same oid claims for that user.

It may be possible to allow lookup via 'username' for API calls as I think that's all people mostly want this for.
but as a stable identifier it's not a solution.

see also https://openid.net/specs/openid-connect-core-1_0.html#ClaimStability and https://github.com/MicrosoftDocs/azure-docs/issues/14498

@abhijeetka
Copy link

Make sense. @timja Thanks for the clarification.

@ibidani
Copy link
Contributor

ibidani commented May 7, 2024

@timja I understand the need in the backend for unique identification. However with the latest version of the plugin users showing up as hash instead of UPN or email. Is it possible that once authentication completed we can resolve the objectID to UPN or email? can it be configurable?

@timja
Copy link
Member

timja commented May 7, 2024

where are they showing up as a hash?

@annepavan
Copy link

Hi, I work with @ibidani. What Idan meant is the Jenkins User ID is showing up as Azure Object ID with latest version of plugin. We are on latest LTS(2.440.3) version of jenkins with azure ad plugin version 385.v5d9f88612dd2. Please find the screenshot below. Question, Is there any way to update the Jenkins User ID to UPN instead of objectID? is it configurable in any way ?

image

@timja
Copy link
Member

timja commented May 9, 2024

Not currently, why do you need that?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

7 participants