---
title: "Jenkins"
description: "Integrating Jenkins with the Authelia OpenID Connect 1.0 Provider."
date: 2024-04-13T13:46:05+10:00
draft: false
weight: 620
toc: true
---
## Tested Versions
{{% oidc-common %}}
## Assumptions

This example makes the following assumptions:

- Application Root URL: `https://jenkins.{{< sitevar name="domain" nojs="example.com" >}}/`
- Authelia Root URL: `https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/`
- Client ID: `jenkins`
- Client Secret: `insecure_secret`
Some of the values presented in this guide can automatically be replaced with documentation variables.
{{< sitevar-preferences >}}
## Configuration

### Authelia

The following YAML configuration is an example Authelia client configuration for use with Jenkins which will operate with the application example:

```yaml
identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_id: 'jenkins'
        client_name: 'Jenkins'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://jenkins.{{< sitevar name="domain" nojs="example.com" >}}/accounts/authelia/login/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
          - 'groups'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
```
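Only the digest of the client secret is stored on the Authelia side, while Jenkins receives the plaintext `insecure_secret`. As an added example (not code from this page or from the Authelia project), the following Python shows how that `$pbkdf2-sha512$...` digest is parsed and checked against the plaintext; it assumes Authelia's PBKDF2 digests use the passlib-compatible "adapted base64" encoding (standard alphabet with `.` in place of `+`, no padding).

```python
import base64
import hashlib
import hmac

# Copied from the Authelia client configuration above: the digest of 'insecure_secret'.
JENKINS_CLIENT_SECRET_DIGEST = (
    "$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$"
    "JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng"
)


def _ab64_decode(text: str) -> bytes:
    """Decode 'adapted base64' (assumed encoding): '.' stands for '+', padding is omitted."""
    padded = text.replace(".", "+") + "=" * (-len(text) % 4)
    return base64.b64decode(padded)


def parse_pbkdf2_digest(digest: str) -> dict:
    """Split a '$pbkdf2-<hash>$<iterations>$<salt>$<key>' string into its components."""
    fields = digest.split("$")
    if len(fields) != 5 or fields[0] != "" or not fields[1].startswith("pbkdf2-"):
        raise ValueError("not a pbkdf2 PHC-style digest")
    return {
        "hash_name": fields[1][len("pbkdf2-"):],  # e.g. 'sha512'
        "iterations": int(fields[2]),
        "salt": _ab64_decode(fields[3]),
        "key": _ab64_decode(fields[4]),
    }


def verify_client_secret(secret: str, digest: str) -> bool:
    """Return True when the plaintext secret re-derives the stored key; constant-time compare."""
    parts = parse_pbkdf2_digest(digest)
    derived = hashlib.pbkdf2_hmac(
        parts["hash_name"], secret.encode(), parts["salt"], parts["iterations"], dklen=len(parts["key"])
    )
    return hmac.compare_digest(derived, parts["key"])


if __name__ == "__main__":
    print(verify_client_secret("insecure_secret", JENKINS_CLIENT_SECRET_DIGEST))  # True
```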
### Application

#### Installation

The plugin required to use OpenID Connect 1.0 can either be installed and configured via the GUI or via Jenkins Configuration as Code.

##### Via the UI

To install the Jenkins plugin for OpenID Connect 1.0 via the UI:

1. Visit `Manage Jenkins`.
2. Visit `Plugins`.
3. Visit `Available Plugins`.
4. Search for `oic-auth`.
5. Install.
6. Restart Jenkins.
7. Proceed to the Configuration step.
##### Via Jenkins Configuration as Code

Ensure the plugin is installed before running the Jenkins Configuration as Code:

```shell
jenkins-plugin-cli --plugins oic-auth
```

Add this to your Jenkins Configuration as Code:

```yaml
jenkins:
  systemMessage: "This Jenkins instance was configured using the Authelia example Configuration as Code, thanks Authelia!"
  securityRealm:
    oic:
      automanualconfigure: auto
      wellKnownOpenIDConfigurationUrl: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/.well-known/openid-configuration
      clientId: jenkins
      clientSecret: insecure_secret
      tokenAuthMethod: client_secret_basic
      scopes: openid profile email groups
      userNameField: preferred_username
      groupsFieldName: groups
      fullNameFieldName: name
      emailFieldName: email
      pkceEnabled: true
      # escapeHatchEnabled: <boolean>
      # escapeHatchUsername: escapeHatchUsername
      # escapeHatchSecret: <string:secret>
      # escapeHatchGroup: <string>
```
#### Configuration

To configure Jenkins to utilize Authelia as an OpenID Connect 1.0 Provider:

1. Visit `Manage Jenkins`.
2. Visit `Security`.
3. Select `Login with Openid Connect` in the Security Realm.
4. Enter `jenkins` in the `Client id` field.
5. Enter `insecure_secret` in the `Client secret` field.
6. Select `Automatic configuration` from the configuration mode.
7. Enter `https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/.well-known/openid-configuration` in the `Well-known configuration endpoint` field.
8. Select `Override scopes`.
9. Enter `openid profile email groups` in the `Scopes` field.
10. Expand `Advanced`.
11. Enter `preferred_username` into the `User name field name` field.
12. Enter `name` into the `Full name field name` field.
13. Enter `email` into the `Email field name` field.
14. Enter `groups` into the `Groups field name` field.
15. Select `Enable Proof Key for Code Exchange`.
16. Consider using the `Configure 'escape hatch' for when the OpenID Provider is unavailable` option to prevent login issues.