mirrors
/
authelia
mirror of https://github.com/authelia/authelia.git
0
0
Fork 0
Code Issues Projects Releases Wiki Activity
authelia/docs/content/integration/openid-connect/jenkins/index.md

161 lines
5.2 KiB
Markdown
Raw Permalink Blame History

---
title: "Jenkins"
description: "Integrating Jenkins with the Authelia OpenID Connect 1.0 Provider."
summary: ""
date: 2024-04-13T13:46:05+10:00
draft: false
images: []
weight: 620
toc: true
support:
level: community
versions: true
integration: true
seo:
title: "" # custom title (optional)
description: "" # custom description (recommended)
canonical: "" # custom canonical URL (optional)
noindex: false # false (default) or true
---
## Tested Versions
* [Authelia]
* [v4.38.0](https://github.com/authelia/authelia/releases/tag/v4.38.0)
* [Jenkins]
* [v2.453](https://www.jenkins.io/changelog/2.453/)
{{% oidc-common %}}
### Assumptions
This example makes the following assumptions:
* __Application Root URL:__ `https://jenkins.{{< sitevar name="domain" nojs="example.com" >}}/`
* __Authelia Root URL:__ `https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/`
* __Client ID:__ `jenkins`
* __Client Secret:__ `insecure_secret`
Some of the values presented in this guide can automatically be replaced with documentation variables.
{{< sitevar-preferences >}}
## Configuration
### Authelia
The following YAML configuration is an example __Authelia__ [client configuration] for use with [Jenkins] which will
operate with the application example:
```yaml {title="configuration.yml"}
identity_providers:
oidc:
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
clients:
- client_id: 'jenkins'
client_name: 'Jenkins'
client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
public: false
authorization_policy: 'two_factor'
require_pkce: true
pkce_challenge_method: 'S256'
redirect_uris:
- 'https://jenkins.{{< sitevar name="domain" nojs="example.com" >}}/accounts/authelia/login/callback'
scopes:
- 'openid'
- 'profile'
- 'email'
- 'groups'
userinfo_signed_response_alg: 'none'
token_endpoint_auth_method: 'client_secret_basic'
```
### Application
#### Installation
The plugin required to use [OpenID Connect 1.0] can either be installed and configured via the GUI or via [Jenkins]
Configuration as Code.
##### Via the UI
To install the [Jenkins] plugin for [OpenID Connect 1.0] via the UI:
1. Visit `Manage Jenkins`.
2. Visit `Plugins`.
3. Visit `Available Plugins`.
4. Search for `oic-auth`.
5. Install.
6. Restart [Jenkins].
7. Proceed to the [Configuration](#configuration-1) step.
##### Via Jenkins Configuration as Code
Ensure the plugin is installed before running the Jenkins Configuration as Code:
```bash
jenkins-plugin-cli --plugins oic-auth
```
Add this to your Jenkins Configuration as Code:
```yaml
jenkins:
systemMessage: "This Jenkins instance was configured using the Authelia example Configuration as Code, thanks Authelia!"
securityRealm:
oic:
automanualconfigure: auto
wellKnownOpenIDConfigurationUrl: https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/.well-known/openid-configuration
clientId: jenkins
clientSecret: insecure_secret
tokenAuthMethod: client_secret_basic
scopes: openid profile email groups
userNameField: preferred_username
groupsFieldName: groups
fullNameFieldName: name
emailFieldName: email
pkceEnabled: true
# escapeHatchEnabled: <boolean>
# escapeHatchUsername: escapeHatchUsername
# escapeHatchSecret: <string:secret>
# escapeHatchGroup: <string>
```
#### Configuration
To configure [Jenkins] to utilize Authelia as an [OpenID Connect 1.0] Provider:
1. Visit `Manage Jenkins`.
2. Visit `Security`.
3. Select `Login with Openid Connect` in the Security Realm.
4. Enter `jenkins` in the `Client id` field.
5. Enter `insecure_secret` in the `Client secret` field.
6. Select `Automatic configuration` from the configuration mode.
7. Enter `https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/.well-known/openid-configuration` in the `Well-known configuration endpoint` field.
8. Select `Override scopes`.
9. Enter `openid profile email groups` in the `Scopes` field.
10. Expand `Advanced`.
11. Enter `preferred_username` into the `User name field name` field.
12. Enter `name` into the `Full name field name` field.
13. Enter `email` into the `Email field name` field.
14. Enter `groups` into the `Groups field name` field.
15. Select `Enable Proof Key for Code Exchange`.
16. Consider using the `Configure 'escape hatch' for when the OpenID Provider is unavailable` to prevent login issues.
## See Also
- [Jenkins OpenID Connect Documentation](https://plugins.jenkins.io/oic-auth/)
- [Jenkins OpenID JCasC Documentation](https://github.com/jenkinsci/oic-auth-plugin/blob/master/docs/configuration/README.md)
[Jenkins]: https://www.jenkins.io/
[Authelia]: https://www.authelia.com
[OpenID Connect 1.0]: ../../openid-connect/introduction.md
[client configuration]: ../../../configuration/identity-providers/openid-connect/clients.md
Reference in New Issue View Git Blame Copy Permalink