jenkinsci · michael-doubez · Apr 3, 2024 · Apr 3, 2024 · jglick · Apr 4, 2024
@@ -62,6 +62,7 @@
 import io.burt.jmespath.RuntimeConfiguration;
 import io.burt.jmespath.jcf.JcfRuntime;
 import java.io.IOException;
+import java.io.Serializable;
 import java.io.UnsupportedEncodingException;
 import java.lang.reflect.Field;
 import java.net.MalformedURLException;
@@ -119,7 +120,8 @@
 * @author Steve Arch
 */
 @SuppressWarnings("deprecation")
-public class OicSecurityRealm extends SecurityRealm {
+public class OicSecurityRealm extends SecurityRealm implements Serializable {
+    private static final long serialVersionUID = 1L;
 
     private static final Logger LOGGER = Logger.getLogger(OicSecurityRealm.class.getName());
     public static enum TokenAuthMethod { client_secret_basic, client_secret_post };
@@ -803,17 +805,15 @@ public HttpResponse doCommenceLogin(@QueryParameter String from, @Header("Refere
 
         final String redirectOnFinish = getValidRedirectUrl(from != null ? from : referer);
 
-        final AuthorizationCodeFlow flow = this.buildAuthorizationCodeFlow();
-
-        return new OicSession(flow, from, buildOAuthRedirectUrl()) {
+        return new OicSession(from, buildOAuthRedirectUrl()) {
             @Override
-            public HttpResponse onSuccess(String authorizationCode) {
+            public HttpResponse onSuccess(String authorizationCode, AuthorizationCodeFlow flow) {
                 try {
                     AuthorizationCodeTokenRequest tokenRequest = flow.newTokenRequest(authorizationCode)
                         .setRedirectUri(buildOAuthRedirectUrl())
                         .setResponseClass(OicTokenResponse.class);
                     if (!sendScopesInTokenRequest) {
-                        tokenRequest.setScopes(Collections.<String>emptyList());
+                        tokenRequest.setScopes(Collections.emptyList());
                     }
 
                     OicTokenResponse response = (OicTokenResponse) tokenRequest.execute();
@@ -850,7 +850,7 @@ public HttpResponse onSuccess(String authorizationCode) {
                 }
 
             }
-        }.doCommenceLogin(isNonceDisabled());
+        }.commenceLogin(isNonceDisabled(), buildAuthorizationCodeFlow());
     }
 
     @SuppressFBWarnings(
@@ -1132,7 +1132,7 @@ public HttpResponse doFinishLogin(StaplerRequest request) throws IOException {
             LOGGER.fine("No session to resume (perhaps jenkins was restarted?)");
             return HttpResponses.errorWithoutStack(401, "Unauthorized");
         }
-        return currentSession.doFinishLogin(request);
+        return currentSession.finishLogin(request, buildAuthorizationCodeFlow());
     }
 
     @Extension

@@ -32,6 +32,7 @@
 import hudson.model.Failure;
 import hudson.remoting.Base64;
 import java.io.IOException;
+import java.io.Serializable;
 import java.nio.charset.StandardCharsets;
 import java.util.UUID;
 import javax.servlet.http.HttpSession;
@@ -52,9 +53,8 @@
  * @author Michael Bischoff - adoptation
  */
 @SuppressWarnings("deprecation")
-abstract class OicSession {
-
-    private final AuthorizationCodeFlow flow;
+abstract class OicSession implements Serializable {
+    private static final long serialVersionUID = 1L;
 
     /**
      * An opaque value used by the client to maintain state between the request and callback.
@@ -79,8 +79,7 @@ abstract class OicSession {
      */
     private String idToken;
 
-    OicSession(AuthorizationCodeFlow flow, String from, String redirectUrl) {
-        this.flow = flow;
+    OicSession(String from, String redirectUrl) {
         this.from = from;
         this.redirectUrl = redirectUrl;
     }
@@ -100,7 +99,7 @@ private void setupOicSession(HttpSession session) {
      * @return an {@link HttpResponse}
      */
     @Restricted(DoNotUse.class)
-    public HttpResponse doCommenceLogin(boolean disableNonce) {
+    public HttpResponse commenceLogin(boolean disableNonce, AuthorizationCodeFlow flow) {
         setupOicSession(Stapler.getCurrentRequest().getSession());
         AuthorizationCodeRequestUrl authorizationCodeRequestUrl = flow.newAuthorizationUrl().setState(state).setRedirectUri(redirectUrl);
         if (disableNonce) {
@@ -115,7 +114,7 @@ public HttpResponse doCommenceLogin(boolean disableNonce) {
      * When the identity provider is done with its thing, the user comes back here.
      * @return an {@link HttpResponse}
      */
-    public HttpResponse doFinishLogin(StaplerRequest request) throws IOException {
+    public HttpResponse finishLogin(StaplerRequest request, AuthorizationCodeFlow flow) throws IOException {
         StringBuffer buf = request.getRequestURL();
         if (request.getQueryString() != null) {
             buf.append('?').append(request.getQueryString());
@@ -142,7 +141,7 @@ public HttpResponse doFinishLogin(StaplerRequest request) throws IOException {
         }
         setupOicSession(request.getSession(true));
 
-        return onSuccess(code);
+        return onSuccess(code, flow);
     }
 
     /**
@@ -158,7 +157,7 @@ public String getState() {
         return this.state;
     }
 
-    protected abstract HttpResponse onSuccess(String authorizationCode);
+    protected abstract HttpResponse onSuccess(String authorizationCode, AuthorizationCodeFlow flow);
 
     protected final boolean validateNonce(IdToken idToken) {
         if (idToken == null || this.nonce == null) {

@@ -1,5 +1,6 @@
 package org.jenkinsci.plugins.oic;
 
+import com.google.api.client.auth.oauth2.AuthorizationCodeFlow;
 import java.io.IOException;
 import jenkins.model.Jenkins;
 import org.junit.Before;
@@ -28,9 +29,9 @@ public void init() throws IOException {
         .WithMinimalDefaults().WithScopes("openid")
         .build();
 
-    session = new OicSession(realm.buildAuthorizationCodeFlow(), from, buildOAuthRedirectUrl()) {
+    session = new OicSession(from, buildOAuthRedirectUrl()) {
             @Override
-            public HttpResponse onSuccess(String authorizationCode) {
+            public HttpResponse onSuccess(String authorizationCode, AuthorizationCodeFlow flow) {
                 return null;
             }
         };