{"id":18148229,"url":"https://github.com/jenkinsci/oic-auth-plugin","last_synced_at":"2026-06-02T07:00:52.298Z","repository":{"id":37269939,"uuid":"63227269","full_name":"jenkinsci/oic-auth-plugin","owner":"jenkinsci","description":"A Jenkins plugin which lets you login to Jenkins using your own, self-hosted or public openid connect server.","archived":false,"fork":false,"pushed_at":"2026-05-12T05:34:57.000Z","size":9902,"stargazers_count":81,"open_issues_count":14,"forks_count":107,"subscribers_count":7,"default_branch":"master","last_synced_at":"2026-05-12T07:32:15.042Z","etag":null,"topics":["authentication","jenkins-plugin","jenkins-security-scan-enabled","openid-connect"],"latest_commit_sha":null,"homepage":"https://plugins.jenkins.io/oic-auth","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jenkinsci.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"community_bridge":"jenkins","custom":["https://www.jenkins.io/donate/#why-donate"]}},"created_at":"2016-07-13T08:08:47.000Z","updated_at":"2026-05-12T05:34:59.000Z","dependencies_parsed_at":"2024-01-31T08:44:03.970Z","dependency_job_id":"97d48682-e849-4cea-8f39-53a9ed5d6d40","html_url":"https://github.com/jenkinsci/oic-auth-plugin","commit_stats":null,"previous_names":[],"tags_count":71,"template":false,"template_full_name":null,"purl":"pkg:github/jenkinsci/oic-auth-plugin","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub
/repositories/jenkinsci%2Foic-auth-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkinsci%2Foic-auth-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkinsci%2Foic-auth-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkinsci%2Foic-auth-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jenkinsci","download_url":"https://codeload.github.com/jenkinsci/oic-auth-plugin/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkinsci%2Foic-auth-plugin/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33810343,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-06-02T02:00:07.132Z","response_time":109,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","jenkins-plugin","jenkins-security-scan-enabled","openid-connect"],"created_at":"2024-11-01T23:07:39.602Z","updated_at":"2026-06-02T07:00:52.279Z","avatar_url":"https://github.com/jenkinsci.png","language":"Java","funding_links":["https://funding.communitybridge.org/projects/jenkins","https://www.jenkins.io/donate/#why-donate"],"categories":[],"sub_categories":[],"readme":"# oic-auth\n\nA Jenkins plugin which lets you login to Jenkins using your own, self-hosted or 
public openid connect server.\n\n[![Plugin Version](https://img.shields.io/jenkins/plugin/v/oic-auth.svg)](https://plugins.jenkins.io/oic-auth)\n[![Change Log](https://img.shields.io/github/release/jenkinsci/oic-auth-plugin.svg?label=changelog)](https://github.com/jenkinsci/oic-auth-plugin/releases/latest)\n[![Install Number](https://img.shields.io/jenkins/plugin/i/oic-auth.svg?color=blue)](https://plugins.jenkins.io/oic-auth)\n[![MIT license](https://img.shields.io/github/license/jenkinsci/oic-auth-plugin)](https://github.com/jenkinsci/oic-auth-plugin/blob/master/LICENSE)\n[![Build Status](https://ci.jenkins.io/job/Plugins/job/oic-auth-plugin/job/master/badge/icon)](https://ci.jenkins.io/job/Plugins/job/oic-auth-plugin/job/master/)\n[![Contributors](https://img.shields.io/github/contributors/jenkinsci/oic-auth-plugin.svg)](https://github.com/jenkinsci/oic-auth-plugin/graphs/contributors)\n[![Crowdin](https://badges.crowdin.net/e/b7f2178f29b3eb9adff1da2429d20de3/localized.svg)](https://jenkins.crowdin.com/oic-auth-plugin)\n[![codecov](https://codecov.io/gh/jenkinsci/oic-auth-plugin/branch/master/graph/badge.svg?token=rORWUCOfim)](https://codecov.io/gh/jenkinsci/oic-auth-plugin)\n\n![OpenID connect](/docs/images/openid-connect-logo.jpg)\n\u003cdetails\u003e\n\u003csummary\u003e\u003ch2\u003eTable of contents\u003c/h2\u003e\u003c/summary\u003e\n\n- [User guide](#user-guide)\n  - [Installation](#installation)\n  - [Configuration quickstart](#configuration-quickstart)\n  - [Interacting with Jenkins as a non front-end user](#interacting-with-jenkins-as-a-non-front-end-user)\n- [OpenID Connect Authentication plugin](#openid-connect-authentication-plugin)\n  - [Open Tickets (bugs and feature requests)](#open-tickets-bugs-and-feature-requests)\n  - [Changelog](#changelog)\n  - [Contributing](#contributing)\n- [Documentation](docs/)\n  - [Configuration](docs/configuration/README.md)\n  - [How to ...](docs/howto/README.md)\n  - [FAQ](docs/FAQ.md)\n\u003c/details\u003e\n\n## 
User guide\n\n[OpenID Connect](https://openid.net/connect/) is an authentication\nand authorization protocol that allows users to use single sign-on (SSO)\nto access an application (Jenkins in this case) using Identity Providers.\nIn practice, with this plugin, Jenkins administrators can\nconfigure a provider which will authenticate users, provide basic\ninformation (email, username, groups) and let Jenkins grant rights accordingly.\n\nAfter installing the plugin, the Jenkins administrator can choose\n\"OpenID Connect\" as [Security Realm](https://www.jenkins.io/doc/book/security/managing-security/#access-control).\nThe setup involves configuring the provider and\nthe related authorisation strategy.\n\nConfigurations for specific providers are documented:\n\n* [Google Provider](docs/configuration/GOOGLE.md)\n* [Gitlab Provider](docs/configuration/GITLAB.md)\n* [Azure AD (blog post)](http://www.epiclabs.io/configure-jenkins-use-azure-ad-authentication-openid-connect/)\n\n\n### Installation\n\nOpenID Connect Authentication plugin is installed like other plugins:\n\n- either using [Jenkins plugin management](https://www.jenkins.io/doc/book/managing/plugins/#installing-a-plugin)\n  from the web UI or the command line\n- or using [Jenkins Configuration as Code (JCasC)](https://www.jenkins.io/doc/book/managing/casc/#configuration-as-code)\n\nIn either case, choosing the plugin as Security Realm means that other\nauthentication methods (Jenkins Database, LDAP, ...) will no\nlonger be available and any misconfiguration or service availability\nissue will lock out the users. An *escape hatch* can be activated at\nconfiguration time to define an admin credential which can be used to\nrecover access to Jenkins.\n\n### Configuration quickstart\n\nConfiguration of this plugin takes a bit of effort as it requires some\nknowledge of the OpenID Connect standard as well as the non-standard\nconfiguration of the various identity providers out there. 
Should you\nconfigure this plugin against an identity provider then please share your\nexperiences and any caveats you found through a blog post or by adding them to the\ndocumentation.\n\nIn a nutshell, the configuration is done in three steps:\n1. **Register Jenkins** as an OIDC client in your provider. You will need these details:\n    - Login Redirect URI: `${JENKINS_ROOT_URL}/securityRealm/finishLogin`\n    - Logout Redirect URI: `${JENKINS_ROOT_URL}/OicLogout`\n    - scope: openid profile email\n    - Grant Type: `authorization_code`\n    - Response Types: `code, token, id_token`\n2. **Generate Client ID** and secret which are needed in plugin configuration\n3. **Configure plugin** with the provider's endpoints, security features and specific configuration.\u003cbr /\u003e\n   Normally, providers expose .well-known/openid-configuration which has all the details a client needs to know.\n\nDetailed instructions for [Generic OpenID Connect](docs/configuration/README.md)\nconfiguration are provided in the documentation. Some [HOWTO](docs/howto/README.md)\nguides are provided for the various aspects of the configuration.\n\nSee the following screenshot utilizing the Google well-known endpoint\nfor a minimal configuration example: \n\n![global-config](/docs/images/global-config.png)\n\nAll of the fields can be configured as a [JMES Path](https://jmespath.org/) specification.\nMost of the time, the name of the field in the ID token or userinfo is enough.\n\n\n### Interacting with Jenkins as a non front-end user\n\nTLDR: use an API token instead as described here: \n[Authenticating scripted clients](https://www.jenkins.io/doc/book/system-administration/authenticating-scripted-clients/)\n\nUsing basic auth for authentication won't work. 
This is because Jenkins\nhas no knowledge of the password due to the way OpenID Connect works:\nIdentifying a user is a three-way interaction between the user, Jenkins\nand the OpenID provider.\n\nThe plugin asks the configured OpenID provider to confirm the identity\nof the user and does this in a way that both Jenkins and the provider\nare 'talking' about the same user. The OpenID Connect provider will\nlikely challenge the user to prove its identity and might do this by\nrequesting a username and password but this is entirely up to the\nprovider. This part is between the user and the OpenID Connect provider;\nJenkins (using this plugin) delegates proving one's identity to the\nprovider and will go with whatever conclusion the provider draws. This\nhas the benefit that with OpenID Connect the service you're trying to\naccess (in our case Jenkins) never sees a user password, so even if\nJenkins is compromised an attacker can't intercept passwords or other\nsecrets. Using basic auth would require one to send their password to\nJenkins which would defeat this.\n\n\nScripted clients can still interact with Jenkins even when the OpenID\nConnect plugin is active: they will have to use an API\ntoken. \n[Authenticating scripted clients](https://wiki.jenkins.io/display/JENKINS/Authenticating+scripted+clients) describes\nhow to obtain one. \n\n## OpenID Connect Authentication plugin\n\nThis plugin relies on the users and people of goodwill to improve and make\nthe plugin evolve in the most useful way. 
All feedback and help are welcome.\nWe can provide help and support but it is limited to the fair use of\nvolunteers' free time.\n\n### Open Tickets (bugs and feature requests)\n\n[GitHub issues](https://github.com/jenkinsci/oic-auth-plugin/issues?q=is%3Aopen+is%3Aissue)\nis our main communication channel for issues and feature requests.\nWe will look at issues entered through [Jenkins Jira](https://issues.jenkins.io/issues/?jql=project+%3D+JENKINS+AND+component+%3D+oic-auth-plugin)\nbut the response time may currently be spotty at best.\n\nBefore adding an issue, please search for any relevant entry in the [FAQ](docs/FAQ.md)\nor check whether the same issue has already been reported\nand avoid duplicating it. If it is a new issue and it is not purely related\nto your environment, please provide relevant information (such as the version\nof Jenkins and the plugin).\n\nIf an issue or a feature request is unclear, it will be tagged\nwith the **Need more info** label. Without an answer after a month, the\nissue will be closed.\n\n### Changelog\n\nThe changelog file has been removed and the CHANGELOG content can be reviewed in the\n[GitHub release](https://github.com/jenkinsci/oic-auth-plugin/releases)\npanel of the plugin's repository. 
It is also available in the\n[Jenkins plugin](https://plugins.jenkins.io/oic-auth/#releases) panel.\n\n### Contributing\n\nContributions are welcome, we are looking for:\n\n- developers to implement the features, improve the code and whatever\n  hackers do for a living\n- anybody wanting to help sorting the issues, improve,\n  [translate](https://jenkins.crowdin.com/u/projects/25),\n  document, participate in pull request review or test before release\n- just anybody who wants to drop by and take an interest\n\nPlease refer to the separate [CONTRIBUTING](docs/CONTRIBUTING.md) document for details on how to proceed!\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjenkinsci%2Foic-auth-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjenkinsci%2Foic-auth-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjenkinsci%2Foic-auth-plugin/lists"}