Jenkins Google Authentication

26 / Aug / 2016 by Rajdeep Singh 8 comments


By default, user authentication is not enabled in Jenkins, but it can be enabled from the Global Security section. Normally we have to create users for team members, and Jenkins maintains all users in its own database. We can also configure Jenkins with Google OAuth, so if you are leveraging Google services and already have users there, those users can log in to Jenkins and perform their tasks.

I am assuming that the Jenkins server is already installed and that we have admin rights to make changes to it. The whole configuration is divided into three easy steps.

1. Create Google OAuth Client Key

Before we start, we need to create a project in the Google developer console. In this project we will generate the authentication credentials that enable the OAuth API.

  • To create your project, log in to the Google developer console and select Create project in the top bar.

  • In the pop-up window, specify your project name. It can be any name that is meaningful to you; here I have created a project named Jenkins OAuth. In the advanced section, you can select the App Engine geographical location.

  • It will take a few minutes to create your project. Once it completes, select Credentials under API Manager in the left sidebar and then click Create Credentials.

  • The Create Credentials drop-down menu has three options. Choose OAuth client ID to create a client ID. It will generate API credentials, and these credentials are required to configure Jenkins in the last step.

  • As we are going to integrate this with Jenkins, which is a web service, select Web application as the application type.

  • In the next section, register the Jenkins URI that is allowed to access the Google APIs by providing your Jenkins server details. Replace jenkins.mydimain.com with your own Jenkins URI. This is the landing page of your Jenkins server; when you open it, you are redirected to Google for authentication.

  • The authorized redirect URI is where Google sends you after a successful login. It combines your Jenkins landing page with a suffix that validates that you are a logged-in user. Because we want users to land on the Jenkins dashboard, it uses the same URI as in the previous step, with securityRealm/finishLogin appended at the end.

  • Here we have the Client ID and Client Secret. Copy and save these credentials, as they will be used to enable the Google APIs in Jenkins.
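The redirect URI step is where this setup most often fails (a missing scheme or an IP address in place of a domain name), so the following added example, which is not part of the original article, checks a Jenkins landing-page URL and builds the authorized redirect URI from it. The function names and the sample URLs are assumptions made for illustration; only the securityRealm/finishLogin suffix comes from the article.

```python
import ipaddress
from urllib.parse import urlsplit

CALLBACK_SUFFIX = "securityRealm/finishLogin"  # suffix named in the article


def check_jenkins_url(jenkins_url):
    """Return (errors, warnings) for a candidate Jenkins landing-page URL."""
    errors, warnings = [], []
    parts = urlsplit(jenkins_url.strip())
    if parts.scheme not in ("http", "https"):
        # A bare host name has no usable scheme; Google rejects the resulting
        # redirect_uri with "Missing scheme".
        errors.append("missing scheme: start the URL with https://")
        return errors, warnings
    host = parts.hostname or ""
    if not host:
        errors.append("missing host name")
        return errors, warnings
    try:
        ipaddress.ip_address(host)
        errors.append("host is an IP address: use a domain name")
    except ValueError:
        pass  # not an IP literal, so it can be registered
    if parts.query or parts.fragment:
        errors.append("remove the query string or fragment")
    if parts.scheme == "http":
        # Added hardening note, not a requirement stated in the article.
        warnings.append("plain http exposes the login callback on the network")
    return errors, warnings


def redirect_uri(jenkins_url):
    """Build the authorized redirect URI, or raise ValueError listing the errors."""
    errors, _ = check_jenkins_url(jenkins_url)
    if errors:
        raise ValueError("; ".join(errors))
    return jenkins_url.strip().rstrip("/") + "/" + CALLBACK_SUFFIX


if __name__ == "__main__":
    # Constructed sample values, not taken from the article's screenshots.
    for url in ("https://jenkins.example.com/", "jenkins.example.com",
                "http://203.0.113.10:8080/"):
        print(url, "->", check_jenkins_url(url))
```
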

 

2. Install Google Login Plugin

Jenkins has no built-in mechanism to configure OAuth, but many plugins are available; we are using the Google Login plugin. Install it from Manage Jenkins –> Manage Plugins –> Available by searching for “Google Login” and selecting the plugin. No restart is needed to install it. The plugin lets you register Google OAuth credentials and performs the authentication.

3. Configure Jenkins

In this step, we set up the Google credentials in the installed plugin. Navigate to Manage Jenkins –> Configure Global Security, select Login with Google under Security Realm, and paste the credentials generated in the first step. In the last field, do not forget to enter your domain name; it restricts access to the given domain.

Immediately after you save the changes, Jenkins allows access to all users in your domain. Now try to log in to Jenkins; it will redirect you to the Google authentication page. If everything is set up properly you will be logged in; if you still face a problem, go back and check each step. A logged-in user can do anything, so if you want to restrict users, implement Matrix-based security.


comments (8)

  1. Patrick

    Following this guide completely broke my login. I can no longer access my Jenkins instances except via SSH. I am receiving this error in my browser:

    HTTP ERROR 401
    Problem accessing /securityRealm/finishLogin. Reason:
    Unauthorized

    What now?

    1. Andy

      Hi Patrick, just in case you are still facing this issue, you can recover your jenkins by editing:
      /var/lib/jenkins/config.xml
      Look for the line:
      true
      And change true to false. Then you can access your jenkins box again, and reconfigure your security. I ran through all of these issues as well, so if you still have some issues, let me know and I’ll help where I can.

  2. David

    I’m trying to follow the above method but it becomes tricky in the authorized redirect URIs section, since the original client application (jenkins) is an IP address and this section doesn’t allow IP address.
    plz help.

  3. Rohini

    I followed above method. But I am getting this error:
    400. That’s an error.

    Error: invalid_request

    Invalid parameter value for redirect_uri: Missing scheme: ****.*****.com/securityRealm/finishLogin

        1. Greg

          Hey guys, we are facing same issue, can you please give some hints or help ?

          By saying same issue , I was meaning this one:
          400. That’s an error. Error: invalid_request Invalid parameter value for redirect_uri: Missing scheme: ****.*****.com/securityRealm/finishLogin

          1. vivek

            Are you guys still facing issue? Please send me screenshots of the settings such as manage settings
