DEV Community

Woobuntu
Woobuntu

Posted on • Edited on

How to Enable Google OIDC Login in Jenkins Using Helm, JCasC, and Terraform

πŸ“Œ This post describes a real-world case of applying Google OIDC-based login to Jenkins.

The environment assumes Jenkins is installed via Helm and managed as a Terraform resource, with configuration handled using the JCasC plugin.

If you're aiming to unify authentication across tools using OIDC in your organization, this post should be a helpful reference.

πŸ”— You may want to read the following post first for better context:
Understanding OAuth 2.0 and OpenID Connect


Why We Introduced OIDC Authentication

All employees in our organization are issued Google Workspace accounts, and we have multiple internal tools requiring access control β€” including Jenkins, ArgoCD, Vault, and Grafana.

Managing separate user accounts for each tool was both time-consuming and a potential security risk.

So we introduced Google OIDC to unify authentication based on existing Google accounts,

which allowed us to reduce the complexity of user management and apply a consistent authentication model across our systems.


Implementation Steps

Jenkins OIDC plugin: OpenId Connect Authentication

🧩 Prerequisites

  1. Jenkins is installed via Helm; Helm charts are managed using Terraform.
  2. Jenkins configuration is handled through the JCasC plugin.

1. Creating OAuth Client in Google Cloud Console

This process could potentially be replaced with the Terraform resource google_iam_oauth_client in the future:

https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_oauth_client

I plan to refactor accordingly.

Reference:

https://github.com/jenkinsci/oic-auth-plugin/blob/master/docs/configuration/GOOGLE.md#provider-configuration

Steps:

  1. Log in to Google Cloud Console
  2. Select a project
  3. Navigate to APIs & Services
  4. Go to Credentials
  5. Click Create credentials β†’ OAuth client ID Image0
  6. Select Web application as the Application type
  7. Set a name
  8. Add your Jenkins origin in Authorized JavaScript origins
  9. Set the redirect URI as defined in the official documentation:

    https://<your-jenkins-domain>/securityRealm/finishLogin
    
  10. Once created, securely store the client_id and client_secret (e.g., Vault, AWS Secrets Manager)

Image1

Image2

The screenshots above are for demonstration purposes only. In real projects, you should never expose client information β€” especially the Client Secret β€” in public.


2. Configuring the oic-auth Plugin

// modules/jenkins/main.tf
resource "helm_release" "default" {
  ...
  chart            = "jenkins"
  repository       = "https://charts.jenkins.io"
  ...

  values = [
    file("${path.module}/values.yaml"),
    yamlencode({
      controller = {
          ...
          installPlugins = concat([
              ...
          ], var.extra_plugins)
        ...
        JCasC = {
          securityRealm         = var.yaml_encoded_security_realm
          ...
        }
      }
      ...
    })
  ]
}
Enter fullscreen mode Exit fullscreen mode
// jenkins_helm.tf
module "jenkins" {
  source                      = "../modules/jenkins"
    ...
  yaml_encoded_security_realm = yamlencode({
    oic = {
      serverConfiguration = {
        wellKnown = {
          wellKnownOpenIDConfigurationUrl = "https://accounts.google.com/.well-known/openid-configuration"
          scopesOverride                  = "openid profile email"
        }
      }
      clientId       = local.jenkins_secrets.jenkins_google_client_id
      clientSecret   = local.jenkins_secrets.jenkins_google_client_secret
      userNameField  = "email"
      emailFieldName = "email"
      pkceEnabled    = true
    }
  })

  extra_plugins = [
      ...
    "oic-auth:4.494.v6b_f419104767",
    ...
  ]
  ...
}
Enter fullscreen mode Exit fullscreen mode

The clientId and clientSecret were injected from the values issued earlier,
and the rest of the config values were based on the official documentation:
https://github.com/jenkinsci/oic-auth-plugin/blob/master/docs/configuration/GOOGLE.md#jcasc

⚠️ In the documentation above, wellKnownOpenIDConfigurationUrl and scopesOverride are placed directly under oic, but this caused OIDC to fail in my case.
Placing them under serverConfiguration.wellKnown β€” as shown in the general configuration reference β€” worked correctly:
https://github.com/jenkinsci/oic-auth-plugin/blob/master/docs/configuration/README.md#jcasc-configuration-reference

πŸ” Since clientId and clientSecret are sensitive credentials, they should not be hardcoded in .tfvars or locals.
It is strongly recommended to retrieve them securely from Vault or AWS Secrets Manager instead:

locals {
    ...
  jenkins_secrets = jsondecode(data.aws_secretsmanager_secret_version.jenkins_secrets.secret_string)
  ...
}
Enter fullscreen mode Exit fullscreen mode

Top comments (0)