π This post describes a real-world case of applying Google OIDC-based login to Jenkins.
The environment assumes Jenkins is installed via Helm and managed as a Terraform resource, with configuration handled using the
JCasCplugin.If you're aiming to unify authentication across tools using OIDC in your organization, this post should be a helpful reference.
π You may want to read the following post first for better context:
Understanding OAuth 2.0 and OpenID Connect
Why We Introduced OIDC Authentication
All employees in our organization are issued Google Workspace accounts, and we have multiple internal tools requiring access control β including Jenkins, ArgoCD, Vault, and Grafana.
Managing separate user accounts for each tool was both time-consuming and a potential security risk.
So we introduced Google OIDC to unify authentication based on existing Google accounts,
which allowed us to reduce the complexity of user management and apply a consistent authentication model across our systems.
Implementation Steps
Jenkins OIDC plugin: OpenId Connect Authentication
𧩠Prerequisites
- Jenkins is installed via Helm; Helm charts are managed using Terraform.
- Jenkins configuration is handled through the
JCasCplugin.
1. Creating OAuth Client in Google Cloud Console
This process could potentially be replaced with the Terraform resource google_iam_oauth_client in the future:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_oauth_client
I plan to refactor accordingly.
Steps:
- Log in to Google Cloud Console
- Select a project
- Navigate to APIs & Services
- Go to Credentials
- Click Create credentials β OAuth client ID
- Select Web application as the Application type
- Set a name
- Add your Jenkins origin in Authorized JavaScript origins
-
Set the redirect URI as defined in the official documentation:
https://<your-jenkins-domain>/securityRealm/finishLogin Once created, securely store the
client_idandclient_secret(e.g., Vault, AWS Secrets Manager)
The screenshots above are for demonstration purposes only. In real projects, you should never expose client information β especially the Client Secret β in public.
2. Configuring the oic-auth Plugin
// modules/jenkins/main.tf
resource "helm_release" "default" {
...
chart = "jenkins"
repository = "https://charts.jenkins.io"
...
values = [
file("${path.module}/values.yaml"),
yamlencode({
controller = {
...
installPlugins = concat([
...
], var.extra_plugins)
...
JCasC = {
securityRealm = var.yaml_encoded_security_realm
...
}
}
...
})
]
}
// jenkins_helm.tf
module "jenkins" {
source = "../modules/jenkins"
...
yaml_encoded_security_realm = yamlencode({
oic = {
serverConfiguration = {
wellKnown = {
wellKnownOpenIDConfigurationUrl = "https://accounts.google.com/.well-known/openid-configuration"
scopesOverride = "openid profile email"
}
}
clientId = local.jenkins_secrets.jenkins_google_client_id
clientSecret = local.jenkins_secrets.jenkins_google_client_secret
userNameField = "email"
emailFieldName = "email"
pkceEnabled = true
}
})
extra_plugins = [
...
"oic-auth:4.494.v6b_f419104767",
...
]
...
}
The clientId and clientSecret were injected from the values issued earlier,
and the rest of the config values were based on the official documentation:
https://github.com/jenkinsci/oic-auth-plugin/blob/master/docs/configuration/GOOGLE.md#jcasc
β οΈ In the documentation above, wellKnownOpenIDConfigurationUrl and scopesOverride are placed directly under oic, but this caused OIDC to fail in my case.
Placing them under serverConfiguration.wellKnown β as shown in the general configuration reference β worked correctly:
https://github.com/jenkinsci/oic-auth-plugin/blob/master/docs/configuration/README.md#jcasc-configuration-reference
π Since clientId and clientSecret are sensitive credentials, they should not be hardcoded in .tfvars or locals.
It is strongly recommended to retrieve them securely from Vault or AWS Secrets Manager instead:
locals {
...
jenkins_secrets = jsondecode(data.aws_secretsmanager_secret_version.jenkins_secrets.secret_string)
...
}
Top comments (0)