π This post describes a real-world case of applying Google OIDC-based login to Jenkins.
The environment assumes Jenkins is installed via Helm and managed as a Terraform resource, with configuration handled using the
JCasC
plugin.If you're aiming to unify authentication across tools using OIDC in your organization, this post should be a helpful reference.
π You may want to read the following post first for better context:
Understanding OAuth 2.0 and OpenID Connect
Why We Introduced OIDC Authentication
All employees in our organization are issued Google Workspace accounts, and we have multiple internal tools requiring access control β including Jenkins, ArgoCD, Vault, and Grafana.
Managing separate user accounts for each tool was both time-consuming and a potential security risk.
So we introduced Google OIDC to unify authentication based on existing Google accounts,
which allowed us to reduce the complexity of user management and apply a consistent authentication model across our systems.
Implementation Steps
Jenkins OIDC plugin: OpenId Connect Authentication
π§© Prerequisites
- Jenkins is installed via Helm; Helm charts are managed using Terraform.
- Jenkins configuration is handled through the
JCasC
plugin.
1. Creating OAuth Client in Google Cloud Console
This process could potentially be replaced with the Terraform resource google_iam_oauth_client
in the future:
https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/iam_oauth_client
I plan to refactor accordingly.
Steps:
- Log in to Google Cloud Console
- Select a project
- Navigate to APIs & Services
- Go to Credentials
- Click Create credentials β OAuth client ID
- Select Web application as the Application type
- Set a name
- Add your Jenkins origin in Authorized JavaScript origins
-
Set the redirect URI as defined in the official documentation:
https://<your-jenkins-domain>/securityRealm/finishLogin
Once created, securely store the
client_id
andclient_secret
(e.g., Vault, AWS Secrets Manager)
The screenshots above are for demonstration purposes only. In real projects, you should never expose client information β especially the Client Secret β in public.
2. Configuring the oic-auth
Plugin
// modules/jenkins/main.tf
resource "helm_release" "default" {
...
chart = "jenkins"
repository = "https://charts.jenkins.io"
...
values = [
file("${path.module}/values.yaml"),
yamlencode({
controller = {
...
installPlugins = concat([
...
], var.extra_plugins)
...
JCasC = {
securityRealm = var.yaml_encoded_security_realm
...
}
}
...
})
]
}
// jenkins_helm.tf
module "jenkins" {
source = "../modules/jenkins"
...
yaml_encoded_security_realm = yamlencode({
oic = {
serverConfiguration = {
wellKnown = {
wellKnownOpenIDConfigurationUrl = "https://accounts.google.com/.well-known/openid-configuration"
scopesOverride = "openid profile email"
}
}
clientId = local.jenkins_secrets.jenkins_google_client_id
clientSecret = local.jenkins_secrets.jenkins_google_client_secret
userNameField = "email"
emailFieldName = "email"
pkceEnabled = true
}
})
extra_plugins = [
...
"oic-auth:4.494.v6b_f419104767",
...
]
...
}
The clientId
and clientSecret
were injected from the values issued earlier,
and the rest of the config values were based on the official documentation:
https://github.com/jenkinsci/oic-auth-plugin/blob/master/docs/configuration/GOOGLE.md#jcasc
β οΈ In the documentation above, wellKnownOpenIDConfigurationUrl
and scopesOverride
are placed directly under oic
, but this caused OIDC to fail in my case.
Placing them under serverConfiguration.wellKnown
β as shown in the general configuration reference β worked correctly:
https://github.com/jenkinsci/oic-auth-plugin/blob/master/docs/configuration/README.md#jcasc-configuration-reference
π Since clientId
and clientSecret
are sensitive credentials, they should not be hardcoded in .tfvars
or locals
.
It is strongly recommended to retrieve them securely from Vault or AWS Secrets Manager instead:
locals {
...
jenkins_secrets = jsondecode(data.aws_secretsmanager_secret_version.jenkins_secrets.secret_string)
...
}
Top comments (0)