com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found

[rthevenin]

Jenkins and plugins versions report

Environment

Jenkins: 2.462.3
OS: Windows Server 2022 - 10.0
Java: 17.0.11 - Oracle Corporation (Java HotSpot(TM) 64-Bit Server VM)
---
Matrix-sorter-plugin:1.3
ant:511.v0a_a_1a_334f41b_
antisamy-markup-formatter:162.v0e6ec0fcfcf6
any-buildstep:14.ve115ec1484f0
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
artifactdeployer:1.3
asm-api:9.7.1-97.v4cc844130d97
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1178.v969d9eb_c728e
build-environment:1.7
build-failure-analyzer:2.5.2
build-name-setter:2.4.3
build-timeout:1.33
build-timestamp:1.0.3
build-user-vars-plugin:176.vb_9c7907fd524
built-on-column:1.4
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.1
cloudbees-folder:6.955.v81e2a_35c08d3
command-launcher:115.vd8b_301cc15d0
commons-httpclient3-api:3.1-3
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.12.0-129.v99a_50df237f7
compress-artifacts:109.v98a_db_d3cb_72c
compress-buildlog:1.2
conditional-buildstep:1.4.3
config-file-provider:978.v8e85886ffdc4
copyartifact:749.vfb_dca_a_9b_6549
credentials:1384.vf0a_2ed06f9c6
credentials-binding:681.vf91669a_32e45
dark-theme:479.v661b_1b_911c01
data-tables-api:2.1.8-1
display-url-api:2.204.vf6fddd8a_8b_e9
durable-task:577.v2a_8a_4b_7c0247
echarts-api:5.5.1-3
eddsa-api:0.3.0-4.v84c6f0f4969e
email-ext:1844.v3ea_a_b_842374a_
envinject:2.919.v009a_a_1067cd0
envinject-api:1.199.v3ce31253ed13
extended-choice-parameter:382.v5697b_32134e8
external-monitor-job:215.v2e88e894db_f8
flexible-publish:0.16.1
folder-properties:1.2.1
font-awesome-api:6.6.0-2
git:5.5.2
git-client:5.0.0
git-parameter:0.9.19
git-server:126.v0d945d8d2b_39
github:1.40.0
github-api:1.321-468.v6a_9f5f2d5a_7e
github-branch-source:1803.v98e3d8a_c8169
gitlab-plugin:1.8.2
global-variable-string-parameter:1.2
gradle:2.13.1
gson-api:2.11.0-85.v1f4e87273c33
housekeeper:1.1
instance-identity:201.vd2a_b_5a_468a_a_6
ionicons-api:74.v93d5eb_813d5f
ivy:2.6
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javadoc:280.v050b_5c849f69
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
jdk-tool:80.v8a_dee33ed6f0
jenkins-multijob-plugin:630.v80676e0dc658
jersey2-api:2.44-151.v6df377fff741
jjwt-api:0.11.5-112.ve82dfb_224b_a_d
jnr-posix-api:3.1.19-2
job-parameter-summary:0.5
jobConfigHistory:1277.vb_9a_0808495d7
joda-time-api:2.13.0-93.v9934da_29b_a_e9
jqs-monitoring:37.vf50a_82a_0b_f32
jquery:1.12.4-1
jquery3-api:3.7.1-2
jsch:0.2.16-86.v42e010d9484b_
json-api:20240303-101.v7a_8666713110
json-path-api:2.9.0-118.v7f23ed82a_8b_8
junit:1307.vdd5b_2646279e
ldap:725.v3cb_b_711b_1a_ef
list-git-branches-parameter:0.0.13
lockable-resources:1320.v1f0dff578476
mailer:488.v0c9639c1a_eb_3
matrix-auth:3.2.2
matrix-combinations-parameter:1.3.3
matrix-project:839.vff91cd7e3a_b_2
maven-plugin:3.23
metrics:4.2.21-451.vd51df8df52ec
mina-sshd-api-common:2.14.0-133.vcc091215a_358
mina-sshd-api-core:2.14.0-133.vcc091215a_358
monitoring:1.99.0
msbuild:1.35
nodelabelparameter:1.13.0
oic-auth:4.411.v990b_9d36e74e
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
pam-auth:1.11
parameterized-trigger:806.vf6fff3e28c3e
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-github-lib:61.v629f2cc41d83
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-graph-view:340.v28cecee8b_25f
pipeline-groovy-lib:740.va_2701257fe8d
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-definition:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-extensions:2.2214.vb_b_34b_2ea_9b_83
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2214.vb_b_34b_2ea_9b_83
pipeline-stage-view:2.34
plain-credentials:183.va_de8f1dd5a_2b_
plugin-usage-plugin:4.6
plugin-util-api:5.1.0
postbuild-task:1.9
postbuildscript:3.4.1-695.vf6b_0b_8053979
publish-over:0.22
publish-over-ssh:1.25
rebuild:332.va_1ee476d8f6d
resource-disposer:0.24
run-condition:1.7
scm-api:696.v778d637b_a_762
script-security:1365.v4778ca_84b_de5
show-build-parameters:1.0
snakeyaml-api:2.3-123.v13484c65210a_
sonar:2.17.2
ssh-agent:376.v8933585c69d3
ssh-credentials:343.v884f71d78167
ssh-slaves:2.973.v0fa_8c0dea_f9f
sshd:3.330.vc866a_8389b_58
structs:338.v848422169819
theme-manager:262.vc57ee4a_eda_5d
thinBackup:2.1.1
throttle-concurrents:2.14
timestamper:1.27
token-macro:400.v35420b_922dcb_
trilead-api:2.147.vb_73cc728a_32e
uno-choice:2.8.4
variant:60.v7290fc0eb_b_cd
workflow-aggregator:600.vb_57cdd26fdd7
workflow-api:1336.vee415d95c521
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3975.v567e2a_1ffa_22
workflow-durable-task-step:1371.vb_7cec8f3b_95e
workflow-job:1436.vfa_244484591f
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:930.vf51d22b_ce488
ws-cleanup:0.47

What Operating System are you using (both controller, and any agents involved in the problem)?

Windows Server 2022

Reproduction steps

1. Login with OIDC was working fine
2. Weekend pass
3. Login with OIDC fails

Expected Results

Works like before, or at least provide meaningful logs

Actual Results

Jenkins shows a generic "A problem occurred while processing the request"
Logs refer to an algorythm or kid mismatch in JWT from what I could understand:

2024-10-21 09:02:36.530+0000 [id=13]	WARNING	h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID d8f32987-d2e1-49b9-803a-fc1b136f1b61
com.nimbusds.jose.proc.BadJOSEException: Signed JWT rejected: Another algorithm expected, or no matching key(s) found
	at PluginClassLoader for oic-auth//com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:357)
	at PluginClassLoader for oic-auth//com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:321)
	at PluginClassLoader for oic-auth//com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:254)
	at PluginClassLoader for oic-auth//org.pac4j.oidc.profile.creator.TokenValidator.validate(TokenValidator.java:108)
	at PluginClassLoader for oic-auth//org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:108)
Caused: org.pac4j.core.exception.TechnicalException
	at PluginClassLoader for oic-auth//org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:152)
	at PluginClassLoader for oic-auth//org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1279)
	at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:732)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:416)
	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:429)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:211)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:138)
	at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:644)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
Caused: javax.servlet.ServletException
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:878)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:244)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:747)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:253)
	at Jenkins Main ClassLoader//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:163)
	at PluginClassLoader for monitoring//net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
	at PluginClassLoader for monitoring//net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
	at PluginClassLoader for monitoring//net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
	at PluginClassLoader for monitoring//org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:121)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	at PluginClassLoader for metrics//jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	at jenkins.util.HttpServletFilter$1.doFilter(HttpServletFilter.java:76)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:166)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at jenkins.ErrorAttributeFilter.doFilter(ErrorAttributeFilter.java:29)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	at PluginClassLoader for oic-auth//org.jenkinsci.plugins.oic.OicSecurityRealm$1.doFilter(OicSecurityRealm.java:863)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:145)
	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:31)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
	at Jenkins Main ClassLoader//org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:569)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:822)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.Server.handle(Server.java:563)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
	at Jenkins Main ClassLoader//org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
	at Jenkins Main ClassLoader//org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	at Jenkins Main ClassLoader//org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
	at java.base/java.lang.Thread.run(Thread.java:842)
2024-10-21 09:15:45.356+0000 [id=20]	WARNING	o.j.plugins.oic.OicSecurityRealm#compileJMESPath: groups field config failed io.burt.jmespath.parser.ParseException: Unable to compile expression "": syntax error mismatched input '<EOF>' expecting {'!', '(', '*', '[', '{', '[?', '@', '`', RAW_STRING, JSON_CONSTANT, NAME, STRING} at position 0
2024-10-21 09:29:42.152+0000 [id=16]	WARNING	o.e.j.s.h.ContextHandler$Context#log: Error while serving http://redacted.net/securityRealm/finishLogin
org.pac4j.core.exception.TechnicalException: State cannot be determined
	at PluginClassLoader for oic-auth//org.pac4j.oidc.credentials.extractor.OidcExtractor.lambda$extract$0(OidcExtractor.java:133)
	at java.base/java.util.Optional.orElseThrow(Optional.java:403)
	at PluginClassLoader for oic-auth//org.pac4j.oidc.credentials.extractor.OidcExtractor.extract(OidcExtractor.java:133)
	at PluginClassLoader for oic-auth//org.pac4j.core.client.BaseClient.retrieveCredentials(BaseClient.java:71)
	at PluginClassLoader for oic-auth//org.pac4j.core.client.IndirectClient.getCredentials(IndirectClient.java:145)
	at PluginClassLoader for oic-auth//org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1272)
	at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:732)
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:416)
Caused: java.lang.reflect.InvocationTargetException
	at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:420)
	at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:429)
	at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:211)
	at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:138)
	at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:644)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:244)
	at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
	at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
	at org.kohsuke.stapler.Stapler.invoke(Stapler.java:747)
	at org.kohsuke.stapler.Stapler.service(Stapler.java:253)
	at Jenkins Main ClassLoader//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:163)
	at PluginClassLoader for monitoring//net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:239)
	at PluginClassLoader for monitoring//net.bull.javamelody.MonitoringFilter.doFilter(MonitoringFilter.java:215)
	at PluginClassLoader for monitoring//net.bull.javamelody.PluginMonitoringFilter.doFilter(PluginMonitoringFilter.java:88)
	at PluginClassLoader for monitoring//org.jvnet.hudson.plugins.monitoring.HudsonMonitoringFilter.doFilter(HudsonMonitoringFilter.java:121)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	at PluginClassLoader for metrics//jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	at jenkins.util.HttpServletFilter$1.doFilter(HttpServletFilter.java:76)
	at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
	at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:166)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at jenkins.ErrorAttributeFilter.doFilter(ErrorAttributeFilter.java:29)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	at PluginClassLoader for oic-auth//org.jenkinsci.plugins.oic.OicSecurityRealm$1.doFilter(OicSecurityRealm.java:863)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
	at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:145)
	at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
	at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
	at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:31)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
	at Jenkins Main ClassLoader//org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:569)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
	at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:822)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.Server.handle(Server.java:563)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
	at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
	at Jenkins Main ClassLoader//org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
	at Jenkins Main ClassLoader//org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
	at Jenkins Main ClassLoader//org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
	at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
	at java.base/java.lang.Thread.run(Thread.java:842)

Anything else?

I couldn't find documentation or settings to move forward on this issue:

• how to get the actual algorithms send and received?
• how to dump the actual messages exchanged?
• how to force a specific algorithm in the plugin configuration?

Are you interested in contributing a fix?

No response

[jtnord]

The exception from pac4j is missing details (there's a loop where it tries all supported methods then throws an exception but throws away all the others from the loop which contains the interesting one)

Enabling finer logging on org.pac4j.oidc.profile.creator.TokenValidator should show the real reason.

[jtnord]

https://groups.google.com/g/pac4j-dev/c/wCPqWJSrCMk

[rthevenin]

I can't find an option or documentation on increase log level, did I miss something? or did you mean a custom build with added logs?
Could we disable some of the validators to narrow down the issue?

[jtnord]

see https://docs.cloudbees.com/docs/cloudbees-ci-kb/latest/client-and-managed-controllers/configure-loggers-for-jenkins or https://www.youtube.com/watch?v=G6V56is5Pyw

[rthevenin]

From what I understand of those fine logs, there's a 'time ahead of current time' issue, So I guess a timezone or NTP issue on our server.
https://gist.github.com/rthevenin/6c6a7f4535a2fe9cffc491da55b36851

Oct 25, 2024 2:58:52 PM FINE org.pac4j.oidc.profile.creator.TokenValidator validate

JWT issue time ahead of current time
com.nimbusds.jwt.proc.BadJWTException: JWT issue time ahead of current time
	at PluginClassLoader for oic-auth//com.nimbusds.openid.connect.sdk.validators.BadJWTExceptions.<clinit>(BadJWTExceptions.java:84)
	at PluginClassLoader for oic-auth//com.nimbusds.openid.connect.sdk.validators.IDTokenClaimsVerifier.verify(IDTokenClaimsVerifier.java:233)
	at PluginClassLoader for oic-auth//com.nimbusds.jwt.proc.DefaultJWTProcessor.verifyClaims(DefaultJWTProcessor.java:271)
	at PluginClassLoader for oic-auth//com.nimbusds.jwt.proc.DefaultJWTProcessor.process(DefaultJWTProcessor.java:373)
	at PluginClassLoader for oic-auth//com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:321)
	at PluginClassLoader for oic-auth//com.nimbusds.openid.connect.sdk.validators.IDTokenValidator.validate(IDTokenValidator.java:254)
	at PluginClassLoader for oic-auth//org.pac4j.oidc.profile.creator.TokenValidator.validate(TokenValidator.java:108)
	at PluginClassLoader for oic-auth//org.pac4j.oidc.profile.creator.OidcProfileCreator.create(OidcProfileCreator.java:108)
	at PluginClassLoader for oic-auth//org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1279)
	at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:732)

I wish we had more details on the actual values observed.

[jtnord]

there is a clock skew option you can use, but the timezone should not matter as the times are always in seconds since a well known epoc which is zoneless.

Alas the library offers no more information here :(

But as this token was generated in the future either your Jenkins instance is running in the past or your OIDC server is running in the future.
The default allowed clockskew in the plugin is 60 seconds which should always be enough for a server with a well maintained clock.

you should be able to see the clock time of your OIDC server by inspecting the HTTP headers when you login to it (or visit any dynamic page on the site). and you should be able to get the data of your Jenkins server as you are an admin of it :) this can give you an indication if something is out of sync, and give you a value of difference that you may want to use for the clockskew parameter if 60 seconds is not enough

[rthevenin]

My laptop was about 80 s ahead of the Jenkins server, so I've forced an clock sync on the server. I'm used to Kerberos clock screw tolerance of 300 s, so I wasn't expecting a clock issue here initially.

[jtnord]

Thanks for the update.
I'm going to keep this issue open until pac4j issue is addressed.

[thiagosanches]

any news on this? just checking...

[SebastienPi]

Hi,

I had what looks like the same issue: JWT issue time ahead of current time.
As suggest, I locked at header and Jenkins ones are a bit strange: Date | Thu, 31 Jul 2025 16:32:04 GMT

Inside the pod (Jenkins is deployed in K8S):

$ date
Thu Jul 31 16:35:51 UTC 2025.

IDP issue a token with 2 hours expiration:

$ date --date @1753986724
Thu Jul 31 18:32:04 UTC 2025

So valid between 18:32-20:32 GMT.

I did not have time to check today. I may have miss some parameter in Jenkins to set timezone?