CloudBees CI SSO relay in OIDC mode strips parameters from authorization response causing login failures

Last Reviewed: 2026-03-18

Issue

When CloudBees CI is configured to use SSO Relay for CloudBees CI single sign-on in OIDC mode, users experience login failures after the identity provider (IdP) completes authentication. The SSO relay service strips all extra URL parameters from the authorization response before forwarding it, including the iss (issuer) parameter.

This issue is triggered by recent changes in the behavior of identity providers such as Google, which now include the iss parameter in the OIDC authorization response URL.

The following error is observed in the CloudBees CI logs when the iss parameter is stripped:

WARNING h.i.i.InstallUncaughtExceptionHandler#handleException: Caught unhandled exception with ID ...
org.pac4j.oidc.exceptions.OidcIssuerMismatchException: Issuer mismatch, possible mix-up attack.
    at PluginClassLoader for oic-auth//org.pac4j.oidc.credentials.extractor.OidcCredentialsExtractor.extract(OidcCredentialsExtractor.java:134)
    at PluginClassLoader for oic-auth//org.pac4j.core.client.BaseClient.getCredentials(BaseClient.java:80)
    at PluginClassLoader for oic-auth//org.jenkinsci.plugins.oic.OicSecurityRealm.doFinishLogin(OicSecurityRealm.java:1147)

Resolution

This article will be updated once a fix is available. Until then, see the Workarounds section below.

Workarounds

  1. If the IdP supports configuration, disable inclusion of the iss parameter in the authorization response URL.

  2. After you encounter a login failure, add the missing iss parameter back to the URL in the browser’s address bar and submit the form. For Google as the IdP, it would be &iss=https://accounts.google.com added to the end of the URL.

  3. Disable SSO Relay for CloudBees CI single sign-on until the fix is available.

  4. Switch the configuration mode of the oic-auth plugin from Discovery via well-known endpoint to Manual and provide the required configuration values for your provider in the operations center security configuration.

As an alternative, contact CloudBees Support for guidance specific to your IdP and CloudBees CI configuration.

These workarounds are temporary until a fix is available in a CloudBees CI release that correctly preserves the iss parameter through the SSO relay service.
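The following added example (not CloudBees, pac4j or oic-auth code) models the failure described in the Issue section and the effect of workaround 4: a hypothetical relay that forwards only code and state drops iss, while one that forwards the full query string preserves it; a simplified issuer check, modelled on the mix-up defence that the OidcIssuerMismatchException enforces, rejects a missing or wrong iss when the provider metadata declares support for it and tolerates a missing iss when it does not. All URLs, the iss_required flag and the relay functions are assumptions for illustration.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed sample: an authorization response from an IdP that now includes iss,
# as the article describes for Google. The callback host is hypothetical.
SAMPLE_RESPONSE = ("https://relay.example.test/sso/callback"
                   "?code=4%2F0AbCdEf&state=abc123&iss=https%3A%2F%2Faccounts.google.com")
CALLBACK = "https://ci.example.test/securityRealm/finishLogin"
EXPECTED_ISSUER = "https://accounts.google.com"


class IssuerMismatch(Exception):
    """Stands in for OidcIssuerMismatchException in this example."""


def relay_strip_extras(response_url, target_base):
    """Hypothetical relay that reproduces the failure: it rebuilds the redirect
    from an allow-list of parameters, so iss (and any other extra) is lost."""
    q = dict(parse_qsl(urlsplit(response_url).query))
    kept = {k: q[k] for k in ("code", "state") if k in q}
    return target_base + "?" + urlencode(kept)


def relay_preserve_all(response_url, target_base):
    """Corrected relay: forward the authorization response query string unchanged."""
    src = urlsplit(response_url)
    dst = urlsplit(target_base)
    return urlunsplit((dst.scheme, dst.netloc, dst.path, src.query, ""))


def check_issuer(callback_url, expected_issuer, iss_required):
    """Simplified client-side mix-up defence. iss_required models discovery mode,
    where provider metadata advertises iss support; False models manual mode
    (workaround 4), where the client does not insist on the parameter."""
    q = dict(parse_qsl(urlsplit(callback_url).query))
    iss = q.get("iss")
    if iss is None:
        if iss_required:
            raise IssuerMismatch("Issuer mismatch, possible mix-up attack: iss missing")
        return True
    if iss != expected_issuer:
        raise IssuerMismatch(f"Issuer mismatch, possible mix-up attack: got {iss}")
    return True


if __name__ == "__main__":
    for relay in (relay_strip_extras, relay_preserve_all):
        url = relay(SAMPLE_RESPONSE, CALLBACK)
        try:
            check_issuer(url, EXPECTED_ISSUER, iss_required=True)
            print(f"{relay.__name__}: login proceeds")
        except IssuerMismatch as e:
            print(f"{relay.__name__}: {e}")
```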
This article is part of our Knowledge Base and is provided for guidance-based purposes only. The solutions or workarounds described here are not officially supported by CloudBees and may not be applicable in all environments. Use at your own discretion, and test changes in a safe environment before applying them to production systems.