Migrate from Implicit OAuth Flow to Authorization Code Flow with Certificate-Based Authentication Support#795

Open
schaeferdavid wants to merge 35 commits into
jenkinsci:masterfrom
schaeferdavid:implement_Authorization_Code_Flow

Conversation

@schaeferdavid

#794

The changes implement a migration from Implicit OAuth Flow to Authorization Code Flow with support for certificate-based authentication using JWT client assertions. This is a significant security enhancement required by modern OAuth 2.0 best practices and Azure AD security requirements.

Key Changes Made

  1. OAuth Flow Migration (Critical Security Change)
     • Security Requirement: The implicit flow is deprecated by OAuth 2.0 security best practices and Azure AD security policies
     • Token Security: Authorization code flow provides better token security by keeping access tokens away from the browser
     • Compliance: Modern Azure AD applications require authorization code flow for enhanced security
     • Best Practice: Industry standard for server-side applications like Jenkins

  2. Manual Token Exchange Implementation
     • Authorization Code Handling: The new flow requires exchanging the authorization code for actual tokens
     • Custom Implementation: ScribeJava library doesn't fully support Azure AD's specific token endpoint requirements
     • Certificate Support: Enables proper certificate-based authentication via client assertions
     • Error Handling: Provides better error handling and logging for authentication failures

  3. Certificate-Based Authentication Support
     • Enterprise Security Requirements: Many enterprise environments require certificate-based authentication instead of client secrets
     • Azure AD Compliance: Certificate-based authentication is the recommended secure method for Azure AD applications
     • Regulatory Compliance: Certificates provide non-repudiation and stronger authentication for compliance requirements
     • Security Best Practice: Certificates are more secure than client secrets as they cannot be easily compromised

Conclusion
These changes are essential for maintaining a secure, compliant, and future-compatible Azure AD integration in Jenkins. The migration from implicit flow to authorization code flow with certificate support addresses critical security requirements and provides a robust foundation for enterprise authentication scenarios.

Testing done

Submitter checklist

  • Make sure you are opening from a topic/feature/bugfix branch (right side) and not your main branch!
  • Ensure that the pull request title represents the desired changelog entry
  • Please describe what you did
  • Link to relevant issues in GitHub or Jira
  • Link to relevant pull requests, esp. upstream and downstream changes
  • Ensure you have provided tests that demonstrate the feature works or the issue is fixed
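The server-side token exchange with a JWT client assertion that points 2 and 3 of the description refer to, as an added Go example (not the plugin's Java code): it builds the RS256 assertion that replaces the client secret and the form that redeems the authorization code. The key, certificate bytes, client ID, tenant and redirect URI are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/url"
	"time"
)

// Assertion type for JWT client credentials (RFC 7523); it takes the place of client_secret.
const ClientAssertionType = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) } // base64url, unpadded

// BuildClientAssertion signs the JWT that Azure AD accepts in place of a client secret:
// RS256, x5t = SHA-1 thumbprint of the DER certificate, aud = token endpoint,
// iss = sub = client ID, a random jti so it cannot be replayed, and a short lifetime.
func BuildClientAssertion(key *rsa.PrivateKey, certDER []byte, clientID, tokenEndpoint string, now time.Time) (string, error) {
	thumb := sha1.Sum(certDER)
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "x5t": b64(thumb[:])})
	jti := make([]byte, 16)
	rand.Read(jti) // crypto/rand; error ignored, it only fails when the OS RNG is unavailable
	claims, _ := json.Marshal(map[string]interface{}{
		"aud": tokenEndpoint, "iss": clientID, "sub": clientID, "jti": b64(jti),
		"nbf": now.Unix(), "exp": now.Add(10 * time.Minute).Unix()})
	input := b64(header) + "." + b64(claims)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// TokenRequestBody is the form posted to the token endpoint to redeem the code server-side.
func TokenRequestBody(code, redirectURI, clientID, assertion string) string {
	return url.Values{"grant_type": {"authorization_code"}, "code": {code},
		"redirect_uri": {redirectURI}, "client_id": {clientID},
		"client_assertion_type": {ClientAssertionType}, "client_assertion": {assertion}}.Encode()
}

func main() { // constructed placeholders; a real deployment loads its own key and certificate
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwt, _ := BuildClientAssertion(key, []byte("constructed-der"), "client-id-placeholder", "https://login.microsoftonline.com/tenant-id-placeholder/oauth2/v2.0/token", time.Now())
	fmt.Println(TokenRequestBody("code-placeholder", "https://jenkins.example/callback-placeholder", "client-id-placeholder", jwt))
}
```

The token endpoint verifies the signature against the registered certificate and checks aud and exp, so a modified or expired assertion is rejected without any shared secret ever leaving the server.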

Copilot AI left a comment

Pull request overview

This PR migrates the Azure AD Jenkins security realm from the deprecated implicit OAuth flow to the authorization code flow, adding support for certificate-based authentication via JWT client assertions to meet modern Azure AD/OAuth security requirements.

Changes:

  • Switch OAuth response type from id_token to code to enable Authorization Code Flow.
  • Implement a manual token exchange against Azure AD’s token endpoint to retrieve tokens server-side.
  • Add logic to generate and submit JWT client assertions when using certificate-based credentials.

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 3 comments.

Copilot AI left a comment

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 4 comments.

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

Comments suppressed due to low confidence (2)

src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java:498

  • This line has trailing whitespace, which is rejected by the repository's Checkstyle RegexpSingleline rule in checkstyle.xml lines 44-49. Remove the extra spaces after the closing brace.
                    }               

src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java:638

  • This line has trailing whitespace, which is rejected by the repository's Checkstyle RegexpSingleline rule in checkstyle.xml lines 44-49. Remove the extra spaces after the closing brace.
    }    

schaeferdavid and others added 2 commits May 13, 2026 22:19
Co-authored-by: Copilot Autofix powered by AI <[email protected]>

Copilot AI left a comment

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 3 comments.

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Copilot AI left a comment

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

Co-authored-by: Copilot Autofix powered by AI <[email protected]>
@schaeferdavid schaeferdavid requested a review from timja May 13, 2026 22:39
Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 3 comments.

Copilot AI left a comment

Pull request overview

Copilot reviewed 6 out of 6 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

src/main/java/com/microsoft/jenkins/azuread/AzureSecurityRealm.java:564

  • This fallback message is now misleading for the authorization-code flow: the Azure “ID tokens” checkbox under Authentication applies to implicit/hybrid flows, while this code receives the ID token from the token endpoint when the openid scope is honored. Update the message to point at the token response / requested scopes instead of asking users to enable implicit ID tokens.
            if (StringUtils.isBlank(idToken)) {
                LOGGER.info("No `id_token` found ensure you have enabled it on the 'Authentication' page of the "
                        + "app registration");

Co-authored-by: Copilot Autofix powered by AI <[email protected]>