Closed alfador1 closed 3 years ago
I probably need a bit more info to reproduce. How is this set up exactly?
I've checked and guests get looked up appropriately.
You can probably work around it by ticking 'Disable graph integration', saving, reloading and then adding yourself with "$DisplayName ($objectId)", and may even be able to re-enable graph after that.
As soon as I re-enable I get username or group not found for username@mail.com.
So how to reproduce fully: Go into Azure, create a new AD. Invite external AD users (from another domain) as guests, create app registrations, add all the API permissions and credentials. Try to add a user from the external AD users in the Jenkins matrix or just do "verify application"; it will give you "user not found".
The biggest irony is that users can log in, but as authenticated users meanwhile.
Can you give a bit more detail about how you're adding them?
Are you using the user picker?
I can look up a guest user and add them fine, along with verifying with 'verify application'.
I can't use the user picker, because it doesn't show anything there (only endless "LOADING"). I can only add users if I disable graph integration, and once I re-enable it I get user not found. Also I get resource not found when doing verify application.
Errors will be in the browser console; probably permissions aren't right (see README for what's needed).
@timja Check my permissions:
Looks fine, anything in the browser console?
As soon as I open Configure Global Security I get errors in the stacktrace.
What's the response code? If the /me request fails then it will disable the user picker.
Anything in the server logs?
Request is empty. Jenkins logs don't say anything, except when I do verify application. They give the same logs as the output on the screen (resource not found).
```
2021-07-20 15:57:08.487+0000 [id=39659] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396GET https://graph.microsoft.com/v1.0/users/email@email.com
2021-07-20 15:57:08.487+0000 [id=39659] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396SdkVersion : graph-java/v3.8.0
2021-07-20 15:57:08.488+0000 [id=39659] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396
2021-07-20 15:57:08.489+0000 [id=39659] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396
2021-07-20 15:57:08.489+0000 [id=39659] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396404 : Not Found
2021-07-20 15:57:08.490+0000 [id=39659] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396[...]
```
![image](https://user-images.githubusercontent.com/35370751/126356648-1b72ec09-ee53-4acb-a85a-62000398cabe.png)
You could try to reproduce with: https://developer.microsoft.com/en-us/graph/graph-explorer
You might get better error messages; try the /me endpoint and looking up your user via email.
I see your point. When I log in with the graph explorer and try the /me endpoint I get my e-mail. If I try the same e-mail in verify application it doesn't work.
If you want, I can show you the issue live.
Right, it may not work for a guest to configure it.
That's likely enough for me to reproduce it.
I found a way to get to the user's object ID and verified that works.
Should be released soon, PR at https://github.com/jenkinsci/azure-ad-plugin/pull/165
Sadly the problem is still here in 184.v44f04b65bdd5. I can do "verify application" by object id of the user, but that's it. (I could do that before.) Can't use the people picker for guest users @timja
Anything in the logs?
The above fixed my guest user.
Does it work for non-guest users?
These are the logs, which are quite fun, because I'm logged in as the user that it says "Cannot find the user" for.
```
2021-09-30 10:09:26.225+0000 [id=88022] INFO c.m.a.m.AcquireTokenByClientCredentialSupplier#execute: SkipCache set to false. Attempting cache lookup
2021-09-30 10:09:26.329+0000 [id=88022] INFO c.a.c.util.logging.ClientLogger#performLogging: Azure Identity => getToken() result for scopes [https://graph.microsoft.com/.default]: SUCCESS
2021-09-30 10:09:26.449+0000 [id=4213] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396Graph service exception Error code: Request_ResourceNotFound
2021-09-30 10:09:26.450+0000 [id=4213] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396Error message: Resource 'denis.hristov@domain.com' does not exist or one of its queried reference-property objects are not present.
2021-09-30 10:09:26.450+0000 [id=4213] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396
2021-09-30 10:09:26.451+0000 [id=4213] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396GET https://graph.microsoft.com/v1.0/users/denis.hristov@domain.com
2021-09-30 10:09:26.451+0000 [id=4213] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396SdkVersion : graph-java/v3.8.0
2021-09-30 10:09:26.452+0000 [id=4213] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396
2021-09-30 10:09:26.452+0000 [id=4213] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396
2021-09-30 10:09:26.453+0000 [id=4213] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396404 : Not Found
2021-09-30 10:09:26.453+0000 [id=4213] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396[...]
2021-09-30 10:09:26.454+0000 [id=4213] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396
2021-09-30 10:09:26.454+0000 [id=4213] SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396[Some information was truncated for brevity, enable debug logging for more details]
2021-09-30 10:09:26.454+0000 [id=4213] SEVERE c.m.graph.logger.DefaultLogger#logError: Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: Request_ResourceNotFound
Error message: Resource 'denis.hristov@domain.com' does not exist or one of its queried reference-property objects are not present.
GET https://graph.microsoft.com/v1.0/users/denis.hristov@domain.com
SdkVersion : graph-java/v3.8.0
404 : Not Found
[...]
```
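An added example, not part of the original thread or of the plugin's code: a small triage script for the log format quoted above. It pairs each Graph `GET .../users/{id}` line with a following `404 : Not Found` on the same `[id=N]` thread and reports whether the failed lookup used an e-mail address or an object ID. The sample log lines, the e-mail address and the GUID are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample, modelled on the Jenkins log format quoted in this thread.
P = "SEVERE c.m.graph.logger.DefaultLogger#logError: CoreHttpProvider[sendRequestInternal] - 396"
SAMPLE_LOG = "\n".join([
    f"2021-09-30 10:09:26.449+0000 [id=4213] {P}Graph service exception Error code: Request_ResourceNotFound",
    f"2021-09-30 10:09:26.451+0000 [id=4213] {P}GET https://graph.microsoft.com/v1.0/users/guest.user@example.com",
    f"2021-09-30 10:09:26.453+0000 [id=4213] {P}404 : Not Found",
    f"2021-09-30 10:11:02.100+0000 [id=4300] {P}GET https://graph.microsoft.com/v1.0/users/00000000-0000-0000-0000-000000000001",
    f"2021-09-30 10:11:02.101+0000 [id=4300] {P}404 : Not Found",
    "2021-09-30 10:12:00.000+0000 [id=4301] INFO unrelated line",
])

THREAD = re.compile(r"\[id=(\d+)\]")
USER_GET = re.compile(r"GET https://graph\.microsoft\.com/v1\.0/users/([^\s?/]+)")
NOT_FOUND = re.compile(r"404 : Not Found")
GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def classify(identifier):
    """Say how the user was addressed in the Graph request."""
    if GUID.match(identifier):
        return "object-id"
    if "@" in identifier:
        return "email-or-upn"
    return "other"


def failed_user_lookups(log_text):
    """Return (identifier, kind) for every /users/{id} GET that ended in a 404."""
    pending = {}   # Jenkins thread id -> identifier of the last /users GET seen
    failures = []
    for line in log_text.splitlines():
        thread = THREAD.search(line)
        if not thread:
            continue  # continuation lines of a stack trace carry no thread id
        tid = thread.group(1)
        get = USER_GET.search(line)
        if get:
            pending[tid] = get.group(1)
        elif NOT_FOUND.search(line) and tid in pending:
            ident = pending.pop(tid)
            failures.append((ident, classify(ident)))
    return failures


if __name__ == "__main__":
    for ident, kind in failed_user_lookups(SAMPLE_LOG):
        print(f"{kind:13} {ident}")
```

Entries reported as `email-or-upn` are the candidates for re-adding in the "$DisplayName ($objectId)" form mentioned earlier in the thread.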
You sure you've upgraded (and restarted)? On the new version it should be looking you up by object id and not email address.
I will restart once again, just to be on the safe side.
Just restarted - same thing unfortunately when I do verify application. Plugin version is:
OK, people picker is working when I start typing the name, but the verify application is not, but people picker we have at least :P
What happens with verify application?
The error that I showed u on top. 404 not found. People picker is working when u start typing something. That is a huge improvement. You did a good job there
Created a new issue ^^
Version report
Jenkins and plugins versions report: Jenkins: 2.277.4 OS: Linux - 4.18.0-193.6.3.el8_2.x86_64
git-client:3.7.1 trilead-api:1.0.13 cloudbees-folder:6.15 antisamy-markup-formatter:2.1 jaxb:2.3.0.1 jdk-tool:1.4 git-server:1.9 structs:1.23 gradle:1.36 workflow-step-api:2.23 token-macro:2.15 build-timeout:1.20 branch-api:2.6.4 credentials:2.5 pipeline-rest-api:2.19 plain-credentials:1.7 ssh-credentials:1.18.1 handlebars:3.0.8 credentials-binding:1.26 scm-api:2.6.4 workflow-api:2.46 timestamper:1.13 script-security:1.77 momentjs:1.1.1 workflow-support:3.8 durable-task:1.37 workflow-basic-steps:2.23 workflow-durable-task-step:2.39 okhttp-api:3.14.9 junit:1.49 matrix-project:1.18 pipeline-stage-view:2.19 command-launcher:1.6 resource-disposer:0.15 ws-cleanup:0.39 ant:1.11 pipeline-build-step:2.13 bouncycastle-api:2.20 github-api:1.123 ace-editor:1.1 jquery-detached:1.2.1 pipeline-model-api:1.8.5 workflow-scm-step:2.12 workflow-cps:2.92 git:4.7.2 workflow-job:2.41 mailer:1.34 apache-httpcomponents-client-4-api:4.5.13-1.0 display-url-api:2.3.5 pipeline-graph-analysis:1.10 pipeline-milestone-step:1.3.2 snakeyaml-api:1.27.0 github:1.33.1 jackson2-api:2.12.3 jsch:0.1.55.2 pipeline-input-step:2.12 pipeline-stage-step:2.5 blueocean-jwt:1.24.7 pipeline-model-extensions:1.8.5 favorite:2.3.3 cucumber:0.0.2 workflow-cps-global-lib:2.21 jira:3.5 workflow-multibranch:2.26 blueocean-rest-impl:1.24.7 pipeline-stage-tags-metadata:1.8.5 blueocean-pipeline-api-impl:1.24.7 pipeline-model-definition:1.8.5 blueocean-jira:1.24.7 lockable-resources:2.10 blueocean-display-url:2.4.1 workflow-aggregator:2.6 sse-gateway:1.24 github-branch-source:2.9.1 blueocean-events:1.24.7 pipeline-github-lib:1.0 mapdb-api:1.0.9.0 subversion:2.13.2 ssh-slaves:1.31.2 matrix-auth:2.6.7 pam-auth:1.6 ansible:1.1 ldap:1.26 email-ext:2.83 docker-commons:1.17 azure-commons:1.1.3 azure-ad:175.v5513346d764a docker-workflow:1.26 config-file-provider:3.8.0 pipeline-multibranch-defaults:2.1 blueocean-github-pipeline:1.24.7 authentication-tokens:1.4 mercurial:2.15 blueocean-git-pipeline:1.24.7 
handy-uri-templates-2-api:2.1.8-1.0 blueocean-web:1.24.7 cloudbees-bitbucket-branch-source:2.9.9 nodejs:1.4.0 sonar:2.12 xvfb:1.1.3 variant:1.4 aws-java-sdk:1.11.995 blueocean-i18n:1.24.7 aws-credentials:1.29 blueocean-autofavorite:1.2.4 windows-slaves:1.7 blueocean-config:1.24.7 cloudbees-credentials:3.3 blueocean:1.24.7 cucumber-reports:5.5.0 ansicolor:1.0.0 htmlpublisher:1.25 folder-properties:1.2.1 blueocean-bitbucket-pipeline:1.24.7 jenkins-design-language:1.24.7 blueocean-core-js:1.24.7 blueocean-commons:1.24.7 blueocean-rest:1.24.7 pubsub-light:1.13 blueocean-dashboard:1.24.7 blueocean-pipeline-scm-api:1.24.7 blueocean-personalization:1.24.7 blueocean-pipeline-editor:1.24.7 ruby-runtime:0.12 popper-api:1.16.1-2 external-monitor-job:1.7 jquery3-api:3.6.0-1 azure-credentials:182.v3ccd4a755864 copyartifact:1.46.1 windows-azure-storage:358.v5c001416d74f allure-jenkins-plugin:2.29.0 bootstrap4-api:4.6.0-3 Office-365-Connector:4.15.0 javadoc:1.6 echarts-api:5.1.0-2 checks-api:1.7.0 plugin-util-api:2.3.0 font-awesome-api:5.15.3-3 azure-container-agents:209.vb415245ae23a ivy:2.1 scmskip:1.0.3 kubernetes-credentials:0.9.0 simple-theme-plugin:0.6 theme-manager:0.6 kubernetes:1.30.0 run-condition:1.5 kubernetes-client-api:5.4.1 python:1.3 metrics:4.0.2.7 artifactory:3.11.4 caffeine-api:2.9.1-23.v51c4e2c879c8 maven-plugin:3.12 extended-read-permission:3.2 cloud-stats:0.27 azure-sdk:23.v5682688d0eef dark-theme:0.0.12 pipeline-utility-steps:2.8.0 snyk-security-scanner:2.13.0