jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

API token calls do not work with Guest Users in AAD #171

Open k0s15 opened 2 years ago

k0s15 commented 2 years ago

Version report

Jenkins and plugins versions report:

Jenkins: 2.303.1
Azure AD Plugin: 185.v3b416408dcb1
Operating System: Linux

Reproduction steps

Step 1: Invite a guest user in AAD.
Step 2: Log in to Jenkins with this guest user and get the Jenkins API token.
Step 3: Call http(s)://[guest user login id]:[token]@[jenkins host] from a command prompt.
Step 4: The call fails.

P.S. Sometimes step 3 may succeed if the guest user currently has an active login. Log out the guest user and wait 30 minutes before retrying.

Results

Expected result:

Able to get result through http(s)://[user]:[token]@[jenkins host]/...

Actual result:

Response: "A problem occurred while processing the request."

[ERROR found in Jenkins System log]

Oct 27, 2021 1:00:00 PM SEVERE com.microsoft.graph.logger.DefaultLogger logError
Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: Request_ResourceNotFound
Error message: Resource '[guest user login ID]' does not exist or one of its queried reference-property objects are not present.

GET https://graph.microsoft.com/v1.0/users/[guest user login ID]
SdkVersion : graph-java/v3.8.0

404 : Not Found
[...]

[Some information was truncated for brevity, enable debug logging for more details]

Oct 27, 2021 1:00:00 PM WARNING jenkins.security.BasicHeaderApiTokenAuthenticator authenticate2
API token matched for user [guest user login id] but the impersonation failed
org.springframework.security.core.userdetails.UsernameNotFoundException: Cannot find user: [guest user login ID]

Oct 27, 2021 1:00:00 PM WARNING jenkins.security.BasicHeaderApiTokenAuthenticator authenticate2
API token matched for user [guest user login ID] but the impersonation failed

Suggested solution: As the UPN of a guest user differs from the "Jenkins User ID" / "guest user login ID", can we consider using the user object ID instead of the UPN when calling https://graph.microsoft.com/v1.0/users/?

timja commented 2 years ago

Somewhat similar to https://github.com/jenkinsci/azure-ad-plugin/pull/165

Yes, your suggested fix is likely the correct one.
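The following is an added example illustrating the failure mode reported above and the object-id lookup that the reporter suggests and the maintainer endorses. It is not code from the azure-ad-plugin or from either commenter. The mini directory, the object ids and the user names are constructed; what it models is real Graph behaviour: `GET /v1.0/users/{key}` resolves an object id or a userPrincipalName but not the `mail` attribute, and Azure AD stores B2B guests under a mangled UPN of the form `alias_homedomain#EXT#@tenant.onmicrosoft.com`, so the address a guest signs in with (which Jenkins uses as the user id) is not a valid lookup key. That an `oid` is available to the caller at the point of the lookup is an assumption of the example.

```python
import re
import urllib.parse

# Constructed mini directory standing in for the Azure AD tenant (example data,
# not taken from the issue). B2B guests are stored with a mangled UPN of the
# form <alias>_<home-domain>#EXT#@<tenant>.onmicrosoft.com; the address they
# sign in with is kept in `mail`, which is what Jenkins sees as the user id.
DIRECTORY = [
    {
        "id": "0b4e9d2a-1c3f-4a5e-9b7d-2f6c8e1a3d5f",  # constructed object id
        "userType": "Member",
        "userPrincipalName": "bob@tenant.onmicrosoft.com",
        "mail": "bob@tenant.onmicrosoft.com",
    },
    {
        "id": "7d1f2e3a-4b5c-6d7e-8f90-a1b2c3d4e5f6",  # constructed object id
        "userType": "Guest",
        "userPrincipalName": "alice_contoso.com#EXT#@tenant.onmicrosoft.com",
        "mail": "alice@contoso.com",
    },
]

GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I
)


def graph_user_path(key: str) -> str:
    """Path for GET /v1.0/users/{id | userPrincipalName}.

    A raw '#' in a URL is a fragment delimiter and is never sent to the
    server, so the '#EXT#' in a guest UPN has to travel as %23.
    """
    return "/v1.0/users/" + urllib.parse.quote(key, safe="@")


def graph_get_user(key: str):
    """Simulate Graph's lookup semantics: the path segment may be the object
    id or the userPrincipalName, never the mail attribute. Returns None where
    the real service answers 404 Request_ResourceNotFound."""
    needle = key.lower()
    for user in DIRECTORY:
        if needle in (user["id"].lower(), user["userPrincipalName"].lower()):
            return user
    return None


def resolve_by_login_id(login_id: str):
    """What the report describes: look the Jenkins user id up as if it were
    a UPN. Works for members, 404s for guests."""
    return graph_get_user(login_id)


def resolve_by_oid(oid: str, login_id: str):
    """The suggested fix: key the Graph call on the stable object id when one
    is available, and only fall back to the login id otherwise."""
    if GUID_RE.match(oid or ""):
        return graph_get_user(oid)
    return graph_get_user(login_id)


if __name__ == "__main__":
    # Member: both strategies find the user.
    print(resolve_by_login_id("bob@tenant.onmicrosoft.com")["userType"])
    # Guest: login-id lookup fails, object-id lookup succeeds.
    print(resolve_by_login_id("alice@contoso.com"))
    print(resolve_by_oid("7d1f2e3a-4b5c-6d7e-8f90-a1b2c3d4e5f6",
                         "alice@contoso.com")["userType"])
    # Encoded path a client must send if it does look a guest up by UPN.
    print(graph_user_path("alice_contoso.com#EXT#@tenant.onmicrosoft.com"))
```

Keying on the object id also sidesteps the encoding trap shown by `graph_user_path`: a GUID contains no characters that need escaping, whereas a guest UPN sent with a literal `#` is truncated by the client before it reaches Graph and produces the same 404 as a genuinely unknown user.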