Version report
Jenkins and plugins versions report:
Jenkins: 2.303.1
Azure AD Plugin: 185.v3b416408dcb1
Operating System: Linux
Reproduction steps
Step 1: Invite a guest user in AAD
Step 2: Log in to Jenkins with this guest user and get the Jenkins API token
Step 3: Call http(s)://[guest user login id]:[token]@[jenkins host] in a command prompt
Step 4: The call fails
P.S. Sometimes step 3 may succeed if the guest user is logged in. Log out the guest user and wait 30 minutes before retrying.
Results
Expected result:
Able to get result through http(s)://[user]:[token]@[jenkins host]/...
Actual result:
Response: "A problem occurred while processing the request."
[ERROR found in Jenkins System log]
Oct 27, 2021 1:00:00 PM SEVERE com.microsoft.graph.logger.DefaultLogger logError
Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: Request_ResourceNotFound
Error message: Resource '[guest user login ID]' does not exist or one of its queried reference-property objects are not present.
GET https://graph.microsoft.com/v1.0/users/[guest user login ID]
SdkVersion : graph-java/v3.8.0
404 : Not Found [...]
[Some information was truncated for brevity, enable debug logging for more details]
Oct 27, 2021 1:00:00 PM WARNING jenkins.security.BasicHeaderApiTokenAuthenticator authenticate2
API token matched for user [guest user login id] but the impersonation failed
org.springframework.security.core.userdetails.UsernameNotFoundException: Cannot find user: [guest user login ID]
Oct 27, 2021 1:00:00 PM WARNING jenkins.security.BasicHeaderApiTokenAuthenticator authenticate2
API token matched for user [guest user login ID] but the impersonation failed
Suggested solution:
As the UPN of the guest user is different from the "Jenkins User ID" / "guest user login ID", can we consider using the user object ID instead of the UPN when calling https://graph.microsoft.com/v1.0/users/ ?
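For triaging the log pattern reported above, the following is an added example, not part of the original issue or of the plugin's code. It groups Jenkins system log entries and separates "impersonation failed" events that follow a Graph Request_ResourceNotFound for the same user from those that do not. The sample log and the user IDs in it are constructed placeholders.

```python
import re
from collections import Counter

# Constructed sample in the format of the log excerpt above; user IDs are placeholders.
SAMPLE_LOG = """\
Oct 27, 2021 1:00:00 PM SEVERE com.microsoft.graph.logger.DefaultLogger logError
Throwable detail: com.microsoft.graph.http.GraphServiceException: Error code: Request_ResourceNotFound
Error message: Resource 'guest@example.com' does not exist or one of its queried reference-property objects are not present.
GET https://graph.microsoft.com/v1.0/users/guest@example.com
404 : Not Found
Oct 27, 2021 1:00:00 PM WARNING jenkins.security.BasicHeaderApiTokenAuthenticator authenticate2
API token matched for user guest@example.com but the impersonation failed
org.springframework.security.core.userdetails.UsernameNotFoundException: Cannot find user: guest@example.com
Oct 27, 2021 1:05:00 PM WARNING jenkins.security.BasicHeaderApiTokenAuthenticator authenticate2
API token matched for user other@example.com but the impersonation failed
"""

HEADER = re.compile(r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M ([A-Z]+) (\S+) (\S+)$")
NOT_FOUND = re.compile(r"Request_ResourceNotFound.*?Resource '([^']+)' does not exist", re.S)
IMPERSONATION = re.compile(r"API token matched for user (\S+) but the impersonation failed")

def split_records(text):
    """Group continuation lines under the timestamped header line that precedes them."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            records.append({"level": m.group(1), "logger": m.group(2), "body": ""})
        elif records:
            records[-1]["body"] += line + "\n"
    return records

def classify_failures(text):
    """Count impersonation failures per (user, cause); cause depends on an earlier Graph 404 for that user."""
    missing_in_graph, result = set(), Counter()
    for rec in split_records(text):
        nf = NOT_FOUND.search(rec["body"])
        if nf and rec["logger"].startswith("com.microsoft.graph"):
            missing_in_graph.add(nf.group(1).lower())
        imp = IMPERSONATION.search(rec["body"])
        if imp and rec["logger"].endswith("BasicHeaderApiTokenAuthenticator"):
            user = imp.group(1).lower()
            cause = "graph_lookup_404" if user in missing_in_graph else "unexplained"
            result[(user, cause)] += 1
    return dict(result)

if __name__ == "__main__":
    for (user, cause), n in classify_failures(SAMPLE_LOG).items():
        print(f"{user}: {n} impersonation failure(s), cause={cause}")
```

Entries classified as `unexplained` have a valid API token but no matching directory lookup error in the same log, so they need a separate look.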