Open tzachs opened 2 years ago
Check the browser console logs for errors
@timja I've checked, nothing in the console logs
It looks like there is no XHR query running when I'm typing
Refresh the page and make sure the query to /me on page load works
@timja 1st, thanks for the quick response :) 2nd, I don't see any request to /me under Network. What am I missing?
Could you attach a screenshot of the security configuration page and of the network tab of browser console after a fresh page load, blurring / masking whatever you need
Unfortunately I can't. Is there a way I can troubleshoot this? I suspect it's something with the Graph API
On page load there should be an XHR request to this:
If there's not an XHR request the only thing I can think of is either the plugin isn't configured or you're using an old browser that the web component doesn't work on.
Both on latest Chrome (96.0.4664.110) and latest Safari (Version 15.2 (17612.3.6.1.6)) I don't see a request to me
Don't think I can help much more without seeing the config, (you can redact as much as you like I just need to see what's ticked and what fields are filled out)
I have seen some HTTP requests to Jenkins fail because of a misconfigured reverse proxy. That was not with the Azure AD plugin, but if you are using a reverse proxy, please do check its logs as well.
@timja here is my configuration (BTW, I do really appreciate you trying to help me on New Years 🙂 ) Notice that I was able to verify my name using the email I've typed in "Test user principal name or object id"
can you add network tab from fresh page load and browser console?
Also any chance you are a guest user (should work although didn't initially) or something special set up on your tenant?
Have you checked the system log too?
@timja nothing in the system logs
@timja network of XHR only?
yup XHR only is fine
Any reason you aren't on 189?
not sure if it would cause any issues but shouldn't?
(be aware of the breaking changes in matrix-auth)
@timja because of the breaking change 🙂
if this could help, i had the same issue on Firefox but search is well returning results on chrome.
Thanks @aubertaa , I've tried from both safari and chrome :(
Jenkins and plugins versions report
We have the same problem under: Jenkins 2.332.1, Azure AD Plugin Version 191.vfc8019068670
What Operating System are you using (both controller, and any agents involved in the problem)? Distributor ID: Windows Description: Server 2019 Datacenter Release: 17763.1158
Reproduction steps
Go to Dashboard --> Configure Global Security --> Click on "Test user principal name or object id", type email and press Verify Application. Works as expected.
Go to Azure User/group to add, type the same email. Expected to find the user but getting "Didn't find any matches" or stuck on Loading
Expected Results Ability to find the users
Actual Results Getting Didn't find any matches
Console Output: GET http://localhost:8080//GraphProxy/v1.0/me 400 (Bad Request)
Response Header:
Response Body: {"error":{"code":"BadRequest","message":"/me request is only valid with delegated authentication flow.","innerError":{"date":"2022-03-23T10:43:11","request-id":"9932c8ee-fd3d-49ae-90a7-000000000000","client-request-id":"9932c8ee-fd3d-49ae-90a7-000000000000"}}}
Anything else? Permission on Azure:
Jenkins Url (Root URL): http://localhost:8080/
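Added example (not from the thread or the plugin's code): a Python triage helper for the `/me` response shown in the report above. It recognises the Graph error and, when the access token is available, checks whether it is delegated (`scp` claim) or app-only (`roles` claim); the function names and the sample token are constructed for illustration.

```python
import base64
import json
from typing import Optional

# Error body trimmed from the response quoted in the report above.
SAMPLE_BODY = ('{"error":{"code":"BadRequest","message":'
               '"/me request is only valid with delegated authentication flow."}}')


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped string (sample input only)."""
    def enc(obj: dict) -> str:
        raw = base64.urlsafe_b64encode(json.dumps(obj).encode())
        return raw.rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


def jwt_claims(token: str) -> dict:
    """Decode the payload segment WITHOUT verifying the signature (triage only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_flow(claims: dict) -> str:
    """Delegated tokens carry 'scp'; app-only (client-credentials) tokens carry 'roles'."""
    if claims.get("scp"):  # checked first: delegated tokens may also list user roles
        return "delegated"
    if claims.get("roles") or claims.get("idtyp") == "app":
        return "app-only"
    return "unknown"


def diagnose_me(status: int, body: str, token: Optional[str] = None) -> str:
    """Classify a response to GET .../GraphProxy/v1.0/me."""
    if status == 200:
        return "ok"
    try:
        err = json.loads(body)["error"]
        code, msg = err["code"], err["message"]
    except (ValueError, KeyError, TypeError):
        return f"http-{status}: body is not a Graph error (check proxy/Jenkins logs)"
    if "delegated authentication flow" in msg:
        flow = token_flow(jwt_claims(token)) if token else "unverified"
        return f"me-needs-delegated-token; token flow: {flow}"
    return f"graph-error: {code}"


if __name__ == "__main__":
    app_token = make_unsigned_token({"roles": ["User.Read.All"], "idtyp": "app"})
    print(diagnose_me(400, SAMPLE_BODY, app_token))
```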
I was having this same issue under Jenkins 2.345 with Azure AD plugin 191.vfc8019068670. I could not upgrade to the latest plugin version due to #198 but I couldn't fix my configuration because the user picker for "Azure Active Directory Matrix-based security" is broken. I tried Brave Browser, Chrome, and Firefox. It's worth noting that the user picker worked in the project configuration under "Enable Project-based Security", so I don't think it was related to my reverse proxy. It just wasn't working in the "Configure Global Security" section. The user picker wasn't making any HTTP requests on the "Configure Global Security" page for some reason and there were no JavaScript errors.
As a workaround, I saved a project configuration with project-based security so I could see the correct permission values, manually updated the root config.xml, and restarted Jenkins. This seemed to work and allowed me to upgrade to the latest version of the plugin (195.v8555a0bf0d22) where the user picker appears to be working again.
user picker won't make any http requests if the first call to /me fails. which is probably what happened but would need to see why
@timja It appears that there is no /me request made when the page is loaded with "Project-based Matrix Authorization Strategy" selected and the drop-down is changed to "Azure Active Directory Matrix-based security". I was just able to reproduce the problem by downgrading. I confirmed the user picker started working after saving the selection for "Azure Active Directory Matrix-based security", granting "authenticated" users full access (so as to not lock myself out), and reloading the page.
Right yes, that's a limitation I think. It might be fixed on recent versions of Jenkins core, but I'd need to check that as there was a change in that area.
I'm still seeing this issue with Jenkins 2.414.3, I used the workaround from @gtbuchanan
Hi,
We're seeing that on 2.426.1 with latest released plugins (azure ad version 442.v355cca_6b_c169).
It appears user search doesn't work until the configuration is saved. Afterwards it works fine until Jenkins service restart. Then it stops working again until it's saved.
It appears the only changes to the config made when save is hit are to clientid and tenentid values in config.xml
We've tried removing the authorizationStrategy section of the config as a test, with no difference. There are no exceptions logged also.
This issue is really annoying - we need to add instructions for users, that after every restart of Jenkins they need to: in the UI, go to Security and just SAVE to activate Graph integration with AzureAD.
> It appears user search doesn't work until the configuration is saved

Yes that's expected. I think the only way to fix that is to separate the pages.

> Afterwards it works fine until jenkins service restart

I can't reproduce that and it shouldn't do that =/
Jenkins and plugins versions report
Environment
```text
Jenkins: 2.319.1
OS: Linux - 4.4.0-1128-aws
---
Parameterized-Remote-Trigger:3.1.3 ace-editor:1.1 all-changes:1.5 ansicolor:1.0.1 ant:1.13 antisamy-markup-formatter:2.6 apache-httpcomponents-client-4-api:4.5.13-1.0 audit-trail:3.10 authentication-tokens:1.4 authorize-project:1.4.0 azure-ad:185.v3b416408dcb1 azure-commons:1.1.3 azure-sdk:70.v63f6a95999a7 bitbucket:214.v2fd4234d0554 blueocean:1.25.1 blueocean-autofavorite:1.2.4 blueocean-bitbucket-pipeline:1.25.1 blueocean-commons:1.25.2 blueocean-config:1.25.2 blueocean-core-js:1.25.2 blueocean-dashboard:1.25.2 blueocean-display-url:2.4.1 blueocean-events:1.25.1 blueocean-git-pipeline:1.25.1 blueocean-github-pipeline:1.25.1 blueocean-i18n:1.25.2 blueocean-jira:1.25.2 blueocean-jwt:1.25.2 blueocean-personalization:1.25.2 blueocean-pipeline-api-impl:1.25.1 blueocean-pipeline-editor:1.25.1 blueocean-pipeline-scm-api:1.25.2 blueocean-rest:1.25.2 blueocean-rest-impl:1.25.2 blueocean-web:1.25.2 bootstrap4-api:4.6.0-3 bootstrap5-api:5.1.3-4 bouncycastle-api:2.25 branch-api:2.7.0 build-blocker-plugin:1.7.7 build-timeout:1.20 build-token-root:1.9 build-user-vars-plugin:1.8 build-with-parameters:1.6 caffeine-api:2.9.2-29.v717aac953ff3 changes-since-last-success:0.6 checks-api:1.7.2 cloudbees-bitbucket-branch-source:734.v2f848c5e6ea2 cloudbees-folder:6.17 command-launcher:1.6 conditional-buildstep:1.4.1 copyartifact:1.46.2 credentials:1055.v1346ba467ba1 credentials-binding:1.27 custom-checkbox-parameter:1.4 dashboard-view:2.18 description-setter:1.10 display-url-api:2.3.5 docker-commons:1.17 docker-workflow:1.26 durable-task:493.v195aefbb0ff2 echarts-api:5.2.2-2 email-ext:2.86 envinject:2.4.0 envinject-api:1.8 extended-read-permission:3.2 external-monitor-job:1.7 favorite:2.3.3 font-awesome-api:5.15.4-5 git:4.10.1 git-client:3.10.1 git-parameter:0.9.14 git-server:1.10 github:1.34.1 github-api:1.301-378.v9807bd746da5 github-branch-source:2.11.4 global-build-stats:1.5 google-login:1.6 gradle:1.37.1 groovy:2.4
handlebars:3.0.8 handy-uri-templates-2-api:2.1.8-1.0 htmlpublisher:1.28 jackson2-api:2.13.1-242.v1a45bad25ceb javadoc:1.6 jdk-tool:1.5 jenkins-design-language:1.25.2 jira:3.6 jjwt-api:0.11.2-9.c8b45b8bb173 jobConfigHistory:2.31-rc1092.de9e11acbcf3 jquery:1.12.4-1 jquery-detached:1.2.1 jquery-ui:1.0.2 jquery3-api:3.6.0-2 jsch:0.1.55.2 junit:1.53 ldap:2.7 lockable-resources:2.13 mail-watcher-plugin:1.16 mailer:1.34 mapdb-api:1.0.9.0 matrix-auth:2.6.8 matrix-project:1.19 maven-plugin:3.16 mercurial:2.16 metrics:4.0.2.8 momentjs:1.1.1 monitoring:1.90.0 nodelabelparameter:1.10.3 okhttp-api:4.9.3-105.vb96869f8ac3a pam-auth:1.6.1 parameterized-scheduler:1.0 parameterized-trigger:2.43 pipeline-build-step:2.15 pipeline-github-lib:1.0 pipeline-graph-analysis:188.v3a01e7973f2c pipeline-input-step:427.va6441fa17010 pipeline-milestone-step:1.3.2 pipeline-model-api:1.9.3 pipeline-model-declarative-agent:1.1.1 pipeline-model-definition:1.9.3 pipeline-model-extensions:1.9.3 pipeline-rest-api:2.20 pipeline-stage-step:291.vf0a8a7aeeb50 pipeline-stage-tags-metadata:1.9.3 pipeline-stage-view:2.20 pipeline-utility-steps:2.11.0 plain-credentials:1.7 plugin-util-api:2.9.0 popper-api:1.16.1-2 popper2-api:2.11.0-1 project-build-times:1.2.1 project-description-setter:1.2 pubsub-light:1.16 rebuild:1.32 resource-disposer:0.17 role-strategy:3.2.0 run-condition:1.5 saml:2.0.9 scm-api:2.6.5 script-security:1118.vba21ca2e3286 shelve-project-plugin:3.2 slack:2.23 snakeyaml-api:1.29.1 sse-gateway:1.24 ssh-credentials:1.19 ssh-slaves:1.33.0 sshd:3.1.0 started-by-envvar:1.0 structs:308.v852b473a2b8c subversion:2.15.1 test-results-analyzer:0.3.5 timestamper:1.15 token-macro:267.vcdaea6462991 trilead-api:1.0.13 uno-choice:2.5.7 variant:1.4 windows-slaves:1.8 workflow-aggregator:2.6 workflow-api:1108.v57edf648f5d4 workflow-basic-steps:2.24 workflow-cps:2648.va9433432b33c workflow-cps-global-lib:552.vd9cc05b8a2e1 workflow-durable-task-step:2.39 workflow-job:1145.v7f2433caa07f
workflow-multibranch:696.v52535c46f4c9 workflow-scm-step:2.13 workflow-step-api:615.vb09dac339255 workflow-support:804.vba10a18a1476 ws-cleanup:0.40
```
What Operating System are you using (both controller, and any agents involved in the problem)?
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.7 LTS
Release: 16.04
Codename: xenial
Reproduction steps
Expected Results
Ability to find the users
Actual Results
Getting Didn't find any matches
Anything else?
No response