jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

Suggested user/group fails to appear with Bad Request 404 #526

Closed joe-agent closed 9 months ago

joe-agent commented 9 months ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.426.1
OS: Windows Server 2019 - 10.0
Java: 11.0.8 - AdoptOpenJDK (OpenJDK 64-Bit Server VM)
---
Parameterized-Remote-Trigger:3.2.0 ace-editor:1.1 analysis-model-api:11.13.0 antisamy-markup-formatter:162.v0e6ec0fcfcf6 apache-httpcomponents-client-4-api:4.5.14-208.v438351942757 atlassian-jira-software-cloud:2.0.11 authentication-tokens:1.53.v1c90fd9191a_b_ azure-ad:449.v92b_39a_d8e523 azure-credentials:293.vb_d506148f506 azure-sdk:157.v855da_0b_eb_dc2 azure-vm-agents:883.v63c930b_025dc bitbucket:241.v6d24a_57f9359 bitbucket-filter-project-trait:1.0 blueocean:1.27.9 blueocean-autofavorite:1.2.5 blueocean-bitbucket-pipeline:1.27.9 blueocean-commons:1.27.9 blueocean-config:1.27.9 blueocean-core-js:1.27.9 blueocean-dashboard:1.27.9 blueocean-display-url:2.4.2 blueocean-events:1.27.9 blueocean-git-pipeline:1.27.9 blueocean-github-pipeline:1.27.9 blueocean-i18n:1.27.9 blueocean-jwt:1.27.9 blueocean-personalization:1.27.9 blueocean-pipeline-api-impl:1.27.9 blueocean-pipeline-editor:1.27.9 blueocean-pipeline-scm-api:1.27.9 blueocean-rest:1.27.9 blueocean-rest-impl:1.27.9 blueocean-web:1.27.9 bootstrap4-api:4.6.0-6 bootstrap5-api:5.3.2-3 bouncycastle-api:2.30.1.77-225.v26ea_c9455fd9 branch-api:2.1135.v8de8e7899051 build-token-root:151.va_e52fe3215fc build-user-vars-plugin:1.9 build-with-parameters:76.v9382db_f78962 caffeine-api:3.1.8-133.v17b_1ff2e0599 checks-api:2.0.2 cloud-stats:320.v96b_65297a_4b_b_ cloudbees-bitbucket-branch-source:856.v04c46c86f911 cloudbees-folder:6.858.v898218f3609d command-launcher:107.v773860566e2e commons-lang3-api:3.13.0-62.v7d18e55f51e2 commons-text-api:1.11.0-95.v22a_d30ee5d36 credentials:1311.vcf0a_900b_37c2 credentials-binding:642.v737c34dea_6c2 custom-folder-icon:2.10 custom-tools-plugin:0.8 dashboard-view:2.495.v07e81500c3f2 data-tables-api:1.13.8-2 display-url-api:2.200.vb_9327d658781 docker-commons:439.va_3cb_0a_6a_fb_29 docker-workflow:572.v950f58993843 dtkit-api:3.0.2 durable-task:523.va_a_22cf15d5e0
echarts-api:5.4.3-2 embeddable-build-status:412.v09da_db_1dee68 extended-choice-parameter:376.v2e02857547b_a_ extended-read-permission:53.v6499940139e5 favorite:2.208.v91d65b_7792a_c font-awesome-api:6.5.1-1 forensics-api:2.3.0 git:5.2.1 git-client:4.6.0 github:1.37.3.1 github-api:1.318-461.v7a_c09c9fa_d63 github-branch-source:1755.vcdb_d136f3b_25 handlebars:3.0.8 handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 htmlpublisher:1.32 instance-identity:185.v303dc7c645f9 ionicons-api:56.v1b_1c8c49374e jackson2-api:2.15.3-372.v309620682326 jakarta-activation-api:2.0.1-3 jakarta-mail-api:2.0.1-3 javadoc:243.vb_b_503b_b_45537 javax-activation-api:1.2.0-6 javax-mail-api:1.6.2-9 jaxb:2.3.9-1 jdk-tool:73.vddf737284550 jenkins-design-language:1.27.9 jjwt-api:0.11.5-77.v646c772fddb_0 jquery:1.12.4-1 jquery3-api:3.7.1-1 jsch:0.2.8-65.v052c39de79b_2 json-path-api:2.8.0-5.v07cb_a_1ca_738c junit:1240.vf9529b_881428 lockable-resources:1218.va_3dd45e2b_fa_7 mailer:463.vedf8358e006b_ matrix-auth:3.2.1 matrix-project:818.v7eb_e657db_924 mercurial:1260.vdfb_723cdcc81 mina-sshd-api-common:2.11.0-86.v836f585d47fa_ mina-sshd-api-core:2.11.0-86.v836f585d47fa_ momentjs:1.1.1 msbuild:1.30 mstest:1.0.5 multi-slave-config-plugin:1.2.0 nodelabelparameter:1.12.0 nuget:1.1 okhttp-api:4.11.0-157.v6852a_a_fa_ec11 parameterized-trigger:787.v665fcf2a_830b_ pipeline-build-step:539.v8c889169451f pipeline-graph-analysis:202.va_d268e64deb_3 pipeline-groovy-lib:689.veec561a_dee13 pipeline-input-step:477.v339683a_8d55e pipeline-milestone-step:111.v449306f708b_7 pipeline-model-api:2.2151.ve32c9d209a_3f pipeline-model-definition:2.2151.ve32c9d209a_3f pipeline-model-extensions:2.2151.ve32c9d209a_3f pipeline-rest-api:2.34 pipeline-stage-step:305.ve96d0205c1c6 pipeline-stage-tags-metadata:2.2151.ve32c9d209a_3f pipeline-stage-view:2.34 pipeline-utility-steps:2.16.0 plain-credentials:143.v1b_df8b_d3b_e48 plugin-util-api:3.6.0 popper-api:1.16.1-3 popper2-api:2.11.6-4 prism-api:1.29.0-10 pubsub-light:1.18
resource-disposer:0.23 scm-api:683.vb_16722fb_b_80b_ script-security:1294.v99333c047434 show-build-parameters:1.0 snakeyaml-api:2.2-111.vc6598e30cc65 sse-gateway:1.26 ssh-credentials:308.ve4497b_ccd8f4 ssh-slaves:2.916.vd17b_43357ce4 sshd:3.303.vefc7119b_ec23 structs:325.vcb_307d2a_2782 timestamper:1.26 token-macro:400.v35420b_922dcb_ trilead-api:2.84.v72119de229b_7 uno-choice:2.8.1 validating-string-parameter:183.v3748e79b_9737 variant:60.v7290fc0eb_b_cd view-job-filters:369.ve0513a_a_f5524 warnings-ng:10.5.2 windows-slaves:1.8.1 workflow-aggregator:596.v8c21c963d92d workflow-api:1283.v99c10937efcb_ workflow-basic-steps:1042.ve7b_140c4a_e0c workflow-cps:3826.v3b_5707fe44da_ workflow-durable-task-step:1289.v4d3e7b_01546b_ workflow-job:1385.vb_58b_86ea_fff1 workflow-multibranch:756.v891d88f2cd46 workflow-scm-step:415.v434365564324 workflow-step-api:639.v6eca_cd8c04a_a_ workflow-support:865.v43e78cc44e0d ws-cleanup:0.45 xunit:3.1.3
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Windows

Reproduction steps

  1. I have connected Jenkins with Azure AD & anyone within my organisation can login to Jenkins.
  2. I had updated Azure AD plugin to the latest version (as of 23rd Dec 2023)
  3. I also got API permission granted in the Jenkins's Service Principal account in Azure below: Microsoft Graph
    • Directory.Read.All Delegated
    • Directory.Read.All Application
    • email Delegated
    • Group.Read.All Delegated
    • Group.Read.All Application
    • People.Read.All Delegated
    • People.Read.All Application
    • User.Read Delegated
    • User.Read.All
  4. I have assigned Administrator role to the Anonymous & Authenticated Users like below: image

Expected Results

User or Azure user group shows up.

Actual Results

When I type user or Azure group in the Azure User/group to add, no user shows up.

Instead, I got 400 Bad Request status code from many API calls like below:

```json
{
    "error": {
        "code": "BadRequest",
        "message": "Query option '$top' was specified more than once, but it must be specified at most once.",
        "innerError": {
            "date": "2023-12-23T07:35:43",
            "request-id": "337e4376-149a-4cf8-8611-e6f84d13d97d",
            "client-request-id": "337e4376-149a-4cf8-8611-e6f84d13d97d"
        }
    }
}
```

Anything else?

I have not checked the console from the Script Console in Jenkins > Manage Jenkins > Script Console

Are you interested in contributing a fix?

No response

timja commented 9 months ago

Is there anything in the system log? can you provide the network request that is being made from the network tab of the browser console please?

joe-agent commented 9 months ago

Hi @timja, thanks for the response.

> network request that is being made from the network tab of the browser console please

https://jenkins.redacted.net/manage//GraphProxy/v1.0/me/people?$top=10&$filter=personType/class%20eq%20%27Person%27

Here is one of the many failed API calls made by the plugins. I got the response for the API call above:

```json
{
    "error": {
        "code": "BadRequest",
        "message": "Query option '$top' was specified more than once, but it must be specified at most once.",
        "innerError": {
            "date": "2023-12-31T14:07:19",
            "request-id": "dec14c93-d18f-4ec9-a96b-f8e5533dc76e",
            "client-request-id": "dec14c93-d18f-4ec9-a96b-f8e5533dc76e"
        }
    }
}
```

When I typed in my office email address in the Azure User/group to add, I got a similar API response like below: https://jenkins.redacted.net/manage//GraphProxy/v1.0/me/people?$search=%22firstname.surname%22&$top=10&$filter=personType/class%20eq%20%27Person%27

```json
{
    "error": {
        "code": "BadRequest",
        "message": "Query option '$search' was specified more than once, but it must be specified at most once.",
        "innerError": {
            "date": "2023-12-31T13:58:53",
            "request-id": "16932a77-ad1a-49fd-8828-cb3c4f637992",
            "client-request-id": "16932a77-ad1a-49fd-8828-cb3c4f637992"
        }
    }
}
```

> Is there anything in the system log

Here is what the system log shows when I searched my email address.

```text
Returning token from cache
Dec 31, 2023 1:57:53 PM INFO com.azure.core.util.logging.ClientLogger performDeferredLogging
Azure Identity => getToken() result for scopes [https://graph.microsoft.com/.default]: SUCCESS
Dec 31, 2023 1:57:54 PM INFO com.microsoft.aad.msal4j.AcquireTokenSilentSupplier execute
Returning token from cache
Dec 31, 2023 1:57:54 PM INFO com.azure.core.util.logging.ClientLogger performDeferredLogging
Azure Identity => getToken() result for scopes [https://graph.microsoft.com/.default]: SUCCESS
Dec 31, 2023 1:57:55 PM INFO com.microsoft.jenkins.azuread.AzureSecurityRealm lambda$doFinishLogin$1
Fetch user details with sub: 5204c90e***
```

Please advise what other diagnostic information do you need to troubleshoot this issue further. Thanks.

joe-agent commented 9 months ago

I have updated my Jenkins version & list of all installed plugins in my original post.

timja commented 9 months ago

Hmm, $top only seems to be in the query once =/.

Has admin consent been provided for the application permissions by a global administrator?

joe-agent commented 9 months ago

@timja , thanks for the response.

> Has admin consent been provided for the application permissions by a global administrator?

image Did you mean those API permissions?

I have got those permissions granted after the client secret token had been added ages ago in Jenkins. Do I need to recreate the client secret token after the API permissions have been granted?

timja commented 9 months ago

> Do I need to recreate the client secret token after the API permissions have been granted?

No. You also don't need the delegated permissions, only the application ones are required.

Maybe try create a new one from scratch, I can't think of anything else.

joe-agent commented 9 months ago

Hi @timja, after several trial & errors, I finally got it to work.

Here is the summary: The reason we got this bug is that the plugin has an issue with the Jenkins reverse proxy IIS setup in a Windows Server virtual machine. The UNENCODED_URL broke the API call.

So we have to set up 2 separate rule sets in the reverse proxy:

  1. The default unencoded URL based on the Jenkins recommended setup
  2. Another ruleset which does not use unencoded URL

We enable ruleset rule 2 first to set up the user group in the Azure Matrix then disable ruleset rule 2 and enable rule 1.

Let me know if we are happy to close this. Or do you know any better/easier management of Jenkins setup in Windows Server which works with the plugin?
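The comment above ties the "specified more than once" errors to an IIS rewrite rule built on `UNENCODED_URL`. The following is an added example (not code from the plugin or from this thread) that models the likely mechanism as an assumption: `{UNENCODED_URL}` already contains the query string, so a rule that also appends the query string sends `$top` and `$filter` twice to the Graph proxy. It also includes a small check, run over the failing request quoted in this issue (host replaced with a placeholder), that flags duplicated query options the way Graph does.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed from the failing request quoted in the issue; host is a placeholder.
ORIGINAL_REQUEST = (
    "https://jenkins.example.invalid/manage//GraphProxy/v1.0/me/people"
    "?$top=10&$filter=personType/class%20eq%20%27Person%27"
)
BACKEND = "http://localhost:8080"  # assumed Jenkins listener behind the IIS proxy


def rewrite_with_unencoded_url(request_url: str, append_query_string: bool) -> str:
    """Simplified model (not IIS code) of a URL Rewrite action whose target is
    BACKEND + {UNENCODED_URL}. {UNENCODED_URL} carries the path *and* the
    query string; if the rule additionally appends the query string, the same
    options are sent a second time."""
    parts = urlsplit(request_url)
    unencoded_url = parts.path + ("?" + parts.query if parts.query else "")
    target = BACKEND + unencoded_url
    if append_query_string and parts.query:
        sep = "&" if "?" in target else "?"
        target += sep + parts.query
    return target


def duplicated_query_options(url: str) -> list:
    """Names of query options that occur more than once in the URL, i.e. the
    condition Microsoft Graph rejects with 'specified more than once'."""
    names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    return sorted({n for n in names if names.count(n) > 1})


def diagnose(request_url: str, append_query_string: bool) -> dict:
    """Run the proxy model and report what the backend would receive."""
    target = rewrite_with_unencoded_url(request_url, append_query_string)
    return {"target": target, "duplicates": duplicated_query_options(target)}


if __name__ == "__main__":
    for append in (True, False):
        report = diagnose(ORIGINAL_REQUEST, append)
        print(f"appendQueryString={append}: duplicates={report['duplicates']}")
        print("  ->", report["target"])
```

The check is useful on its own: point it at the URL from the browser's network tab and it tells you whether the proxy, rather than the plugin, is the source of the repeated `$top` or `$search`.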

timja commented 9 months ago

I've never used Jenkins with windows server, good to know you figured it out.