jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

I can't start a job remotely after switching to SSO with MS Entra ID: HTTP/1.1 401 Unauthorized #565

Closed GaborVarga closed 2 months ago

GaborVarga commented 2 months ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.440.2
OS: Linux - 6.1.41-63.114.amzn2023.x86_64
Java: 17.0.10 - Amazon.com Inc. (OpenJDK 64-Bit Server VM)
```

What Operating System are you using (both controller, and any agents involved in the problem)?

amazon linux

Reproduction steps

  1. switch to SSO with MS Entra ID plugin
  2. get the username of your MS user from jenkins_url/me/configure
  3. create a user token (optional)
  4. try to start a job remotely with curl using the username and password / token like this:

     ```shell
     curl -I -g -XPOST -u user@companyname.io:usertoken https://jenkins.companyname.io/view/Test_jobs/job/testbuild/build
     ```

Expected Results

the job should start as without SSO

Actual Results

HTTP/1.1 401 Unauthorized

Anything else?

No response

Are you interested in contributing a fix?

No response

timja commented 2 months ago

It uses the User ID not the username, it should work if you use your object ID I think.

GaborVarga commented 2 months ago

> It uses the User ID not the username, it should work if you use your object ID I think.

It seems you are right: the MS Entra object ID of the user must be used, and besides this you have to generate a token in Jenkins for this user (here: jenkins-url/me/configure) and use this token in the curl request instead of the MS user's password. Example with crumb:

```shell
# getting the crumb first
CRUMB=$(curl --user "object_id:jenkins_token_of_the_user" "https://jenkins_url/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)")
# now starting the job
curl -I -g -XPOST --user "object_id:jenkins_token_of_the_user" -H "$CRUMB" https://jenkins_url/jobname/build
```

This also works when you have parameters for the job.

timja commented 2 months ago

With the API token you do not need the crumb.
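The remote-trigger flow the thread arrives at (Entra object ID as the Basic-auth user name, a Jenkins API token as the password, no crumb), written up as an added Python example that is not part of the issue or of the plugin; the `send` parameter, the `explain_status` mapping and the parameterised-job handling via `buildWithParameters` are this example's own additions, and the job path is the one from the report:

```python
"""Trigger a Jenkins job over the remote API when the controller uses the
Azure AD / Entra ID plugin (added example, not plugin code)."""
import base64
import urllib.error
import urllib.parse
import urllib.request


def basic_auth_header(user_id: str, api_token: str) -> str:
    """Jenkins expects the Entra object ID, not the UPN, as the Basic-auth user name."""
    raw = f"{user_id}:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def build_url(base: str, job_path: str, params=None) -> str:
    """Parameterised jobs are triggered via buildWithParameters, others via build."""
    endpoint = "buildWithParameters" if params else "build"
    url = f"{base.rstrip('/')}/{job_path.strip('/')}/{endpoint}"
    return url + ("?" + urllib.parse.urlencode(params) if params else "")


def explain_status(status: int) -> str:
    """Map the status codes discussed in the thread to their likely cause."""
    if status == 201:
        return "queued"
    if status == 401:
        return "bad credentials: use the Entra object ID and a Jenkins API token, not UPN and password"
    if status == 403:
        return "authenticated but refused: check Job/Build permission (no crumb is needed with an API token)"
    return f"unexpected HTTP {status}"


def _http_send(req: urllib.request.Request) -> int:
    """Default transport: POST the request and return the HTTP status code."""
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def trigger_build(base, user_id, api_token, job_path, params=None, send=_http_send):
    """POST the build request; `send` is injectable so the flow can be exercised offline."""
    req = urllib.request.Request(build_url(base, job_path, params), method="POST")
    req.add_header("Authorization", basic_auth_header(user_id, api_token))
    status = send(req)
    return status, explain_status(status)
```

Against a real controller, call `trigger_build("https://jenkins.companyname.io", "<entra-object-id>", "<api-token>", "view/Test_jobs/job/testbuild")` with the object ID and token taken from `<jenkins>/me/configure`; a 201 means the build was queued.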