search

jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License
27 stars 56 forks source link

Jenkins API not accessible(403 Forbidden error) with access token generated from azure ad #573

Open sanith01988 opened 1 month ago

sanith01988 commented 1 month ago

Jenkins and plugins versions report

Environment ```text Paste the output here ```

What Operating System are you using (both controller, and any agents involved in the problem)?

docker jenkins

Reproduction steps

We're using azure ad app as security relam for our jenkins.Using the azure ad plugin through browser we're able to access the jenkins without any issue(We're not using graph api permission, instead our azure ad app assigned group configured via matrix authorization strategy). Now we need to call the jenkins api,for this we're having a technical account in entra and we're able to create access token for this user.But when we're using this access token for the jenkins api request we're getting 'Error accessing the API: 403 Client Error: Forbidden'.

Expected Results

Jenkins api access with azure ad access token

Actual Results

Error accessing the API: 403 Client Error: Forbidden

Anything else?

No response

Are you interested in contributing a fix?

No response

timja commented 1 month ago

I think you need Graph API permission for the API to work.

sanith01988 commented 1 month ago

@timja Do I need to set graph api permission to the app registration which is using in security relam of Jenkins.

timja commented 1 month ago

yes https://github.com/jenkinsci/azure-ad-plugin#setup-microsoft-entra-id-permissions-optional-but-recommended

This is used for:

  • Jenkins looking up the user, e.g. when you use the Rest API
sanith01988 commented 1 month ago

@timja

I've enabled the entra id permission. Still I'm getting 403 error. `403

Authentication required ` In jenkins log I couldn't see any errors related to it.
timja commented 1 month ago

can you talk me through step by step what you've got setup?

sanith01988 commented 1 month ago

@timja

  1. Set up jenkins with azure ad plugin as security relay using jenkins.yaml configured below details. 
jenkins:
  securityRealm:
    azureSecurityRealm:
      clientId: ''
      clientSecret: ''
      tenant: ''
      cacheduration: 0
      fromrequest: true

  authorizationStrategy:
    projectMatrix:
      entries:
        - group:
            name: <object-id>
            permissions:
              - Overall/Administer
        - user:
            name: <object-id>
            permissions:
              - Overall/Administer
  1. Configured http::///securityRealm/finishLogin as redirect uri in entra app registration
  2. Added group & user to app registartion 4.Then throuh browser I'm able to access without any issue
  3. then using a python script accessing the accesstoken with a technical user and using the access token try to access the "http::///api/json" token_endpoint = https://login.microsoftonline.com//oauth2/v2.0/token response = requests.post(issuer["token_endpoint"], data={ "client_id": '', 'client_secret': '', 'audience': ', 'redirect_url': 'https://', "grant_type": "password", "username": 'technical_user', "password": 'password', "scope": "openid" }) access_token = response.json()['access_token'] url = "http:///api/json" headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/json" }

api_response = requests.get(url, headers=headers, verify=False)

timja commented 1 month ago

The Jenkins API uses a Jenkins API token and not a Microsoft access token.

Go to the Users profile in Jenkins and generate an API token