jenkinsci / azure-ad-plugin

Authentication and Authorization with Azure AD
https://plugins.jenkins.io/azure-ad/
MIT License

Login still possible even if client secret has been deleted from Azure #613

Closed simondivi closed 1 month ago

simondivi commented 1 month ago

Jenkins and plugins versions report

Environment

```text
Jenkins: 2.462.1
OS: Linux - 5.15.0-1068-aws
Java: 17.0.12 - Eclipse Adoptium (OpenJDK 64-Bit Server VM)
---
analysis-model-api:11.15.0
ansicolor:1.0.4
antisamy-markup-formatter:162.v0e6ec0fcfcf6
apache-httpcomponents-client-4-api:4.5.14-208.v438351942757
asm-api:9.7-33.v4d23ef79fcc8
atlassian-bitbucket-server-integration:3.6.0
aws-credentials:231.v08a_59f17d742
aws-java-sdk-ec2:1.12.767-467.vb_e93f0c614b_6
aws-java-sdk-minimal:1.12.767-467.vb_e93f0c614b_6
azure-ad:507.vea_a_a_167b_d05c
azure-sdk:174.va_89c1df897d2
basic-branch-build-strategies:81.v05e333931c7d
bootstrap5-api:5.3.3-1
bouncycastle-api:2.30.1.78.1-248.ve27176eb_46cb_
branch-api:2.1178.v969d9eb_c728e
caffeine-api:3.1.8-133.v17b_1ff2e0599
checks-api:2.2.0
cloudbees-folder:6.942.vb_43318a_156b_2
command-launcher:115.vd8b_301cc15d0
commons-compress-api:1.26.1-2
commons-httpclient3-api:3.1-3
commons-lang3-api:3.17.0-84.vb_b_938040b_078
commons-text-api:1.12.0-129.v99a_50df237f7
configuration-as-code:1850.va_a_8c31d3158b_
credentials:1371.vfee6b_095f0a_3
credentials-binding:681.vf91669a_32e45
data-tables-api:2.1.4-1
dependency-check-jenkins-plugin:5.5.1
display-url-api:2.204.vf6fddd8a_8b_e9
durable-task:568.v8fb_5c57e8417
ec2:1688.v8c07e01d657f
echarts-api:5.5.1-1
eddsa-api:0.3.0-4.v84c6f0f4969e
extensible-choice-parameter:1.8.1
font-awesome-api:6.6.0-1
forensics-api:2.5.0
git:5.4.1
git-client:5.0.0
gson-api:2.11.0-41.v019fcf6125dc
htmlpublisher:1.36
http_request:1.19
instance-identity:185.v303dc7c645f9
ionicons-api:74.v93d5eb_813d5f
jackson2-api:2.17.0-379.v02de8ec9f64c
jakarta-activation-api:2.1.3-1
jakarta-mail-api:2.1.3-1
javadoc:280.v050b_5c849f69
javax-activation-api:1.2.0-7
javax-mail-api:1.6.2-10
jaxb:2.3.9-1
job-dsl:1.88
joda-time-api:2.12.7-29.v5a_b_e3a_82269a_
jquery3-api:3.7.1-2
json-api:20240303-41.v94e11e6de726
json-path-api:2.9.0-58.v62e3e85b_a_655
junit:1296.vb_f538b_c88630
locale:519.v4e20f313cfa_f
lockable-resources:1301.v0e3b_da_4b_4462
mailer:472.vf7c289a_4b_420
mask-passwords:173.v6a_077a_291eb_5
matrix-auth:3.2.2
matrix-project:832.va_66e270d2946
metrics:4.2.21-451.vd51df8df52ec
mina-sshd-api-common:2.13.2-125.v200281b_61d59
mina-sshd-api-core:2.13.2-125.v200281b_61d59
nexus-artifact-uploader:2.14
node-iterator-api:55.v3b_77d4032326
okhttp-api:4.11.0-172.vda_da_1feeb_c6e
parameterized-scheduler:277.v61a_4b_a_49a_c5c
pipeline-build-step:540.vb_e8849e1a_b_d8
pipeline-graph-analysis:216.vfd8b_ece330ca_
pipeline-graph-view:332.vb_232ced67fa_9
pipeline-groovy-lib:730.ve57b_34648c63
pipeline-input-step:495.ve9c153f6067b_
pipeline-milestone-step:119.vdfdc43fc3b_9a_
pipeline-model-api:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-definition:2.2214.vb_b_34b_2ea_9b_83
pipeline-model-extensions:2.2214.vb_b_34b_2ea_9b_83
pipeline-rest-api:2.34
pipeline-stage-step:312.v8cd10304c27a_
pipeline-stage-tags-metadata:2.2214.vb_b_34b_2ea_9b_83
pipeline-stage-view:2.34
pipeline-utility-steps:2.17.0
plain-credentials:183.va_de8f1dd5a_2b_
plugin-util-api:4.1.0
prism-api:1.29.0-17
prometheus:784.vea_eca_f6592eb_
resource-disposer:0.23
scm-api:696.v778d637b_a_762
script-security:1354.va_70a_fe478c7f
slack:741.v00f9591c586d
snakeyaml-api:2.3-123.v13484c65210a_
sonar:2.15
ssh-credentials:343.v884f71d78167
structs:338.v848422169819
timestamper:1.27
token-macro:400.v35420b_922dcb_
trilead-api:2.147.vb_73cc728a_32e
uno-choice:2.8.3
variant:60.v7290fc0eb_b_cd
warnings-ng:10.7.0
workflow-api:1336.vee415d95c521
workflow-basic-steps:1058.vcb_fc1e3a_21a_9
workflow-cps:3953.v19f11da_8d2fa_
workflow-durable-task-step:1371.vb_7cec8f3b_95e
workflow-job:1436.vfa_244484591f
workflow-multibranch:795.ve0cb_1f45ca_9a_
workflow-scm-step:427.v4ca_6512e7df1
workflow-step-api:678.v3ee58b_469476
workflow-support:920.v59f71ce16f04
ws-cleanup:0.46
```

What Operating System are you using (both controller, and any agents involved in the problem)?

Linux (Ubuntu 20.04) - no agent needed

Reproduction steps

Step 1: configure the plugin to use an expired / deleted secret.

The instance has been completely created from scratch, so no old user sessions can exist.

The config-as-code looks like this:

```yaml
jenkins:
  securityRealm:
    azure:
      cacheDuration: 7200
      clientId: {{azure_app_client_id}}
      # TODO: change the use of the secret - fine to check in but not to deploy
      clientSecret: {{azure_app_client_secret}}
      tenant: "{{tenant-id}}"
```

Step 2: just log in with an Azure ID.

Expected Results

When the secret expires or the secret is deleted a login should not be possible anymore.

Actual Results

All users that are in the groups provided can still log in, and there is no visible warning or error. Other users cannot log in, and if a user is removed from the group he can no longer log in.

Anything else?

When checking "Test user principal name or object id" in /manage/configureSecurity/ we get the same error as below.

The Azure Active Directory Matrix-based security groups show an error:

com.microsoft.aad.msal4j.MsalServiceException: AADSTS7000222: The provided client secret keys for app 'xxxxxxxx-xxxx-xxxx-b556-07f4949bc51f' are expired. Visit the Azure portal to create new keys for your app: https://aka.ms/NewClientSecret, or consider using certificate credentials for added security: https://aka.ms/certCreds. Trace ID: 205f5352-xxxx-4d61-9154-a48cab155b00 Correlation ID: 6d5ec0aa-xxxx-4ada-a0c1-4578d7a67228 Timestamp: 2024-09-03 10:41:13Z
    at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.MsalServiceExceptionFactory.fromHttpResponse(MsalServiceExceptionFactory.java:45)
    at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.TokenRequestExecutor.createAuthenticationResultFromOauthHttpResponse(TokenRequestExecutor.java:113)
    at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.TokenRequestExecutor.executeTokenRequest(TokenRequestExecutor.java:36)
    at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.AbstractApplicationBase.acquireTokenCommon(AbstractApplicationBase.java:57)
    at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.AcquireTokenByAuthorizationGrantSupplier.execute(AcquireTokenByAuthorizationGrantSupplier.java:63)
    at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.AcquireTokenByClientCredentialSupplier.acquireTokenByClientCredential(AcquireTokenByClientCredentialSupplier.java:86)
    at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.AcquireTokenByClientCredentialSupplier.execute(AcquireTokenByClientCredentialSupplier.java:49)
    at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:69)
    at PluginClassLoader for azure-sdk//com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:18)
    at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(Unknown Source)
Caused: java.util.concurrent.ExecutionException
    at java.base/java.util.concurrent.CompletableFuture.reportGet(Unknown Source)
    at java.base/java.util.concurrent.CompletableFuture.get(Unknown Source)
    at PluginClassLoader for azure-ad//com.microsoft.graph.httpcore.AuthenticationHandler.intercept(AuthenticationHandler.java:55)
Caused: java.io.IOException
    at PluginClassLoader for azure-ad//com.microsoft.graph.httpcore.AuthenticationHandler.intercept(AuthenticationHandler.java:67)
    at PluginClassLoader for okhttp-api//okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at PluginClassLoader for azure-ad//com.microsoft.graph.httpcore.TelemetryHandler.intercept(TelemetryHandler.java:68)
    at PluginClassLoader for okhttp-api//okhttp3.internal.http.RealInterceptorChain.proceed(RealInterceptorChain.kt:109)
    at PluginClassLoader for okhttp-api//okhttp3.internal.connection.RealCall.getResponseWithInterceptorChain$okhttp(RealCall.kt:201)
    at PluginClassLoader for okhttp-api//okhttp3.internal.connection.RealCall.execute(RealCall.kt:154)
    at PluginClassLoader for azure-ad//com.microsoft.graph.http.CoreHttpProvider.sendRequestInternal(CoreHttpProvider.java:407)
Caused: com.microsoft.graph.core.ClientException: Error executing the request
    at PluginClassLoader for azure-ad//com.microsoft.graph.http.CoreHttpProvider.sendRequestInternal(CoreHttpProvider.java:410)
    at PluginClassLoader for azure-ad//com.microsoft.graph.http.CoreHttpProvider.send(CoreHttpProvider.java:225)
    at PluginClassLoader for azure-ad//com.microsoft.graph.http.CoreHttpProvider.send(CoreHttpProvider.java:202)
    at PluginClassLoader for azure-ad//com.microsoft.graph.http.BaseRequest.send(BaseRequest.java:335)
    at PluginClassLoader for azure-ad//com.microsoft.graph.requests.GroupRequest.get(GroupRequest.java:59)
    at PluginClassLoader for azure-ad//com.microsoft.jenkins.azuread.AzureSecurityRealm.loadGroupByGroupname2(AzureSecurityRealm.java:591)
    at PluginClassLoader for azure-ad//com.microsoft.jenkins.azuread.ValidationUtil.validateGroup(ValidationUtil.java:120)
    at PluginClassLoader for azure-ad//com.microsoft.jenkins.azuread.AzureAdMatrixAuthorizationStrategy$DescriptorImpl.doCheckName(AzureAdMatrixAuthorizationStrategy.java:334)
    at java.base/java.lang.invoke.MethodHandle.invokeWithArguments(Unknown Source)
    at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:416)
    at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:429)
    at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:211)
    at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:138)
    at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:644)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
    at org.kohsuke.stapler.MetaClass$4.doDispatch(MetaClass.java:327)
    at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:61)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:898)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
    at org.kohsuke.stapler.MetaClass$9.dispatch(MetaClass.java:548)
    at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:827)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:965)
    at org.kohsuke.stapler.Stapler.invoke(Stapler.java:747)
    at org.kohsuke.stapler.Stapler.service(Stapler.java:253)
    at Jenkins Main ClassLoader//javax.servlet.http.HttpServlet.service(HttpServlet.java:590)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:764)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$ChainEnd.doFilter(ServletHandler.java:1665)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:163)
    at PluginClassLoader for locale//hudson.plugins.locale.LocaleFilter.doFilter(LocaleFilter.java:64)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
    at PluginClassLoader for atlassian-bitbucket-server-integration//com.atlassian.bitbucket.jenkins.internal.applink.oauth.serviceprovider.auth.OAuth1aRequestFilter.doFilter(OAuth1aRequestFilter.java:91)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
    at PluginClassLoader for metrics//jenkins.metrics.impl.MetricsFilter.doFilter(MetricsFilter.java:125)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
    at jenkins.util.HttpServletFilter$1.doFilter(HttpServletFilter.java:76)
    at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:160)
    at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:166)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
    at jenkins.ErrorAttributeFilter.doFilter(ErrorAttributeFilter.java:29)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
    at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:160)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:94)
    at jenkins.security.AcegiSecurityExceptionFilter.doFilter(AcegiSecurityExceptionFilter.java:52)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:54)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:126)
    at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:120)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:100)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:110)
    at org.springframework.security.web.authentication.rememberme.RememberMeAuthenticationFilter.doFilter(RememberMeAuthenticationFilter.java:101)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:227)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:221)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:97)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:117)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
    at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:63)
    at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:99)
    at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:111)
    at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:172)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
    at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:53)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
    at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:86)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
    at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:31)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
    at jenkins.security.SuspiciousRequestFilter.doFilter(SuspiciousRequestFilter.java:38)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.FilterHolder.doFilter(FilterHolder.java:202)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler$Chain.doFilter(ServletHandler.java:1635)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:527)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:131)
    at Jenkins Main ClassLoader//org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:569)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:223)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1580)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:221)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1384)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:176)
    at Jenkins Main ClassLoader//org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:484)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1553)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:174)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1306)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:129)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:122)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.Server.handle(Server.java:563)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpChannel$RequestDispatchable.dispatch(HttpChannel.java:1598)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpChannel.dispatch(HttpChannel.java:753)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:501)
    at Jenkins Main ClassLoader//org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:287)
    at Jenkins Main ClassLoader//org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:314)
    at Jenkins Main ClassLoader//org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:100)
    at Jenkins Main ClassLoader//org.eclipse.jetty.io.SelectableChannelEndPoint$1.run(SelectableChannelEndPoint.java:53)
    at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.runTask(AdaptiveExecutionStrategy.java:421)
    at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.consumeTask(AdaptiveExecutionStrategy.java:390)
    at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.tryProduce(AdaptiveExecutionStrategy.java:277)
    at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.strategy.AdaptiveExecutionStrategy.run(AdaptiveExecutionStrategy.java:199)
    at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:411)
    at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:969)
    at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.doRunJob(QueuedThreadPool.java:1194)
    at Jenkins Main ClassLoader//org.eclipse.jetty.util.thread.QueuedThreadPool$Runner.run(QueuedThreadPool.java:1149)
    at java.base/java.lang.Thread.run(Unknown Source)

Are you interested in contributing a fix?

We can help with testing it.

timja commented 1 month ago

Might be a cached access token that's not invalidated. Have you tried restarting Jenkins?

simondivi commented 1 month ago

@timja thanks for looking at this. Yes, I tried restarting, and also redeployed the whole thing, deleting all data with it. I used different users. They can all log in. When I change the group of a user it changes correctly in Jenkins.

timja commented 1 month ago

Can you please raise a Microsoft support ticket for this?

It's not something controlled by the plugin, as it just uses the SDKs.

simondivi commented 1 month ago

OK, after some digging we found that the secret is only used for requests that Jenkins does and has nothing to do with the auth process.

Jenkins fails to do its requests when the secret is not valid, so that is good. Everything seems to be fine after all. Thanks for your time ;)
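The thread ends by separating two credential paths that the original report conflated: the user's login, and the client-credentials grant that Jenkins itself performs for Microsoft Graph (the `AcquireTokenByClientCredentialSupplier` frames in the stack trace above). The Python below is an added example written for this page, not code from the azure-ad plugin or from MSAL. It models why an expired client secret does not stop logins: the checks a relying party applies to an ID token (issuer, tenant, audience, nonce, lifetime) use only public identifiers and the tenant's published signing key, never the app's secret. The page does not state which OAuth flow the plugin uses, so treating the login as ID-token based is an assumption here, as are the tenant and client IDs, the v2.0 issuer format, the Jenkins log line format, and the constructed sample token and log lines. The second half is the monitoring piece the reporter was missing: a scan of Jenkins log lines for the `AADSTS7000222` error quoted in the issue (and `AADSTS7000215`, Entra's "invalid client secret" code, supplied here from Entra's error list rather than from the page), since the login page itself gives no warning that the secret is dead.

```python
import base64
import json
import re
import time

# Constructed identifiers and a fixed clock for the demo (not from the issue).
DEMO_TENANT = "11111111-1111-1111-1111-111111111111"
DEMO_CLIENT = "22222222-2222-2222-2222-222222222222"
DEMO_NOW = 1725360000

# --- 1. Login path: ID token claim checks. No client secret appears here. ---
def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def make_demo_token(claims: dict) -> str:
    """Compact JWS with a placeholder signature. A real ID token is RS256-signed by
    the tenant and verified with the tenant's *public* JWKS key, so the login path
    never needs the app's client secret."""
    header = json.dumps({"alg": "RS256", "kid": "demo-key"}).encode()
    return ".".join([_b64url_encode(header),
                     _b64url_encode(json.dumps(claims).encode()),
                     _b64url_encode(b"\x00" * 256)])

def jwt_claims(token: str) -> dict:
    """Payload of a compact JWS; signature verification is assumed done already."""
    header_b64, payload_b64, _sig = token.split(".")
    if json.loads(_b64url_decode(header_b64)).get("alg", "none").lower() == "none":
        raise ValueError("unsigned token rejected")
    return json.loads(_b64url_decode(payload_b64))

def validate_id_token_claims(claims, *, tenant_id, client_id, expected_nonce,
                             now=None, skew=300):
    """Return the names of failed checks (empty list == accepted). Inputs are the
    tenant ID, the app's client ID and the per-login nonce, all public values.
    Assumes the v2.0 issuer format https://login.microsoftonline.com/{tid}/v2.0."""
    now = int(time.time()) if now is None else now
    failed = []
    if claims.get("iss") != f"https://login.microsoftonline.com/{tenant_id}/v2.0":
        failed.append("iss")
    if claims.get("tid") != tenant_id:
        failed.append("tid")
    aud = claims.get("aud")
    if aud != client_id and not (isinstance(aud, list) and client_id in aud):
        failed.append("aud")
    if claims.get("nonce") != expected_nonce:
        failed.append("nonce")  # binds the token to this login attempt (replay guard)
    if not isinstance(claims.get("exp"), int) or now > claims["exp"] + skew:
        failed.append("exp")
    if isinstance(claims.get("nbf"), int) and now + skew < claims["nbf"]:
        failed.append("nbf")
    return failed

def demo_claims(**overrides) -> dict:
    """Claims a healthy ID token would carry for the demo tenant and app."""
    claims = {"iss": f"https://login.microsoftonline.com/{DEMO_TENANT}/v2.0",
              "tid": DEMO_TENANT, "aud": DEMO_CLIENT, "nonce": "login-nonce-1",
              "iat": DEMO_NOW - 60, "nbf": DEMO_NOW - 60, "exp": DEMO_NOW + 3600,
              "preferred_username": "alice@example.com"}
    claims.update(overrides)
    return claims

# --- 2. Where the secret IS used: the client-credentials grant behind Graph. ---
# 7000222 is quoted in the issue; 7000215 is Entra's "invalid client secret" code.
SECRET_ERRORS = {"7000222": "client secret expired", "7000215": "client secret invalid"}

def find_client_credential_failures(log_lines):
    """Scan Jenkins log lines for MSAL client-credential failures, one finding per
    hit. The login page shows nothing when the secret is dead, so the log (or the
    admin-page validation) is the only signal to monitor."""
    findings = []
    for line in log_lines:
        code = re.search(r"AADSTS(\d+):", line)
        if not code or code.group(1) not in SECRET_ERRORS:
            continue
        app = re.search(r"app '([^']+)'", line)
        ts = re.search(r"Timestamp: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}Z)", line)
        findings.append({"code": code.group(1), "meaning": SECRET_ERRORS[code.group(1)],
                         "app_id": app.group(1) if app else None,
                         "timestamp": ts.group(1) if ts else None})
    return findings

# Constructed log lines in Jenkins' default log format (not real captures).
SAMPLE_LOG = [
    "2024-09-03 10:41:13.901+0000 [id=44] WARNING c.m.j.a.AzureSecurityRealm: "
    "com.microsoft.aad.msal4j.MsalServiceException: AADSTS7000222: The provided "
    f"client secret keys for app '{DEMO_CLIENT}' are expired. Visit the Azure portal "
    "to create new keys for your app: https://aka.ms/NewClientSecret "
    "Timestamp: 2024-09-03 10:41:13Z",
    # the same user still logs in seconds later; nothing on this line is an error
    "2024-09-03 10:41:20.117+0000 [id=45] INFO c.m.j.a.AzureSecurityRealm: "
    "alice@example.com logged in",
]

if __name__ == "__main__":
    print(validate_id_token_claims(jwt_claims(make_demo_token(demo_claims())),
          tenant_id=DEMO_TENANT, client_id=DEMO_CLIENT,
          expected_nonce="login-nonce-1", now=DEMO_NOW))   # [] == login accepted
    print(find_client_credential_failures(SAMPLE_LOG))    # one 7000222 finding
```

Two practical consequences follow from the split. Deleting or letting the secret expire only breaks the lookups Jenkins makes on its own behalf (group validation, the "Test user principal name or object id" check); to actually stop users signing in, disable sign-in for the enterprise application or require user assignment in Entra ID, or remove the users from the authorized groups as the reporter observed. And because nothing on the login page reveals a dead secret, feed `find_client_credential_failures` (or an equivalent log query) into alerting so the first symptom is not a silently stale group mapping. The `clientSecret` line in the reporter's JCasC file is a separate hygiene point: JCasC resolves `${VAR}` references at load time, so the secret can be supplied from the environment instead of being templated into the checked-in file.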