Malformed authorization token when using non-global credential store

[probably-autopilot]

Jenkins and plugins versions report

Environment

```text Jenkins: 2.387.2 OS: Linux - 4.15.0-204-generic Java: 11.0.18 - Eclipse Adoptium (OpenJDK 64-Bit Server VM) --- Parameterized-Remote-Trigger:3.1.6.3 active-directory:2.30 analysis-model-api:11.1.0 ansicolor:1.0.2 antisamy-markup-formatter:159.v25b_c67cd35fb_ apache-httpcomponents-client-4-api:4.5.14-150.v7a_b_9d17134a_5 audit-trail:333.vb_e1b_b_0f1238c authentication-tokens:1.53.v1c90fd9191a_b_ basic-branch-build-strategies:71.vc1421f89888e benchmark:1.0.11 blueocean:1.27.3 blueocean-autofavorite:1.2.5 blueocean-bitbucket-pipeline:1.27.3 blueocean-commons:1.27.3 blueocean-config:1.27.3 blueocean-core-js:1.27.3 blueocean-dashboard:1.27.3 blueocean-display-url:2.4.2 blueocean-events:1.27.3 blueocean-git-pipeline:1.27.3 blueocean-github-pipeline:1.27.3 blueocean-i18n:1.27.3 blueocean-jira:1.27.3 blueocean-jwt:1.27.3 blueocean-personalization:1.27.3 blueocean-pipeline-api-impl:1.27.3 blueocean-pipeline-editor:1.27.3 blueocean-pipeline-scm-api:1.27.3 blueocean-rest:1.27.3 blueocean-rest-impl:1.27.3 blueocean-web:1.27.3 bootstrap4-api:4.6.0-5 bootstrap5-api:5.2.2-2 bouncycastle-api:2.27 branch-api:2.1071.v1a_188a_562481 build-token-root:151.va_e52fe3215fc build-user-vars-plugin:1.9 caffeine-api:3.1.6-115.vb_8b_b_328e59d8 checks-api:2.0.0 cisco-spark-notifier:1.1.1 cloudbees-bitbucket-branch-source:800.va_b_b_9a_a_5035c1 cloudbees-folder:6.815.v0dd5a_cb_40e0e cobertura:1.17 code-coverage-api:4.4.0 command-launcher:100.v2f6722292ee8 commons-lang3-api:3.12.0-36.vd97de6465d5b_ commons-text-api:1.10.0-36.vc008c8fcda_7b_ conditional-buildstep:1.4.2 config-file-provider:3.11.1 configuration-as-code:1625.v27444588cc3d conjur-credentials:1.0.15 copyartifact:698.v393f578eb_ddc credentials:1236.v31e44e6060c0 credentials-binding:604.vb_64480b_c56ca_ data-tables-api:1.13.3-3 display-url-api:2.3.7 docker-build-publish:1.4.0 docker-commons:419.v8e3cd84ef49c docker-workflow:563.vd5d2e5c4007f downstream-build-cache:1.7 durable-task:504.vb10d1ae5ba2f echarts-api:5.4.0-3 email-ext:2.96 envinject:2.901.v0038b_6471582 envinject-api:1.199.v3ce31253ed13 external-monitor-job:203.v683c09d993b_9 favorite:2.4.1 font-awesome-api:6.3.0-2 forensics-api:2.1.0 git:5.0.1 git-client:4.2.0 git-server:99.va_0826a_b_cdfa_d github:1.37.0 github-api:1.303-417.ve35d9dd78549 github-branch-source:1703.vd5a_2b_29c6cdc github-scm-trait-notification-context:1.1 handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953 htmlpublisher:1.31 http_request:1.16 instance-identity:142.v04572ca_5b_265 ionicons-api:45.vf54fca_5d2154 jackson2-api:2.15.0-334.v317a_165f9b_7c jakarta-activation-api:2.0.1-3 jakarta-mail-api:2.0.1-3 javadoc:233.vdc1a_ec702cff javax-activation-api:1.2.0-6 javax-mail-api:1.6.2-9 jaxb:2.3.8-1 jdk-tool:66.vd8fa_64ee91b_d jenkins-design-language:1.27.3 jersey2-api:2.39.1-1 jfrog:1.3.0 jira:3.9 jjwt-api:0.11.5-77.v646c772fddb_0 job-dsl:1.83 jquery3-api:3.6.4-1 jsch:0.1.55.61.va_e9ee26616e7 junit:1198.ve38db_d1b_c975 kubernetes:3923.v294a_d4250b_91 kubernetes-client-api:6.4.1-215.v2ed17097a_8e9 kubernetes-credentials:0.10.0 ldap:673.v034ec70ec2b_b_ lockable-resources:1150.v59db_2b_994618 mailer:448.v5b_97805e3767 managed-scripts:1.5.6 mapdb-api:1.0.9-28.vf251ce40855d mask-passwords:150.vf80d33113e80 matrix-auth:3.1.7 matrix-project:789.v57a_725b_63c79 maven-plugin:3.22 metrics:4.2.13-420.vea_2f17932dd6 mina-sshd-api-common:2.9.2-62.v199162f0a_2f8 mina-sshd-api-core:2.9.2-62.v199162f0a_2f8 notification:1.17 okhttp-api:4.10.0-132.v7a_7b_91cef39c pam-auth:1.10 parameterized-trigger:2.45 pipeline-build-step:491.v1fec530da_858 pipeline-github-lib:42.v0739460cda_c4 pipeline-graph-analysis:202.va_d268e64deb_3 pipeline-groovy-lib:656.va_a_ceeb_6ffb_f7 pipeline-input-step:468.va_5db_051498a_4 pipeline-milestone-step:111.v449306f708b_7 pipeline-model-api:2.2125.vddb_a_44a_d605e pipeline-model-definition:2.2125.vddb_a_44a_d605e pipeline-model-extensions:2.2125.vddb_a_44a_d605e pipeline-rest-api:2.32 pipeline-stage-step:305.ve96d0205c1c6 pipeline-stage-tags-metadata:2.2125.vddb_a_44a_d605e pipeline-stage-view:2.32 pipeline-utility-steps:2.15.2 plain-credentials:143.v1b_df8b_d3b_e48 plugin-usage-plugin:4.0 plugin-util-api:3.2.0 popper-api:1.16.1-3 popper2-api:2.11.6-2 prism-api:1.29.0-4 prometheus:2.2.2 pubsub-light:1.17 rebuild:320.v5a_0933a_e7d61 resource-disposer:0.22 run-condition:1.5 saml:4.403.v423b_3195a_9ec scm-api:667.v8b_6e07cdc7f2 scmskip:1.0.3 script-security:1244.ve463715a_f89c shelve-project-plugin:3.2 snakeyaml-api:1.33-95.va_b_a_e3e47b_fa_4 sse-gateway:1.26 ssh-agent:333.v878b_53c89511 ssh-credentials:305.v8f4381501156 ssh-slaves:2.877.v365f5eb_a_b_eec ssh-steps:2.0.65.vd26b_5b_9b_de4d sshd:3.275.v9e17c10f2571 stashNotifier:1.28 structs:324.va_f5d6774f3a_d timestamper:1.24 token-macro:359.vb_cde11682e0c tpsd-jenkins-plugin:3.1.0 trilead-api:2.84.v72119de229b_7 variant:59.vf075fe829ccb warnings-ng:10.1.0 workflow-aggregator:596.v8c21c963d92d workflow-api:1208.v0cc7c6e0da_9e workflow-basic-steps:1017.vb_45b_302f0cea_ workflow-cps:3659.v582dc37621d8 workflow-durable-task-step:1246.v5524618ea_097 workflow-job:1292.v27d8cc3e2602 workflow-multibranch:746.v05814d19c001 workflow-scm-step:408.v7d5b_135a_b_d49 workflow-step-api:639.v6eca_cd8c04a_a_ workflow-support:839.v35e2736cfd5c ws-cleanup:0.45 xvfb:1.2 xvnc:1.28 yet-another-build-visualizer:1.16 ```

What Operating System are you using (both controller, and any agents involved in the problem)?

Running Jenkins LTS images running in Kubernetes.

Reproduction steps

1. Create a folder with Credential store scoped to
2. Add Conjur Auth Credential username:password to that credential store (non-global)
3. Set up authentication in either folder config or job config to use credential above
4. Add ConjurSecret to credential store as well pointing to secret you wish to access
5. Create Jenkins Job which uses ConjurSecret defined above.

Expected Results

I expect it to authenticate and access the ConjurSecret.

Actual Results

java.io.IOException: Error fetching secret from Conjur [401 - Unauthorized
Malformed authorization token
    at org.conjur.jenkins.api.ConjurAPI.getSecret(ConjurAPI.java:187)
    at org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsImpl.getSecret(ConjurSecretCredentialsImpl.java:81)
Caused: org.conjur.jenkins.exceptions.InvalidConjurSecretException: Error fetching secret from Conjur [401 - Unauthorized
Malformed authorization token
    at org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsImpl.getSecret(ConjurSecretCredentialsImpl.java:85)
    at org.conjur.jenkins.conjursecrets.ConjurSecretCredentialsBinding.bind(ConjurSecretCredentialsBinding.java:133)
    at org.jenkinsci.plugins.credentialsbinding.impl.BindingStep$Execution2.doStart(BindingStep.java:132)
    at org.jenkinsci.plugins.workflow.steps.GeneralNonBlockingStepExecution.lambda$run$0(GeneralNonBlockingStepExecution.java:77)
    at java.base/java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:515)
    at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
    at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
    at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
    at java.base/java.lang.Thread.run(Thread.java:829)

Anything else?

This works by rolling back to plugin version 1.0.13, so the changes introduced in https://github.com/jenkinsci/conjur-credentials-plugin/pull/25 I suspect impacted this. If I move the username:password credential to the global store it works immediately.

This has also been reported here: https://issues.jenkins.io/browse/JENKINS-70830?jql=component%3D27223

[josemdav]

We also faced same error but when using JWT context aware authentication configured at the global level. The job is not under a folder and still it fails with the Malformed authorization token.

We could confirm the JWT authentication request reaches Conjur and authentication using the JWT token is successful, however, the getSecret method using the Conjur auth token fails with the 401 authorization Malformed authorization token.

Rolling back to 1.0.13 as suggested also fixed the issue and secrets can be fetched from Conjur.

I've seen #25 changes but haven't been able to identify the root cause.

[Delrynn]

Using v1.0.16, encountered this issue.

• I am using secrets sync'ed from PAM (so I am not able to try contextual annotations).
• The credential references are in the Jenkins Global store, and the job is top-level.
• JWT authentication is confirmed successful.
• Rolling back to v1.0.13 fixed the issue.

[Nenodema]

Nice plugin! But same issue here. Any progress on fixing this issue?