Jenkins REST API Auth using URL parameters - jenkins

I'm trying to configure my Jenkins to allow remote job triggering using the REST API. If I pass the username and password using the basic authentication header param, I'm able to trigger the job:
curl -u <username>:<api token> http://localhost:8080/job/kp-push-example/build
However, if I pass the username and API token in the URL, Jenkins is unable to authenticate; it uses the anonymous user and throws an error, as the anonymous user does not have the privilege to execute the job.
http://<username>:<apitoken>@localhost:8080/job/kp-push-example/build
Below is the error message.
<html>
<head>
<meta http-equiv='refresh' content='1;url=/login?from=%2Fjob%2Fkp-push-example%2Fbuild'/>
<script>window.location.replace('/login?from=%2Fjob%2Fkp-push-example%2Fbuild');</script>
</head>
<body style='background-color:white; color:white;'>
Authentication required
<!--
You are authenticated as: anonymous
Groups that you are in:
Permission you need to have (but didn't): hudson.model.Hudson.Read
... which is implied by: hudson.security.Permission.GenericRead
... which is implied by: hudson.model.Hudson.Administer
-->
</body>
</html>
How do I configure Jenkins to allow URL basic auth?
Jenkins version: 2.129

Could you please share which user you are actually using and whether it has a valid token?
Also, how are you triggering it? Are you using a script, calling it from some server logic, ...?
Here's a tested and working example for cURL:
curl -s -XPOST 'http://localhost:8080/job/kp-push-example/build?token=TOKEN' -u "admin:0000ADMIN-TOKEN00000"

Related

Jenkins - No valid crumb was included in request

Jenkins 2.263.1 (LTS) deployed through Tomcat on CentOS 8.2, with an Nginx reverse proxy running in front of Jenkins.
Under Manage Jenkins > Configure System, Apply and Save are not working. Due to this error I cannot Apply (or) Save any of my configuration; it always shows the below error in the browser (Firefox & Chrome).
HTTP Status 403 – Forbidden
Type Status Report
Message No valid crumb was included in the request
Description The server understood the request but refuses to authorize it.
Apache Tomcat/9.0.30
Also, under Jenkins > Manage Jenkins > Configure Global Security, Apply works, but Save does not; it results in the same error given above.
System log error message:
Feb 19, 2021 10:56:05 AM WARNING hudson.security.csrf.CrumbFilter doFilter
No valid crumb was included in request for /jenkins/configSubmit by ankit.sahu. Returning 403.
Workarounds tried:
1) Under Configure Global Security > CSRF Protection > Enable proxy compatibility (ticked Enabled). Didn't work, so disabled it with the command below.
2) hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION = true - Even this didn't solve the problem.
3) Installed the Strict Crumb Issuer plugin. Enabled this plugin and unchecked "Check the session ID" in its configuration (under Jenkins Configure Global Security).
4) Restarted Jenkins.
I even tried adding the below to the /apache-tomcat-9.0.30/conf/tomcat-users.xml file.
<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<role rolename="manager-gui"/>
<role rolename="manager-script"/>
<role rolename="manager-jmx"/>
<role rolename="manager-status"/>
<role rolename="admin-gui"/>
<role rolename="admin-script"/>
<user username="user" password="password" roles="manager-gui,manager-script,manager-jmx,manager-status,admin-gui,admin-script"/>
</tomcat-users>
However, I am still experiencing the same problem. I don't know how to fix it; can someone help me?
You can (temporarily) disable CSRF with the Groovy script below. Go to Manage Jenkins >> Script Console, then execute it.
import jenkins.model.Jenkins
def instance = Jenkins.instance
instance.setCrumbIssuer(null)
The nonces embedded into web output from Jenkins with CSRF protection are based (at least in part, as I've read) on values from the requesting client. In addition to making sure your reverse proxy is correctly configured to pass X-Forwarded-For and X-Forwarded-Proto, make sure the Tomcat valve is in place to expose those header values in the servlet request API so Jenkins has access to them.
Add the following to $CATALINA_BASE/conf/server.xml, subordinate to the <Host> element:
<Valve className="org.apache.catalina.valves.RemoteIpValve" remoteIpHeader="x-forwarded-for" protocolHeader="x-forwarded-proto" />
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-troubleshooting/
ref: https://www.jenkins.io/doc/book/system-administration/reverse-proxy-configuration-with-jenkins/
ref: https://tomcat.apache.org/tomcat-9.0-doc/config/valve.html#Remote_IP_Valve
If you're using jenkinsapi, I resolved this error by specifying useCrumb=True in the constructor:
j = Jenkins(base_url, username=username, password=password, useCrumb=True)

No valid crumb was included in the request - Jenkins 403

My Crumb.sh file is:
crumb=$(curl -u "jenkins:pwd" -s 'http://yuvi_jenkins:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
echo $crumb
curl -u "jenkins:pwd" -H "$crumb" -X POST http://yuvi_jenkins:8080/job/ansible-project/build?delay=0sec
The output I get is:
Jenkins-Crumb:d3950e9f61bc9dd88fba532c17dba1ce220be11b92d78e720464afd38021a3fb
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body><h2>HTTP ERROR 403</h2>
<p>Problem accessing /job/ansible-project/build. Reason:
<pre> No valid crumb was included in the request</pre></p><hr>Powered by Jetty:// 9.4.z-SNAPSHOT<hr/>
</body>
</html>
Solutions that I have tried:
1) Probably you are accessing Jenkins through a proxy server; please do the following:
Go to "Global Security Settings"
Check "Enables the Compatibility Mode for proxies".
Restart
2) To resolve this issue I unchecked "Prevent Cross Site Request Forgery exploits" in the jenkins.com/configureSecurity section.
I have tried the above solutions but still I am getting the same error.
According to the Jenkins Documentation here, crumbs are now only valid for the web session in which they were created. To get around this you can store your cookies when making the crumb request, and then use those stored cookies when making subsequent API calls. So your script would become:
crumb=$(curl --cookie-jar ./cookie -u "jenkins:pwd" -s 'http://yuvi_jenkins:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)')
curl --cookie ./cookie -u "jenkins:pwd" -H "$crumb" -X POST http://yuvi_jenkins:8080/job/ansible-project/build?delay=0sec
Alternatively, the documentation I linked suggests setting the system property hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true, or using the Strict Crumb Issuer Plugin to change crumb validation to use something like time rather than the session ID.
Thanks to https://github.com/spinnaker/spinnaker/issues/2067#issuecomment-544993648 for helping me solve the same problem

Quarkus web app cannot authorize with JWT and Keycloak

I am trying to authorize a user using the code grant flow in Keycloak for a Quarkus application.
Here is the Quarkus configuration
# OIDC Configuration
quarkus.oidc.auth-server-url=http://localhost:8180/auth/realms/quarkus
quarkus.oidc.client-id=web-application
quarkus.oidc.credentials.secret=ca21b304-XXX-XXX-XXX-51d38ef5da02
quarkus.oidc.application-type=web-app
quarkus.oidc.authentication.scopes=email
The client configuration for "web-application" has only Standard Flow enabled (for Code Grant Flow)
I access http://localhost:8080/
I'm redirected to Keycloak (the URL looks good, with scope=openid+email&response_type=code&client_id=web-application)
I log in with sample user account
I'm redirected back with the code
Then I get an exception in Quarkus
Caused by: org.keycloak.authorization.client.util.HttpResponseException: Unexpected response from server: 401 / Unauthorized / Response from server: {"error":"unauthorized_client","error_description":"Client not enabled to retrieve service account"}
at org.keycloak.authorization.client.util.HttpMethod.execute(HttpMethod.java:95)
at org.keycloak.authorization.client.util.HttpMethodResponse$2.execute(HttpMethodResponse.java:50)
at org.keycloak.authorization.client.util.TokenCallable.obtainAccessToken(TokenCallable.java:121)
at org.keycloak.authorization.client.util.TokenCallable.call(TokenCallable.java:57)
at org.keycloak.authorization.client.resource.ProtectedResource.createFindRequest(ProtectedResource.java:276)
at org.keycloak.authorization.client.resource.ProtectedResource.access$300(ProtectedResource.java:38)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:205)
at org.keycloak.authorization.client.resource.ProtectedResource$5.call(ProtectedResource.java:202)
at org.keycloak.authorization.client.resource.ProtectedResource.find(ProtectedResource.java:210)
The error in Keycloak is:
09:58:25,420 WARN [org.keycloak.events] (default task-30) type=CLIENT_LOGIN_ERROR, realmId=quarkus, clientId=web-application, userId=null, ipAddress=172.17.0.1, error=invalid_client, grant_type=client_credentials, client_auth_method=client-secret
Question:
Why does Quarkus try to use "grant_type=client_credentials"? It should use grant type "authorization_code". This looks like a bug in Quarkus, but maybe there is a flag.
"Service Account Enabled" is off. Enabling it should fix the issue.
Could you try:
quarkus.oidc.client-type=web-app
instead of:
quarkus.oidc.application-type=web-app
Source: https://quarkus.io/guides/security-openid-connect-web-authentication

Trigger build via URL gives me no crumb included in request error

I've been trying to trigger a build via the Jenkins API so far with no success. I configured a job on 'Trigger builds remotely' and set a token, 'abc'.
Then in Postman I did a POST to:
$jenkinsurl:$port/job/$jobname/build?token=abc
And the response is:
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"/>
<title>Error 403 No valid crumb was included in the request</title>
</head>
<body>
<h2>HTTP ERROR 403</h2>
<p>Problem accessing /job/DCD%20Specifications/build. Reason:
<pre> No valid crumb was included in the request</pre>
</p>
<hr>
<i>
<small>Powered by Jetty://</small>
</i>
<hr/>
</body>
I also tried to use basic authentication with a valid username and password, but to no avail.
I can use GETs to retrieve whatever information I want from the Jenkins API just fine; it's only this POST that gives me this problem.
I had Jenkins 2.7 and updated to 2.19.4 and both versions give me this problem. What am I doing wrong here?
Pass in POST headers, "Jenkins-Crumb:5740ac1b614ca59f5dd5ef151b2895b3".
Your Crumb can be obtained from the URL http://jenkins:8080/crumbIssuer/api/xml
In the POST body, use the appropriate Jenkins XML API request.
Here are my Postman images with parameters:
This worked for me:
Obtain crumb
$ wget -q --auth-no-challenge --user yourUserName --password yourPassword --output-document - 'http://myJenkins:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'
Now run the Jenkins job
$ curl -I -X POST http://yourUserName:yourPassword@myJenkins:8080/job/JOBName/build -H "Jenkins-Crumb:44e7038af70da95a47403c3bed5q10f8"
HTTP/1.1 201 Created
Date: Fri, 28 July 2017 09:15:45 GMT
X-Content-Type-Options: nosniff
Location: http://myJenkins:8080/queue/item/17/
Content-Length: 0
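The crumb-plus-session flow from the two Jenkins answers above (the cookie-jar script and the wget/curl pair), together with the point behind the first question on this page (credentials in a URL only work because the HTTP client rewrites them into an Authorization header; Jenkins does not read them from the URL), as one added example. This is not code from any post on this page. It assumes a Jenkins instance at http://localhost:8080, a user with an API token, and a job with a remote-trigger token; the crumbIssuer XML embedded in it is a constructed sample so the parsing can be exercised offline:

```python
"""Jenkins remote build trigger: API-token auth plus a CSRF crumb bound to its session.

Added example, not code from the posts above. Assumed values: Jenkins at
http://localhost:8080, user "admin" with an API token, job "kp-push-example"
with remote-trigger token "TOKEN". SAMPLE_CRUMB_XML is a constructed stand-in
for a /crumbIssuer/api/xml response (the crumb value is invented).
"""
import base64
import http.cookiejar
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample of what GET /crumbIssuer/api/xml returns.
SAMPLE_CRUMB_XML = (
    b'<defaultCrumbIssuer _class="hudson.security.csrf.DefaultCrumbIssuer">'
    b"<crumb>0123456789abcdef0123456789abcdef</crumb>"
    b"<crumbRequestField>Jenkins-Crumb</crumbRequestField>"
    b"</defaultCrumbIssuer>"
)


def basic_auth_header(user: str, api_token: str) -> str:
    """Build the header that `curl -u user:token` sends.

    A `user:token@host` URL is rewritten by curl into exactly this header.
    Jenkins itself never reads credentials out of the request URL, which is
    why a URL that is not rewritten arrives as the anonymous user.
    """
    raw = f"{user}:{api_token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def parse_crumb(xml_body: bytes) -> Tuple[str, str]:
    """Return (header name, crumb value) from a crumbIssuer XML document.

    The header name is taken from the document rather than hard-coded,
    because the field name is configurable (e.g. with the Strict Crumb Issuer
    plugin) and older instances used a different name than Jenkins-Crumb.
    """
    root = ET.fromstring(xml_body)
    field = root.findtext("crumbRequestField")
    crumb = root.findtext("crumb")
    if not field or not crumb:
        raise ValueError("crumbIssuer response carries no crumb")
    return field, crumb


def build_url(base_url: str, job: str, build_token: Optional[str] = None) -> str:
    """Form /job/<name>/build, percent-encoding job names that contain spaces."""
    url = f"{base_url.rstrip('/')}/job/{urllib.parse.quote(job)}/build"
    if build_token:
        url += "?" + urllib.parse.urlencode({"token": build_token})
    return url


def trigger_headers(user: str, api_token: str, crumb_field: str, crumb: str) -> dict:
    """Headers for the POST: API-token auth plus the crumb under its own field name."""
    return {
        "Authorization": basic_auth_header(user, api_token),
        crumb_field: crumb,
    }


def trigger_build(base_url: str, job: str, user: str, api_token: str,
                  build_token: Optional[str] = None) -> Optional[str]:
    """Fetch a crumb and POST the build inside one cookie-carrying session.

    Since Jenkins 2.176.2 a crumb is only valid together with the web session
    (JSESSIONID cookie) it was issued in; replaying the crumb without that
    cookie is what yields "No valid crumb was included in the request". One
    opener with a CookieJar makes both calls share the session. Returns the
    queue item Location from the 201 response. This is a live network call.
    """
    jar = http.cookiejar.CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    auth = basic_auth_header(user, api_token)

    crumb_req = urllib.request.Request(
        f"{base_url.rstrip('/')}/crumbIssuer/api/xml",
        headers={"Authorization": auth},
    )
    with opener.open(crumb_req) as resp:
        field, crumb = parse_crumb(resp.read())

    post = urllib.request.Request(
        build_url(base_url, job, build_token),
        data=b"",  # an empty body is enough to make this a POST
        headers=trigger_headers(user, api_token, field, crumb),
        method="POST",
    )
    with opener.open(post) as resp:
        return resp.headers.get("Location")


if __name__ == "__main__":
    # Assumed instance, user, API token and job; replace with your own.
    print(trigger_build("http://localhost:8080", "kp-push-example",
                        "admin", "0000ADMIN-TOKEN00000", build_token="TOKEN"))
```

If the POST still comes back 403 with the crumb and cookie both present, the session cookie is not reaching Jenkins in the form it was issued; that is the reverse-proxy situation described in the Tomcat/Nginx answer above, not a problem with the script.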

URL for downloading the Symfony 1.4 configuration checker returns 401: Authorization required

I am reading the documentation of symfony 1.4 because I have to learn it due to legacy code. At some point the documentation says:
Then, download the symfony configuration checker script at the following URL:
So I tried to run
$ curl -d "" http://sf-to.org/1.4/check.php
I received the message:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>301 Moved Permanently</title>
</head><body>
<h1>Moved Permanently</h1>
<p>The document has moved here.</p>
</body></html>
Then, I tried to run
$ curl -d "" http://svn.symfony-project.com/branches/1.4/data/bin/check_configuration.php
getting this error:
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>401 Authorization Required</title>
</head><body>
<h1>Authorization Required</h1>
<p>This server could not verify that you
are authorized to access the document
requested. Either you supplied the wrong
credentials (e.g., bad password), or your
browser doesn't understand how to supply
the credentials required.</p>
</body></html>
In my opinion it's best to use the git repository of symfony:
https://github.com/symfony/symfony1
The check_configuration.php file can be found here:
https://github.com/symfony/symfony1/blob/1.4/data/bin/check_configuration.php
or if you want just the contents of the file:
https://raw.github.com/symfony/symfony1/1.4/data/bin/check_configuration.php
