
Jenkins API not accessible(403 Forbidden error) with access token generated from azure ad #573

Open
sanith01988 opened this issue May 16, 2024 · 7 comments
Comments

@sanith01988

Jenkins and plugins versions report

Environment
Paste the output here

What Operating System are you using (both controller, and any agents involved in the problem)?

docker jenkins

Reproduction steps

We're using an Azure AD app as the security realm for our Jenkins. Using the Azure AD plugin through the browser we're able to access Jenkins without any issue (we're not using the Graph API permission; instead our Azure AD app-assigned group is configured via the matrix authorization strategy). Now we need to call the Jenkins API. For this we have a technical account in Entra and we're able to create an access token for this user. But when we use this access token for the Jenkins API request we get 'Error accessing the API: 403 Client Error: Forbidden'.

Expected Results

Jenkins API access with an Azure AD access token

Actual Results

Error accessing the API: 403 Client Error: Forbidden

Anything else?

No response

Are you interested in contributing a fix?

No response

@timja
Member

timja commented May 16, 2024

I think you need Graph API permission for the API to work.

@sanith01988
Author

@timja Do I need to set the Graph API permission on the app registration which is used in the security realm of Jenkins?

@timja
Member

timja commented May 16, 2024

yes https://github.com/jenkinsci/azure-ad-plugin#setup-microsoft-entra-id-permissions-optional-but-recommended

This is used for:

  • Jenkins looking up the user, e.g. when you use the Rest API

@sanith01988
Author

@timja

I've enabled the Entra ID permission. Still I'm getting the 403 error:

```
403

<script id='redirect' data-redirect-url='/securityRealm/commenceLogin?from=%2Fapi%2Fjson' src='/static/63c61884/scripts/redirect.js'></script> Authentication required
```

In the Jenkins log I couldn't see any errors related to it.

@timja
Member

timja commented May 17, 2024

can you talk me through step by step what you've got setup?

@sanith01988
Author

sanith01988 commented May 17, 2024

@timja

1. Set up Jenkins with the Azure AD plugin as security realm using a jenkins.yaml configured with the details below.

```yaml
jenkins:
  securityRealm:
    azureSecurityRealm:
      clientId: ''
      clientSecret: ''
      tenant: ''
      cacheduration: 0
      fromrequest: true

  authorizationStrategy:
    projectMatrix:
      entries:
        - group:
            name: <object-id>
            permissions:
              - Overall/Administer
        - user:
            name: <object-id>
            permissions:
              - Overall/Administer
```

2. Configured http:///securityRealm/finishLogin as the redirect URI in the Entra app registration.
3. Added the group & user to the app registration.
4. Then through the browser I'm able to access without any issue.
5. Then, using a Python script, obtain the access_token with a technical user and use the access_token to try to access "http:///api/json":

```python
import requests

# Token request against Entra ID (tenant id, client id and secret elided as in the original post)
token_endpoint = "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token"
response = requests.post(token_endpoint, data={
    "client_id": "",
    "client_secret": "",
    "audience": "",
    "redirect_url": "https://",
    "grant_type": "password",
    "username": "technical_user",
    "password": "password",
    "scope": "openid",
})
access_token = response.json()["access_token"]

# Call the Jenkins JSON API with the Entra access token as a bearer token (Jenkins host elided)
url = "http:///api/json"
headers = {
    "Authorization": f"Bearer {access_token}",
    "Accept": "application/json",
}
# verify=False as posted: this disables TLS certificate verification for the request
api_response = requests.get(url, headers=headers, verify=False)
```

@timja
Member

timja commented May 17, 2024

The Jenkins API uses a Jenkins API token and not a Microsoft access token.

Go to the user's profile in Jenkins and generate an API token.
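As an added example (not code from this issue, the reporter, or the azure-ad plugin), this is what the call timja describes looks like with only the Python standard library: the Jenkins API token is presented as HTTP Basic credentials rather than as a bearer token, it is read from an environment variable instead of being hard-coded next to a password, TLS verification is left on, and the response is classified so the "Authentication required" 403 with the `commenceLogin` redirect shown earlier in this thread can be told apart from a 403 that the matrix authorization strategy would produce for a recognised but unauthorised user. The Jenkins URL, user name and environment variable names are assumed placeholders.

```python
import base64
import json
import os
import urllib.error
import urllib.request

# Assumed placeholders (not from the issue): set these in the environment before running.
JENKINS_URL = os.environ.get("JENKINS_URL", "https://jenkins.example.invalid")
JENKINS_USER = os.environ.get("JENKINS_USER", "technical_user")
JENKINS_API_TOKEN = os.environ.get("JENKINS_API_TOKEN", "")


def basic_auth_header(user, token):
    """Jenkins API tokens are sent as HTTP Basic credentials: base64("user:token")."""
    raw = f"{user}:{token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_request(base_url, user, token, path="/api/json"):
    """Build the GET request for the Jenkins JSON API using the API token, not an Entra bearer token."""
    req = urllib.request.Request(base_url.rstrip("/") + path)
    req.add_header("Authorization", basic_auth_header(user, token))
    req.add_header("Accept", "application/json")
    return req


def classify_response(status, content_type, body):
    """Map a Jenkins API response to a diagnosis, returned as (kind, detail).

    ("login-redirect", None) -> 403 whose body is the commenceLogin redirect page: the credential
                                was not recognised at all (the symptom reported in this thread)
    ("forbidden", None)      -> 403 without the redirect: authenticated, but the authorization
                                strategy denies the permission
    ("ok", [job names])      -> 200 with a JSON body
    ("other", status)        -> anything else
    """
    if status == 403 and "/securityRealm/commenceLogin" in body:
        return ("login-redirect", None)
    if status == 403:
        return ("forbidden", None)
    if status == 200 and content_type.split(";")[0].strip() == "application/json":
        data = json.loads(body)
        return ("ok", [job.get("name") for job in data.get("jobs", [])])
    return ("other", status)


def call_jenkins_api(base_url, user, token):
    """Perform the request with TLS verification left at the default and classify the result."""
    req = build_request(base_url, user, token)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify_response(resp.status, resp.headers.get("Content-Type", ""), body)
    except urllib.error.HTTPError as err:
        # Non-2xx responses arrive here; the body still carries the redirect page on a 403
        body = err.read().decode("utf-8", "replace")
        return classify_response(err.code, err.headers.get("Content-Type", ""), body)


if __name__ == "__main__":
    if not JENKINS_API_TOKEN:
        raise SystemExit("set JENKINS_API_TOKEN to a token generated from the user's profile page in Jenkins")
    print(call_jenkins_api(JENKINS_URL, JENKINS_USER, JENKINS_API_TOKEN))
```

Run it with `JENKINS_URL`, `JENKINS_USER` and `JENKINS_API_TOKEN` set; the token has the same standing as the user's password for the REST API, so keep it out of scripts and shell history and revoke it from the same profile page when the technical account is retired.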
