[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm


gdupin@gmail.com (JIRA)

Aug 5, 2019, 7:25:02 AM
to jenkinsc...@googlegroups.com
Guillaume Dupin created an issue
 
Jenkins / Bug JENKINS-58809
CLI and API call do not work with SAML Realm
Issue Type: Bug
Assignee: Ivan Fernandez Calvo
Components: saml-plugin
Created: 2019-08-05 11:24
Environment: Jenkins ver. 2.176.2
saml-plugin 1.1.2
Labels: cli client crumb SAML2 saml
Priority: Major
Reporter: Guillaume Dupin

Jenkins is configured with the SAML 2.0 security realm (to connect to a Keycloak Identity Provider), and I can access the GUI as a user 'jenkins_admin' created in Keycloak without problem.

But when I try to get the "Crumb" to do API calls or to use "jenkins-cli.jar" by authenticating with the user/password of the Keycloak user, I get the errors mentioned below:

 

As Anonymous: OK

$ java -jar jenkins-cli.jar -s $JENKINS_URL who-am-i

Aug 05, 2019 1:16:21 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProvider
INFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider
Authenticated as: anonymous
Authorities:

 

$ wget -q --auth-no-challenge --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'

Jenkins-Crumb:bc52953b81fdd89d445a6a898440a766%

 

As SAML user: KO

$ java -jar jenkins-cli.jar -s $JENKINS_URL -auth jenkins_admin:XXXXX who-am-i

Aug 05, 2019 1:17:59 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProvider
INFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider
java.io.IOException: Server returned HTTP response code: 401 for URL: https://test-jenkins.tooling.prod.cdsf.io/cli?remoting=false
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894)
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
        at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
        at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:72)
        at hudson.cli.CLI.plainHttpConnection(CLI.java:279)
        at hudson.cli.CLI._main(CLI.java:271)
        at hudson.cli.CLI.main(CLI.java:83)

 

$ wget -q --auth-no-challenge --user jenkins_admin --password XXXXX --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'

<<NO OUTPUT>>

 

I configured all permissions for this user in the authorization.

When I switch back to a local user, all the above commands work perfectly.

This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)

gdupin@gmail.com (JIRA)

Aug 5, 2019, 7:26:03 AM
to jenkinsc...@googlegroups.com
Guillaume Dupin updated an issue
Change By: Guillaume Dupin

gdupin@gmail.com (JIRA)

Aug 5, 2019, 7:27:02 AM
to jenkinsc...@googlegroups.com
Guillaume Dupin updated an issue

gdupin@gmail.com (JIRA)

Aug 5, 2019, 7:29:02 AM
to jenkinsc...@googlegroups.com
Guillaume Dupin updated an issue

kuisathaverat@gmail.com (JIRA)

Aug 5, 2019, 9:42:03 AM
to jenkinsc...@googlegroups.com
Ivan Fernandez Calvo closed an issue as Not A Defect
 

Because of how SAML works, user and password through an API call will not work (redirection to the IdP to authenticate); you have to use API tokens, which do work.

Change By: Ivan Fernandez Calvo
Status: Open → Closed
Resolution: Not A Defect

gdupin@gmail.com (JIRA)

Aug 6, 2019, 3:36:02 AM
to jenkinsc...@googlegroups.com
Guillaume Dupin commented on Bug JENKINS-58809
 
Re: CLI and API call do not work with SAML Realm

Ivan Fernandez Calvo thanks for your help.

I did try to use an API token for the 'jenkins_admin' user but it is the same result (in my initial post, I tested using both the password and the API token of the user in place of the "XXXXX"), but it behaves the same way.

gdupin@gmail.com (JIRA)

Aug 6, 2019, 3:37:02 AM
to jenkinsc...@googlegroups.com
Guillaume Dupin edited a comment on Bug JENKINS-58809
Ivan Fernandez Calvo thanks for your help.

I did try to use an API token generated for the 'jenkins_admin' user but it is the same result. In fact, in my initial post, I tested using both the password and the API token of the user in place of the "XXXXX", but it behaves the same way.

gdupin@gmail.com (JIRA)

Aug 6, 2019, 4:55:05 AM
to jenkinsc...@googlegroups.com
Guillaume Dupin reopened an issue
 

It does not work even with the API token

Change By: Guillaume Dupin
Resolution: Not A Defect
Status: Closed → Reopened

gdupin@gmail.com (JIRA)

Aug 6, 2019, 4:55:05 AM
to jenkinsc...@googlegroups.com
Guillaume Dupin updated an issue
Change By: Guillaume Dupin
Comment:
It does not work even with the API token

kuisathaverat@gmail.com (JIRA)

Aug 6, 2019, 6:43:02 AM
to jenkinsc...@googlegroups.com
Ivan Fernandez Calvo commented on Bug JENKINS-58809
 
Re: CLI and API call do not work with SAML Realm

I just remembered that I have seen something about the Jenkins CLI in the release notes at https://jenkins.io/blog/2019/02/17/remoting-cli-removed/ ; some services were removed in 2.176.2. Which version of jenkins-cli are you using? Is it the latest? I'm gonna test it.

kuisathaverat@gmail.com (JIRA)

Aug 6, 2019, 7:44:02 AM
to jenkinsc...@googlegroups.com

I have tested the issue with the environment at https://github.com/kuisathaverat/jenkins-issues/tree/master/JENKINS-58809/jenkins-2.176.2, following these steps:

1 - Start the docker-compose environment by running the up.sh script.
2 - Add the jenkins.example.com and saml hosts to my /etc/hosts, pointing to 127.0.0.1.
3 - Open http://jenkins.example.com:8080 and log in with the user tesla and password password.
4 - Create an API Token for the user tesla.
5 - Run in a terminal the command curl -L $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' : it works as expected and returns the crumb.
6 - Run in a terminal the command curl -u tesla:11d8ab0b87fff558fd48ebe51f9c43d352 $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' : it works as expected and returns the crumb.
7 - Run the command java -jar jenkins-cli.jar -s $JENKINS_URL -http -auth tesla:11d8ab0b87fff558fd48ebe51f9c43d352 who-am-i : it works as expected and returns the user info.

Note that I added the parameter `-http` to jenkins-cli, and I used the jenkins-cli that comes with Jenkins core 2.176.2 (see https://jenkins.io/blog/2017/04/11/new-cli/ ), so there is no issue: the two requests work as expected.

kuisathaverat@gmail.com (JIRA)

Aug 6, 2019, 7:44:03 AM
to jenkinsc...@googlegroups.com
Ivan Fernandez Calvo closed an issue as Not A Defect
Status: Reopened → Closed
Resolution: Not A Defect

gdupin@gmail.com (JIRA)

Aug 6, 2019, 12:27:02 PM
to jenkinsc...@googlegroups.com
Guillaume Dupin commented on Bug JENKINS-58809
 
Re: CLI and API call do not work with SAML Realm

Thanks for the help. Indeed, the test you indicated works well.

So maybe in my case the problem comes from the Keycloak SAML configuration?

Or from the configuration of my reverse-proxy? (My Jenkins is behind an AWS LB + an NGINX reverse-proxy.)

Anyway, your test will give me a reference to compare to in my investigation!

Thank you again

gdupin@gmail.com (JIRA)

Aug 13, 2019, 5:25:02 AM
to jenkinsc...@googlegroups.com

Ivan Fernandez Calvo FYI (and for people that might encounter the same issue and land on this page), the problem came from 2 points:

server {
  listen 8080;
  server_tokens off;

  location / {
        proxy_pass http://jenkins:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-Host $host;
        proxy_http_version 1.1;
        proxy_request_buffering off;
  }
}
  • the "Name ID Format" configured in my SAML IdP provider (Keycloak), which was set to "email" and not to "username": this attribute is the one that will be referenced in Jenkins as the user login, and you must use it in your API authentication (mine was set to "email", so I had to use the email as the user id).

Thank you again for your time
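As an added example (not code from the issue, from the reporter, or from the saml-plugin project), the script below repeats the checks from Ivan's reproduction steps against your own instance and maps the HTTP status of the token-authenticated request to the two causes identified in this thread: a user id that does not match what the IdP sends as Name ID (e-mail versus username), and a request that Jenkins treats as an interactive login and redirects to the IdP instead of accepting the API token. The environment variables JENKINS_URL, JENKINS_USER and JENKINS_TOKEN, the functions crumb_from_xml, diagnose, status_of and check_jenkins, and the sample XML are all assumptions of this example; the crumb XML shape is the one the crumbIssuer endpoint used in the issue returns.

```shell
#!/bin/sh
# Added example for JENKINS-58809, not code from the issue or the plugin.
# Assumed environment:
#   JENKINS_URL   - base URL of the instance (through the reverse proxy)
#   JENKINS_USER  - the user id as Jenkins sees it: the SAML Name ID, so the
#                   e-mail address when the IdP's Name ID Format is "email"
#   JENKINS_TOKEN - an API token for that user (never the SAML password)

# Turn the crumbIssuer XML into "field:value", the same shape the
# xpath=concat(//crumbRequestField,":",//crumb) query in the issue returns.
# Works whichever order the two elements appear in.
crumb_from_xml() {
  xml=$1
  field=$(printf '%s' "$xml" | sed -n 's/.*<crumbRequestField>\([^<]*\)<\/crumbRequestField>.*/\1/p')
  crumb=$(printf '%s' "$xml" | sed -n 's/.*<crumb>\([^<]*\)<\/crumb>.*/\1/p')
  [ -n "$field" ] && [ -n "$crumb" ] || return 1
  printf '%s:%s' "$field" "$crumb"
}

# Map the status of the API-token request to the diagnoses from this thread.
diagnose() {
  case $1 in
    200) echo "ok: token accepted, the user id matches the SAML Name ID" ;;
    401) echo "rejected: check that the user id equals the IdP Name ID (e-mail vs username) and that the token belongs to that user" ;;
    403) echo "denied: the request reached Jenkins but this identity lacks the permission (or a POST was sent without a crumb)" ;;
    302|303) echo "redirected: Jenkins treated this as an interactive login towards the IdP instead of API-token auth; check the proxy forwards Host and X-Forwarded-* unchanged" ;;
    *)   echo "unexpected status $1" ;;
  esac
}

# HTTP status of a GET. Redirects are not followed so a 302 stays visible.
# $1 = URL, $2 = optional user:token for HTTP basic auth
status_of() {
  if [ -n "${2:-}" ]; then
    curl -s -o /dev/null -w '%{http_code}' --user "$2" "$1"
  else
    curl -s -o /dev/null -w '%{http_code}' "$1"
  fi
}

# The three checks from the reproduction: anonymous crumb, token crumb, CLI.
check_jenkins() {
  crumb_url="$JENKINS_URL/crumbIssuer/api/xml"
  echo "anonymous crumb request: HTTP $(status_of "$crumb_url")"
  token_status=$(status_of "$crumb_url" "$JENKINS_USER:$JENKINS_TOKEN")
  echo "token crumb request:     HTTP $token_status -> $(diagnose "$token_status")"
  if [ "$token_status" = 200 ]; then
    echo "crumb header:            $(crumb_from_xml "$(curl -s --user "$JENKINS_USER:$JENKINS_TOKEN" "$crumb_url")")"
  fi
  # Same CLI invocation as in the thread: -http transport, API token as password.
  java -jar jenkins-cli.jar -s "$JENKINS_URL" -http -auth "$JENKINS_USER:$JENKINS_TOKEN" who-am-i
}

# Only talk to the network when an instance is configured.
if [ -n "${JENKINS_URL:-}" ]; then
  check_jenkins
fi
```

Run it as `JENKINS_URL=https://jenkins.example.org JENKINS_USER=user@example.org JENKINS_TOKEN=... sh check.sh`. The point of keeping the token request separate from the anonymous one is the pattern in the original report: anonymous works and the named user fails, which points at the identity mapping (Name ID) or at what the proxy hands to Jenkins rather than at the crumb mechanism itself.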
