Trigger Build with Api Token

[Simon Turner]

The docs at https://www.jenkins.io/doc/book/system-administration/authenticating-scripted-clients/ and https://www.jenkins.io/doc/book/using/remote-access-api/ both strongly imply that you don't need to supply a crumb when calling the API from scripted clients, if you use an API token. They both illustrate curl/wget calls with API tokens and no crumb header, and the latter says "API tokens are preferred *instead of* crumbs for CSRF protection"

This seems to be true for GET requests - I can make a GET to $JENKINS_URL/job/myjob/changes with a valid user/ApiToken and it succeeds. However, when I POST to trigger that job, I get "HTTP ERROR 403 No valid crumb was included in the request"

(Problem for me is that this seems to break Spinnaker's ability to trigger Jenkins jobs unless I disable CSRF completely, which obviously I don't want to do.)

Is it by design that even an ApiToken must be combined with a crumb to do POSTs? Can this be disabled? Is this anything to do with https://www.jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6?

I'm on Jenkins 2.235.5

Thanks

[Simon Turner]

Just an update for anyone with the particular problem I had with Spinnaker: the docs https://spinnaker.io/setup/ci/jenkins/ indicate that Spinnaker can only connect to Jenkins if:

1. csrf=true on the Spinnaker connection to Jenkins

2. Jenkins's 'strict' crumb issuer is installed rather than the default issuer and set to *not* check the session

So that would imply that even with an Api token you still need to get and pass a crumb for API calls (and by default a valid session as well?!)

If anyone can clarify the current state of Jenkins w.r.t. crumbs, passwords, api-tokens and sessions, and how these relate to the legacy auth endpoint, the crumb issuer endpoint and API endpoints, it would be much appreciated. The docs don't seem to reflect reality, at least not for my install from the Jenkins Helm chart.