[JIRA] (JENKINS-59805) Error when integrate with Azure AD

Issue Type:	Bug
Assignee:	Azure DevOps
Components:	azure-ad-plugin
Created:	2019-10-16 12:49
Environment:	Azure AD
Priority:	Critical
Reporter:	patric Moore

I applied a certificate for jenkins then I followed the guidance here to integrate with Azure AD: https://wiki.jenkins.io/display/JENKINS/Azure+AD+Plugin

First I enabled the https by using the keystore:

 
                                                                openssl pkcs12 -export -out jenkins_keystore.p12 -passout 'pass:xxx' -inkey
example.key -in example.crt -certfile CertCA.crt -name example
keytool -importkeystore -srckeystore jenkins_keystore.p12 -srcstorepass 'xxx' -srcstoretype PKCS12 -srcalias example -deststoretype JKS -destkeystore jenkins_keystore.jks -deststorepass 'xxx' -destalias example

After I installed the Azure AD plugin, the error occurs:

```

This message was sent by Atlassian Jira (v7.13.6#713006-sha1:cc4451f)

gongjun.huang@citrix.com (JIRA)

unread,

Oct 16, 2019, 8:52:03 AM10/16/19

to jenkinsc...@googlegroups.com

patric Moore updated an issue

Jenkins /

Change By:	patric Moore

I applied a certificate for jenkins then I followed the guidance here to integrate with Azure AD: [https://wiki.jenkins.io/display/JENKINS/Azure+AD+Plugin]

First I enabled the https by using the keystore:

{code:java}

openssl pkcs12 -export -out jenkins_keystore.p12 -passout 'pass:xxx' -inkey
example.key -in example.crt -certfile CertCA.crt -name example
keytool -importkeystore -srckeystore jenkins_keystore.p12 -srcstorepass 'xxx' -srcstoretype PKCS12 -srcalias example -deststoretype JKS -destkeystore jenkins_keystore.jks -deststorepass 'xxx' -destalias example

{code}

After I installed the Azure AD plugin, the error occurs:

```
{code:java}
org.jose4j.jwt.consumer.InvalidJwtException: JWT (claims-> \ {"aud":"9533d0f1-2b45-4ca0-88d3-f68fbf14b959","iss":"https://sts.windows.net/4e1eab56-1e20-410c-9a33-208f4489fbd3/v2.0","iat":1571229543,"nbf":1571229543,"exp":1571233443,"cloud_instance_name":"microsoftonline.us","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","aio":"AWQAm/8EAAAA1CKvXcdx/kWs/H9GLm4BKBJkNd2hV7AiP07c00YPdCiqcsaVig9Oi674f0poQOIXwp0Y91z1vX0cAm03oW9p1p9nRlPdTC6z+JmFDaKX6NMLv9v+fIgdPer15Yas4idi","email":"xxx","name":"xxx","nonce":"wGtXIHVvwR","oid":"29979360-f175-4da8-808e-4c03db48be59","preferred_username":"xxx","sub":"tg4kqDvDX3um45hIsQfrfexxEllNVI5JnL9tOo","tid":"4e1eab56c-9a33-xx208f4489fbd3","uti":"3l8w0S49w0Whx4_5FM0FAA","ver":"2.0"}) rejected due to invalid claims. Additional details: [[12] Issuer (iss) claim value (https://sts.windows.net/4e1eab56-1e20-410c-9a33-208f4489fbd3/v2.0) doesn't match expected value of https://login.microsoftonline.com/4e1eab56-1e20-410c-9a33-208f4489fbd3/v2.0]
at org.jose4j.jwt.consumer.JwtConsumer.validate(JwtConsumer.java:449)
at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:294)
at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:416)
at org.jose4j.jwt.consumer.JwtConsumer.processToClaims(JwtConsumer.java:164)
at com.microsoft.jenkins.azuread.AzureSecurityRealm.validateAndParseIdToken(AzureSecurityRealm.java:237)
at com.microsoft.jenkins.azuread.AzureSecurityRealm.doFinishLogin(AzureSecurityRealm.java:203)
at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:535)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
Caused: javax.servlet.ServletException
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:797)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:219)
at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676)
at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128) {code}

```

Can someone please look into this issue, thanks very much!

gongjun.huang@citrix.com (JIRA)

unread,

Oct 16, 2019, 8:52:04 AM10/16/19

to jenkinsc...@googlegroups.com

patric Moore updated an issue

Jenkins /

Change By:	patric Moore

I applied a certificate for jenkins then I followed the guidance here to integrate with Azure AD: [https://wiki.jenkins.io/display/JENKINS/Azure+AD+Plugin]

First I enabled the https by using the keystore:

{code:java}
openssl pkcs12 -export -out jenkins_keystore.p12 -passout 'pass:xxx' -inkey
example.key -in example.crt -certfile CertCA.crt -name example
keytool -importkeystore -srckeystore jenkins_keystore.p12 -srcstorepass 'xxx' -srcstoretype PKCS12 -srcalias example -deststoretype JKS -destkeystore jenkins_keystore.jks -deststorepass 'xxx' -destalias example
{code}

After I installed the Azure AD plugin, the error occurs:

```

org.jose4j.jwt.consumer.InvalidJwtException: JWT (claims->\{"aud":"9533d0f1-2b45-4ca0-88d3-f68fbf14b959","iss":"https://sts.windows.net/4e1eab56-1e20-410c-9a33-208f4489fbd3/v2.0","iat":1571229543,"nbf":1571229543,"exp":1571233443,"cloud_instance_name":"microsoftonline.us","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","aio":"AWQAm/8EAAAA1CKvXcdx/kWs/H9GLm4BKBJkNd2hV7AiP07c00YPdCiqcsaVig9Oi674f0poQOIXwp0Y91z1vX0cAm03oW9p1p9nRlPdTC6z+JmFDaKX6NMLv9v+fIgdPer15Yas4idi","email":"xxx","name":"xxx","nonce":"wGtXIHVvwR","oid":"29979360-f175-4da8-808e-4c03db48be59","preferred_username":"xxx","sub":"tg4kqDvDX3um45hIsQfrfexxEllNVI5JnL9tOo","tid":"4e1eab56c-9a33-xx208f4489fbd3","uti":"3l8w0S49w0Whx4_5FM0FAA","ver":"2.0"}) rejected due to invalid claims. Additional details: [[12] Issuer (iss) claim value (https://sts.windows.net/4e1eab56-1e20-410c-9a33-208f4489fbd3/v2.0) doesn't match expected value of https://login.microsoftonline.com/4e1eab56-1e20-410c-9a33-208f4489fbd3/v2.0]

```

Can someone please look into this issue, thanks very much!

jieshe@microsoft.com (JIRA)

unread,

Oct 16, 2019, 10:31:02 PM10/16/19

to jenkinsc...@googlegroups.com

Jie Shen assigned an issue to Jie Shen

Jenkins /

Change By:	Jie Shen
Assignee:	Azure DevOps Jie Shen

jieshe@microsoft.com (JIRA)

unread,

Oct 16, 2019, 11:08:04 PM10/16/19

to jenkinsc...@googlegroups.com

Jie Shen commented on

Re: Error when integrate with Azure AD

There should be some configuration issues in the Azure AD App Registration.

Some similar issue at

https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/560

https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/575

gongjun.huang@citrix.com (JIRA)

unread,

Oct 17, 2019, 2:18:02 AM10/17/19

to jenkinsc...@googlegroups.com

patric Moore updated an issue

Jenkins /

Change By:	patric Moore
Attachment:	image-2019-10-17-14-17-54-279.png

gongjun.huang@citrix.com (JIRA)

unread,

Oct 17, 2019, 2:23:02 AM10/17/19

to jenkinsc...@googlegroups.com

patric Moore commented on