[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title
Guillaume Dupin commented on JENKINS-58809
Re: CLI and API call do not work with SAML Realm
Ivan Fernandez Calvo FYI (and for people that might encounter the same issue and land on this page), the problem came from 2 points :
the configuration of the nginx reverse-proxy in front of jenkins (this page helped me : https://wiki.jenkins.io/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy)
server {
listen 8080;
server_tokens off;
location / {
proxy_pass http://jenkins:8080;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_http_version 1.1;
proxy_request_buffering off;
}
}
the "Name ID Format" configured in my SAML IdP provider (Keycloak) that was set to "email" and not to "username" : this attribute is the one that will be referenced in Jenkins as the user login and you must use it in your API authentication (mine was set to "email" so I had to use the email as the user id)
Thank you again for your time
Add Comment
This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d)
--
You received this message because you are subscribed to the Google Groups "Jenkins Issues" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title Guillaume Dupin commented on JENKINS-58809 Re: CLI and API call do not work with SAML Realm Thanks for the help Indeed, the test you indicated is working well. So maybe in my case the problem comes from Keycloak SAML configuration... ? Or from the configuration of my reverse-proxy ? (my jenkins is behind an AWS LB + a NGINX reverse-proxy) Anyway, your test will give me a reference to compare to in my investigation ! Thank you again Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201120.156500429.8954.1565108820226%40Atlassian.JIRA.
[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title Ivan Fernandez Calvo closed an issue as Not A Defect Jenkins / JENKINS-58809 CLI and API call do not work with SAML Realm Change By: Ivan Fernandez Calvo Status: Reopened Closed Resolution: Not A Defect Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201120.156500429.8750.1565091840434%40Atlassian.JIRA.
[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title Ivan Fernandez Calvo commented on JENKINS-58809 Re: CLI and API call do not work with SAML Realm I have tested the issue with the environment at https://github.com/kuisathaverat/jenkins-issues/tree/master/JENKINS-58809/jenkins-2.176.2, I make the following steps: 1 - start docker-compose environment running the up.sh script 2 - add jenkins.example.com and saml host to my_ /etc/hosts_ pointing to 127.0.0.1 3 - Enter on http://jenkins.example.com:8080 and log in with the user tesla and password password 4 - Create an API Token for the user tesla 5 - run in a terminal the command curl -L $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' works as expected, it returns the crumb 6 - run in a terminal the command curl -u tesla:11d8ab0b87fff558fd48ebe51f9c43d352 $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' works as expected, it returns the crumb 7 - run the command java -jar jenkins-cli.jar -s $JENKINS_URL -http -auth tesla:11d8ab0b87fff558fd48ebe51f9c43d352 who-am-i works as expected, it returns the user info noted that I added the parameter `-http` to the jenkins-cli and I've used the jenkins-cli that comes with Jenkins core 2.176.2 see https://jenkins.io/blog/2017/04/11/new-cli/ , so there is no issue the two request works as expected Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201120.156500429.8745.1565091840348%40Atlassian.JIRA.
[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title Ivan Fernandez Calvo commented on JENKINS-58809 Re: CLI and API call do not work with SAML Realm I just remember that I have seen something about Jenkins CLI on the releases notes https://jenkins.io/blog/2019/02/17/remoting-cli-removed/ there are some services removed on 2.176.2, Which version of Jenkins-CLI you are using? Is it the latest? I'm gonna test it Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201120.156500429.8691.1565088180277%40Atlassian.JIRA.
[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title Guillaume Dupin reopened an issue Is does not work even with the API token Jenkins / JENKINS-58809 CLI and API call do not work with SAML Realm Change By: Guillaume Dupin Resolution: Not A Defect Status: Closed Reopened Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201120.156500429.8565.1565081700642%40Atlassian.JIRA.
[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title Guillaume Dupin updated an issue Jenkins / JENKINS-58809 CLI and API call do not work with SAML Realm Change By: Guillaume Dupin Comment: Is does not work even with the API token Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201120.156500429.8567.1565081700695%40Atlassian.JIRA.
[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title Guillaume Dupin edited a comment on JENKINS-58809 Re: CLI and API call do not work with SAML Realm [~ifernandezcalvo] thanks for your help.I did try to use an API token generated for the 'jenkins_admin' user but it is the same result ( . In fact, in my initial post, I tested to use both the password and the API token of the user in place of the "X" ) but it behaves the same way. Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201120.156500429.8507.1565077020125%40Atlassian.JIRA.
[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title Guillaume Dupin commented on JENKINS-58809 Re: CLI and API call do not work with SAML Realm Ivan Fernandez Calvo thanks for your help. I did try to use API token for the 'jenkins_admin' user but it is the same result (in my initial post, I tested to use both the password and the API token of the user in place of the "X") but it behaves the same way. Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201120.156500429.8505.1565076960174%40Atlassian.JIRA.
[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title Ivan Fernandez Calvo closed an issue as Not A Defect because of how SAML works user and password thought and API cal will not work (redirection to the IdP to authenticate), you have to use API tokens that work. Jenkins / JENKINS-58809 CLI and API call do not work with SAML Realm Change By: Ivan Fernandez Calvo Status: Open Closed Resolution: Not A Defect Add Comment This message was sent by Atlassian Jira (v7.11.2#711002-sha1:fdc329d) -- You received this message because you are subscribed to the Google Groups "Jenkins Issues" group. To unsubscribe from this group and stop receiving emails from it, send an email to jenkinsci-issues+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-issues/JIRA.201120.156500429.7895.1565012520349%40Atlassian.JIRA.
[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title
Guillaume Dupin updated an issue
Jenkins / JENKINS-58809
CLI and API call do not work with SAML Realm
Change By:
Guillaume Dupin
Jenkins is configured with SAML 2.0 security realm (to connect to a Keycloak Identity Provider), and I can access to the GUI as a user 'jenkins_admin' created in Keycloak without problem.But when I try to get the "Crumb" to do API calls or to use "jenkins-cli.jar" by authenticating with the user/password of the keycloak user, I get errors as mentionned below : *+As Anonymous : OK+**{{$ java -jar jenkins-cli.jar -s $JENKINS_URL who-am-i}}*{{Aug 05, 2019 1:16:21 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProvider}} {{INFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider}} {{Authenticated as: anonymous}} {{Authorities:}} *{{$ wget -q --auth-no-challenge --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'}}*{{Jenkins-Crumb:bc52953b81fdd89d445a6a898440a766%}} *+As SAML user : KO+**{{$ java -jar jenkins-cli.jar -s $JENKINS_URL -auth jenkins_admin:X who-am-i}}* {{ Aug 05, 2019 1:17:59 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProviderINFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProviderjava.io.IOException: Server returned HTTP response code: 401 for URL: [https:// /cli?remoting=false|https:// test-jenkins.tooling.prod.cdsf.io/cli?remoting=false] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263) at hudson.cli.FullDuplexHttpStream.(FullDuplexHttpStream.java:72) at hudson.cli.CLI.plainHttpConnection(CLI.java:279) at hudson.cli.CLI._main(CLI.java:271) at hudson.cli.CLI.main(CLI.java:83)}} * {{ $ wget }}{{ *{{$ wget -q --auth-no-challenge }}{{ - - user jenkins_admin --password X --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'}} * _{{<>}}_ I configured all permissions for this user in the autorization authorization .When I switch back to a local user, all above commands work perfectly.
[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title
Guillaume Dupin updated an issue
Jenkins / JENKINS-58809
CLI and API call do not work with SAML Realm
Change By:
Guillaume Dupin
Jenkins is configured with SAML 2.0 security realm (to connect to a Keycloak Identity Provider), and I can access to the GUI as a user 'jenkins_admin' created in Keycloak without problem.But when I try to get the "Crumb" to do API calls or to use "jenkins-cli.jar" by authenticating with the user/password of the keycloak user, I get errors as mentionned below : *+As Anonymous : OK+**{{$ java -jar jenkins-cli.jar -s $JENKINS_URL who-am-i}}*{{Aug 05, 2019 1:16:21 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProvider}} {{INFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider}} {{Authenticated as: anonymous}} {{Authorities:}} *{{$ wget -q --auth-no-challenge --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'}}*{{Jenkins-Crumb:bc52953b81fdd89d445a6a898440a766%}} *+As SAML user : KO+**{{$ java -jar jenkins-cli.jar -s $JENKINS_URL -auth jenkins_admin:X who-am-i}}*{{ Aug 05, 2019 1:17:59 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProviderINFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProviderjava.io.IOException: Server returned HTTP response code: 401 for URL: [https://test-jenkins.tooling.prod.cdsf.io/cli?remoting=false] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263) at hudson.cli.FullDuplexHttpStream.(FullDuplexHttpStream.java:72) at hudson.cli.CLI.plainHttpConnection(CLI.java:279) at hudson.cli.CLI._main(CLI.java:271) at hudson.cli.CLI.main(CLI.java:83)}}{{ }}{{*{{$ wget -q --auth-no-challenge- -user jenkins_admin --password X --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'}} *}} _{{<>}}_ I configured all permissions for this user in the autorization.When I switch back to a local user, all above commands work perfectly.
[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title
Guillaume Dupin updated an issue
Jenkins / JENKINS-58809
CLI and API call do not work with SAML Realm
Change By:
Guillaume Dupin
Jenkins is configured with SAML 2.0 security realm (to connect to a Keycloak Identity Provider), and I can access to the GUI as a user 'jenkins_admin' created in Keycloak without problem. But when I try to get the "Crumb" to do API calls or to use "jenkins-cli.jar" by authenticating with the user/password of the keycloak user, I get errors as mentionned below : *+As Anonymous : OK+**{{$ java -jar jenkins-cli.jar -s $JENKINS_URL who-am-i}}* {{Aug 05, 2019 1:16:21 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProvider}}{{INFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider}}{{Authenticated as: anonymous}}{{Authorities:}} *{{$ wget -q --auth-no-challenge --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'}}* {{Jenkins-Crumb:bc52953b81fdd89d445a6a898440a766%}} *+As SAML user : KO+**{{$ java -jar jenkins-cli.jar -s $JENKINS_URL -auth jenkins_admin:X who-am-i}}* {{ Aug 05, 2019 1:17:59 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProviderINFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProviderjava.io.IOException: Server returned HTTP response code: 401 for URL: [ https://test-jenkins.tooling.prod.cdsf.io/cli?remoting=false ] at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263) at hudson.cli.FullDuplexHttpStream.(FullDuplexHttpStream.java:72) at hudson.cli.CLI.plainHttpConnection(CLI.java:279) at hudson.cli.CLI._main(CLI.java:271) at hudson.cli.CLI.main(CLI.java:83)}} {{ }}{{ *{{$ wget -q --auth-no-challenge - - - user jenkins_admin --password X --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'}}* }} _{{<>}}_ I configured all permissions for this user in the autorization.When I switch back to a local user, all above commands work perfectly.
[JIRA] (JENKINS-58809) CLI and API call do not work with SAML Realm
Title: Message Title
Guillaume Dupin created an issue
Jenkins / JENKINS-58809
CLI and API call do not work with SAML Realm
Issue Type:
Bug
Assignee:
Ivan Fernandez Calvo
Components:
saml-plugin
Created:
2019-08-05 11:24
Environment:
Jenkins ver. 2.176.2 saml-plugin 1.1.2
Labels:
cli client crumb SAML2 saml
Priority:
Major
Reporter:
Guillaume Dupin
Jenkins is configured with SAML 2.0 security realm (to connect to a Keycloak Identity Provider), and I can access to the GUI as a user 'jenkins_admin' created in Keycloak without problem. But when I try to get the "Crumb" to do API calls or to use "jenkins-cli.jar" by authenticating with the user/password of the keycloak user, I get errors as mentionned below : As Anonymous : OK $ java -jar jenkins-cli.jar -s $JENKINS_URL who-am-i Aug 05, 2019 1:16:21 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProvider INFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider Authenticated as: anonymous Authorities: $ wget -q --auth-no-challenge --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' Jenkins-Crumb:bc52953b81fdd89d445a6a898440a766% As SAML user : KO $ java -jar jenkins-cli.jar -s $JENKINS_URL -auth jenkins_admin:X who-am-i {{ Aug 05, 2019 1:17:59 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProviderINFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProviderjava.io.IOException: Server returned HTTP response
