Hi Jie Shen, even after adding the specific user and granting Overall/Read permission, when I keep the user ID as the Azure AD user ID (i.e. the email address) I am not able to invoke the API. It gives me a 403 Forbidden - Access Denied error indicating that <user> is missing the Overall/Read permission.
Alternatively, when invoking the API with the object ID as the user ID, I get a 500 Server Error as indicated below:
java.lang.IllegalStateException: Unexpected authentication type: org.acegisecurity.providers.UsernamePasswordAuthenticationToken@95ed46cf: Username: <objectID>; Password: [PROTECTED]; Authenticated: false; Details: org.acegisecurity.ui.WebAuthenticationDetails@7798: RemoteIpAddress: 126.96.36.199; SessionId: null; Not granted any authorities
Can you confirm that it works for an individual user at least (not the group), and whether I am missing anything?
Note: I am using Azure Active Directory Matrix-based security.
This was working with the Object ID as the user ID before I upgraded the Azure AD plugin, but as per your suggestion, after I updated the plugin and restarted the Jenkins service (and even the VM), it is not working either way.
Interestingly, after further investigation, the reason why it works is that the anonymous user was granted admin permission earlier. I realized this after removing the Azure AD configuration from Manage Global Security and reconfiguring everything from scratch. By default the anonymous user is granted admin permission; the moment I remove it, even for an individual user the remote API call (despite having Overall/Read permission) gives a Forbidden error. For the sake of trying, I turned on Overall/Read permission for Anonymous (not admin) and it started working again. So granting permissions to individual users does not have any impact; you need to grant the anonymous user Overall/Read permission. I think it's a bug!!
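When the only permission that seems to matter is the one granted to Anonymous, the question to settle is which principal Jenkins is actually evaluating the call under. Jenkins core exposes /whoAmI/api/json for exactly that: calling it with the same credentials used for the remote API call shows whether the request is seen as the intended user or as anonymous. The script below is an added example, not code from anyone in this thread or from the Azure AD plugin; JENKINS_URL, the user ID and the API token are placeholders, and the sample responses in run_samples() are constructed to mirror the three outcomes described above (403, 500, and a call that succeeds only because Anonymous has Overall/Read).

```python
"""Check which principal a Jenkins remote-API call is really evaluated as.

Added example (not from the thread). Assumes a Jenkins instance with the
built-in /whoAmI/api/json endpoint and a user ID + API token for Basic auth.
JENKINS_URL is a placeholder; replace it with the real instance.
"""
import base64
import json
import urllib.error
import urllib.request

JENKINS_URL = "https://jenkins.example.test"  # placeholder (assumption)


def basic_auth_header(user_id: str, api_token: str) -> str:
    """HTTP Basic header in the form Jenkins expects: '<user id>:<API token>'."""
    raw = f"{user_id}:{api_token}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def diagnose(status: int, body: str) -> str:
    """Classify a /whoAmI/api/json response.

    'authenticated' - Jenkins accepted the credentials for the named user
    'anonymous'     - served, but as 'anonymous' (credentials were not honoured);
                      any permission you then see is the Anonymous grant, not yours
    'forbidden'     - 403: the effective principal lacks Overall/Read
    'server-error'  - 500: the security realm threw while authenticating
    'unexpected'    - anything else
    Field names follow the WhoAmI bean ('name', 'authenticated', 'anonymous').
    """
    if status == 403:
        return "forbidden"
    if status == 500:
        return "server-error"
    if status != 200:
        return "unexpected"
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return "unexpected"
    if data.get("anonymous") is True or data.get("name") == "anonymous":
        return "anonymous"
    if data.get("authenticated") is True and data.get("name"):
        return "authenticated"
    return "unexpected"


def whoami(user_id: str, api_token: str, base_url: str = JENKINS_URL):
    """Live call; returns (HTTP status, response body). Network access required."""
    req = urllib.request.Request(
        base_url.rstrip("/") + "/whoAmI/api/json",
        headers={"Authorization": basic_auth_header(user_id, api_token)},
    )
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:  # 403/500 still carry a body
        return err.code, err.read().decode("utf-8", "replace")


def check_effective_principal(user_id: str, api_token: str) -> str:
    """Live check: who does Jenkins think is calling?"""
    return diagnose(*whoami(user_id, api_token))


def run_samples() -> dict:
    """Offline walk-through over constructed responses (not captured from a real server)."""
    samples = {
        # user granted Overall/Read, Anonymous has nothing: the call is refused
        "email-as-user-id": (403, "<html>Access Denied: alice@example.test is missing the Overall/Read permission</html>"),
        # object ID as user ID: realm fails with an unexpected authentication type
        "object-id-as-user-id": (500, "<html>java.lang.IllegalStateException: Unexpected authentication type</html>"),
        # Anonymous granted Overall/Read: the call 'works', but not as the user
        "anonymous-has-read": (200, json.dumps({"name": "anonymous", "anonymous": True,
                                                "authenticated": False, "authorities": []})),
        # what a correctly honoured credential looks like
        "credentials-honoured": (200, json.dumps({"name": "alice@example.test", "anonymous": False,
                                                  "authenticated": True, "authorities": ["authenticated"]})),
    }
    return {label: diagnose(status, body) for label, (status, body) in samples.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:24s} -> {verdict}")
```

If the live check reports 'anonymous' even though the Basic header is sent, the permissions granted to the individual user were never going to apply to that request, which is consistent with the observation that only the Anonymous grant changes the outcome; that result is the evidence to attach when reporting the behaviour against the plugin.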