Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-58809

CLI and API call do not work with SAML Realm

    Details

    • Similar Issues:

      Description

      Jenkins is configured with SAML 2.0 security realm (to connect to a Keycloak Identity Provider), and I can access to the GUI as a user 'jenkins_admin' created in Keycloak without problem.

      But when I try to get the "Crumb" to do API calls or to use "jenkins-cli.jar" by authenticating with the user/password of the keycloak user, I get errors as mentionned below :

       

      As Anonymous : OK

      $ java -jar jenkins-cli.jar -s $JENKINS_URL who-am-i

      Aug 05, 2019 1:16:21 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProvider
      INFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider
      Authenticated as: anonymous
      Authorities:

       

      $ wget -q --auth-no-challenge --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'

      Jenkins-Crumb:bc52953b81fdd89d445a6a898440a766%

       

      As SAML user : KO

      $ java -jar jenkins-cli.jar -s $JENKINS_URL -auth jenkins_admin:XXXXX who-am-i

      Aug 05, 2019 1:17:59 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProviderINFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProviderjava.io.IOException: Server returned HTTP response code: 401 for URL: https://<jenkinsUrl>/cli?remoting=false at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894) at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492) at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263) at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:72) at hudson.cli.CLI.plainHttpConnection(CLI.java:279) at hudson.cli.CLI._main(CLI.java:271) at hudson.cli.CLI.main(CLI.java:83)

       

      $ wget -q --auth-no-challenge{{ -user jenkins_admin --password XXXXX --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'}}

      <<NO OUTPUT>>

       

      I configured all permissions for this user in the authorization.

      When I switch back to a local user, all above commands work perfectly.

        Attachments

          Activity

          Hide
          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          because of how SAML works user and password thought and API cal will not work (redirection to the IdP to authenticate), you have to use API tokens that work.

          Show
          ifernandezcalvo Ivan Fernandez Calvo added a comment - because of how SAML works user and password thought and API cal will not work (redirection to the IdP to authenticate), you have to use API tokens that work.
          Hide
          yogeek Guillaume Dupin added a comment - - edited

          Ivan Fernandez Calvo thanks for your help.

          I did try to use  an API token generated for the 'jenkins_admin' user but it is the same result. In fact, in my initial post, I tested to use both the password and the API token of the user in place of the "XXXXX" but it behaves the same way.

          Show
          yogeek Guillaume Dupin added a comment - - edited Ivan Fernandez Calvo thanks for your help. I did try to use  an API token generated for the 'jenkins_admin' user but it is the same result. In fact, in my initial post, I tested to use both the password and the API token of the user in place of the "XXXXX" but it behaves the same way.
          Hide
          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          I just remember that I have seen something about Jenkins CLI on the releases notes https://jenkins.io/blog/2019/02/17/remoting-cli-removed/ there are some services removed on 2.176.2, Which version of Jenkins-CLI you are using? Is it the latest? I'm gonna test it

          Show
          ifernandezcalvo Ivan Fernandez Calvo added a comment - I just remember that I have seen something about Jenkins CLI on the releases notes https://jenkins.io/blog/2019/02/17/remoting-cli-removed/ there are some services removed on 2.176.2, Which version of Jenkins-CLI you are using? Is it the latest? I'm gonna test it
          Hide
          ifernandezcalvo Ivan Fernandez Calvo added a comment -

          I have tested the issue with the environment at https://github.com/kuisathaverat/jenkins-issues/tree/master/JENKINS-58809/jenkins-2.176.2, I make the following steps:

          1 - start docker-compose environment running the up.sh script
          2 - add jenkins.example.com and saml host to my_ /etc/hosts_ pointing to 127.0.0.1
          3 - Enter on http://jenkins.example.com:8080 and log in with the user tesla and password password
          4 - Create an API Token for the user tesla
          5 - run in a terminal the command curl -L $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' works as expected, it returns the crumb
          6 - run in a terminal the command curl -u tesla:11d8ab0b87fff558fd48ebe51f9c43d352 $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' works as expected, it returns the crumb
          7 - run the command java -jar jenkins-cli.jar -s $JENKINS_URL -http -auth tesla:11d8ab0b87fff558fd48ebe51f9c43d352 who-am-i works as expected, it returns the user info

          noted that I added the parameter `-http` to the jenkins-cli and I've used the jenkins-cli that comes with Jenkins core 2.176.2 see https://jenkins.io/blog/2017/04/11/new-cli/ , so there is no issue the two request works as expected

          Show
          ifernandezcalvo Ivan Fernandez Calvo added a comment - I have tested the issue with the environment at https://github.com/kuisathaverat/jenkins-issues/tree/master/JENKINS-58809/jenkins-2.176.2 , I make the following steps: 1 - start docker-compose environment running the up.sh script 2 - add jenkins.example.com and saml host to my_ /etc/hosts_ pointing to 127.0.0.1 3 - Enter on http://jenkins.example.com:8080 and log in with the user tesla and password password 4 - Create an API Token for the user tesla 5 - run in a terminal the command curl -L $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' works as expected, it returns the crumb 6 - run in a terminal the command curl -u tesla:11d8ab0b87fff558fd48ebe51f9c43d352 $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)' works as expected, it returns the crumb 7 - run the command java -jar jenkins-cli.jar -s $JENKINS_URL -http -auth tesla:11d8ab0b87fff558fd48ebe51f9c43d352 who-am-i works as expected, it returns the user info noted that I added the parameter `-http` to the jenkins-cli and I've used the jenkins-cli that comes with Jenkins core 2.176.2 see https://jenkins.io/blog/2017/04/11/new-cli/ , so there is no issue the two request works as expected
          Hide
          yogeek Guillaume Dupin added a comment -

          Thanks for the help Indeed, the test you indicated is working well.

          So maybe in my case the problem comes from Keycloak SAML configuration... ?

          Or from the configuration of my reverse-proxy ? (my jenkins is behind an AWS LB + a NGINX reverse-proxy)

          Anyway, your test will give me a reference to compare to in my investigation !

          Thank you again

          Show
          yogeek Guillaume Dupin added a comment - Thanks for the help Indeed, the test you indicated is working well. So maybe in my case the problem comes from Keycloak SAML configuration... ? Or from the configuration of my reverse-proxy ? (my jenkins is behind an AWS LB + a NGINX reverse-proxy) Anyway, your test will give me a reference to compare to in my investigation ! Thank you again
          Hide
          yogeek Guillaume Dupin added a comment -

          Ivan Fernandez Calvo FYI (and for people that might encounter the same issue and land on this page), the problem came from 2 points :

          server {    
            listen 8080;    
            server_tokens off;
            
            location / {
                  proxy_pass http://jenkins:8080;
                  proxy_set_header Host $host;
                  proxy_set_header X-Forwarded-Proto https;
                  proxy_set_header X-Forwarded-Host $host;
                  proxy_http_version 1.1;
                  proxy_request_buffering off;
            }
          }
          • the "Name ID Format" configured in my SAML IdP provider (Keycloak) that was set to "email" and not to "username" : this attribute is the one that will be referenced in Jenkins as the user login and you must use it in your API authentication (mine was set to "email" so I had to use the email as the user id)

          Thank you again for your time

          Show
          yogeek Guillaume Dupin added a comment - Ivan Fernandez Calvo FYI (and for people that might encounter the same issue and land on this page), the problem came from 2 points : the configuration of the nginx reverse-proxy in front of jenkins (this page helped me :  https://wiki.jenkins.io/display/JENKINS/Jenkins+behind+an+NGinX+reverse+proxy ) server {    listen 8080;    server_tokens off;   location / {         proxy_pass http: //jenkins:8080;         proxy_set_header Host $host;         proxy_set_header X-Forwarded-Proto https;         proxy_set_header X-Forwarded-Host $host;         proxy_http_version 1.1;         proxy_request_buffering off;   } } the "Name ID Format" configured in my SAML IdP provider (Keycloak) that was set to "email" and not to "username" : this attribute is the one that will be referenced in Jenkins as the user login and you must use it in your API authentication (mine was set to "email" so I had to use the email as the user id) Thank you again for your time

            People

            • Assignee:
              ifernandezcalvo Ivan Fernandez Calvo
              Reporter:
              yogeek Guillaume Dupin
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: