JENKINS-59805: Error when integrating with Azure AD

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Won't Fix
    • Component/s: azure-ad-plugin
    • Labels:
      None
    • Environment:
      Azure AD
      Description

      I applied a certificate to Jenkins, then I followed the guidance here to integrate with Azure AD: https://wiki.jenkins.io/display/JENKINS/Azure+AD+Plugin

      First I enabled HTTPS by using the keystore:

      openssl pkcs12 -export -out jenkins_keystore.p12 -passout 'pass:xxx' \
        -inkey example.key -in example.crt -certfile CertCA.crt -name example
      keytool -importkeystore -srckeystore jenkins_keystore.p12 -srcstorepass 'xxx' \
        -srcstoretype PKCS12 -srcalias example -deststoretype JKS \
        -destkeystore jenkins_keystore.jks -deststorepass 'xxx' -destalias example

      After I installed the Azure AD plugin, this error occurred:

      org.jose4j.jwt.consumer.InvalidJwtException: JWT (claims->{"aud":"9533d0f1-2b45-4ca0-88d3-f68fbf14b959","iss":"https://sts.windows.net/4e1eab56-1e20-410c-9a33-208f4489fbd3/v2.0","iat":1571229543,"nbf":1571229543,"exp":1571233443,"cloud_instance_name":"microsoftonline.us","cloud_graph_host_name":"graph.windows.net","msgraph_host":"graph.microsoft.com","aio":"AWQAm/8EAAAA1CKvXcdx/kWs/H9GLm4BKBJkNd2hV7AiP07c00YPdCiqcsaVig9Oi674f0poQOIXwp0Y91z1vX0cAm03oW9p1p9nRlPdTC6z+JmFDaKX6NMLv9v+fIgdPer15Yas4idi","email":"xxx","name":"xxx","nonce":"wGtXIHVvwR","oid":"29979360-f175-4da8-808e-4c03db48be59","preferred_username":"xxx","sub":"tg4kqDvDX3um45hIsQfrfexxEllNVI5JnL9tOo","tid":"4e1eab56c-9a33-xx208f4489fbd3","uti":"3l8w0S49w0Whx4_5FM0FAA","ver":"2.0"}) rejected due to invalid claims. Additional details: [[12] Issuer (iss) claim value (https://sts.windows.net/4e1eab56-1e20-410c-9a33-208f4489fbd3/v2.0) doesn't match expected value of https://login.microsoftonline.com/4e1eab56-1e20-410c-9a33-208f4489fbd3/v2.0]
       at org.jose4j.jwt.consumer.JwtConsumer.validate(JwtConsumer.java:449)
       at org.jose4j.jwt.consumer.JwtConsumer.processContext(JwtConsumer.java:294)
       at org.jose4j.jwt.consumer.JwtConsumer.process(JwtConsumer.java:416)
       at org.jose4j.jwt.consumer.JwtConsumer.processToClaims(JwtConsumer.java:164)
       at com.microsoft.jenkins.azuread.AzureSecurityRealm.validateAndParseIdToken(AzureSecurityRealm.java:237)
       at com.microsoft.jenkins.azuread.AzureSecurityRealm.doFinishLogin(AzureSecurityRealm.java:203)
       at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627)
       at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:396)
       at org.kohsuke.stapler.Function$InstanceFunction.invoke(Function.java:408)
       at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:212)
       at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:145)
       at org.kohsuke.stapler.MetaClass$11.doDispatch(MetaClass.java:535)
       at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
       at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
      Caused: javax.servlet.ServletException
       at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:797)
       at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
       at org.kohsuke.stapler.MetaClass$2.doDispatch(MetaClass.java:219)
       at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58)
       at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:747)
       at org.kohsuke.stapler.Stapler.invoke(Stapler.java:878)
       at org.kohsuke.stapler.Stapler.invoke(Stapler.java:676)
       at org.kohsuke.stapler.Stapler.service(Stapler.java:238)
       at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
       at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:873)
       at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1623)
       at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154)
       at jenkins.telemetry.impl.UserLanguages$AcceptLanguageFilter.doFilter(UserLanguages.java:128)

      Can someone please look into this issue, thanks very much!
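The jose4j message in the trace above is the plugin's ID-token claim validation rejecting the token because its iss claim (an sts.windows.net URL) is not the login.microsoftonline.com issuer the plugin builds for the tenant. The following Python script is an added example, not code from this issue or from azure-ad-plugin; it re-creates that check on the claims quoted in the trace (redacted fields left as xxx, and the tid claim assumed to equal the tenant in the issuer URL) so the failure can be reproduced offline, and it shows what the remedy looks like from the validating side: the expected issuer is a tenant-bound URL for the cloud actually in use, and the comparison stays exact, because loosening or disabling the issuer check would let a token minted by another tenant or cloud log a user in.

```python
import time

# Claims taken from the jose4j error message in this issue. Fields the reporter
# redacted stay "xxx"; the garbled "tid" is replaced by the tenant id that appears
# in the issuer URL (an assumption made for this example).
SAMPLE_CLAIMS = {
    "aud": "9533d0f1-2b45-4ca0-88d3-f68fbf14b959",
    "iss": "https://sts.windows.net/4e1eab56-1e20-410c-9a33-208f4489fbd3/v2.0",
    "iat": 1571229543,
    "nbf": 1571229543,
    "exp": 1571233443,
    "tid": "4e1eab56-1e20-410c-9a33-208f4489fbd3",
    "nonce": "wGtXIHVvwR",
    "ver": "2.0",
}

# Tenant and client (application) id as they appear in the trace.
TENANT_ID = "4e1eab56-1e20-410c-9a33-208f4489fbd3"
CLIENT_ID = "9533d0f1-2b45-4ca0-88d3-f68fbf14b959"

# Issuer host the plugin expected according to the error text (commercial cloud).
# Which host a given cloud uses is deployment configuration; what matters for the
# check is that it is an explicit value bound to the tenant id.
COMMERCIAL_ISSUER_HOST = "login.microsoftonline.com"


def expected_issuer(issuer_host: str, tenant_id: str) -> str:
    """Build the v2.0 issuer URL the token's iss claim must equal exactly."""
    return f"https://{issuer_host}/{tenant_id}/v2.0"


def validate_claims(claims: dict, expected_iss: str, expected_aud: str,
                    now: int, skew: int = 30) -> list:
    """Return rejection reasons (empty when the token is acceptable).

    Mirrors the checks jose4j applies before the plugin trusts the token:
    issuer, audience, expiry and not-before, with a small clock-skew allowance.
    """
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append(f"iss {claims.get('iss')!r} != expected {expected_iss!r}")
    # aud may be a single string or a list; require an exact member match
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        problems.append(f"aud {aud!r} does not contain {expected_aud!r}")
    if "exp" not in claims or now > claims["exp"] + skew:
        problems.append("token expired or has no exp")
    if "nbf" in claims and now + skew < claims["nbf"]:
        problems.append("token not yet valid (nbf)")
    return problems


def check_against_cloud(claims: dict, issuer_host: str, now: int = None) -> list:
    """Validate claims against the issuer this deployment is configured for."""
    if now is None:
        now = int(time.time())
    return validate_claims(claims, expected_issuer(issuer_host, TENANT_ID), CLIENT_ID, now)


if __name__ == "__main__":
    # Evaluate shortly after the token's own iat so only the issuer check is in play.
    now = SAMPLE_CLAIMS["iat"] + 60
    for host in (COMMERCIAL_ISSUER_HOST, "sts.windows.net"):
        print(f"{host}: {check_against_cloud(SAMPLE_CLAIMS, host, now) or 'OK'}")
```

Run with python3: the commercial host reproduces the single issuer mismatch from the trace, while the host the token actually carries passes only because the tenant id in the URL also matches; a token from any other tenant is still rejected on the same host, and an expired token is rejected regardless of issuer.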

          Activity

          Jie Shen added a comment -

          There should be some configuration issues in the Azure AD App Registration.

          Some similar issues at:

          https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/560

          https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/issues/575

          patric Moore added a comment -

          Hi Jie Shen,

          It is an Azure gov environment.

          I have modified my application but I still got this issue:

          I enabled HTTPS by using these commands:

          openssl pkcs12 -inkey coretesting_govops.key -in coretesting_govops.crt -export -out keys.pkcs12
          keytool -importkeystore -srckeystore keys.pkcs12 -srcstoretype pkcs12 -destkeystore jenkins.jks

          Then I changed the JENKINS_ARGS and restarted Jenkins:

          JENKINS_ARGS="--webroot=/var/cache/$NAME/war --httpPort=-1 --httpsPort=8443 --httpsKeyStore=/var/lib/jenkins/jenkins.jks --httpsKeyStorePassword=xxx"

          Then I can visit Jenkins at https://jenkins.coretesting.govops.us:8443

          After configuring Azure AD with Jenkins, I get the error above. This is all I have done for the configuration; can you help me check it? Thanks.

          Jie Shen added a comment -

          patric Moore: This plugin has never been tested on an Azure gov environment, so I am afraid it cannot support such a scenario yet.

          patric Moore added a comment -

          Thanks Jie Shen for the help. Since Azure Gov doesn't seem to support the Jenkins integration, we will find some other way to do it.

          Jie Shen added a comment -

          No plan for Azure gov environment.

            People

            • Assignee: Jie Shen
            • Reporter: patric Moore
            • Votes: 0
            • Watchers: 2