Details
-
Bug
-
Status: Resolved (View Workflow)
-
Major
-
Resolution: Duplicate
-
Jenkins Version 2.18
Description
When CSRF protection is enabled, it's no longer possible to trigger builds/parametrized builds with the project api token (Returns Error 403 No valid crumb was included in the request).
Attachments
Issue Links
- duplicates
-
-
- Resolved
-
Activity
It's actually a duplicate of #22474. Sorry I didn't find that one when reporting the bug (yes, I did a search before). As that one lingers since more than two years, I don't expect it to be resolved too soon. 
Would you mind to extend your reasoning / clarify the jenkins position in the original issue?
I think csrf token is not correctly implemented in jenkins. The goal is to prevent csrf attacks in session-based requests (that is, authenticate once with user/password, protected against subsequent csrf attacks by requiring token with each request.
API usage by token based authentication is a completely different thing, however - the authentication is done with each request by providing the api token. There is no way to attack this scheme by csrf anyways, as there is no session involved. Requiring the csrf token in this case does not provide additional security - it just requires the api user to do an additional request for the csrf token prior to making the api call.
Without knowledge of the api token, the api call is not vulnerable. With knowledge of the api token, the csrf token is no additional protection.
Please note that JENKINS-22474 is still around and open. We're not rejecting it.
Ok, thank you. I was just unsure as to what 'official' position regarding the issue was, as there was no obvious activity for some time now. I assume that the issue will be fixed then sooner or later 
.
Where's the bug here? If you POST, you're expected to provide a token. /crumbIssuer/api/xml exists for that reason.