Details
-
Bug
-
Status: Resolved (View Workflow)
-
Blocker
-
Resolution: Done
-
None
-
Production
Description
I 'm facing issue when try to login into Jenkins using Azure AD plugin. After user/password authentication throwing below error instead of showing Jenkins dashboard.
I tried authentication as Azure Active directory & OpenID both the cases error are same.
I'm using openjdk version "1.8.0_171" & Jenkins : 2.121
----------
A problem occurred while processing the request. Please check our bug tracker to see if a similar problem has already been reported. If it is already reported, please vote and put a comment on it to let us gauge the impact of the problem. If you think this is a new issue, please file a new issue. When you file an issue, make sure to add the entire stack trace, along with the version of Jenkins and relevant plugins. The users list might be also useful in understanding what has happened.
Stack trace
java.lang.IllegalStateException: Invalid nonce in the response at com.microsoft.jenkins.azuread.AzureSecurityRealm.validateAndParseIdToken(AzureSecurityRealm.java:239) at com.microsoft.jenkins.azuread.AzureSecurityRealm.doFinishLogin(AzureSecurityRealm.java:202) at java.lang.invoke.MethodHandle.invokeWithArguments(MethodHandle.java:627) at org.kohsuke.stapler.Function$MethodFunction.invoke(Function.java:343) at org.kohsuke.stapler.Function.bindAndInvoke(Function.java:184) at org.kohsuke.stapler.Function.bindAndInvokeAndServeResponse(Function.java:117) at org.kohsuke.stapler.MetaClass$1.doDispatch(MetaClass.java:129) at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715) Caused: javax.servlet.ServletException at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:765) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845) at org.kohsuke.stapler.MetaClass$3.doDispatch(MetaClass.java:209) at org.kohsuke.stapler.NameBasedDispatcher.dispatch(NameBasedDispatcher.java:58) at org.kohsuke.stapler.Stapler.tryInvoke(Stapler.java:715) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:845) at org.kohsuke.stapler.Stapler.invoke(Stapler.java:649) at org.kohsuke.stapler.Stapler.service(Stapler.java:238) at javax.servlet.http.HttpServlet.service(HttpServlet.java:790) at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:860) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1650) at hudson.util.PluginServletFilter$1.doFilter(PluginServletFilter.java:154) at hudson.util.PluginServletFilter.doFilter(PluginServletFilter.java:157) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at com.microsoft.jenkins.azuread.AzureSecurityRealm$CrumbExempt.process(AzureSecurityRealm.java:343) at hudson.security.csrf.CrumbFilter.doFilter(CrumbFilter.java:73) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:84) at hudson.security.UnwrapSecurityExceptionFilter.doFilter(UnwrapSecurityExceptionFilter.java:51) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at jenkins.security.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:117) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:135) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:271) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at jenkins.security.BasicHeaderProcessor.doFilter(BasicHeaderProcessor.java:93) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:249) at hudson.security.HttpSessionContextIntegrationFilter2.doFilter(HttpSessionContextIntegrationFilter2.java:67) at hudson.security.ChainedServletFilter$1.doFilter(ChainedServletFilter.java:87) at hudson.security.ChainedServletFilter.doFilter(ChainedServletFilter.java:90) at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at hudson.util.CharacterEncodingFilter.doFilter(CharacterEncodingFilter.java:82) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at org.kohsuke.stapler.DiagnosticThreadNameFilter.doFilter(DiagnosticThreadNameFilter.java:30) at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1637) at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143) at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:524) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:190) at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595) at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:188) at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1253) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:168) at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473) at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564) at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:166) at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1155) at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141) at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) at org.eclipse.jetty.server.Server.handle(Server.java:530) at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:347) at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:256) at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:279) at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:102) at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:124) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:247) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.produce(EatWhatYouKill.java:140) at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:131) at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:382) at winstone.BoundedExecutorService$1.run(BoundedExecutorService.java:77) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:748)
Attachments
Activity
I am trying to integrate Jenkins with AAD. I am getting this same error. When I look at the nonce in the URL, it is ZtwytiBakY. When I look at the payload, I get the same:
"nonce": "ZtwytiBakY"
What am I doing wrong? The server currently has a bad cert, so I get the:
Jonathan Burbano
added a comment - - edited I am trying to integrate Jenkins with AAD. I am getting this same error. When I look at the nonce in the URL, it is ZtwytiBakY. When I look at the payload, I get the same:
"nonce": "ZtwytiBakY"
What am I doing wrong? The server currently has a bad cert, so I get the:
There is a problem with this website’s security certificate.
Badal Kotecha
added a comment - Facing the same exact issue. What could we be doing wrong? the nonce matches from the request to the one returned in ID Token.
Badal Kotecha
added a comment - Facing the same exact issue. What could we be doing wrong? the nonce matches from the request to the one returned in ID Token. Badal Kotecha
added a comment - I found why the issue actually occurs. For my Jenkins VM on Azure I have used a DNS and I initially created a service principal with Reply URL which had the dns name(e.g. http://myjenkins.eastus.cloudapp.azure.com:8080/securityRealm/finishLogin). Post configuration I was getting an error "The reply url specified in the request does not match the reply urls configured for the application". I realized that the Reply url and the actual url was not matching as azure ad is trying to send the response to a URL with public IP of the jenkins VM. I had to configure the reply url using the IP.
Once I fixed it I got this above issue when I was still trying to access jenkins instance (initial request) with dns (e.g. myjenkins.eastus.cloudapp.azure.com). I switched from DNS to IP based request in browser and it started working without any problems (e.g. http://40.x.x.232:8080)
I am wondering though what would it take to configure it based on the DNS? Why it doesn't work?
Regards
Badal
Badal Kotecha
added a comment - I found why the issue actually occurs. For my Jenkins VM on Azure I have used a DNS and I initially created a service principal with Reply URL which had the dns name(e.g. http://myjenkins.eastus.cloudapp.azure.com:8080/securityRealm/finishLogin ). Post configuration I was getting an error "The reply url specified in the request does not match the reply urls configured for the application". I realized that the Reply url and the actual url was not matching as azure ad is trying to send the response to a URL with public IP of the jenkins VM. I had to configure the reply url using the IP.
Once I fixed it I got this above issue when I was still trying to access jenkins instance (initial request) with dns (e.g. myjenkins.eastus.cloudapp.azure.com). I switched from DNS to IP based request in browser and it started working without any problems (e.g. http://40.x.x.232:8080)
I am wondering though what would it take to configure it based on the DNS? Why it doesn't work?
Regards
Badal Looks like Jenkins redirection to IdP is passing redirect URI with public IP and not honoring the DNS names. This is what is causing the issue when Azure AD is posting back the ID token back to Jenkins as service principal is configured with proper host name but the redirect URI mentioned it with public IP and hence it is not matching. How do we fix this on the Jenkins side?
Badal Kotecha
added a comment - - edited Looks like Jenkins redirection to IdP is passing redirect URI with public IP and not honoring the DNS names. This is what is causing the issue when Azure AD is posting back the ID token back to Jenkins as service principal is configured with proper host name but the redirect URI mentioned it with public IP and hence it is not matching. How do we fix this on the Jenkins side? Badal Kotecha
added a comment - I got this resolved by changing the jenkins.model.JenkinsLocationConfiguration.xml and adding my host name in jenkinsUrl (e.g. <jenkinsUrl>http://myjenkins.eastus.cloudapp.azure.com:8080/</jenkinsUrl>)
Now in my azure service principal application I have given the reply URL as a complete host name / DNS and it is working
Regards
Badal
Badal Kotecha
added a comment - I got this resolved by changing the jenkins.model.JenkinsLocationConfiguration.xml and adding my host name in jenkinsUrl (e.g. <jenkinsUrl> http://myjenkins.eastus.cloudapp.azure.com:8080/ </jenkinsUrl>)
Now in my azure service principal application I have given the reply URL as a complete host name / DNS and it is working
Regards
Badal 
Azure DevOps
added a comment - we can update the doc at least. badalk also writes an awesome blog on how to use Azure-ad-plugin. You can get it from here . Thanks again for his great contribution!
It means the Jenkins generated nonce is different from the one Azure sent back.
Could you please check the value of two nonces?
The generated one can be found in your browser request like: https://login.microsoftonline.com/8b0be46a-d471-47ce-9d26-66bb1f4875b3/oauth2/authorize?nonce=tZGHszaEx1&response_mode=....
And the second one can be found in the request to http://<your host>/securityRealm/finishLogin. The id_token field in the form data is a JWT string which you can decode with https://jwt.io/