Jenkins is configured with a SAML 2.0 security realm (to connect to a Keycloak Identity Provider), and I can access the GUI as a user 'jenkins_admin' created in Keycloak without problem.

      But when I try to get the "Crumb" to do API calls or to use "jenkins-cli.jar" by authenticating with the user/password of the Keycloak user, I get errors as mentioned below:

      As Anonymous: OK

      $ java -jar jenkins-cli.jar -s $JENKINS_URL who-am-i

      Aug 05, 2019 1:16:21 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProvider
      INFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider
      Authenticated as: anonymous
      Authorities:

      $ wget -q --auth-no-challenge --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'

      Jenkins-Crumb:bc52953b81fdd89d445a6a898440a766%

      As SAML user: KO

      $ java -jar jenkins-cli.jar -s $JENKINS_URL -auth jenkins_admin:XXXXX who-am-i

      Aug 05, 2019 1:17:59 PM org.apache.sshd.common.util.security.AbstractSecurityProviderRegistrar getOrCreateProvider
      INFO: getOrCreateProvider(EdDSA) created instance of net.i2p.crypto.eddsa.EdDSASecurityProvider
      java.io.IOException: Server returned HTTP response code: 401 for URL: https://<jenkinsUrl>/cli?remoting=false
          at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1894)
          at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
          at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
          at hudson.cli.FullDuplexHttpStream.<init>(FullDuplexHttpStream.java:72)
          at hudson.cli.CLI.plainHttpConnection(CLI.java:279)
          at hudson.cli.CLI._main(CLI.java:271)
          at hudson.cli.CLI.main(CLI.java:83)

      $ wget -q --auth-no-challenge --user jenkins_admin --password XXXXX --output-document - $JENKINS_URL'/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'

      <<NO OUTPUT>>

      I configured all permissions for this user in the authorization.

      When I switch back to a local user, all above commands work perfectly.

          [JENKINS-58809] CLI and API call do not work with SAML Realm

          Guillaume Dupin created issue -

          Ivan Fernandez Calvo added a comment - Because of how SAML works, user and password through an API call will not work (redirection to the IdP to authenticate); you have to use API tokens, which work.
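
          The API-token approach named in the comment above, as an added example (not code from this issue or from the Jenkins project): it builds the preemptive Basic header from `user:API-token` and turns the `Field:value` crumb output shown in the description into a request header. The function names, the sample token `11aa22bb`, the use of `curl` with `/whoAmI/api/json`, and treating the trailing `%` in the pasted output as a terminal artifact are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names and sample values are constructed.

# Preemptive Basic header (what wget --auth-no-challenge sends), built
# from "user:API-token" instead of the IdP password.
basic_auth_header() {   # $1 = Jenkins user id, $2 = API token
    printf 'Authorization: Basic %s' \
        "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Turn the crumb issuer's "Field:value" output into a request header.
# Fails on anything else (empty body, HTML login page, error text).
crumb_header() {
    line=$(printf '%s' "$1" | tr -d '\r\n')
    line=${line%\%}          # assumed terminal artifact, as in the pasted output
    case "$line" in *:*) ;; *) return 1 ;; esac
    field=${line%%:*}
    value=${line#*:}
    case "$field" in ''|*[!A-Za-z0-9._-]*) return 1 ;; esac
    case "$value" in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
    printf '%s: %s' "$field" "$value"
}

# Live check (needs network, not run here): $1 = base URL, $2 = user, $3 = API token.
# Headers reach curl through a config on stdin so the token stays out of argv.
jenkins_whoami() {
    auth=$(basic_auth_header "$2" "$3")
    raw=$(printf 'header = "%s"\n' "$auth" | curl -sS -K - \
        "$1/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,\":\",//crumb)") || return 1
    crumb=$(crumb_header "$raw") || {
        echo "no crumb in response: the request was not authenticated" >&2
        return 1
    }
    printf 'header = "%s"\nheader = "%s"\n' "$auth" "$crumb" |
        curl -sS -K - "$1/whoAmI/api/json"
}

# Constructed sample values (not real credentials)
basic_auth_header jenkins_admin 11aa22bb; echo
crumb_header 'Jenkins-Crumb:bc52953b81fdd89d445a6a898440a766%'; echo
```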
          Ivan Fernandez Calvo made changes -
          Resolution New: Not A Defect [ 7 ]
          Status Original: Open [ 1 ] New: Closed [ 6 ]

          Guillaume Dupin added a comment - - edited

          ifernandezcalvo thanks for your help.

          I did try to use an API token generated for the 'jenkins_admin' user but it is the same result. In fact, in my initial post, I tried using both the password and the API token of the user in place of the "XXXXX" but it behaves the same way.
          Guillaume Dupin made changes -
          Resolution Original: Not A Defect [ 7 ]
          Status Original: Closed [ 6 ] New: Reopened [ 4 ]
          Guillaume Dupin made changes -
          Comment [ It does not work even with the API token ]

          Ivan Fernandez Calvo added a comment - I just remembered that I have seen something about Jenkins CLI in the release notes https://jenkins.io/blog/2019/02/17/remoting-cli-removed/; there are some services removed in 2.176.2. Which version of Jenkins-CLI are you using? Is it the latest? I'm gonna test it.

            ifernandezcalvo Ivan Fernandez Calvo
            yogeek Guillaume Dupin