After upgrading to Jenkins LTS 2.222.1 + role-strategy-plugin 2.16, REST API calls have stopped working. On the Log we can see
which is exactly what we get through the REST API
inetic has Admin permissions granted to a role, set throuch role-strategy-plugin and is able to execute any jobs through the UI.
We're using user+token for auth, which should not need Jenkins-Crumb header. Nevertheless, we've also tried user+password+crumb and user+token+crumb and we get the same results. We've also tried setting hudson.security.csrf.GlobalCrumbIssuerConfiguration.DISABLE_CSRF_PROTECTION to either true or false, but again, it makes no difference.
May be the security hardening done on 2.222.1 / 2.204.6 affects the role-strategy-plugin?
Only workaround found so far is to set global Read + Build permissions, however that allows every user to execute everything without being logged which is not so funny.
EDIT: forgot to add, $JENKINS/whoAmI for user yields: