jenkins-control-plugin

Credentials in URL

Open jamesj2 opened this issue 6 years ago • 18 comments

We have a Jenkins server that's behind a global HTTP basic authentication scheme for the whole domain and has a web form for logging into Jenkins. When I try to add the HTTP basic authentication I get an error saying "[Fail] Credentials should not be embedded in the url. Use the above form instead." Is there any possibility of having both HTTP basic authentication and form-based authentication?

Thanks!

jamesj2 avatar Mar 31 '18 01:03 jamesj2

Hi, are there any solutions to fix this?

zhouyijiaren avatar Nov 11 '22 12:11 zhouyijiaren

Currently not

But I can look after my current issue

MCMicS avatar Nov 11 '22 16:11 MCMicS

I would love to use this plugin, but I have the same issue, not possible with basic authentication as far as I see.

lee-peuker avatar Oct 20 '23 05:10 lee-peuker

I will have a look. Do you have a test environment to test against?

MCMicS avatar Oct 20 '23 05:10 MCMicS

No, sorry, we have no public test environment, only our internal company instance.

I can reproduce the issue without a valid Jenkins URL/credentials, like this image

lee-peuker avatar Oct 20 '23 05:10 lee-peuker

OK, I have to set up a test environment for this then. So, to clarify: if you visit Jenkins via the browser, will it ask you to log in with basic auth and then show the Jenkins login screen, or will you be logged in then?

MCMicS avatar Oct 20 '23 06:10 MCMicS

The web server requires basic auth and Jenkins itself requires user login. These processes are not related to each other as far as I see in our case. Visiting via browser prompts for basic auth and loads the login page.

lee-peuker avatar Oct 20 '23 06:10 lee-peuker

OK, I will set this up on my machine and test it, but it will take some time. I guess I can test it in 1-2 weeks. But I will look into it for one of the next releases.

MCMicS avatar Oct 20 '23 07:10 MCMicS

@lee-peuker Sorry for bothering, but do you know if the basic auth is handled via a proxy?

Maybe you can check with curl -v and check the headers in the response.

If it is a proxy it could maybe help to configure proxy in IDE with credentials.

But I will set up an environment next week too, with a simple basic auth in front of Jenkins.

MCMicS avatar Oct 20 '23 18:10 MCMicS

@MCMicS Hey, no problem. We have a reverse proxy (nginx) in front of Jenkins, which uses the standard auth_basic module and proxy_pass to connect to Jenkins.

> If it is a proxy it could maybe help to configure proxy in IDE with credentials

Edit: Where should I configure this? I only see HTTP Proxy in the System Settings, but I think this is to configure how PhpStorm connects to the internet, which does not help here, because I would only need this for connecting to Jenkins :thinking:

lee-peuker avatar Oct 23 '23 05:10 lee-peuker

Can you share part of your proxy settings? Do you modify headers or simply use proxy_pass or any header modification?

What plugins are installed on Jenkins? Maybe something like https://plugins.jenkins.io/reverse-proxy-auth-plugin/

MCMicS avatar Oct 24 '23 18:10 MCMicS

I have removed and censored a few things from the nginx config

server {
    listen 443 ssl http2;

    server_name [...];

    root [...];

    access_log /var/log/nginx/ci.access_log;
    error_log  /var/log/nginx/ci.error_log;

    proxy_intercept_errors  on;

    ignore_invalid_headers off;
    sendfile off;

    location / {
        auth_basic "Protected Area";
        auth_basic_user_file [...];

        allow [...];
        satisfy any;

        if (!-f $request_filename) {
            proxy_pass          http://app_server;
            break;
        }
            proxy_pass          http://app_server;
            break;

        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_max_temp_file_size 0;

        client_max_body_size       10m;
        client_body_buffer_size    128k;

        proxy_connect_timeout      90;
        proxy_send_timeout         90;
        proxy_read_timeout         90;
        proxy_request_buffering    off; # Required for HTTP CLI commands in Jenkins > 2.54

        proxy_set_header Host $host:$server_port;

        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        Authorization   "";
        proxy_redirect          off;

        # workaround for https://issues.jenkins-ci.org/browse/JENKINS-45651
        add_header 'X-SSH-Endpoint' 'jenkins.domain.tld:50022' always;

        #mixed content jenkins to non https
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

I think relevant is probably proxy_set_header Authorization ""; -> jenkins knows nothing about the basic auth done by nginx as far as I see

If I search the installed plugins I found no match containing the word proxy or reverse.

lee-peuker avatar Oct 25 '23 06:10 lee-peuker

Thanks for this, I will try to set this up. And yes, it looks like it removes the existing Authorization header, so Jenkins will not know the auth which is configured in the IDE.

I will try to find a solution. Is a change to the proxy configuration possible? So that I can send a different header which will be delegated to Jenkins after the basic proxy auth.

MCMicS avatar Oct 25 '23 06:10 MCMicS

> Is a change to the proxy configuration possible

Hm, maybe, but I am not sure. I can ask when I have something concrete to propose.

lee-peuker avatar Oct 25 '23 06:10 lee-peuker
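
An added example, not part of the thread or of the plugin's code: a small Python model of the request path discussed above, where nginx's auth_basic consumes the one Authorization header and `proxy_set_header Authorization "";` drops it before Jenkins. The credentials, the `X-Jenkins-Authorization` header name and the forwarding variant are assumptions made for illustration, and the model assumes the client is not covered by the `allow` rule.

```python
import base64

def basic(user, secret):
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{secret}".encode()).decode()

# Constructed sample credentials, not taken from the thread.
PROXY_AUTH = basic("gate", "proxy-pass")          # entry in auth_basic_user_file
JENKINS_AUTH = basic("dev", "jenkins-api-token")  # Jenkins user and API token
FORWARD = "X-Jenkins-Authorization"               # hypothetical header name

def nginx(headers, forward_header=None):
    """Model the location block: auth_basic, then rewrite Authorization upstream."""
    if headers.get("Authorization") != PROXY_AUTH:
        return 401, 'Basic realm="Protected Area"'
    upstream = {k: v for k, v in headers.items() if k != "Authorization"}
    # proxy_set_header Authorization "";  an empty value means the header is not sent.
    # Assumed variant: proxy_set_header Authorization $http_x_jenkins_authorization;
    token = upstream.pop(forward_header, None) if forward_header else None
    if token:
        upstream["Authorization"] = token
    return jenkins(upstream)

def jenkins(headers):
    """Model Jenkins: only its own credentials authenticate; otherwise anonymous."""
    if headers.get("Authorization") == JENKINS_AUTH:
        return 200, "authenticated"
    return 403, "anonymous"

def outcomes():
    """Status seen by the client for each way of presenting the two credentials."""
    both = {"Authorization": PROXY_AUTH, FORWARD: JENKINS_AUTH}
    return {
        "jenkins_creds_only": nginx({"Authorization": JENKINS_AUTH})[0],
        "proxy_creds_only": nginx({"Authorization": PROXY_AUTH})[0],
        "both_header_stripped": nginx(both)[0],
        "both_header_forwarded": nginx(both, forward_header=FORWARD)[0],
    }

if __name__ == "__main__":
    for case, status in outcomes().items():
        print(f"{case}: {status}")
```

With the configuration as posted, no combination of headers reaches Jenkins authenticated; only the assumed forwarding variant does.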

Hello, I hope this may help you identify the root cause. I'm facing the same issue and in my opinion it's not related to ingress. I'll explain.

In June 2023 I created an API token for my account and I still, now, can use it with basic auth. This API token is no longer visible in the Jenkins UI.

In July 2023 we did an upgrade of Jenkins (from 2.375.2 to 2.401.2). Starting from that date, all newly created API tokens are not working with basic auth (401 unauthorized).

In September 2023, we did another upgrade (current Jenkins version 2.414.1), and the issue remains.

MerlinFTW avatar Nov 16 '23 10:11 MerlinFTW

@MerlinFTW Does your API token not work anymore? If so, please file a new issue. This issue is about credentials in the URL, for an in-front proxy for example.

But API tokens will work for current Jenkins and plugin versions.

MCMicS avatar Nov 16 '23 11:11 MCMicS

The API token I created before June 2023 is still working (basic auth) but it does not appear in Jenkins UI. The new API tokens I create (since upgrade to 2.401.2) are not working.

Do you think it requires a new issue? If so, I'll open one.

MerlinFTW avatar Nov 16 '23 11:11 MerlinFTW

Yes please. It seems that it does not belong to credentials in URL.

MCMicS avatar Nov 16 '23 11:11 MCMicS