azure-ad-plugin icon indicating copy to clipboard operation
azure-ad-plugin copied to clipboard

Published 20 hours ago verified publisher icon jenkinsci

Jenkins API not accessible(403 Forbidden error) with access token generated from azure ad

Open sanith01988 opened this issue 9 months ago • 7 comments

Jenkins and plugins versions report

Environment 
Paste the output here

What Operating System are you using (both controller, and any agents involved in the problem)?

docker jenkins

Reproduction steps

We're using azure ad app as security relam for our jenkins.Using the azure ad plugin through browser we're able to access the jenkins without any issue(We're not using graph api permission, instead our azure ad app assigned group configured via matrix authorization strategy). Now we need to call the jenkins api,for this we're having a technical account in entra and we're able to create access token for this user.But when we're using this access token for the jenkins api request we're getting 'Error accessing the API: 403 Client Error: Forbidden'.

Expected Results

Jenkins api access with azure ad access token

Actual Results

Error accessing the API: 403 Client Error: Forbidden

Anything else?

No response

Are you interested in contributing a fix?

No response

sanith01988 avatar May 16 '24 10:05 sanith01988

I think you need Graph API permission for the API to work.

timja avatar May 16 '24 10:05 timja

@timja Do I need to set graph api permission to the app registration which is using in security relam of Jenkins.

sanith01988 avatar May 16 '24 10:05 sanith01988

yes https://github.com/jenkinsci/azure-ad-plugin#setup-microsoft-entra-id-permissions-optional-but-recommended

This is used for:

  • Jenkins looking up the user, e.g. when you use the Rest API

timja avatar May 16 '24 11:05 timja

@timja

I've enabled the entra id permission. Still I'm getting 403 error. `403

Authentication required ` In jenkins log I couldn't see any errors related to it.

sanith01988 avatar May 17 '24 08:05 sanith01988

can you talk me through step by step what you've got setup?

timja avatar May 17 '24 10:05 timja

@timja

  1. Set up jenkins with azure ad plugin as security relay using jenkins.yaml configured below details.
jenkins:
  securityRealm:
    azureSecurityRealm:
      clientId: ''
      clientSecret: ''
      tenant: ''
      cacheduration: 0
      fromrequest: true

  authorizationStrategy:
    projectMatrix:
      entries:
        - group:
            name: <object-id>
            permissions:
              - Overall/Administer
        - user:
            name: <object-id>
            permissions:
              - Overall/Administer
  1. Configured http::///securityRealm/finishLogin as redirect uri in entra app registration
  2. Added group & user to app registartion 4.Then throuh browser I'm able to access without any issue
  3. then using a python script accessing the access_token with a technical user and using the access_ token try to access the "http::///api/json" token_endpoint = https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token response = requests.post(issuer["token_endpoint"], data={ "client_id": '', 'client_secret': '', 'audience': ', 'redirect_url': 'https://', "grant_type": "password", "username": 'technical_user', "password": 'password', "scope": "openid" }) access_token = response.json()['access_token'] url = "http:///api/json" headers = { "Authorization": f"Bearer {access_token}", "Accept": "application/json" }

api_response = requests.get(url, headers=headers, verify=False)

sanith01988 avatar May 17 '24 10:05 sanith01988

The Jenkins API uses a Jenkins API token and not a Microsoft access token.

Go to the Users profile in Jenkins and generate an API token

timja avatar May 17 '24 10:05 timja