Trigger Build with Api Token


Trigger Build with Api Token

Simon Turner
The docs at https://www.jenkins.io/doc/book/system-administration/authenticating-scripted-clients/ and https://www.jenkins.io/doc/book/using/remote-access-api/ both strongly imply that you don't need to supply a crumb when calling the API from scripted clients, if you use an API token. They both illustrate curl/wget calls with API tokens and no crumb header, and the latter says "API tokens are preferred *instead of* crumbs for CSRF protection".

This seems to be true for GET requests - I can make a GET to $JENKINS_URL/job/myjob/changes with a valid user/ApiToken and it succeeds. However, when I POST to trigger that job, I get "HTTP ERROR 403 No valid crumb was included in the request".

(Problem for me is that this seems to break Spinnaker's ability to trigger Jenkins jobs unless I disable CSRF completely, which obviously I don't want to do.)

Is it by design that even an ApiToken must be combined with a crumb to do POSTs? Can this be disabled? Is this anything to do with https://www.jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6?


Thanks


--
You received this message because you are subscribed to the Google Groups "Jenkins Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [hidden email].
To view this discussion on the web visit https://groups.google.com/d/msgid/jenkinsci-users/7c49a7e2-b666-48da-965d-02ad03fee858n%40googlegroups.com.

Re: Trigger Build with Api Token

Simon Turner
Just an update for anyone with the particular problem I had with Spinnaker: the docs https://spinnaker.io/setup/ci/jenkins/ indicate that Spinnaker can only connect to Jenkins if:

1. csrf=true on the Spinnaker connection to Jenkins
2. Jenkins's 'strict' crumb issuer is installed rather than the default issuer and set to *not* check the session

So that would imply that even with an Api token you still need to get and pass a crumb for API calls (and by default a valid session as well?!)

If anyone can clarify the current state of Jenkins w.r.t. crumbs, passwords, api-tokens and sessions, and how these relate to the legacy auth endpoint, the crumb issuer endpoint and API endpoints, it would be much appreciated. The docs don't seem to reflect reality, at least not for my install from the Jenkins Helm chart.

On Friday, August 28, 2020 at 6:57:20 PM UTC+1 Simon Turner wrote:


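Added example, not code from the thread, from Jenkins or from Spinnaker: a small Python client that does what the two posts describe, fetching a crumb from the crumb issuer endpoint and then POSTing the build with both the API token (HTTP basic auth) and the crumb header, keeping one cookie jar across both calls so that the default crumb issuer's session check is satisfied. The base URL, user, token and job name are placeholders; `fake_sender` is a constructed offline stand-in for `make_sender` so the flow can be dry-run without a Jenkins instance.

```python
import base64
import json
import urllib.error
import urllib.request
from http.cookiejar import CookieJar


def make_sender(user, api_token):
    """Return send(method, url, headers, body) -> (status, text): basic auth with the
    API token and ONE cookie jar, because Jenkins binds the crumb to the JSESSIONID
    cookie, so the crumb GET and the build POST must share the same session."""
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(CookieJar()))
    auth = base64.b64encode(f"{user}:{api_token}".encode()).decode()

    def send(method, url, headers, body=None):
        req = urllib.request.Request(url, data=body, headers=headers, method=method)
        req.add_header("Authorization", f"Basic {auth}")
        try:
            with opener.open(req, timeout=30) as resp:
                return resp.status, resp.read().decode(errors="replace")
        except urllib.error.HTTPError as err:  # 403 "No valid crumb" lands here
            return err.code, err.read().decode(errors="replace")
    return send


def get_crumb(base_url, send):
    """Ask /crumbIssuer/api/json for the header name and the crumb value."""
    status, text = send("GET", base_url.rstrip("/") + "/crumbIssuer/api/json", {})
    if status != 200:
        raise RuntimeError(f"crumb request failed: HTTP {status}")
    data = json.loads(text)
    return data["crumbRequestField"], data["crumb"]


def trigger_build(base_url, job, send):
    """POST /job/<job>/build with the crumb header; returns HTTP status (201 = queued)."""
    field, crumb = get_crumb(base_url, send)
    status, text = send("POST", f"{base_url.rstrip('/')}/job/{job}/build", {field: crumb}, b"")
    if status == 403 and "crumb" in text.lower():
        raise PermissionError("crumb rejected: session cookie not kept, or issuer settings differ")
    if status not in (200, 201):
        raise RuntimeError(f"build trigger failed: HTTP {status}")
    return status


def fake_sender(crumb="c0ffee", post_status=201, post_text=""):
    """Constructed offline stand-in for make_sender(): records calls, returns canned replies."""
    calls = []

    def send(method, url, headers, body=None):
        calls.append((method, url, dict(headers)))
        if url.endswith("/crumbIssuer/api/json"):
            return 200, json.dumps({"crumbRequestField": "Jenkins-Crumb", "crumb": crumb})
        return post_status, post_text
    return send, calls
```

For a real run, replace `fake_sender(...)` with `make_sender("user", "api-token")` and call `trigger_build("https://jenkins.example", "myjob", send)`.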