Several operations throw java.lang.IllegalArgumentException: A granted authority textual representation is required #253

Closed
meiswjn opened this issue Jun 20, 2022 · 9 comments
Contributor

meiswjn commented Jun 20, 2022

Jenkins and plugins versions report

Jenkins: 2.332.3
OS: Windows Server 2012 R2 - 6.3
---
Office-365-Connector:4.16.1
ace-editor:1.1
analysis-model-api:10.12.0
ansicolor:1.0.1
ant:475.vf34069fef73c
antisamy-markup-formatter:2.7
apache-httpcomponents-client-4-api:4.5.13-1.0
artifactory:3.16.2
audit-trail:3.10
authentication-tokens:1.4
azure-ad:234.vb_ece34ecd5ff
azure-credentials:216.ve0b_4a_485ffc2
azure-sdk:106.v552de1e64d56
basic-branch-build-strategies:1.3.2
blueocean:1.25.5
blueocean-autofavorite:1.2.5
blueocean-bitbucket-pipeline:1.25.5
blueocean-commons:1.25.5
blueocean-config:1.25.5
blueocean-core-js:1.25.5
blueocean-dashboard:1.25.5
blueocean-display-url:2.4.1
blueocean-events:1.25.5
blueocean-git-pipeline:1.25.5
blueocean-github-pipeline:1.25.5
blueocean-i18n:1.25.5
blueocean-jwt:1.25.5
blueocean-personalization:1.25.5
blueocean-pipeline-api-impl:1.25.5
blueocean-pipeline-editor:1.25.5
blueocean-pipeline-scm-api:1.25.5
blueocean-rest:1.25.5
blueocean-rest-impl:1.25.5
blueocean-web:1.25.5
bootstrap5-api:5.1.3-6
bouncycastle-api:2.25
branch-api:2.1046.v0ca_37783ecc5
build-blocker-plugin:1.7.8
build-discarder:60.v1747b0eb632a
build-monitor-plugin:1.13+build.202205140447
build-user-vars-plugin:1.9-rc127.da32fb9ecc2a
build-with-parameters:1.6
caffeine-api:2.9.3-65.v6a_47d0f4d1fe
checks-api:1.7.4
cloudbees-bitbucket-branch-source:773.v4b_9b_005b_562b_
cloudbees-disk-usage-simple:0.10
cloudbees-folder:6.729.v2b_9d1a_74d673
code-coverage-api:2.0.4
command-launcher:84.v4a_97f2027398
conditional-buildstep:1.4.2
config-file-provider:3.10.0
confluence-publisher:136.vc30a_a_0d845d7
copyartifact:1.46.4
credentials:1087.1089.v2f1b_9a_b_040e4
credentials-binding:523.vd859a_4b_122e6
dashboard-view:2.432.va_712ce35862d
data-tables-api:1.12.1-1
dependency-check-jenkins-plugin:5.1.2
display-url-api:2.3.6
docker-commons:1.18
docker-java-api:3.1.5.2
docker-plugin:1.2.6
docker-workflow:1.26
dtkit-api:3.0.1
durable-task:496.va67c6f9eefa7
echarts-api:5.3.2-1
email-ext:2.88
envinject:2.866.v5c0403e3d4df
envinject-api:1.199.v3ce31253ed13
extended-choice-parameter:346.vd87693c5a_86c
extended-read-permission:3.2
external-monitor-job:191.v363d0d1efdf8
extra-columns:1.25
favorite:2.4.1
file-operations:1.11
file-parameters:205.vf6ce13b_e5dee
font-awesome-api:6.0.0-1
forensics-api:1.15.1
git:4.11.3
git-client:3.11.0
github:1.34.3
github-api:1.303-400.v35c2d8258028
github-branch-source:1637.vd833b_7ca_7654
github-checks:1.0.18
gradle:1.39.1
groovy:2.4
handlebars:3.0.8
handy-uri-templates-2-api:2.1.8-22.v77d5b_75e6953
htmlpublisher:1.30
http_request:1.15
integrity-plugin:2.4
ivy:2.2
jackson2-api:2.13.3-285.vc03c0256d517
jacoco:3.3.2
javadoc:217.v905b_86277a_2a_
javax-activation-api:1.2.0-3
javax-mail-api:1.6.2-6
jaxb:2.3.6-1
jdk-tool:1.5
jenkins-design-language:1.25.5
jira:3.7.1
jjwt-api:0.11.2-71.v2722b_b_06a_2a_f
job-restrictions:0.8
jobConfigHistory:1139.v888b_656ca_f6d
jquery:1.12.4-1
jquery3-api:3.6.0-3
jsch:0.1.55.2
junit:1119.va_a_5e9068da_d7
ldap:2.9
list-git-branches-parameter:0.0.9
locale:144.v1a_998824ddb_3
lockable-resources:2.15
mailer:414.vcc4c33714601
mask-passwords:3.3
matlab:2.8.0
matrix-auth:3.1.2
matrix-project:771.v574584b_39e60
maven-plugin:3.19
metrics:4.1.6.2
momentjs:1.1.1
monitoring:1.91.0
msbuild:1.30
next-executions:1.0.15
nodejs:1.5.1
nuget:1.1
okhttp-api:4.9.3-105.vb96869f8ac3a
parameterized-scheduler:1.0
parameterized-trigger:2.44
parasoft-findings:10.5.3
pipeline-build-step:2.18
pipeline-github:2.8-138.d766e30bb08b
pipeline-graph-analysis:195.v5812d95a_a_2f9
pipeline-groovy-lib:593.va_a_fc25d520e9
pipeline-input-step:448.v37cea_9a_10a_70
pipeline-milestone-step:101.vd572fef9d926
pipeline-model-api:2.2097.v33db_b_de764b_e
pipeline-model-definition:2.2097.v33db_b_de764b_e
pipeline-model-extensions:2.2097.v33db_b_de764b_e
pipeline-rest-api:2.24
pipeline-stage-step:293.v200037eefcd5
pipeline-stage-tags-metadata:2.2097.v33db_b_de764b_e
pipeline-stage-view:2.24
pipeline-utility-steps:2.12.2
plain-credentials:1.8
plot:2.1.10
plugin-usage-plugin:3.0
plugin-util-api:2.16.0
popper-api:1.16.1-3
popper2-api:2.11.5-1
powershell:1.7
prism-api:1.28.0-2
pubsub-light:1.16
resource-disposer:0.19
robot:3.1.0
run-condition:1.5
scm-api:608.vfa_f971c5a_a_e9
script-security:1175.v4b_d517d6db_f0
snakeyaml-api:1.30.1
sonar:2.14
splunk-devops:1.9.9
sse-gateway:1.25
ssh-agent:295.v9ca_a_1c7cc3a_a_
ssh-credentials:277.v95c2fec1c047
ssh-slaves:1.814.vc82988f54b_10
ssh-steps:2.0.0
sshd:3.228.v4c9f9e652c86
structs:318.va_f3ccb_729b_71
thinBackup:1.10
timestamper:1.17
token-macro:293.v283932a_0a_b_49
trilead-api:1.57.v6e90e07157e1
uno-choice:2.6.1
variant:1.4
versioncolumn:2.2
warnings-ng:9.13.0
windows-slaves:1.8.1
workflow-aggregator:581.v0c46fa_697ffd
workflow-api:1164.v760c223ddb_32
workflow-basic-steps:948.v2c72a_091b_b_68
workflow-cps:2725.v7b_c717eb_12ce
workflow-durable-task-step:1146.v1a_d2e603f929
workflow-job:1186.v8def1a_5f3944
workflow-multibranch:716.vc692a_e52371b_
workflow-scm-step:400.v6b_89a_1317c9a_
workflow-step-api:625.vd896b_f445a_f8
workflow-support:820.vd1a_6cc65ef33
ws-cleanup:0.42
xunit:3.0.8 

What Operating System are you using (both controller, and any agents involved in the problem)?

Windows Server 2012

Reproduction steps

I have seen this issue when accessing /asynchPeople and when accessing /computer/agent_id/api/json (both with full admin perms).

Expected Results

The API response.

Actual Results

For /asynchPeople a few users are loaded but then it gets stuck.

2022-06-20 12:09:19.997+0000 [id=107]	WARNING	j.util.ProgressiveRendering$1#run: failed to compute /asynchPeople/
java.lang.IllegalArgumentException: A granted authority textual representation is required
	at org.springframework.util.Assert.hasText(Assert.java:289)
	at org.springframework.security.core.authority.SimpleGrantedAuthority.<init>(SimpleGrantedAuthority.java:39)
	at com.microsoft.jenkins.azuread.AzureAdUser.setAuthorities(AzureAdUser.java:134)
	at com.microsoft.jenkins.azuread.AzureSecurityRealm.lambda$null$5(AzureSecurityRealm.java:513)
	at com.github.benmanes.caffeine.cache.BoundedLocalCache.lambda$doComputeIfAbsent$14(BoundedLocalCache.java:2406)
	at java.util.concurrent.ConcurrentHashMap.compute(Unknown Source)
	at com.github.benmanes.caffeine.cache.BoundedLocalCache.doComputeIfAbsent(BoundedLocalCache.java:2404)
	at com.github.benmanes.caffeine.cache.BoundedLocalCache.computeIfAbsent(BoundedLocalCache.java:2387)
	at com.github.benmanes.caffeine.cache.LocalCache.computeIfAbsent(LocalCache.java:108)
	at com.github.benmanes.caffeine.cache.LocalManualCache.get(LocalManualCache.java:62)
	at com.microsoft.jenkins.azuread.AzureSecurityRealm.lambda$createSecurityComponents$6(AzureSecurityRealm.java:490)
	at hudson.security.SecurityRealm.loadUserByUsername2(SecurityRealm.java:416)
	at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:170)
	at jenkins.security.UserDetailsCache$Retriever.call(UserDetailsCache.java:159)
	at com.google.common.cache.LocalCache$LocalManualCache$1.load(LocalCache.java:4868)
	at com.google.common.cache.LocalCache$LoadingValueReference.loadFuture(LocalCache.java:3533)
	at com.google.common.cache.LocalCache$Segment.loadSync(LocalCache.java:2282)
	at com.google.common.cache.LocalCache$Segment.lockedGetOrLoad(LocalCache.java:2159)
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2049)
Caused: com.google.common.util.concurrent.UncheckedExecutionException
	at com.google.common.cache.LocalCache$Segment.get(LocalCache.java:2055)
	at com.google.common.cache.LocalCache.get(LocalCache.java:3966)
	at com.google.common.cache.LocalCache$LocalManualCache.get(LocalCache.java:4863)
	at jenkins.security.UserDetailsCache.loadUserByUsername(UserDetailsCache.java:127)
	at hudson.model.User$UserIDCanonicalIdResolver.resolveCanonicalId(User.java:1254)
	at hudson.model.User$CanonicalIdResolver.resolve(User.java:1195)
	at hudson.model.User.get(User.java:524)
	at hudson.plugins.git.GitChangeSet.findOrCreateUser(GitChangeSet.java:417)
	at hudson.plugins.git.GitChangeSet.getAuthor(GitChangeSet.java:546)
	at hudson.model.View$AsynchPeople.compute(View.java:866)
	at jenkins.util.ProgressiveRendering$1.run(ProgressiveRendering.java:121)
	at jenkins.security.ImpersonatingScheduledExecutorService$1.run(ImpersonatingScheduledExecutorService.java:67)
	at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
	at java.util.concurrent.FutureTask.run(Unknown Source)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$201(Unknown Source)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
	at java.lang.Thread.run(Unknown Source)

Anything else?

No response

meiswjn added the bug label Jun 20, 2022
@kevinkrol

Getting the same error when trying to queue a build:

java.lang.IllegalArgumentException: A granted authority textual representation is required
	at org.springframework.util.Assert.hasText(Assert.java:289)
	at org.springframework.security.core.authority.SimpleGrantedAuthority.<init>(SimpleGrantedAuthority.java:39)
	at com.microsoft.jenkins.azuread.AzureAdUser.setAuthorities(AzureAdUser.java:134)
	at com.microsoft.jenkins.azuread.AzureSecurityRealm.lambda$null$5(AzureSecurityRealm.java:513)
	at com.github.benmanes.caffeine.cache.BoundedLocalCache.lambda$doComputeIfAbsent$14(BoundedLocalCache.java:2431)
	at java.base/java.util.concurrent.ConcurrentHashMap.compute(ConcurrentHashMap.java:1932)
	at com.github.benmanes.caffeine.cache.BoundedLocalCache.doComputeIfAbsent(BoundedLocalCache.java:2404)
	at com.github.benmanes.caffeine.cache.BoundedLocalCache.computeIfAbsent(BoundedLocalCache.java:2387)
	at com.github.benmanes.caffeine.cache.LocalCache.computeIfAbsent(LocalCache.java:108)
	at com.github.benmanes.caffeine.cache.LocalManualCache.get(LocalManualCache.java:62)
	at com.microsoft.jenkins.azuread.AzureSecurityRealm.lambda$createSecurityComponents$6(AzureSecurityRealm.java:490)
	at jenkins.security.ImpersonatingUserDetailsService2.loadUserByUsername(ImpersonatingUserDetailsService2.java:29)
	at hudson.model.User.getUserDetailsForImpersonation2(User.java:407)
	at hudson.model.User.impersonate2(User.java:375)
	at hudson.model.User.impersonate(User.java:385)
	at org.jenkinsci.plugins.authorizeproject.strategy.TriggeringUsersAuthorizationStrategy.authenticate(TriggeringUsersAuthorizationStrategy.java:75)
	at org.jenkinsci.plugins.authorizeproject.GlobalQueueItemAuthenticator.authenticate(GlobalQueueItemAuthenticator.java:38)
	at jenkins.security.QueueItemAuthenticator.authenticate2(QueueItemAuthenticator.java:50)
	at hudson.model.Queue$Item.authenticate2(Queue.java:2362)
	at hudson.model.Node.canTake(Node.java:411)
	at hudson.model.Queue.makeFlyWeightTaskBuildable(Queue.java:1742)
	at hudson.model.Queue.makeBuildable(Queue.java:1704)
	at hudson.model.Queue.maintain(Queue.java:1573)
	at hudson.model.Queue$1.call(Queue.java:330)
	at hudson.model.Queue$1.call(Queue.java:327)
	at jenkins.util.AtmostOneTaskExecutor$1.call(AtmostOneTaskExecutor.java:109)
	at jenkins.util.AtmostOneTaskExecutor$1.call(AtmostOneTaskExecutor.java:99)
	at jenkins.security.ImpersonatingExecutorService$2.call(ImpersonatingExecutorService.java:80)
	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
	at hudson.remoting.AtmostOneThreadExecutor$Worker.run(AtmostOneThreadExecutor.java:121)
	at java.base/java.lang.Thread.run(Thread.java:829)

Member

timja commented Jun 22, 2022

What attributes do your users have, @kevinkrol?


kevinkrol commented Jun 22, 2022

@timja The user I'm testing with has full administrator permissions. For the group, the SSO provides these permissions:

  • Group.Read.All
  • People.Read.All
  • User.Read
  • User.Read.All

Member

timja commented Jun 22, 2022

This is likely the Azure AD attributes causing an issue, not the Jenkins permissions.


dyutis commented Jun 23, 2022

I am also facing the same issue. It seemed to be working with Azure AD Plugin version 191 but gives this issue with version 234.

https://updates.jenkins-ci.org/download/plugins/azure-ad/

With plugin version 234, for some users a REST call with the API token generated in Jenkins throws HTTP response code 500; however, if we try to log in to the Jenkins console with that same user, we are able to.

@andrewlorien

I have the same issue.

#011SEVERE#011c.m.j.azuread.AzureSecurityRealm#doFinishLogin: error
java.lang.IllegalArgumentException: A granted authority textual representation is required
    at org.springframework.util.Assert.hasText(Assert.java:289)
    at org.springframework.security.core.authority.SimpleGrantedAuthority.<init>(SimpleGrantedAuthority.java:39)

Jenkins versions jenkins-2.346.2-1.1.noarch and jenkins-2.332.3-1.1.noarch (on Linux), and Azure-AD versions 241.vb_e5cd7c35b_2e and 234.vb_ece34ecd5ff.
When I roll back to Azure-AD 218.v90f6a_980b_a_61 I can log in without the error.

I suspect the change from
newAuthorities.add(new SimpleGrantedAuthority(group.getObjectId()));
to
newAuthorities.add(new SimpleGrantedAuthority(group.getGroupName()));
in bece34e means the attributes returned by AD are different.

If you're just looking for a quick way to roll back, here it is:

# Check which azure-ad plugin files are currently installed
sudo ls -l /var/lib/jenkins/plugins/ | grep azure
# Keep a copy of the currently installed (failing) plugin
sudo cp /var/lib/jenkins/plugins/azure-ad.jpi /var/lib/jenkins/plugins/azure-ad_broken.hpi
# Download version 218 and copy it over the installed plugin file
sudo curl -L https://updates.jenkins.io/download/plugins/azure-ad/218.v90f6a_980b_a_61/azure-ad.hpi -o /var/lib/jenkins/plugins/azure-ad_218.v90f6a_980b_a_61.hpi
sudo cp /var/lib/jenkins/plugins/azure-ad_218.v90f6a_980b_a_61.hpi /var/lib/jenkins/plugins/azure-ad.jpi
sudo service jenkins restart

Member

timja commented Jul 15, 2022

> in bece34e means the attributes returned by AD are different.

It won't be that change, as that change is a no-op for object id: line 124 adds the group as an authority and the getAuthority method returns the object id.
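
Added example, not the plugin's code and not part of the thread: every trace above fails inside the SimpleGrantedAuthority constructor, whose Assert.hasText check rejects null or blank text, so one blank value aborts the whole user lookup. The code below guards that call and logs what it skipped; the Group class, the SafeAuthorityMapper name and the sample values are hypothetical, and the thread does not establish which value was blank. It assumes spring-security-core is on the classpath.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.util.StringUtils;

public class SafeAuthorityMapper {
    private static final Logger LOG = Logger.getLogger(SafeAuthorityMapper.class.getName());

    /** Hypothetical stand-in for a directory group (not the plugin's type). */
    static final class Group {
        final String objectId;
        final String groupName;
        Group(String objectId, String groupName) { this.objectId = objectId; this.groupName = groupName; }
    }

    /**
     * Maps groups to authorities, skipping null/blank values instead of letting
     * SimpleGrantedAuthority throw and abort the whole user lookup. Skipping can
     * only remove authorities, never add them, so the result fails closed.
     */
    static List<GrantedAuthority> toAuthorities(String userId, List<Group> groups) {
        List<GrantedAuthority> out = new ArrayList<>();
        for (Group g : groups) {
            for (String value : new String[] {g.objectId, g.groupName}) {
                if (StringUtils.hasText(value)) {   // same predicate Assert.hasText applies
                    out.add(new SimpleGrantedAuthority(value));
                } else {
                    LOG.warning("Skipping blank authority for user " + userId + ", group id " + g.objectId);
                }
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data: the second group has no display name.
        List<Group> groups = Arrays.asList(
                new Group("00000000-0000-0000-0000-000000000001", "jenkins-admins"),
                new Group("00000000-0000-0000-0000-000000000002", null));
        try {
            new SimpleGrantedAuthority(groups.get(1).groupName);   // unguarded call
        } catch (IllegalArgumentException e) {
            System.out.println("unguarded: " + e.getMessage());
        }
        System.out.println("guarded: " + toAuthorities("user@example.com", groups));
    }
}
```

The warning line names the user and group, which gives an administrator the directory object to inspect when a lookup would otherwise have failed with only a stack trace.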

Member

timja commented Jul 15, 2022

I'm going to close this as there are no steps to reproduce provided.

Please provide a method of reproducing from scratch including in AAD.

I have tried reproducing this and have not been able to.
This may be a duplicate of / related to #190, from which I did manage to reproduce one case.

timja closed this as not planned (won't fix, can't repro, duplicate, stale) Jul 15, 2022
@andrewlorien

This is no longer an issue with
AzureAD 234.vb_ece34ecd5ff / Jenkins 2.375.1
AzureAD 303.va_91ef20ee49f / Jenkins 2.375.1
Upgrading Jenkins from 2.346 (where we had the problem) to 2.375 required updating to Java 11, which was a huge jump. I suspect that has fixed it.
