Jenkins API not accessible(403 Forbidden error) with access token generated from azure ad

[sanith01988]

Jenkins and plugins versions report

Environment

Paste the output here

What Operating System are you using (both controller, and any agents involved in the problem)?

docker jenkins

Reproduction steps

We're using azure ad app as security relam for our jenkins.Using the azure ad plugin through browser we're able to access the jenkins without any issue(We're not using graph api permission, instead our azure ad app assigned group configured via matrix authorization strategy). Now we need to call the jenkins api,for this we're having a technical account in entra and we're able to create access token for this user.But when we're using this access token for the jenkins api request we're getting 'Error accessing the API: 403 Client Error: Forbidden'.

Expected Results

Jenkins api access with azure ad access token

Actual Results

Error accessing the API: 403 Client Error: Forbidden

Anything else?

No response

Are you interested in contributing a fix?

No response

[timja]

I think you need Graph API permission for the API to work.

[sanith01988]

@timja Do I need to set graph api permission to the app registration which is using in security relam of Jenkins.

[timja]

yes https://github.com/jenkinsci/azure-ad-plugin#setup-microsoft-entra-id-permissions-optional-but-recommended

This is used for:

• Jenkins looking up the user, e.g. when you use the Rest API

[sanith01988]

@timja

I've enabled the entra id permission. Still I'm getting 403 error.
`403

<script id='redirect' data-redirect-url='/securityRealm/commenceLogin?from=%2Fapi%2Fjson' src='/static/63c61884/scripts/redirect.js'></script> Authentication required ` In jenkins log I couldn't see any errors related to it.

[timja]

can you talk me through step by step what you've got setup?

[sanith01988]

@timja

1. Set up jenkins with azure ad plugin as security relay using jenkins.yaml configured below details.

jenkins:
  securityRealm:
    azureSecurityRealm:
      clientId: ''
      clientSecret: ''
      tenant: ''
      cacheduration: 0
      fromrequest: true

  authorizationStrategy:
    projectMatrix:
      entries:
        - group:
            name: <object-id>
            permissions:
              - Overall/Administer
        - user:
            name: <object-id>
            permissions:
              - Overall/Administer

2. Configured http::///securityRealm/finishLogin as redirect uri in entra app registration
3. Added group & user to app registartion
   4.Then throuh browser I'm able to access without any issue
4. then using a python script accessing the access_token with a technical user and using the access_ token try to access the "http::///api/json"
   token_endpoint = https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/token
   response = requests.post(issuer["token_endpoint"], data={
   "client_id": '',
   'client_secret': '',
   'audience': ',
   'redirect_url': 'https://',
   "grant_type": "password",
   "username": 'technical_user',
   "password": 'password',
   "scope": "openid"
   })
   access_token = response.json()['access_token']
   url = "http:///api/json"
   headers = {
   "Authorization": f"Bearer {access_token}",
   "Accept": "application/json"
   }

api_response = requests.get(url, headers=headers, verify=False)

[timja]

The Jenkins API uses a Jenkins API token and not a Microsoft access token.

Go to the Users profile in Jenkins and generate an API token