Jenkins: 403 No valid crumb was included in the request

野性不改 2020-12-05 01:44

I configured Jenkins in Spinnaker as follows and set up a Spinnaker pipeline.

 jenkins:
    # If you are integrating Jenkins, set its location here using the bas         


        
16 answers
  • 2020-12-05 02:17

    I did get the same "403 No valid crumb was included in request" error when I created a Jenkins job from a Java program using the jenkins-client library, i.e. com.offbytwo.jenkins. Then I used a Jenkins API token instead of the password in the following code. Now the issue is fixed.

    JenkinsServer jServer = new JenkinsServer(new URI(jenkins_url), jnkn_username, jnkn_password);
    

    We can generate an API token from the Jenkins console: Profile > Configure > API Token (Add new token).

  • 2020-12-05 02:18

    According to the Jenkins directive, first you have to check your Jenkins version. If the version is < 2.176.2, then per the Jenkins guideline, CSRF tokens (crumbs) are now only valid for the web session they were created in, to limit the impact of attackers obtaining them. Scripts that obtain a crumb using the /crumbIssuer/api URL will now fail to perform actions protected from CSRF unless the scripts retain the web session ID in subsequent requests.

    Alternatively, you can install the Strict Crumb Issuer Plugin which provides more options to customize the crumb validation. It allows excluding the web session ID from the validation criteria, and instead e.g. replacing it with time-based expiration for similar (or even better) protection from CSRF.

    Steps:

    • You have to install the plugin called "Strict Crumb Issuer".
    • Once installed, restart the Jenkins service.
    • Go to "Manage Jenkins" --> "Configure Global Security" --> under CSRF Protection, select "Strict Crumb Issuer" from the drop-down list --> click on Advanced and uncheck everything but select the "Prevent Breach Attack" option --> Apply and save.
    • Now run your crumb script.

    It should work now.

    Check this image for your reference

  • 2020-12-05 02:18

    I solved it by using the API token as the basic authentication password. Here is how:

    curl -v -X POST "http://jenkins-url:8080/job/<job-name>/buildWithParameters?param=value" --user "<username>:<token>"
    

    Note: Create the API token under Accounts icon -> Configure -> API Token -> Add new token.

  • 2020-12-05 02:18

    Head over to Manage Jenkins => Configure global security.

    Then uncheck "Prevent Cross Site Request Forgery exploits"

  • 2020-12-05 02:19

    This guide explains how to generate a Jenkins crumb, save the cookies and use both the crumb and the saved cookies in the subsequent requests that require authentication. This is a must for Jenkins after V2.176.2.

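The session binding described in the two answers above (a crumb from /crumbIssuer/api only works with the web session that requested it), as an added example that is not code from any poster or from Jenkins. It runs against a constructed in-process mock server, so `MockJenkins`, `trigger_build`, `demo` and the `/job/demo/build` path are hypothetical names; the `crumbRequestField`/`crumb` JSON fields follow the crumb issuer's JSON response.

```python
import http.cookiejar, json, secrets, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CRUMBS = {}  # mock server state: session id -> crumb issued to that session

class MockJenkins(BaseHTTPRequestHandler):
    """Constructed stand-in (not Jenkins code): a crumb is valid only in its own session."""
    def log_message(self, *args): pass  # keep the demo output quiet

    def _session(self):
        cookie = self.headers.get("Cookie", "")
        return cookie.split("JSESSIONID=")[-1].split(";")[0] if "JSESSIONID=" in cookie else None

    def do_GET(self):  # stands in for /crumbIssuer/api/json
        sid = self._session() or secrets.token_hex(8)
        CRUMBS[sid] = secrets.token_hex(16)
        body = json.dumps({"crumbRequestField": "Jenkins-Crumb", "crumb": CRUMBS[sid]}).encode()
        self.send_response(200)
        self.send_header("Set-Cookie", f"JSESSIONID={sid}; Path=/")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):  # stands in for any CSRF-protected action
        expected = CRUMBS.get(self._session())
        sent = self.headers.get("Jenkins-Crumb", "")
        self.send_response(201 if expected and secrets.compare_digest(expected, sent) else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

def trigger_build(base, keep_session):
    """Fetch a crumb, POST with it, and return the HTTP status of the POST."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    if keep_session:  # the cookie jar carries JSESSIONID from the crumb request to the POST
        opener.add_handler(urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()))
    issued = json.load(opener.open(base + "/crumbIssuer/api/json"))
    req = urllib.request.Request(base + "/job/demo/build", data=b"", method="POST",
                                 headers={issued["crumbRequestField"]: issued["crumb"]})
    try:
        return opener.open(req).status
    except urllib.error.HTTPError as err:
        return err.code

def demo():
    server = HTTPServer(("127.0.0.1", 0), MockJenkins)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    results = (trigger_build(base, False), trigger_build(base, True))
    server.shutdown()
    return results
```

Calling `demo()` returns the POST status without and then with the cookie jar: the same valid crumb is rejected when the session cookie is dropped and accepted when it is replayed.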
  • 2020-12-05 02:22

    I lost a bunch of time trying to figure this out. In the end I just installed this plugin https://plugins.jenkins.io/build-token-root/ and enabled build permission for anonymous users. In the end it doesn't really matter because the Jenkins instance is behind a VPN and I'm using https://smee.io to forward the webhook to the Jenkins instance. Also, the Jenkins instance is behind a reverse proxy, so the "Enable proxy compatibility" option is checked as well, and the "ignore_invalid_headers" setting is set to off in the Nginx configuration at server level. Sharing my solution just in case someone else is struggling as well. I'm sure there are better ways to do it but this is one option.

    Note that with this plugin the build url is set to buildByToken/build?job=JobName&token=TokenValue and the token is generated in the job settings.

    This is in Jenkins 2.235.2 which doesn't have an option to disable CSRF.
