Jenkins 2.192: HTTP Error 403: No valid crumb was included in the request

无人共我 2020-12-21 08:34

I recently upgraded to Jenkins 2.192, and my applications started failing with the following error:

HTTP Error 403: No valid crumb was included in the request


        
6 Answers
  • 2020-12-21 08:59

    After going through several articles I found a workaround...

    step 1:-

    Go to Jenkins and create a token for the logged user in Jenkins

    copy the token and user id

    user id: admin
    token id :- "*****"
    

    step 2:-

    create a crumb using the below command

    wget -q --auth-no-challenge --user admin --password "ur jenkins password" --output-document - 'http://urljenkinsurl:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'
    

    Here the output will be your crumb, e.g. "Jenkins-Crumb:****************"

    step 3:-

    Install the plugin in Jenkins "Strict Crumb Issuer Plugin"

    step 4:-

    Go to BitBucket and enter the URL as

    http://admin:"your Jenkins token created in the above step"@3.22.23.32:8080/job/ur Job-name/build?crumb="created in the step 2"
    

    step 5:-

    Go to your Jenkins job, go to Configure --> select --> Build with BitBucket Push and Pull Request Plugin.

    fill the allowed branches :- /*

    eg:- /*master for master branch

    step 6:-

    That's it. Now try pushing to the master branch and you will see the build triggered.

    Note:- Please remove "" in all steps and replace with your values

  • 2020-12-21 09:08

    You now have to forward the session id (present in the cookie response that generated the crumb) every time you use that crumb. Example code that hopefully illustrates it:

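    const axios = require('axios');

    // Copy an existing job's config.xml into a new job via the Jenkins REST API.
    async function duplicateProject() {
      const jenkinsAxios = axios.create({
        baseURL: 'http://jenkins_url',
        auth: {
          username: 'MY-USERNAME',
          password: 'MY-PASSWORD'
        }
      });

      // Fetch the configuration of the job to copy.
      const {data: existingJobConfig} = await jenkinsAxios.get('/job/existingJob/config.xml');

      // Request a crumb; the response also sets the session cookie the crumb is tied to.
      const crumbIssuer = await jenkinsAxios.get('/crumbIssuer/api/json');

      // Send the crumb header together with the cookie from the crumb response.
      await jenkinsAxios.post('/createItem?name=MY_NEW_PROJECT', existingJobConfig, {
        headers: {
          'Content-Type': 'application/xml',
          [crumbIssuer.data.crumbRequestField]: crumbIssuer.data.crumb,
          Cookie: crumbIssuer.headers['set-cookie'][0]              // <--- THIS IS KEY!!!!
        }
      });
    }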
    
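The session binding described in the answer above, as an added example that is not part of the original answer: it builds the crumb and Cookie headers from every Set-Cookie line rather than only the first, and checks them against a toy server. `cookieHeaderFrom`, `crumbHeaders`, `makeToyServer` and all cookie and crumb values are constructed for illustration; the toy check is a simplified assumption, not Jenkins's implementation.

```javascript
// Added example, not the answer's code. Pure JS, no network access.

// Reduce Set-Cookie lines to a Cookie request header: keep each "name=value",
// drop attributes such as Path/HttpOnly, and keep every cookie, not only [0].
function cookieHeaderFrom(setCookieLines) {
  return (setCookieLines || [])
    .map((line) => line.split(';')[0].trim())
    .filter((pair) => pair.includes('='))
    .join('; ');
}

// Build the headers for a POST from an axios-style crumbIssuer response.
function crumbHeaders(crumbResponse) {
  const { crumbRequestField, crumb } = crumbResponse.data || {};
  if (!crumbRequestField || !crumb) {
    throw new Error('crumbIssuer response carries no crumb');
  }
  const headers = { [crumbRequestField]: crumb };
  const cookie = cookieHeaderFrom((crumbResponse.headers || {})['set-cookie']);
  if (cookie) headers.Cookie = cookie;
  return headers;
}

// Simplified stand-in for the server-side check (an assumption, not Jenkins
// code): a crumb is accepted only together with the session it was issued to.
function makeToyServer() {
  const crumbBySession = new Map();
  let counter = 0;
  return {
    issue() {
      counter += 1;
      const session = `JSESSIONID.toy=s${counter}`; // constructed cookie
      const crumb = `crumb-for-s${counter}`;        // constructed crumb
      crumbBySession.set(session, crumb);
      return {
        data: { crumbRequestField: 'Jenkins-Crumb', crumb },
        headers: { 'set-cookie': ['lang=en; Path=/', `${session}; Path=/; HttpOnly`] },
      };
    },
    post(headers) {
      const cookies = (headers.Cookie || '').split('; ');
      const sent = headers['Jenkins-Crumb'];
      const ok = cookies.some((c) => crumbBySession.has(c) && crumbBySession.get(c) === sent);
      return ok ? 200 : 403; // 403 models "No valid crumb was included in the request"
    },
  };
}
```

In this constructed response the session cookie is the second Set-Cookie line, so a client that forwards only the first line still gets the 403.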
  • 2020-12-21 09:13

    Refer - https://support.cloudbees.com/hc/en-us/articles/219257077-CSRF-Protection-Explained

    If you authenticate with a username and a user API token then a crumb is not needed from Jenkins 2.96 weekly/2.107 LTS. For more information please refer to CSRF crumb no longer required when authenticating using API token or JENKINS-22474.

  • 2020-12-21 09:14

    A simple solution without need of making changes to source code (validated with Jenkins v2.222):

    1. Install the Strict Crumb Issuer plugin (https://plugins.jenkins.io/strict-crumb-issuer/)
    2. Enable this plugin and uncheck 'Check the session ID' from its configuration (Under Jenkins Configure Global Security)

    A drawback is that this solution makes us dependent on the Strict Crumb Issuer plugin and removes a security feature. But since our application requires many other plugins and only runs behind the firewall without Internet access, this is acceptable.

  • 2020-12-21 09:17

    I had the same issue after upgrading to this version when queuing Jenkins tasks from TFS with VSTS agents.

    You can solve this temporarily by disabling CSRF security in Jenkins Server.

    Just found this, may help: https://jenkins.io/doc/upgrade-guide/2.176/

  • 2020-12-21 09:20

    It’s easy - and much more secure - to pass the crumb in your API calls. https://support.cloudbees.com/hc/en-us/articles/219257077-CSRF-Protection-Explained explains everything.

    Also see Ansible jenkins_plugin module returns "HTTP Error 403: No valid crumb was included in the request" for a recent change in the crumb handling in Jenkins.
