We should use a service account for this. Now I use jenkins-git with a token, but that does not work, which is logical given the user definition has been removed from Gitea. But when the user is added, it still does not work. Jenkins uses jenkins-git:netcicd to log in.

What should happen is that OIDC is used: Jenkins goes to Keycloak to get an access token to log into Gitea and uses this to log in.

It is called a client connection grant and needs the service account to be present, see also https://www.appsdeveloperblog.com/keycloak-client-credentials-grant-example/

In other words: Jenkins does an HTTP POST to the /token endpoint:

```bash
curl --location --request POST 'http://localhost:8080/auth/realms/appsdeveloperblog/protocol/openid-connect/token' \
  --header 'Content-Type: application/x-www-form-urlencoded' \
  --data-urlencode 'client_id=gitea' \
  --data-urlencode 'client_secret=91813ee4-0769-4a7f-9dd3-a12f1f67631e' \
  --data-urlencode 'scope=email' \
  --data-urlencode 'grant_type=client_credentials'
```

It gets an access token in return, which can be used to access Gitea. Gitea should have appropriate authorizations for the user in the access token (the Jenkins service account).
A normal access token:

```json
{
  "exp": 1641413952,
  "iat": 1641413652,
  "auth_time": 1641413652,
  "jti": "2f29bf6b-3d90-444f-8949-3476c93cbac9",
  "iss": "http://keycloak.tooling.test:8080/auth/realms/netcicd",
  "aud": [
    "Jenkins",
    "Nexus",
    "account"
  ],
  "sub": "0671f4cc-c4db-4abf-9d4e-56c0fa3dd7c7",
  "typ": "Bearer",
  "azp": "Gitea",
  "session_state": "3bf78bce-8fd2-4161-a45d-795ced7c8c9a",
  "acr": "1",
  "allowed-origins": [
    "http://gitea.tooling.test:3000/"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization",
      "default-roles-netcicd"
    ]
  },
  "resource_access": {
    "Jenkins": {
      "roles": [
        "jenkins-admin"
      ]
    },
    "Nexus": {
      "roles": [
        "nexus-admin"
      ]
    },
    "Gitea": {
      "roles": [
        "gitea-admin"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "openid email profile",
  "sid": "3bf78bce-8fd2-4161-a45d-795ced7c8c9a",
  "email_verified": false,
  "name": "NetCICD Godmode Godmode",
  "preferred_username": "netcicd",
  "given_name": "NetCICD Godmode",
  "family_name": "Godmode",
  "email": "netcicd@tooling.test"
}
```

An access token with the client credentials grant flow:

```json
{
  "exp": 1641414283,
  "iat": 1641413983,
  "jti": "8878e5bd-a65e-4f8e-a61c-05cf9a263a54",
  "iss": "http://keycloak.tooling.test:8080/auth/realms/netcicd",
  "aud": "Jenkins",
  "sub": "22df86d0-06c4-4557-ae2e-658e78b93aee",
  "typ": "Bearer",
  "azp": "Jenkins",
  "acr": "1",
  "allowed-origins": [
    "http://jenkins.tooling.test:8084/"
  ],
  "scope": "email profile",
  "email_verified": false,
  "clientHost": "172.16.11.1",
  "clientId": "Jenkins",
  "preferred_username": "service-account-jenkins",
  "clientAddress": "172.16.11.1"
}
```

And when I permit the full scope:

```json
{
  "exp": 1641415151,
  "iat": 1641414851,
  "jti": "e7d3b8de-0297-4d54-9b1b-72f4fe2eb0e4",
  "iss": "http://keycloak.tooling.test:8080/auth/realms/netcicd",
  "aud": [
    "Jenkins",
    "Gitea",
    "account"
  ],
  "sub": "22df86d0-06c4-4557-ae2e-658e78b93aee",
  "typ": "Bearer",
  "azp": "Jenkins",
  "acr": "1",
  "allowed-origins": [
    "http://jenkins.tooling.test:8084/"
  ],
  "realm_access": {
    "roles": [
      "offline_access",
      "uma_authorization",
      "default-roles-netcicd"
    ]
  },
  "resource_access": {
    "Gitea": {
      "roles": [
        "gitea-netcicd-read",
        "gitea-netcicd-write",
        "gitea-cicdtoolbox-read",
        "gitea-cicdtoolbox-write"
      ]
    },
    "account": {
      "roles": [
        "manage-account",
        "manage-account-links",
        "view-profile"
      ]
    }
  },
  "scope": "email profile",
  "email_verified": false,
  "clientHost": "172.16.11.1",
  "clientId": "Jenkins",
  "preferred_username": "service-account-jenkins",
  "clientAddress": "172.16.11.1"
}
```
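The following is an added example, not code from this issue or from Jenkins, Gitea or Keycloak. It covers both halves of the flow described above: the form body Jenkins POSTs to the /token endpoint, and the checks a resource server such as Gitea should make on the returned token before mapping `resource_access` roles to permissions. The claim sets are trimmed from the two service-account tokens pasted above, so the example shows why a token whose `aud` is only `Jenkins` yields no Gitea roles while the full-scope token does. Assumptions: the signature is demonstrated with HS256 and a constructed shared secret so it runs offline (Keycloak signs with RS256 and a real verifier would use the realm's JWKS), and `can_push` assumes the `gitea-<repo>-write` naming visible in the third token.

```python
# Added example (not from the issue): token request form, JWT verification and
# role mapping for the client-credentials flow described in the issue.
import base64
import hashlib
import hmac
import json

ISSUER = "http://keycloak.tooling.test:8080/auth/realms/netcicd"  # realm from the tokens above
DEMO_SECRET = b"constructed-demo-secret"  # constructed; stands in for Keycloak's RS256 key


def b64url_encode(raw: bytes) -> str:
    """JWT base64url: URL-safe alphabet, no '=' padding."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_request_form(client_id: str, client_secret: str, scope: str = "email") -> dict:
    """Form fields of the client-credentials POST (the same fields as the curl above)."""
    return {"client_id": client_id, "client_secret": client_secret,
            "scope": scope, "grant_type": "client_credentials"}


def mint_hs256(claims: dict, secret: bytes) -> str:
    """Build a signed JWT from a claim set; used here only to simulate Keycloak."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes, issuer: str, now: int) -> dict:
    """Reject unexpected alg, bad signature, wrong issuer or expired token; return claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # pin the algorithm; never trust 'none'
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims


def gitea_roles(claims: dict, client_name: str = "Gitea") -> set:
    """Roles Gitea may act on: only when Gitea is an audience of the token."""
    aud = claims.get("aud", [])
    if isinstance(aud, str):                  # Keycloak emits a bare string for one audience
        aud = [aud]
    if client_name not in aud:
        return set()
    return set(claims.get("resource_access", {}).get(client_name, {}).get("roles", []))


def can_push(claims: dict, repo: str) -> bool:
    """Write access to <repo> requires the gitea-<repo>-write client role (assumed naming)."""
    return f"gitea-{repo}-write" in gitea_roles(claims)


# Claim sets trimmed from the two service-account tokens in the issue.
NARROW_SCOPE_CLAIMS = {
    "exp": 1641414283, "iat": 1641413983, "iss": ISSUER, "aud": "Jenkins",
    "azp": "Jenkins", "preferred_username": "service-account-jenkins",
}
FULL_SCOPE_CLAIMS = {
    "exp": 1641415151, "iat": 1641414851, "iss": ISSUER,
    "aud": ["Jenkins", "Gitea", "account"], "azp": "Jenkins",
    "resource_access": {"Gitea": {"roles": [
        "gitea-netcicd-read", "gitea-netcicd-write",
        "gitea-cicdtoolbox-read", "gitea-cicdtoolbox-write"]}},
    "preferred_username": "service-account-jenkins",
}


def demo() -> dict:
    """Mint, verify and map both tokens, as if checked one minute after issue."""
    results = {}
    for name, claims in (("narrow", NARROW_SCOPE_CLAIMS), ("full", FULL_SCOPE_CLAIMS)):
        token = mint_hs256(claims, DEMO_SECRET)
        verified = verify_hs256(token, DEMO_SECRET, ISSUER, now=claims["iat"] + 60)
        results[name] = sorted(gitea_roles(verified))
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print("push to netcicd with full-scope token:", can_push(FULL_SCOPE_CLAIMS, "netcicd"))
```

The audience check is the part that matters for the issue: the narrow-scope token is a valid Keycloak token, but nothing in it names Gitea, so a resource server that maps roles only from its own `resource_access` entry grants nothing.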