8

I recently upgraded to Jenkins 2.192, and my applications started failing with the following error:

HTTP Error 403: No valid crumb was included in the request
Reason: No valid crumb was included in the request

I do not see the problem after downgrading to Jenkins 2.189. I do not see the issue with Jenkins 2.189, 2.190, 2.191. I hit the issue with Jenkins 2.192 (also seen with 2.196)

Something changed between 2.191 and 2.192, causing the failure I observed.

freeAR

7 Answers

10

You now have to forward the session id (present in the cookie response that generated the crumb) every time you use that crumb. Example code, hopefully illustrates it:

const axios = require('axios');

async function duplicateProject() {
  const jenkinsAxios = axios.create({
    baseURL: 'http://jenkins_url',
    auth: {
      username: 'MY-USERNAME',
      password: 'MY-PASSWORD'
    }
  });

  const {data: existingJobConfig} = await jenkinsAxios.get('/job/existingJob/config.xml');

  // The crumb is bound to the session that issued it: that session id arrives
  // in the Set-Cookie header of this response (an array in Node's axios).
  const crumbIssuer = await jenkinsAxios.get('/crumbIssuer/api/json');

  // Keep only the name=value part; Path=/ and HttpOnly are cookie attributes,
  // not cookies, and must not be echoed back in the Cookie header.
  const sessionCookie = crumbIssuer.headers['set-cookie'][0].split(';')[0];

  await jenkinsAxios.post(`/createItem?name=MY_NEW_PROJECT`, existingJobConfig, {
      headers: {
        'Content-Type': 'application/xml',
        [crumbIssuer.data.crumbRequestField]: crumbIssuer.data.crumb,
        Cookie: sessionCookie              // <--- THIS IS KEY!!!!
      }
    }
  );
}
acdcjunior
  • This is very useful especially for backend developers who would like to automate the jenkins job build flow. I think should have higher votes – fans3210 Aug 01 '20 at 15:31
  • This is important, thank you. Spent hours trying to figure out the error, trying various combinations of u/p, token, putting it inside the data instead of the headers but failed until I found this. – Rutwick Gangurde Oct 06 '21 at 15:02
8

A simple solution without need of making changes to source code (validated with Jenkins v2.222):

  1. Install the Strict Crumb Issuer plugin (https://plugins.jenkins.io/strict-crumb-issuer/)
  2. Enable this plugin and uncheck 'Check the session ID' from its configuration (Under Jenkins Configure Global Security)

A drawback is that this solution makes us dependent on the Strict Crumb Issuer plugin and removes a security feature. But since our application requires many other plugins and only runs behind the firewall without Internet access, this is acceptable.

freeAR
5

Refer - https://support.cloudbees.com/hc/en-us/articles/219257077-CSRF-Protection-Explained


If you authenticate with a username and a user API token then a crumb is not needed from Jenkins 2.96 weekly/2.107 LTS. For more information please refer to CSRF crumb no longer required when authenticating using API token or JENKINS-22474.

  • Thank you for this information! Using the token is way better than username and password. An example would be: curl -X POST http://your_username:9999999999999999999@192.168.10.12:8088/job/your_job_name/build?token=9999999999999999999 – Felipe de Macêdo Mar 09 '20 at 20:04
  • Strange thing is even I'm using token with baseauth, I'm still receiving the 403 error about invalid crumb – fans3210 Aug 01 '20 at 15:31
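The two working approaches above (forward the JSESSIONID cookie together with the crumb, or authenticate with a user API token and skip the crumb) and the failure in the question can be reproduced offline. The following is an added example, not code from the question, the answers, or Jenkins itself: a toy HTTP server stands in for Jenkins, binds each crumb it issues to the JSESSIONID it hands out, answers a POST whose crumb does not match the presented session with the 403 text from the question, and lets a request authenticated with an API token skip the crumb. The credentials, the /job/demo/build path and the "build-ok" body are constructed for the example; only the /crumbIssuer/api/json endpoint and the Jenkins-Crumb field name come from the answers.

```python
"""Toy stand-in for the crumb-to-session binding plus two clients (added example,
not Jenkins code). USER/PASSWORD/API_TOKEN, /job/demo/build and 'build-ok' are
constructed values for the demonstration."""
import base64
import hashlib
import hmac
import json
import secrets
import threading
import urllib.error
import urllib.request
from http.cookiejar import CookieJar
from http.server import BaseHTTPRequestHandler, HTTPServer

USER, PASSWORD, API_TOKEN = "admin", "s3cret", "11aabbccddeeff"  # constructed
SECRET = secrets.token_bytes(32)  # server-side key that ties crumbs to sessions

def crumb_for(session_id: str) -> str:
    # A crumb is an HMAC over the session id, so it only verifies with that session.
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()

class FakeJenkins(BaseHTTPRequestHandler):
    def log_message(self, *args):  # keep the example quiet
        pass

    def _auth(self):  # 'password', 'token' or None for the Basic credentials sent
        hdr = self.headers.get("Authorization", "")
        if not hdr.startswith("Basic "):
            return None
        user, _, cred = base64.b64decode(hdr[6:]).decode().partition(":")
        if user != USER:
            return None
        return {PASSWORD: "password", API_TOKEN: "token"}.get(cred)

    def _session_id(self) -> str:
        cookies = self.headers.get("Cookie", "")
        pairs = (c.strip().partition("=") for c in cookies.split(";") if "=" in c)
        return {k: v for k, _, v in pairs}.get("JSESSIONID", "")

    def _send(self, code, body, extra=None):
        self.send_response(code)
        for k, v in (extra or {}).items():
            self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):  # GET /crumbIssuer/api/json
        if not self._auth():
            return self._send(401, b"")
        sid = self._session_id() or secrets.token_hex(8)  # new session if none presented
        body = json.dumps({"crumbRequestField": "Jenkins-Crumb", "crumb": crumb_for(sid)})
        self._send(200, body.encode(), {"Set-Cookie": f"JSESSIONID={sid}; Path=/; HttpOnly"})

    def do_POST(self):  # POST /job/<name>/build
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain body
        kind = self._auth()
        if kind == "token":
            return self._send(201, b"build-ok")  # API token: crumb not required
        if kind is None:
            return self._send(401, b"")
        sent = self.headers.get("Jenkins-Crumb", "")
        if not hmac.compare_digest(sent, crumb_for(self._session_id())):
            return self._send(403, b"No valid crumb was included in the request")
        self._send(201, b"build-ok")

def start_server() -> str:
    srv = HTTPServer(("127.0.0.1", 0), FakeJenkins)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}"

def _basic(cred: str) -> str:
    return "Basic " + base64.b64encode(f"{USER}:{cred}".encode()).decode()

def _status(opener, req) -> int:
    try:
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def trigger_with_crumb(base: str, keep_session: bool) -> int:
    """Password auth: fetch a crumb, then POST. keep_session=False reproduces the 403."""
    jar = CookieJar()
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    req = urllib.request.Request(base + "/crumbIssuer/api/json", headers={"Authorization": _basic(PASSWORD)})
    with opener.open(req) as resp:
        crumb = json.load(resp)  # jar now holds the JSESSIONID from Set-Cookie
    headers = {"Authorization": _basic(PASSWORD), crumb["crumbRequestField"]: crumb["crumb"]}
    # Same opener (same cookie jar) sends the session with the crumb; a fresh one drops it.
    poster = opener if keep_session else urllib.request.build_opener()
    return _status(poster, urllib.request.Request(base + "/job/demo/build", data=b"", headers=headers))

def trigger_with_token(base: str) -> int:
    """API token over Basic auth: no crumb and no session cookie needed."""
    req = urllib.request.Request(base + "/job/demo/build", data=b"", headers={"Authorization": _basic(API_TOKEN)})
    return _status(urllib.request.build_opener(), req)
```

Calling start_server() and then trigger_with_crumb(url, keep_session=False) returns 403 with the question's error text, while trigger_with_crumb(url, keep_session=True) and trigger_with_token(url) return 201. The point the toy server makes is that the crumb by itself proves nothing once it is bound to a session: a client that fetches the crumb with one connection and posts with another (a wget one-liner followed by a separate curl, or a CI agent that discards cookies) will always see the 403, which is why the cookie jar, or an API token, is the fix rather than any particular crumb format.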
5

After going through several articles I found a workaround...

Step 1:

Go to Jenkins and create a token for the logged-in user.

Copy the token and user id:

user id: admin
token: "*****"

Step 2:

Create a crumb using the command below:

wget -q --auth-no-challenge --user admin --password "your jenkins password" --output-document - 'http://urljenkinsurl:8080/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,":",//crumb)'

The output will be your crumb, e.g. "Jenkins-Crumb:****************"

Step 3:

Install the "Strict Crumb Issuer Plugin" in Jenkins.

Step 4:

Go to BitBucket and enter the URL as

http://admin:"your Jenkins token created in the above step"@3.22.23.32:8080/job/your Job-name/build?crumb="created in step 2"

Step 5:

Go to your Jenkins job, go to Configure --> select --> Build with BitBucket Push and Pull Request Plugin.

Fill in the allowed branches: /*

e.g. /*master for the master branch

Step 6:

That's it; now try pushing to the master branch and you will see the build triggered.

Note: please remove "" in all steps and replace with your values.

David Buck
nikhil
0

I had the same issue after upgrade to this version when queuing jenkins tasks from TFS with VSTS agents.

You can solve this temporarily by disabling CSRF security in Jenkins Server.

Just found this, may help: https://jenkins.io/doc/upgrade-guide/2.176/

Emptyman
  • CSRF still works with older Jenkins. I prefer to keep it enabled with an older version, than disabled with the latest :-) – freeAR Aug 31 '19 at 19:42
0

October 2021.

In addition to the 'Cookie' tip by @acdcjunior, if you get the crumb using username/password, you will need to send them as auth. You don't need the token in this case.

Rutwick Gangurde
-1

It’s easy - and much more secure - to pass the crumb in your API calls. https://support.cloudbees.com/hc/en-us/articles/219257077-CSRF-Protection-Explained explains everything.

Also see Ansible jenkins_plugin module returns "HTTP Error 403: No valid crumb was included in the request" for a recent change in the crumb handling in Jenkins.

gareth_bowles