I am trying to follow the tutorial here: http://wiki.cloudbees.com/bin/view/Documentation/CloudBeesEclipseToolkit that describes how to configure your eclipse to use the CloudBees subversion respository. When I get to step 2, and try to validate my account username and password, I get:
Failed to validate your account.
Reason:
Failed to get account services info.
Authentication of user: xxxx failed.;
Details -
Unexpected response code:400. Message: Bad Request
I did use my google account (and oauth?) to create my cloudbees account. I am using my google username and password to try to validate.
The account name is what you see when you enter in cloudbees on the top right.
Regarding your missing password this is due to the fact that google and github sign in don't ask user to define a password - that's why you get an authentication failure.
Users can use https://grandcentral.cloudbees.com/account/forgot_password to request password reset and define the password.
I was able to fix this by clicking on the builds sectio of my account. This led me to some pages that told me I didn't have a password with cloudbees, and prompted me to create one.
When I used this password, instead of my gmail one, validation worked.
Also, I had to use my account name minus #gmaail.com to perform svn checkins, which wasn't the most intuative - it's not clear what un/ow and where
Related
I can ask this question in many ways, like
How to configure Jenkins credentials with Github Personal Access Token
How to clone Github repo in Jenkins using Github Personal Access Token
So this is the problem
The alternate solution that I am aware of
SSH connection
username password configuration in Jenkins. However,
use of a password with the GitHub API is now deprecated.
But My question is how to setup Github connection with Jenkins using Personal Access Token
[UPDATE]
The new solution proposed by git is
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/
Which says:
Beginning August 13, 2021, we will no longer accept account passwords
when authenticating Git operations and will require the use of
token-based authentication, such as a personal access token (for
developers) or an OAuth or GitHub App installation token (for
integrators) for all authenticated Git operations on GitHub.com. You
may also continue using SSH keys where you prefer.
What you need to do:
https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations/#what-you-need-to-do-today
Basically, change the add URL as
https://<access token>#github.com/<userName>/<repository>.git
Something like this
https://<access token>#github.com/dupinder/NgnixDockerizedDevEnv.git
and set the credentials to none.
Thanks to #Gil Stal
[OLD Technique]
After many discussion on multiple threads from Stackoverflow
I found one thread that is useful.
Refer to this answer:
https://stackoverflow.com/a/61104603/5108695
Basically
Personal access token can be used as a password, as far as Jenkins is concerned at least. I added new credentials to the credential manager.
Go to Jenkins
Go to credentials > System > Global credentials > Add credentials a page will open.
In Kind drop-down select Username and password.
In User put a non-existing username like jenkins-user or user.
Add Personal Access Token in the password field
Now start configuring your project.
source code management tab, select new configured credentials from Drop-down near credential Under Repository URL
So this is how we can configure or setup Authentication between Jenkins and Github using Personal Access Token
References:
Git Clone in Jenkins with Personal Access Token idles forever
Change jenkins pipeline to use github instead of gitlab
The accepted answer wont work anymore because of this: https://github.blog/2020-12-15-token-authentication-requirements-for-git-operations.
You will need to:
Change the URL of the repo to: https://<access token>#github.com/<user-name>/<repo-name>.git (Replace every <...> with the real parameters)
Set the credentials to none.
As of August 2021 the answer posted by Dupinder Singh is accurate. The only thing I would add is that if you are part of a team, the url format appears to be a bit different. This is what worked for me:
https://<access token>#github.com/<team>/<repo>.git
for example
https://ghp_6dh3jdk394jsmbh299jjdg20fh87hd83ksk39#github.com/MyKuleTeam/KuleGuyCode.git
Note that if you use a personal access token you don't need to have any github credentials stored in jenkins.
As for credentials for Jenkins Github Plugin, please be aware only Personal access tokens are now accepted by this plugin.
To generate such a token, follow the Github docs (e.g. here). Don't save it, it can be regenerated in Github and updated in Jenkins if lost or when migrating to a different server.
To add the token do Jenkins credentials store, go to <JENKINS_URL:PORT>/credentials/store/system/domain/_/newCredentials and select Kind "Secret text" (not the default "Username and password"), then paste the token as Secret and choose some ID.
Testing: the credential should appear on the list of Credentials at <JENKINS_URL:PORT>/credentials/ and be selectable from the drop-down list at <JENKINS_URL:PORT>/configure/, where pressing the "Test connection" button should display "Credentials verified for user <GITHUB_USER>".
More info: see the Github plugin docs.
Caveats: Git Plugin has its long-standing issues, so if the newly created "Secret text" does not appear in your pipelines, try if this solution helps (with "the user who triggered the build" considered safer than "SYSTEM"):
client-and-managed-masters/why-credentials-are-not-listed-in-the-git-scm-section
There is (yet another) way to do this as of 2020/04 which is supposed to be superior to personal access tokens. The best part is that you can continue using a username/password-style credential, and the plugin will handle authenticating with GitHub in the background.
Benefits include:
Larger rate limits - The rate limit for a GitHub app scales with your organization size, whereas a user based token has a limit of 5000 regardless of how many repositories you have.
User-independent authentication - Each GitHub app has its own user-independent authentication. No more need for 'bot' users or figuring out who should be the owner of 2FA or OAuth tokens.
Improved security and tighter permissions - GitHub Apps offer much finer-grained permissions compared to a service user and its personal access tokens. This lets the Jenkins GitHub app require a much smaller set of privileges to run properly.
Access to GitHub Checks API - GitHub Apps can access the the GitHub Checks API to create check runs and check suites from Jenkins jobs and provide detailed feedback on commits as well as code annotation
Links:
https://www.jenkins.io/blog/2020/04/16/github-app-authentication/
https://github.com/jenkinsci/github-branch-source-plugin/blob/master/docs/github-app.adoc
I'm running drone on my Synology NAS and can't find any hint what the password might be. I started with this instruction and added --env=DRONE_USER_CREATE=username:Imperative,admin:true. In gogs personal access tokes, an entry drone is created. Also the logs state the admin account is being created:
{"admin":true,"level":"info","login":"Imperative","machine":false,"msg":"bootstrap: account created","time":"2019-08-26T17:40:17Z","token":"the_random_token"}
I can access the web frontend login at the specified url, but i don't know what login to use. Neither my gogs login or gogs user + the drone token work.
The drone documentation is very rare on the topic.
Edit:
One more observation: when using some random login name, it says Login Failed. Unauthorized. When using my gogs credentials it says Login Failed. Not Found.
I'd like to reach my repositories from my own Gitlab account via Sourcetree.
When I try to add a new account, I need to login into Gitlab, but the process is always failed.
The message is simple:
Authentication failed
The username and password are correct, I am 100% sure in it because I've tried them in a private session in Chrome.
I'd someone who can explain to me that why I need to login into my Gitlab account if I choose the "Personal Access Token".
I've already created a new token for Sourcetree, but it never asks me just only my basic login data.
Sourcetree is up to date: 3.0.17.2659
You can see a printscreen here about the login flow.
Unable to get the access token by directly passing the username and password
Endpoint : https://login.microsoftonline.com/{tenant_id}/oauth2/token
grant_type: password
client_id: APPLICATION_ID
resource: https://graph.microsoft.com/.default
username: <username#microsoft.com>
password: <password>
Scope : openid
App is created in https://apps.dev.microsoft.com/
Getting Invalid grant error:
{
"error": "invalid_grant",
"error_description": "AADSTS70002: Error validating credentials. AADSTS50126: Invalid username or password\r\nTrace ID: 1ff96bc3-29c8-48f1-b7cc-f77c01525500\r\nCorrelation ID: 9821fdf5-25dc-4b07-84b3-f084194ea123\r\nTimestamp: 2018-09-14 20:04:01Z",
"error_codes": [
70002,
50126
],
"timestamp": "2018-09-14 20:04:01Z",
"trace_id": "1ff96bc3-29c8-48f1-b7cc-f77c01525500",
"correlation_id": "9821fdf5-25dc-4b07-84b3-f084194ea123"
}
UPDATE
Looks like there are more than one issues in play here.
You were using Azure AD token endpoint but had registered your application with Azure AD B2C by mistake (so case 2 as per my original answer).
Now after correcting that one, you should be using clientid and client secret for this new application that is registered with Azure AD.
Make sure you have added Microsoft Graph permissions for your application in Azure AD under "required permissions" and at the end of selecting appropriate permissions, make sure you press on the "Grant Permissions" button to give consent.
Looking at the error message and code you are getting (invalid_grant and "AADSTS70002: Error validating credentials. AADSTS50126"), I tried out ROPC exactly like you from Postman with a test application of my own and I tried multiple different combinations of passing wrong inputs, but the exact error codes you see come only in scenario where either my password or the username is incorrect (as the message says :)). In all other cases, error code will be different.
So, for username - make sure you give fully qualified name e.g. rohitsaigal#mydomain.onmicrosoft.com
for password - pretty obvious.
Give it another try based on instructions above and lets see how it goes.
ORIGINAL ANSWER
App is created in https://apps.dev.microsoft.com/
This means that your application is registered with Azure AD B2C.
Where you have registered your application isn't matching with the token endpoint you are using.
Case 1 - You are looking to use Azure AD B2C
Resource Owner Password Credentials Grant is still in public preview and you will need to follow the instructions provided by Microsoft here -
Configure the resource owner password credentials flow in Azure AD B2C
The endpoint you will hit to get the token will also be different that the one you have mentioned.
https://yourtenant.b2clogin.com/<yourtenant.onmicrosoft.com>/oauth2/v2.0/token?p=B2C_1_ROPC_Auth
Case 2 - You are looking to use Azure AD B2B
In this case you are using the correct end point to get the token, but you have wrongly registered your application with Azure AD B2C, you will need to change that and register your application from Azure Portal.
Instructions and details here - Integrating applications with Azure Active Directory
Just in case you need to read up on differences between Azure AD B2B v/s B2C - look at this SO Post
Here is another useful SO Post that gives information about registering your application through Azure Portal v/s https://apps.dev.microsoft.com (New application registration portal)
It seems like you didn't Grant Permissions to your app. Make sure all of the users are added to the app and ensure that you have the correct web.config parameters.
Also, ensure that the username and password are correct for the managed domain to connect. I've gotten this error before using the incorrect user. A regular azure global admin user may not be able to authenticate. You need to make sure you are using a CSP admin user.
This works https://learn.microsoft.com/en-us/azure/active-directory-b2c/add-ropc-policy?tabs=app-reg-ga&pivots=b2c-user-flow
But keep in mind that there are limitations like:
You cannot use when a password is expired or needs to be changed.
MFA is not supported
Social logins are not supported
We have a code that logins to Sharepoint Online using :
https://login.microsoftonline.com/extSTS.srf or https://login.microsoftonline.com/RST2.srf, but recently we starting to get authentication failed saying that "Incorrect Username or Password" and after some retries it returns:
"0x80048823 message : AADSTS70002: Error validating credentials. AADSTS50053: You've tried to sign in too many times with an incorrect user ID or password."
While using same username and password to login in the browser works fine, and neither password or username were changed, also code didn't changed. As same code works fine for another Sharepoint tenants. Seems that something changed in the Microsoft login servers, where it's started to not accept user credentials, while web browser login works fine.
Please advise.
Thanks
Microsoft Rep has helped me get this far.
They had us create a "Cloud Only" user. This user was setup as "#" so if your name is bill and your corporate sharepoint site is name is FakeCompany.sharepoint.com then you would have the person as "bill#FakeCompany.onmicrosoft.com"
This user was able to login to https://login.microsoftonline.com/extSTS.srf by just passing username and password.
Our on prem AD users are still having issues, i mentioned this and got the following response.
There is no issue with sync as you are able to login to portal using the same account and password.
The solution you need is documented in https://learn.microsoft.com/en-gb/azure/active-directory/manage-apps/configure-authentication-for-federated-users-portal#enable-direct-authentication-for-legacy-applications
You need to create a home realm discovery (HRD) policy where "AllowCloudPasswordValidation":true.
We have not yet implemented the last solution but the creating of a cloud account may help some of you.
So I think I understand what they are trying to say. There are 2 paths that you are able to authenticate with according to the node-sp-auth example.
"Managed" and "Federated"
"Managed" was the easier version and allowed for you to be able to just provide username and credentials in a soap assertion to login.
Federated is a lot more complicated. You need to first perform a post to Microsoft to validate the user hitting your adfs server. https://adfs.XXXXXXX.com/adfs/services/trust/13/usernamemixed
Then you take the saml:Assertion from that response and put it into the "Token" section of the call you make to https://login.microsoftonline.com/extSTS.srf utilizing the templates from the node-sp-auth.
I have C# code that performs all these steps but I am getting an error
AADSTS70002: Error validating credentials. AADSTS50008: SAML token is invalid. AADSTS50006: Invalid signature. Signature verification failed.
Even though the signature is being generated by Microsoft in their SAML.
node-sp-auth code refrence is OnlineUserCredential.ts file.
If someone can figure out the last mile I can post a comprehensive C# solution.