'Jenkins: 403 No valid crumb was included in the request

I configured jenkins in spinnaker as follows and setup spinnaker pipeline.

 jenkins:
    # If you are integrating Jenkins, set its location here using the baseUrl
    # field and provide the username/password credentials.
    # You must also enable the "igor" service listed separately.
    #
    # If you have multiple jenkins servers, you will need to list
    # them in an igor-local.yml. See jenkins.masters in config/igor.yml.
    #
    # Note that jenkins is not installed with Spinnaker so you must obtain this
    # on your own if you are interested.
    enabled: ${services.igor.enabled:false}
    defaultMaster:
      name: default
      baseUrl: http://server:8080
      username: spinnaker
      password: password

But I am seeing following error when trying to run spinnaker pipeline.

Exception ( Start Jenkins Job ) 403 No valid crumb was included in the request



Solution 1:[1]

Finally, this post helped me to do away with the crumb problem but still securing Jenkins from CSRF attack.

Solution for no-valid crumb included in the request issue

Basically, we need to first request for crumb with authentication and then issue POST api calls with crumb as a header along with authentication again.

This is how I did it,

curl -v -X GET http://jenkins-url:8080/crumbIssuer/api/json --user <username>:<password>

Response was,

{
"_class":"hudson.security.csrf.DefaultCrumbIssuer",
"crumb":"0db38413bd7ec9e98974f5213f7ead8b",
"crumbRequestField":"Jenkins-Crumb"
}

Then the POST api with above crumb information in it.

curl -X POST http://jenkins-url:8080/job/<job-name>/build --user <username>:<password> -H 'Jenkins-Crumb: 0db38413bd7ec9e98974f5213f7ead8b'

Solution 2:[2]

This solution is SAFE to use

came along this issue when we changed jenkins to be accessible via reverse proxy.

There is an option in the "Configure Global Security" that "Enable proxy compatibility" This helped with my issue.

enter image description here

Other Solution

in Github payload URL make your url look like this
https://jenkins:8080/github-webhook/ Dont forget to metion / at the end

Solution 3:[3]

To resolve this issue I unchecked "Prevent Cross Site Request Forgery exploits" in jenkins.com/configureSecurity section and it started working.

Prevent Cross Site Request Forgery exploits

Solution 4:[4]

I solved this by using API TOKEN as a basic authentication password. Here is how

curl -v -X POST http://jenkins-url:8080/job/<job-name>/buildWithParameters?param=value --user <username>:<token>

Note: To Create the API TOKEN under Accounts icon -> configure -> API Token -> Add New token

Solution 5:[5]

Crumb is nothing but access-token. Below is the api to get the crumb

https://jenkins.xxx.xxx.xxx/crumbIssuer/api/json // replace it with your jenkins url and make a GET call in your postman or rest-api caller.

This will generate output like :

{
    "_class": "hudson.security.csrf.DefaultCrumbIssuer",
    "crumb": "ba4742b9d92606f4236456568a",
    "crumbRequestField": "Jenkins-Crumb"
}

Below are more details and link related to same: How to request for Crumb issuer for jenkins Jenkins wiki page : https://wiki.jenkins-ci.org/display/jenkins/remote+access+api

If you are calling the same via rest-api call, checkout the below link where it is explained how to call rest call using jenkins-crumb

https://blog.dahanne.net/2016/05/17/how-to-update-a-jenkins-job-posting-config-xml/

Example :

curl -X POST http://anthony:anthony@localhost:8080/jenkins/job/pof/config.xml --data-binary "@config.xml" -data ".crumb=6bbabc426436b72ec35e5ad4a4344687"

Solution 6:[6]

For the new release of Jenkins you should follow the solution below:

https://jenkins.io/doc/upgrade-guide/2.176/#upgrading-to-jenkins-lts-2-176-3

Upgrading to Jenkins 2.176.2 Improved CSRF protection

SECURITY-626

CSRF tokens (crumbs) are now only valid for the web session they were created in to limit the impact of attackers obtaining them. Scripts that obtain a crumb using the /crumbIssuer/api URL will now fail to perform actions protected from CSRF unless the scripts retain the web session ID in subsequent requests. Scripts could instead use an API token, which has not required a CSRF token (crumb) since Jenkins 2.96.

To disable this improvement you can set the system property hudson.security.csrf.DefaultCrumbIssuer.EXCLUDE_SESSION_ID to true. Alternatively, you can install the Strict Crumb Issuer Plugin which provides more options to customize the crumb validation. It allows excluding the web session ID from the validation criteria, and instead e.g. replacing it with time-based expiration for similar (or even better) protection from CSRF

In my case helped installation of the Strict Crumb Issuer Plugin, rebooting jenkins and applying a less strict policy for the web interface of Jenkins as it is suggested on the vendor's site.

Solution 7:[7]

According to Jenkins Directive First you have to check your Jenkins version if the version is < 2.176.2 then per Jenkins guideline CSRF tokens (crumbs) are now only valid for the web session they were created in to limit the impact of attackers obtaining them. Scripts that obtain a crumb using the /crumbIssuer/api URL will now fail to perform actions protected from CSRF unless the scripts retain the web session ID in subsequent requests.

Alternatively, you can install the Strict Crumb Issuer Plugin which provides more options to customize the crumb validation. It allows excluding the web session ID from the validation criteria, and instead e.g. replacing it with time-based expiration for similar (or even better) protection from CSRF.

Steps :

  • you have to installed the plugin called "Strict Crumb Issuer"
  • Once installed restart the jenkins service
  • got to "Manage Jenkins" --> "Configure Global Security" --> Under CSRF Protection, select "Strict Crumb Issue" from the drop down list --> Click on Advance and uncheck everything but select "Prevent Breach Attack" option. --> Apply and save.
  • Now run you crumb script.

It should work now.

Check this image for your reference

Solution 8:[8]

I lost a bunch of time trying to figure this out. At the end I just installed this plugin https://plugins.jenkins.io/build-token-root/ and enabled build permission to anonymous users. At the end doesn't really mather because the jenkins instance is behind a VPN and I'm using https://smee.io to forward the webhook to the Jenkins instance. Also the Jenkins instance is behind a reverse proxy so the "Enable proxy compatibility" option is checked as well, and the "ignore_invalid_headers" setting set to off in Nginx configuration at server level. Sharing my solution just in case someone else is struggling as well. I'm sure there are better ways to do it but this is one option.

Note that with this plugin the build url is set to buildByToken/build?job=JobName&token=TokenValue and the token is generated in the job settings.

This is in Jenkins 2.235.2 which doesn't have an option to disable CSRF.

Solution 9:[9]

I did get the same "403 No valid crumb was included in request" error when I create a jenkins job from a java program using jenkins-client library i.e. com.offbytwo.jenkins. Then I used jenkins api token instead of password in following code. Now, the issue is fixed.

JenkinsServer jServer = new JenkinsServer(new URI(jenkins_url), jnkn_username, jnkn_password);

We can generate API Token from Jenkins console. Profile > Configure > API Token (Add new token)

The same API token can be used instead of password with curl also.

curl -v -X POST http://jenkins-url:port/job/<job-name>/buildWithParameters?param=value --user <jen_username>:<jenkins_api_token>

Solution 10:[10]

You need a 2 step procedure to first get a crumb from the server and then use it. I am using this bash script and curl for that:

#!/bin/bash
# buildme.sh    Runs a build Jenkins build job that requires a crumb
# e.g.
# $ ./buildme.sh 'builderdude:monkey123' 'awesomebuildjob' 'http://paton.example.com:8080'
# Replace with your admin credentials, build job name and Jenkins URL
#
# More background:
# https://support.cloudbees.com/hc/en-us/articles/219257077-CSRF-Protection-Explained
USERPASSWORD=$1
JOB=$2
SERVER=$3
# File where web session cookie is saved
COOKIEJAR="$(mktemp)"
CRUMB=$(curl -f -u "$USERPASSWORD" --cookie-jar "$COOKIEJAR" "$SERVER/crumbIssuer/api/xml?xpath=concat(//crumbRequestField,%22:%22,//crumb)")
status=$?
if [[ $status -eq 0 ]] ; then
  curl -f -X POST -u "$USERPASSWORD" --cookie "$COOKIEJAR" -H "$CRUMB" "$SERVER"/job/"$JOB"/build
  status=$?
fi
rm "$COOKIEJAR"
exit $status

Here is an example of executing this script with the parameters you need:

$ ./buildme.sh 'builderdude:monkey123' 'awesomebuildjob' 'http://paton.example.com:8080'

This script will return an error code if one of the curl command fails for any reason.

More details can be found from cloudbees

Solution 11:[11]

Since this question is the first SO link when searching for "No valid crumb was included in the request" in Google, I think it's worth mentioning that the same error is generated if you omit/forget the Authorization HTTP header or use a blank username/password: Screenshot showing error with omitted Authorization HTTP header

Relevant error messages related to the Authorization header are only generated when a value is passed: Screenshot showing errors related to the Authorization header

And, yes, the crumb passed in the first screenshots is actually valid; everything works with the correct username/password: Screenshot showing the crumb used earlier is valid

So, not sure if that's a bug or not, but "No valid crumb was included in the request" could also mean you accidentally forgot the Authorization header.

Jenkins 2.222.3, Ubuntu Server 20.04, Java Runtime 1.8.0_252-8u252-b09-1ubuntu1-b09

Solution 12:[12]

Visiting jenkins with https://... instead of http://... solved the problem for me

Solution 13:[13]

For me below solutions work in bitbucket:

Updated the URL to:

http://jenkinsurl:8080/bitbucket-hook/

Bitbucket Webhook: Edit webhook

Solution 14:[14]

For java codes to access Jenkins API I will let my advise.

The answer of @Santhosh (https://stackoverflow.com/a/60221003/5940655) do resolve the problem, that consists in changing tbe password for token, but as far as I know, token now is a legacy manner to do it. So I tried other way, and find out a solution inside java code.

Here how I did it. In my java code I use "com.offbytwo.jenkins" package and the class that I use is "JenkinsServer".

My problem was to create a job in jenkins because I was getting error: "403 No valid crumb was included in request"

Then I found a boolean parameter called crumbFlag and passed "true" on it and everything worked.

My code was like this:

jenkins.createJob(job.getName(), config);

Then, I changed for this ans worked like a charm:

jenkins.createJob(job.getName(), config, true);

This parameter is inside almost all methods of this package, by example:

  • createJob(String jobName, String jobXml, Boolean crumbFlag)
  • updateJob(String jobName, String jobXml, boolean crumbFlag)
  • renameJob(String oldJobName, String newJobName, Boolean crumbFlag)
  • Others.

The technical documentation inside the code is:

@param crumbFlag true to add crumbIssuer * false otherwise.

I understood if you pass "true" for this parameter it will issue a crumb automatically.

Well, the official documentation has this information on details, if you wish, take a look here:

https://javadoc.io/doc/com.offbytwo.jenkins/jenkins-client/latest/com/offbytwo/jenkins/JenkinsServer.html

Solution 15:[15]

This guide explains how to generate a Jenkins crumb, save the cookies and use both the crumb and the saved cookies in the subsequent requests that require authentication. This is a must for Jenkins after V2.176.2

Solution 16:[16]

I had the same issue when trying to setup a GitHub project with GitHub Pull Request Builder plugin

  • Here is an example of the response i was getting from my Jenkins server

enter image description here

  • response content

enter image description here

  • The problem was happening because my Payload URL was missing a forward slash at the end /.

  • adding a forward slash at the end of the url solves the problem

  • your payload url should look like this https://jenkins.host.com/ghprbhook/

  • examples after adding forward slash

enter image description here

enter image description here

Solution 17:[17]

Here is my solution to this issue ( git hook to launch jenkins job behind a reverse proxy )

#get the CRUMB from a first call and store the sessionid in cookie jar:

CRUMB=$(/usr/bin/curl --cookie-jar ./cookie -sX GET https://******.net/crumbIssuer/api/json|cut -d'"' -f8)

#launch the JOB:

/usr/bin/curl --cookie ./cookie -X POST https://******.net/job/PROJECTNAME/build -H "Jenkins-Crumb: $CRUMB"

Solution 18:[18]

For me the solution was to pass the X-Forwarded-Host and X-Forwarded-Port headers as suggested in the reverse-proxy-configuration-troubleshooting chapter of the Handbook.

HaProxy config, inside the frontend section:

http-request set-header  X-Forwarded-Host  %[hdr(host)]
http-request set-header  X-Forwarded-Port  %[dst_port]

Solution 19:[19]

Me too faced similar problem, I was using password instead of token. When updated solved my problem, no need to uncheck anything and make it insecure. Below are the complete steps that I followed to have jenkins CLI working-

step -1:- prepare ENV vars

export JENKINS_URL=http://localhost:8080/
export JENKINS_USER=admin
export JENKINS_PASSWORD=b7f04f4efe5ee117912a1.....
export JENKINS_CRUMB=f360....
export FOLDER=test

Obtain token as- How to get the API Token for Jenkins

get CRUMB as- http://localhost:8080/crumbIssuer/api/json

step-2 :- prepare XML file, file name creds.xml

<com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>      
  <scope>GLOBAL</scope>                  
  <id>TEST-CLI</id>            
  <username>test</username>    
  <password>test123</password>
  <description>this secret if created confirms that jenkins-cli is working</description>        
</com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>

step 3:- POST using curl

curl -X POST -u $JENKINS_USER:$JENKINS_PASSWORD -H "Jenkins-Crumb:${JENKINS_CRUMB}" -H 'content-type:application/xml' -d @creds.xml "$JENKINS_URL/job/$FOLDER/credentials/store/folder/domain/_/createCredentials"

Solution 20:[20]

In my case, I was able to bypass the error by using Remote Desktop into the Jenkins server directly and using localhost based URL instead of trying to go through the corporate proxy from my computer.

Solution 21:[21]

I am running with reverse proxy with nignx. Changed jenkins option in the "Configure Global Security" that "Enable proxy compatibility" This fixed with my issue.

Solution 22:[22]

First create a user API token by going to user-->API Token-->Add new token.

Then use the below script for triggering.

import jenkins,requests
job_name='sleep_job'
jenkins_url = "http://10.10.10.294:8080"
auth = ("jenkins","1143e7efc9371dde2e4f312345bec")
request_url = "{0:s}/job/{1:s}/buildWithParameters".format(jenkins_url, 
job_name, )
crumb_data = requests.get("{0:s}/crumbIssuer/api/json".format(jenkins_url), 
auth=auth, ).json()
headers = {'Jenkins-Crumb': crumb_data['crumb']}
jenkins_job_params={}
jenkins_job_params['NODE_NAME']='10_10_1_29'
jenkins_job_params['SLEEP_TIME']='1h'
response = requests.post(request_url, data=jenkins_job_params, auth=auth, )
response.raise_for_status()

Solution 23:[23]

Head over to Manage Jenkins => Configure global security.

Then uncheck "Prevent Cross Site Request Forgery exploits"