The docs at https://www.jenkins.io/doc/book/system-administration/authenticating-scripted-clients/ and https://www.jenkins.io/doc/book/using/remote-access-api/ both strongly imply that you don't need to supply a crumb when calling the API from scripted clients, if you use an API token. They both illustrate curl/wget calls with API tokens and no crumb header, and the latter says "API tokens are preferred *instead of* crumbs for CSRF protection".

This seems to be true for GET requests - I can make a GET to $JENKINS_URL/job/myjob/changes with a valid user/ApiToken and it succeeds. However, when I POST to trigger that job, I get "HTTP ERROR 403 No valid crumb was included in the request".

(Problem for me is that this seems to break Spinnaker's ability to trigger Jenkins jobs unless I disable CSRF completely, which obviously I don't want to do.)

Is it by design that even an ApiToken must be combined with a crumb to do POSTs? Can this be disabled? Is this anything to do with https://www.jenkins.io/doc/upgrade-guide/2.204/#upgrading-to-jenkins-lts-2-204-6?

I'm on Jenkins 2.235.5 <https://jenkins.io/>

Thanks
