We have a Jenkins instance behind Okta, and we have a service account that we use to authenticate to the Jenkins API. We use a token with this account. It's been set up like this for about 2 years.
Last month we started having a weird "Stopped after 10 redirects" error whenever we hit the API. But when we log into the Jenkins UI as the service account, the error goes away for a few hours and then comes back. The URL path looks like it's appending the securityRealm 10 times. It looks like this: https://ourjenkins.net/api/securityRealm/securityRealm/securityRealm/securityRealm/securityRealm/securityRealm/securityRealm/securityRealm/securityRealm/securityRealm/commenceLogin
Any idea why, or how we can fix this? Nothing useful is showing in the logs.
Hello and welcome to this community, @ehuizar1028!
Expired or Invalid Service Account Token
If the token associated with the service account is expired or invalid, Jenkins may attempt to redirect the request through the securityRealm multiple times as it tries (and fails) to authenticate.
You could try to regenerate the API token for the service account and update any services or scripts that rely on it.
Make sure the token is correctly passed in the Authorization: Bearer header or as a query parameter.
SSO Reconfiguration or Metadata Expiry
If Okta or Jenkins’ SSO configuration has been recently updated (e.g., Okta’s signing certificates rotated or Jenkins’ SSO plugin was updated), the integration might have become unstable.
Verify the SSO configuration in Jenkins:
Go to Dashboard > Manage Jenkins > Security.
Check the SSO-related settings for the Okta integration.
Ensure that the Okta metadata (e.g., certificates, endpoints) is up-to-date.
Jenkins Plugin Issues
Jenkins uses plugins for authentication and SSO, such as SAML Plugin, OAuth Plugin, or OpenID Connect Plugin. A misconfiguration, outdated plugin version, or bug might cause the redirect loop.
Check that all authentication-related plugins (e.g., SAML, Okta) are up to date.
Review the plugin documentation for any breaking changes or additional configurations required after an update.
Session Expiry Issue
Logging into the UI as the service account seems to resolve the issue temporarily. That indicates that the act of logging in may be refreshing a session or token that the API relies on.
Investigate the session persistence settings:
Check the Session Timeout and Session Management settings in Jenkins.
Ensure that API requests are allowed to use tokens without requiring a session refresh.
API Path Misconfiguration
The /securityRealm path being appended multiple times indicates that Jenkins might be erroneously redirecting the API request. This could happen if:
The base URL in Manage Jenkins > System > Jenkins Location is incorrect.
There’s a proxy misconfiguration (e.g., in your reverse proxy or Okta settings).
Confirm that the Jenkins base URL is set correctly.
As you’re using a reverse proxy, ensure that:
Headers like X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Host are correctly configured.
The reverse proxy is not appending securityRealm to the path unnecessarily.
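A quick way to separate the token question from the redirect question is to send one API request with redirects disabled and look at the first response rather than the tenth. The script below is an added example, not code from the thread or from Jenkins: it sends the API token as HTTP Basic credentials (user:token, which is how Jenkins API tokens are normally used), stops on the first 3xx, and reports the status and Location header. It also simulates one mechanism that produces exactly the nested path from the question: a relative Location header (e.g. `securityRealm/commenceLogin`) resolved against the current request URL on every hop. That mechanism is a hypothesis to test against your real Location header, not something the thread confirms. The host `https://ourjenkins.net`, the endpoint `/api/json`, the user `svc` and the token `tok` are placeholders.

```python
"""Probe a Jenkins API endpoint with an API token, redirects disabled, and
explain the first response. Also simulates how a relative Location header
turns into the nested securityRealm/securityRealm/... path from the question.

Assumptions (not from the thread): host https://ourjenkins.net, user "svc",
token "tok", endpoint /api/json, and that the redirect target is the
relative path "securityRealm/commenceLogin". Replace with your own values.
"""
import base64
import os
import sys
import urllib.error
import urllib.parse
import urllib.request


def basic_auth_header(user: str, token: str) -> str:
    """Jenkins API tokens are sent as HTTP Basic credentials: user:token."""
    raw = f"{user}:{token}".encode()
    return "Basic " + base64.b64encode(raw).decode()


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow 3xx so we see the first hop instead of a 10-hop loop."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx headers


def probe(url: str, user: str, token: str, timeout: float = 10.0):
    """One request with the token; returns (status, Location header or None)."""
    req = urllib.request.Request(
        url, headers={"Authorization": basic_auth_header(user, token)}
    )
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx land here
        return err.code, err.headers.get("Location")


def resolve_chain(start_url: str, location: str, hops: int = 10) -> list:
    """Resolve the same Location header `hops` times, the way a client does
    (RFC 3986 reference resolution). A relative Location piles up segments."""
    chain = [start_url]
    for _ in range(hops):
        chain.append(urllib.parse.urljoin(chain[-1], location))
    return chain


def repeated_segment(url: str, segment: str = "securityRealm") -> int:
    """Longest run of consecutive `segment` components in the URL path."""
    parts = [p for p in urllib.parse.urlsplit(url).path.split("/") if p]
    best = run = 0
    for p in parts:
        run = run + 1 if p == segment else 0
        best = max(best, run)
    return best


def diagnose(status: int, location, url: str) -> str:
    """Turn the first response into a statement about the token/SSO state."""
    if status == 200:
        return "ok: API token accepted"
    if status == 401:
        return "unauthorized: token rejected (regenerate it and update callers)"
    if status == 403:
        return "forbidden: token accepted but user lacks permission"
    if status in (301, 302, 303, 307, 308) and location:
        target = urllib.parse.urljoin(url, location)
        kind = "absolute" if urllib.parse.urlsplit(location).scheme else "relative"
        if "commenceLogin" in target:
            return (f"sso-redirect ({kind} Location -> {target}): the request was "
                    "treated as anonymous, so the token was not honoured")
        return f"redirect ({kind} Location -> {target})"
    return f"unexpected: HTTP {status}"


if __name__ == "__main__":
    base = os.environ.get("JENKINS_URL", "https://ourjenkins.net")  # placeholder
    user = os.environ.get("JENKINS_USER", "svc")                    # placeholder
    token = os.environ.get("JENKINS_TOKEN", "tok")                  # placeholder
    api = base.rstrip("/") + "/api/json"
    try:
        status, loc = probe(api, user, token)
    except OSError as exc:
        sys.exit(f"cannot reach {api}: {exc}")
    print(f"{api} -> HTTP {status}, Location={loc!r}")
    print(diagnose(status, loc, api))
    if loc:
        chain = resolve_chain(api, loc)
        print("after 10 hops the client would be at:", chain[-1],
              f"({repeated_segment(chain[-1])} nested securityRealm segments)")
```

Run it with `JENKINS_URL`, `JENKINS_USER` and `JENKINS_TOKEN` set. A 401 on the first hop means the token itself is the problem; a 302 to `securityRealm/commenceLogin` means Jenkins treated the request as anonymous (the token was ignored or stripped, for example by a proxy or SSO layer in front of it); and a Location header that is a relative path, combined with a client that resolves it against `/api/...`, is enough on its own to produce the ten nested `securityRealm` segments, which points at the Jenkins Location / proxy-header configuration rather than at the account.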