Skip to content

v2.100+ breaks auth flow (conf with pw -> conf with access token) when logging in with password #3445

Open
Open
v2.100+ breaks auth flow (conf with pw -> conf with access token) when logging in with password#3445
Labels
bugSomething isn't working
@nneul

Description

@nneul
nneul
opened on Apr 19, 2026

Describe the bug

Have filed this with support as 410604 fyi.

After 2.99 - the client is not successfully replacing login PW with a refreshable access token. Note that it does still work ok if you are logging in with a refToken, but not if the login is being set up with a password. This broke various workflows in weird/inconsistent ways - cause it "mostly works" - but the failures are triggering enough 401's that certain build patterns are getting into modes where it's not able to get past the error/retry behaviors/etc.

Current behavior

Test example:

export CI=TRUE
export JFROG_CLI_LOG_LEVEL=DEBUG
export JFROG_CLI_HOME_DIR=/tmp/jftest
rm -rf /tmp/jftest
jf c add artifactory --url https://artifactory.domain.com --user internal_build_velocity --password $PASSWORD
cat /tmp/jftest/jfrog-cli.conf.v6
jf rt s --count misc-binaries
cat /tmp/jftest/jfrog-cli.conf.v6

When I do that with a password, this is what I get:

11:33:53 [Debug] JFrog CLI version: 2.101.0
11:33:53 [Debug] OS/Arch: linux/amd64
11:33:53 [Debug] Trace ID for JFrog Platform logs: 4bf9021cc116b0a4
11:33:53 [Debug] Locking config file to run config AddOrEdit command.
11:33:53 [Debug] Creating lock in: /tmp/jftest/locks/config
11:33:53 [Debug] config file is released.
11:33:53 [Debug] Sending HTTP GET request to: https://artifactory.domain.com/artifactory/api/security/encryptedPassword
11:33:53 [Debug] Releasing lock: /tmp/jftest/locks/config/jfrog-cli.conf.lck.1907218.1776616433355778643
{
 "servers": [
  {
   "url": "https://artifactory.domain.com/",
   "artifactoryUrl": "https://artifactory.domain.com/artifactory/",
   "distributionUrl": "https://artifactory.domain.com/distribution/",
   "xrayUrl": "https://artifactory.domain.com/xray/",
   "missionControlUrl": "https://artifactory.domain.com/mc/",
   "pipelinesUrl": "https://artifactory.domain.com/pipelines/",
   "user": "internal_build_velocity",
   "password": "APxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxX",
   "tokenRefreshInterval": 60,
   "serverId": "artifactory",
   "isDefault": true
  }
 ],
 "version": "6"
}11:33:53 [Debug] JFrog CLI version: 2.101.0
11:33:53 [Debug] OS/Arch: linux/amd64
11:33:53 [Debug] Trace ID for JFrog Platform logs: 9bba5d1508ce98a0
11:33:53 [Debug] Using <artifactory> server-id configuration
11:33:53 [Debug] Creating lock in: /tmp/jftest/locks/config
11:33:53 [Debug] Sending HTTP POST request to: https://artifactory.domain.com/access/api/v1/tokens
11:33:54 [Debug] Sending HTTP POST request to: https://artifactory.domain.com/access/api/v1/tokens
11:33:54 [Debug] Access token creation with Bearer auth failed: server response: 401 Unauthorized
{
 "errors": [
  {
   "code": "UNAUTHORIZED",
   "message": "Invalid token, parse"
  }
 ]
}
11:33:54 [Debug] Releasing lock: /tmp/jftest/locks/config/jfrog-cli.conf.lck.1907238.1776616433663359796
11:33:54 [🔵Info] Searching artifacts...
11:33:54 [Debug] Sending HTTP GET request to: https://artifactory.domain.com/artifactory/api/system/version
11:33:54 [Debug] Sending HTTP GET request to: https://artifactory.domain.com/artifactory/api/system/version
11:33:54 [Debug] Artifactory response: 200 
11:33:54 [Debug] JFrog Artifactory version is: 7.146.7
11:33:54 [Debug] Searching Artifactory using AQL query:
 items.find({"$or":[{"$and":[{"repo":"misc-binaries","path":{"$match":"*"},"name":{"$match":"*"}}]}]}).include("name","repo","path","actual_md5","actual_sha1","sha256","size","type","modified","created","property")
11:33:54 [Debug] Sending HTTP POST request to: https://artifactory.domain.com/artifactory/api/search/aql
11:33:54 [Debug] Artifactory response: 200 
11:33:54 [Debug] Artifactory Call Home: Sending info...
11:33:54 [Debug] Sending HTTP POST request to: https://artifactory.domain.com/artifactory/api/system/usage
11:33:54 [Debug] Sending HTTP POST request to: https://artifactory.domain.com/jfconnect/api/v1/backoffice/metrics/log
11:33:55 [Debug] Artifactory response: 200 
11:33:55 [Debug] Streaming data to file...
11:33:55 [Debug] Finished streaming data successfully.
11:33:55 [🔵Info] Found 211 artifacts.
11:33:55 [Debug] Attempting to remove file: /tmp/jfrog.cli.temp.-1776616435-884548194
211
11:33:55 [Debug] Attempting to remove file: /tmp/jfrog.cli.temp.-1776616435-833335798
{
 "servers": [
  {
   "url": "https://artifactory.domain.com/",
   "artifactoryUrl": "https://artifactory.domain.com/artifactory/",
   "distributionUrl": "https://artifactory.domain.com/distribution/",
   "xrayUrl": "https://artifactory.domain.com/xray/",
   "missionControlUrl": "https://artifactory.domain.com/mc/",
   "pipelinesUrl": "https://artifactory.domain.com/pipelines/",
   "user": "internal_build_velocity",
   "password": "AxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxX",
   "tokenRefreshInterval": 60,
   "serverId": "artifactory",
   "isDefault": true
  }
 ],
 "version": "6"
}

Reproduction steps

Basic test:
Set up temp jf home env vars and debug
jf c add with url, username, pw
look at content of config - will have username and encrypted pw
jf s
look at content of config - willl still have username and encrypted pw
You'll see a 401 token error in the jf search.

Expected behavior

For it to work as it did before:

jf c add -> file with enc pw -> jf s -> config content replaced with refreshable access token

Here's what it does when it works:

nneul@optic:/local/spirent/jenkins-credential-tests/jenkins-ito$ rm -rf /tmp/jftest; jf c add artifactory --url https://artifactory.domain.com --user internal_build_velocity --password 0xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxd03; cat /tmp/jftest/jfrog-cli.conf.v6; jf rt s --count misc-binaries; cat /tmp/jftest/jfrog-cli.conf.v6
12:04:59 [Debug] JFrog CLI version: 2.99.0
12:04:59 [Debug] OS/Arch: linux/amd64
12:04:59 [Debug] Trace ID for JFrog Platform logs: 620f08efb61394cd
12:04:59 [Debug] Locking config file to run config AddOrEdit command.
12:04:59 [Debug] Creating lock in: /tmp/jftest/locks/config
12:04:59 [Debug] config file is released.
12:04:59 [Debug] Sending HTTP GET request to: https://artifactory.domain.com/artifactory/api/security/encryptedPassword
12:05:00 [Debug] Releasing lock: /tmp/jftest/locks/config/jfrog-cli.conf.lck.1912576.1776618299892418600
{
 "servers": [
  {
   "url": "https://artifactory.domain.com/",
   "artifactoryUrl": "https://artifactory.domain.com/artifactory/",
   "distributionUrl": "https://artifactory.domain.com/distribution/",
   "xrayUrl": "https://artifactory.domain.com/xray/",
   "missionControlUrl": "https://artifactory.domain.com/mc/",
   "pipelinesUrl": "https://artifactory.domain.com/pipelines/",
   "user": "internal_build_velocity",
   "password": "AxxxxxxxxxxxxwX",
   "tokenRefreshInterval": 60,
   "serverId": "artifactory",
   "isDefault": true
  }
 ],
 "version": "6"
}12:05:00 [Debug] JFrog CLI version: 2.99.0
12:05:00 [Debug] OS/Arch: linux/amd64
12:05:00 [Debug] Trace ID for JFrog Platform logs: b6f797ea1ccc3dc3
12:05:00 [Debug] Using <artifactory> server-id configuration
12:05:00 [Debug] Creating lock in: /tmp/jftest/locks/config
12:05:00 [Debug] Sending HTTP POST request to: https://artifactory.domain.com/artifactory/api/security/token
12:05:00 [Debug] Releasing lock: /tmp/jftest/locks/config/jfrog-cli.conf.lck.1912597.1776618300225727521
12:05:00 [🔵Info] Searching artifacts...
12:05:00 [Debug] Sending HTTP GET request to: https://artifactory.domain.com/artifactory/api/system/version
12:05:00 [Debug] Sending HTTP GET request to: https://artifactory.domain.com/artifactory/api/system/version
12:05:00 [Debug] Artifactory response: 200 
12:05:00 [Debug] Artifactory response: 200 
12:05:00 [Debug] JFrog Artifactory version is: 7.146.7
12:05:00 [Debug] Artifactory Call Home: Sending info...
12:05:00 [Debug] Searching Artifactory using AQL query:
 items.find({"$or":[{"$and":[{"repo":"misc-binaries","path":{"$match":"*"},"name":{"$match":"*"}}]}]}).include("name","repo","path","actual_md5","actual_sha1","sha256","size","type","modified","created","property")
12:05:00 [Debug] Sending HTTP POST request to: https://artifactory.domain.com/artifactory/api/search/aql
12:05:00 [Debug] Sending HTTP POST request to: https://artifactory.domain.com/artifactory/api/system/usage
12:05:00 [Debug] Sending HTTP POST request to: https://artifactory.domain.com/jfconnect/api/v1/backoffice/metrics/log
12:05:00 [Debug] Artifactory response: 200 
12:05:00 [Debug] Streaming data to file...
12:05:00 [Debug] Finished streaming data successfully.
12:05:01 [🔵Info] Found 211 artifacts.
12:05:01 [Debug] Attempting to remove file: /tmp/jfrog.cli.temp.-1776618300-1085820854
211
12:05:01 [Debug] Attempting to remove file: /tmp/jfrog.cli.temp.-1776618301-4195906315
{
 "servers": [
  {
   "url": "https://artifactory.domain.com/",
   "artifactoryUrl": "https://artifactory.domain.com/artifactory/",
   "distributionUrl": "https://artifactory.domain.com/distribution/",
   "xrayUrl": "https://artifactory.domain.com/xray/",
   "missionControlUrl": "https://artifactory.domain.com/mc/",
   "pipelinesUrl": "https://artifactory.domain.com/pipelines/",
   "user": "internal_build_velocity",
   "password": "APxxxxxxxxxxxxxxxxxwX",
   "accessToken": "xxxxx-xxxxxxxx",
   "artifactoryRefreshToken": "f643xxxxxxxxxxxxxxxxxxxxx1",
   "serverId": "artifactory",
   "isDefault": true
  }
 ],
 "version": "6"
}

You can see the correct flow, with no 401 failure on the initial token refresh.

JFrog CLI version

2.100

Operating system type and version

Debian 13

JFrog Artifactory version

7.146.7

JFrog Xray version

na

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't working

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions