Jenkins CI/CD connector in Rally SA fails REST API auth during deployment

Our Jenkins pipeline integration with Rally SA is failing authentication during automated deployments. We’re using the Jenkins Rally plugin to update user stories and defects post-deployment, but getting 401 Unauthorized errors intermittently.

The OAuth2 token configuration seems correct in Jenkins credentials, and we’ve set the workspace scope to match our Rally SA workspace ID. However, after the pipeline runs for about 45 minutes, the REST API calls start failing:


HTTP/1.1 401 Unauthorized
{"OperationResult": {"Errors": ["Invalid authentication token"]}}
Pipeline step failed: Rally update

This is blocking our deployment automation completely. The token expiry handling in the Jenkins Rally plugin doesn’t seem to refresh tokens automatically. Has anyone dealt with OAuth2 refresh token issues in Rally SA CI/CD integrations?

We had similar issues last quarter. One thing to check: workspace scope configuration in your OAuth2 app settings. Rally SA requires explicit workspace permissions in the token request. If your Jenkins credential store only has the client_id and client_secret without workspace context, the token won’t have the right scope after refresh. You might need to regenerate the OAuth2 credentials in Rally SA with proper workspace binding.

Here’s what worked for us after dealing with the same authentication failures:

OAuth2 Configuration Fix:

  1. Workspace Scope: In Rally SA, edit your OAuth2 application and ensure the workspace scope explicitly includes your target workspace ID. The scope string should look like: `workspace:12345678901 rally:read rally:write`
  2. Refresh Token Handling: Enable ‘offline_access’ scope in your Rally SA OAuth2 app settings. This is critical for getting refresh tokens:

scopes: offline_access workspace:12345678901 rally:read rally:write

  3. Jenkins Plugin Upgrade: Update to Jenkins Rally plugin 1.2.0 or later. This version includes automatic OAuth2 token refresh logic. The plugin will now detect token expiry (default 3600 seconds) and request a new token using the refresh token before making API calls.

  4. Token Expiry Configuration: In your Jenkinsfile, set the token refresh threshold:

rallyUpdate(
  apiKey: credentials('rally-oauth2'),
  tokenRefreshThreshold: 300,
  workspaceRef: '/workspace/12345678901'
)

The tokenRefreshThreshold: 300 tells the plugin to refresh the token 5 minutes before expiry.

  5. Credential Setup: In Jenkins, create a ‘Username with password’ credential where:
    • Username = OAuth2 client_id from Rally SA
    • Password = OAuth2 client_secret from Rally SA
    • ID = rally-oauth2 (or whatever you reference in your pipeline)

Testing Token Refresh: After configuration, test with a deliberately long-running pipeline (70+ minutes) to verify the token refreshes automatically. Monitor Jenkins console output for “Refreshing Rally OAuth2 token” messages.

Alternative for Older Plugin Versions: If you can’t upgrade the plugin immediately, add a manual token refresh step every 45 minutes in your pipeline:

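stage('Refresh Rally Token') {
  // Declarative pipelines require script blocks to sit inside steps
  steps {
    script {
      // withCredentials binds the client_id/client_secret for this block only
      withCredentials([usernamePassword(credentialsId: 'rally-oauth2',
                       usernameVariable: 'CLIENT_ID',
                       passwordVariable: 'CLIENT_SECRET')]) {
        // Request new token via Rally SA OAuth2 endpoint
        // Store in environment variable for subsequent steps
      }
    }
  }
}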

This approach resolved our 401 errors completely. Our deployments now run for 2+ hours without authentication issues. The key was enabling offline_access scope and upgrading to plugin 1.2.0 for automatic token refresh.
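The refresh-before-expiry behaviour described in this answer (3600-second token lifetime, 300-second threshold, refresh token obtained through offline_access), shown as an added example that is not part of the original post and is not the plugin's code. `RefreshingToken`, `TokenError`, the `request_token` transport callable and the `initial_grant` dict are hypothetical names; the token endpoint and the initial grant type are left to the caller because the thread does not give them.

```python
import time

class TokenError(Exception):
    """Raised by the transport when the token endpoint rejects a grant."""

class RefreshingToken:
    """Caches an access token and renews it `threshold` seconds before expiry."""

    def __init__(self, request_token, initial_grant, threshold=300, clock=time.monotonic):
        # request_token(grant: dict) -> dict is a hypothetical callable that sends the
        # grant to the OAuth2 token endpoint and returns the parsed JSON reply.
        # initial_grant is whatever first-time grant the deployment uses (assumption).
        self._request = request_token
        self._initial = dict(initial_grant)
        self._threshold = threshold
        self._clock = clock
        self._access = None
        self._refresh = None
        self._expires_at = 0.0

    def _store(self, reply):
        self._access = reply["access_token"]
        # Servers may rotate the refresh token on use, so keep the newest one.
        self._refresh = reply.get("refresh_token", self._refresh)
        self._expires_at = self._clock() + int(reply.get("expires_in", 3600))

    def get(self):
        """Return a token with more than `threshold` seconds of lifetime left."""
        if self._access and self._clock() < self._expires_at - self._threshold:
            return self._access
        if self._refresh:
            try:
                self._store(self._request({"grant_type": "refresh_token",
                                           "refresh_token": self._refresh}))
                return self._access
            except TokenError:
                self._refresh = None  # revoked or expired: fall back to a full grant
        self._store(self._request(self._initial))
        return self._access

    def invalidate(self):
        """Call after a 401 so the next get() renews instead of reusing the token."""
        self._expires_at = 0.0

    def __repr__(self):
        return "<RefreshingToken [redacted]>"  # keep token values out of console logs
```

Calling `get()` immediately before each API request, and `invalidate()` followed by a single retry on a 401, covers both scheduled expiry and early revocation.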

The ‘Rally API Key’ credential type in Jenkins is for legacy API keys, not OAuth2. You need to use ‘Username with password’ credential type where username is the OAuth2 client_id and password is the client_secret. However, this still doesn’t handle refresh tokens automatically in older plugin versions. We solved this by implementing a custom token refresh step in our Jenkinsfile that requests a new token before the Rally update step runs. It’s a workaround but effective for long-running pipelines.