vaulttec/sonar-auth-oidc

Analysis still possible with a token of deleted/disabled user.

Closed this issue · 3 comments

My environment:

  • Sonarqube 7.9.1
  • Keycloak 7.0.0

Scenario:

  • I log in to SonarQube with a user created in Keycloak.
  • I create a user token in SonarQube.
  • I delete the user in Keycloak.
  • I can still run a successful analysis using the user token:
mvn --batch-mode --no-transfer-progress sonar:sonar \
-Dsonar.host.url=https://sonarqube.********* \
-Dsonar.login=8c404c14b99b************

The user token is maintained by SonarQube. Keycloak is only involved during authentication - here the OIDC identity token (provided by Keycloak) contains the SonarQube user id.

So delete the SonarQube user and the corresponding user token is not usable any more.

And when using an auth token, no way in the plugin to check with the auth server that the user is still valid ?


Nope, the plugin is only called once by SonarQube - during authentication via OAuth2IdentityProvider.callback(). There's no other integration point with SonarQube used by the plugin.

Maybe you can open a feature request with SonarQube to extend their OAuth2IdentityProvider interface by another callback method to check with the IdP if the auth token is still valid. In this case SonarQube must store the auth token as well.
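Since the plugin has no hook to revalidate a user token against the IdP, the practical defence is the one given above: make the SonarQube account go away when the IdP account does. The following added script (not part of the plugin or of this thread) reconciles SonarQube's user list against a list of usernames still present in the IdP and deactivates the orphans, which is SonarQube's form of deleting a user and is what makes their tokens unusable. It assumes the provider key of this plugin is "oidc", that the SonarQube external identity equals the IdP username (the plugin's login mapping is configurable), and that the IdP username list is obtained separately, e.g. from the Keycloak admin API; `SAMPLE_*` values are constructed.

```python
"""Reconcile SonarQube users against the IdP so orphaned user tokens stop working."""
import base64
import json
import urllib.parse
import urllib.request


def find_orphaned_logins(sonar_users, idp_usernames, provider="oidc"):
    """Return active SonarQube logins that came from `provider` but whose external
    identity no longer exists in the IdP. Local accounts and other providers are skipped."""
    live = {u.lower() for u in idp_usernames}
    return sorted(
        u["login"]
        for u in sonar_users
        if u.get("active", True)
        and u.get("externalProvider") == provider
        and u.get("externalIdentity", "").lower() not in live
    )


def _auth_header(admin_token):
    # SonarQube accepts a user token as the basic-auth username with an empty password.
    return {"Authorization": "Basic " + base64.b64encode(f"{admin_token}:".encode()).decode()}


def list_sonar_users(base_url, admin_token, page_size=500):
    """Page through api/users/search (externalIdentity is only returned to admins)."""
    users, page = [], 1
    while True:
        query = urllib.parse.urlencode({"p": page, "ps": page_size})
        req = urllib.request.Request(f"{base_url}/api/users/search?{query}",
                                     headers=_auth_header(admin_token))
        with urllib.request.urlopen(req) as resp:
            data = json.load(resp)
        users.extend(data["users"])
        if page * page_size >= data["paging"]["total"]:
            return users
        page += 1


def deactivate(base_url, admin_token, login):
    """POST api/users/deactivate: the user's tokens are rejected once the user is inactive."""
    body = urllib.parse.urlencode({"login": login}).encode()
    req = urllib.request.Request(f"{base_url}/api/users/deactivate", data=body,
                                 headers=_auth_header(admin_token))
    with urllib.request.urlopen(req) as resp:
        return resp.status == 200


# Constructed sample data standing in for the SonarQube and IdP responses.
SAMPLE_SONAR_USERS = [
    {"login": "alice", "active": True, "externalProvider": "oidc", "externalIdentity": "alice"},
    {"login": "bob", "active": True, "externalProvider": "oidc", "externalIdentity": "bob"},
    {"login": "admin", "active": True, "externalProvider": "sonarqube", "externalIdentity": "admin"},
    {"login": "carol", "active": False, "externalProvider": "oidc", "externalIdentity": "carol"},
]
SAMPLE_IDP_USERNAMES = ["alice"]  # bob was deleted in Keycloak, carol is already inactive
```

Run `find_orphaned_logins(list_sonar_users(url, token), idp_usernames)` on a schedule and feed each result to `deactivate`; review the list before acting on it the first time, since a misconfigured login mapping would flag every user.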