vaulttec/sonar-auth-oidc

Unable to create a new OIDC user with the Web API of SonarQube v8

Closed this issue · 2 comments

Hi

Is it possible to create with the Web API (or another way) a new user who will authenticate to SonarQube v8 with the OIDC plugin?

Our goal is to create users of SonarQube (among other tools) outside SonarQube.

With SQ 7.9 and OIDC plugin 1.04, we could create an account with the WebService API (/api/users/create), and as this account had the same login as the Open-ID one, the SQ and OIDC logins were merged the first time the user logged in to SQ (with the parameter “allow-users to sign-up” off).

Since SQ v8.0 and the “auto-generation of the login of a user using an Identity Provider” (https://jira.sonarsource.com/browse/SONAR-12475), it looks like the only way to create a new user is to log in from SonarQube (and with the parameter “allow OIDC users to sign up” on).

Regardless of the user precreated (not local, email) with the API, a new SQ user login needs to be created the first time the user wants to log in to SonarQube.
If an existing user already has the email of the Open-ID user, then a message indicates this email is already associated with this existing account and then asks whether the user wants to associate the email with his new account.

And then, if OIDC users are not allowed to sign up, he gets the following error message:

You're not authorized to access this page. Please contact the administrator.
Reason: 'oidc' users are not allowed to sign up.

So I would like to know how to precreate a SQ user that will log in via the OIDC plugin.

Thanks.

Starting with SQ 8 (due to SONAR-12475) it's not possible anymore to create users in SQ with a specific login name. This was the reason for creating v2.0 of this plugin with breaking API changes (details in #31).

Sorry, I've no clue how to pre-populate SQ 8+ with users which are aligned with other systems, e.g. IdPs (like Keycloak) or SCMs (like GitHub or GitLab) or enterprise directories (like Active Directory). With SONAR-12475 the username of the SQ user is always auto-generated and cannot be populated with an existing username like Active Directory's SAMAccountName.

Your question is a valid one. But this question can only be answered by SQ's devs. So how about creating a ticket in SQ's Jira or asking this question in SQ's user forum?

If you find a solution then please update this issue.

Hi, there is now another call to "migrate" a user to a new identity provider. So just create the user like this:

curl -n -i https://sonarqube.example.com/api/users/create -dlogin=ibitzi -dlocal=false -dname="Itzi Bitzi"
curl -n -i https://sonarqube.example.com/api/users/update_identity_provider -dlogin=ibitzi -dnewExternalProvider=oidc