vaulttec/sonar-auth-oidc

Can't authorize under existing user

evgeniy-kharchenko opened this issue · 3 comments

Hi Everybody,
I have a Keycloak instance of version 9.0.3 and SonarQube 7.9.3.LTS.
This is the configuration on the Keycloak side:
image
image
This is the configuration on the SonarQube side:
image
image
image
image
When I try to authorize under my account I face:
image
It seems that the system thinks that I'm a new user, but I want to log in under the existing one.
How can I resolve the issue?

Thanks in advance!

Which version of the plugin are you using?

Version 2+ of this plugin is built for SonarQube version 8+ which does not support authenticating with external identity providers for existing users (Login generation strategy: Preferred username) any more. SonarSource disabled the corresponding API implementation. Please check the corresponding release notes for further details.

So for SonarQube version 7.x you could stay with version 1.x of this plugin. But after upgrading to SQ v8+ this plugin version will not work anymore.

Hi Torsten Juergeleit,
Thank you for your answer.

First, I downloaded the "sonar-auth-oidc-plugin-2.0.0.jar" version of the plugin.

A few minutes ago I installed sonar-auth-oidc-plugin-1.1.0.jar.
And now when I try to log in I see:
image

Just to clarify (sorry for my misunderstanding): Does the plugin sonar-auth-oidc-plugin-1.1.0.jar support signing in under an existing user?

It looks like Sonar thinks that I'm a new user... again.
What am I doing wrong?

(Login generation strategy: Preferred username) doesn't work any more since SonarQube 8?

I didn't read your detailed description thoroughly and jumped to the wrong conclusion. Sorry about that.

SonarQube's OAuth2IdentityProvider API (which is used by this plugin) is not able to associate existing (internally managed) user identities with identities managed by an external identity provider adequately. The plugin's login generation strategy option (used to generate the corresponding SQ username) is only a kludge (which is totally useless since the API change SONAR-12475 introduced in SQ 8).

So, no, you can't safely link existing user accounts with the user accounts created by the plugin's implementation of OAuth2IdentityProvider. To omit SQ's account association dialog (as shown in one of your screenshots) the plugin would need a login generation strategy which adheres to the exact username creation strategy of your existing accounts. SQ can only best-guess by the email address which accounts are related.

And starting with SQ 8+ pre-creating user accounts with usernames which are supported by the plugin's login generation strategy is not possible any more.