vaulttec/sonar-auth-oidc

Keycloak group not synced when logged into sonar

Closed this issue · 10 comments

Sonar version 9.2
Plugin version 2.1.1

Keycloak is used as the OIDC provider
We have a user with a group and have added the group mapper.
We have a corresponding group in sonarqube too.

However, when the user logs into Sonar, his group is not synced and the user is placed in the sonar-users group.
With debug logging enabled we don't see any logs related to OIDC.
But I do see the following log repeatedly printed:
login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|10.128.0.2|10.118.48.4][login|]

Even though that log is printed, the user is able to log into SonarQube.
But I feel the above error indicates that the authentication process doesn't complete properly, hence the groups are not fetched.

With debug logging enabled we don't see any logs related to OIDC.

Is the plugin installed, enabled and configured properly? Is the plugin's login button (with auto-login disabled) visible in SQ?

Same problem! I had checked whether the plugin was installed, enabled and configured.
And the plugin's login button is visible.
I also created a mapper in the Keycloak IdP, but it still made no difference.
In fact, I have another question: the plugin cannot associate with a user that already exists in SonarQube.

Same problem! I had checked whether the plugin was installed, enabled and configured. And the plugin's login button is visible. I also created a mapper in the Keycloak IdP, but it still made no difference.

Please check SonarQube's debug log.

In fact, I have another question: the plugin cannot associate with a user that already exists in SonarQube.

Starting with SQ 8 (due to SONAR-12475) it's no longer possible to create users in SQ with a specific login name in order to associate them with an existing user. More details can be found in the comments to #41 or #42.

Please check SonarQube's debug log.

I checked SQ's debug log and found the records below.

2022.08.24 00:56:29 DEBUG web[AYLNWLF9BTuMz4k1AAAc][o.v.s.a.o.OidcClient] User info: {"at_hash":"ezSVbyWqV5xu51v9bytStA","sub":"f1277534-78c8-4664-af06-547d62afce9a","email_verified":false,"iss":"","typ":"ID","preferred_username":"","given_name":"fade","sid":"e31994a1-50fa-4ff6-bafc-255a38b67487","aud":"SonarQube-oidc","acr":"1","azp":"SonarQube-oidc","auth_time":1661302589,"name":"","exp":1661302889,"session_state":"e31994a1-50fa-4ff6-bafc-255a38b67487","iat":1661302589,"family_name":"","jti":"53c8cb6b-c497-419f-b3f3-2b57a8ba480a","email":"","group":"sonar-administrators"}
2022.08.24 00:56:29 DEBUG web[AYLNWLF9BTuMz4k1AAAc][o.v.s.a.o.OidcIdentityProvider] Authenticating user '' with groups []

As you can see, my custom claim group is at the end of the first line.
However, the second line shows that it authenticated the user with groups.
Here is a screenshot of my SQ configuration:
[image]
Any useful tips?

However, the second line shows that it authenticated user with groups.

It shows that no user login was generated by the plugin (empty single quotes). Which login generation strategy did you select in the plugin's settings? Depending on the selected login generation strategy your IdP must provide the required data in the UserInfo, e.g. preferred_username or email.

Sorry for disturbing you; I had deleted sensitive info when I commented. I can actually log in to SQ, I just cannot use the custom group claim.

I can actually log in to SQ, I just cannot use the custom group claim.

The groups claim is expected to be marshalled as a JSON string array (explained in #42). This also holds for a single group.

Support for groups claim marshalled as a JSON string (instead of a JSON string array) is implemented in #64.
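The two failure modes discussed in this thread, an empty login because the selected login generation strategy's source claim is missing, and a groups claim delivered as a bare JSON string instead of a string array, can be checked on the UserInfo payload before touching SonarQube. The helper below is an added example, not code from sonar-auth-oidc; it models the plugin's behaviour as described in the comments above (strict array-only before #64, string accepted after #64) rather than reproducing its implementation. The sample payloads are constructed from the redacted log line in this thread, and the `groups_strict`/`groups_lenient`/`diagnose` names, the `LOGIN_SOURCE_CLAIM` mapping and the Keycloak "full group path" normalisation are assumptions of this example.

```python
"""Sanity-check an OIDC UserInfo payload for the SonarQube OIDC plugin.

Hypothetical helper (not part of sonar-auth-oidc). It models two points from
the thread: the groups claim must be a JSON string array, and the login
generation strategy needs a non-empty source claim.
"""
import json

# Constructed sample modelled on the log line in this thread, where the
# reporter had redacted preferred_username/email and Keycloak emitted the
# group as a plain string.
USERINFO_STRING_GROUP = json.loads('''{
  "sub": "f1277534-78c8-4664-af06-547d62afce9a",
  "preferred_username": "",
  "email": "",
  "email_verified": false,
  "aud": "SonarQube-oidc",
  "group": "sonar-administrators"
}''')

# Constructed sample of the shape the plugin expects: a string array, plus
# populated login-source claims. Keycloak's Group Membership mapper emits
# full paths ("/name") when its "Full group path" option is on.
USERINFO_ARRAY_GROUP = {
    "sub": "f1277534-78c8-4664-af06-547d62afce9a",
    "preferred_username": "fade",
    "email": "fade@example.org",
    "email_verified": True,
    "aud": "SonarQube-oidc",
    "group": ["/sonar-administrators", "/sonar-users"],
}

# Assumed mapping from login generation strategy to the claim it reads,
# following the maintainer's comment above.
LOGIN_SOURCE_CLAIM = {
    "preferred_username": "preferred_username",
    "email": "email",
}


def groups_strict(userinfo, claim="groups"):
    """Model of the pre-#64 behaviour: only a JSON string array yields groups."""
    value = userinfo.get(claim)
    if not isinstance(value, list):
        return []
    return [g for g in value if isinstance(g, str) and g]


def groups_lenient(userinfo, claim="groups"):
    """Model of #64: a bare JSON string is treated as a one-element array."""
    value = userinfo.get(claim)
    if isinstance(value, str):
        value = [value]
    if not isinstance(value, list):
        return []
    return [g for g in value if isinstance(g, str) and g]


def normalize_keycloak_group(name):
    """Strip a Keycloak group path down to the leaf name SonarQube groups use."""
    return name.rsplit("/", 1)[-1]


def diagnose(userinfo, groups_claim, login_strategy):
    """Return human-readable findings; an empty list means the payload looks usable."""
    findings = []
    src = LOGIN_SOURCE_CLAIM[login_strategy]
    if not userinfo.get(src):
        findings.append(
            f"login strategy '{login_strategy}' needs a non-empty '{src}' claim; "
            f"without it the plugin logs an empty login ('')")
    raw = userinfo.get(groups_claim)
    if raw is None:
        findings.append(
            f"groups claim '{groups_claim}' is absent: check the IdP mapper "
            f"and the plugin's groups-claim setting")
    elif isinstance(raw, str):
        findings.append(
            f"groups claim '{groups_claim}' is a JSON string, not a string "
            f"array; plugin versions before #64 treat this as no groups")
    elif not isinstance(raw, list) or not all(isinstance(g, str) for g in raw):
        findings.append(
            f"groups claim '{groups_claim}' must be a JSON array of strings")
    return findings


if __name__ == "__main__":
    for label, payload in (("string", USERINFO_STRING_GROUP),
                           ("array", USERINFO_ARRAY_GROUP)):
        print(label, "strict:", groups_strict(payload, "group"),
              "lenient:", [normalize_keycloak_group(g)
                           for g in groups_lenient(payload, "group")])
        for finding in diagnose(payload, "group", "preferred_username"):
            print("  -", finding)
```

Run it against the JSON the plugin prints in its "User info:" debug line: if `diagnose` reports the string-shaped groups claim, either switch the Keycloak mapper to emit an array (the Group Membership mapper does this natively) or upgrade to a plugin build that includes #64.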

Thanks, I have tested it; it works.

Cool, then we can close this ticket as well 👍