Azure Front Door WAF managed policy conflict with GitHub OIDC

  • which versions are you using:
    SonarQube 9.9.1-enterprise

  • how is SonarQube deployed:
    Azure App Service (Docker)

  • what are you trying to achieve:
    Link SonarQube with GitHub through OIDC. The running App Service instance of SonarQube is accessed through a DNS name that is routed over Azure Front Door. On the Front Door, the Azure-managed WAF policies are active. Once these policies are active, logging in to SonarQube with GitHub is no longer possible unless I deactivate the policies again.

Error: “You are not authorized to view this page. Please contact Administrator.”

It looks like the active policies block the protocol or some header values that are used for the exchange between SonarQube and GitHub.

I’m using the Azure Default Rule Set 2.0.

  • what have you tried so far to achieve this:
    I tried disabling the Azure managed policies one by one to see which one causes the issue, and got a few steps further, but it kept blocking parts in later stages.

Do you have any recommendation for such a scenario, and can you help me find the policies that are causing this issue?
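One way to answer the "which policies" question from the logs rather than by toggling rule groups. This is an added example, not code from the original thread, from SonarSource or from Azure. It assumes the Azure Front Door WAF diagnostic-log layout (category FrontDoorWebApplicationFirewallLog, one JSON object per line with trackingReference, requestUri, ruleName, action and details.matches under properties), which is what you get when the Front Door profile's diagnostic settings are sent to Log Analytics or storage. Because DRS 2.0 is anomaly-scoring based, a single blocked callback shows up as several AnomalyScoring lines followed by one Block line, all sharing a trackingReference; grouping on that reference is what attributes the block to concrete rule IDs and request parameters. The sample log lines are constructed; the SonarQube callback path /oauth2/callback/github, the rule names, the parameter values and the prefix-to-exclusion mapping in EXCLUSION_VARIABLE are assumptions to verify against your own log lines before use.

```python
"""Attribute Azure Front Door WAF blocks to managed rule IDs and request parameters,
then derive narrowly scoped exclusion candidates (added example; log lines are constructed)."""
import json
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: one blocked GitHub login callback (three lines sharing
# trackingReference "ref-callback-1") and one unrelated request that only scored
# below the anomaly threshold (no Block line). Names and values are assumptions.
SAMPLE_LOG_LINES = r"""
{"category":"FrontDoorWebApplicationFirewallLog","properties":{"trackingReference":"ref-callback-1","requestUri":"https://sonar.example.test/oauth2/callback/github?code=2f8a1c&state=eyJhbGciOi-","ruleName":"Microsoft_DefaultRuleSet-2.0-SQLI-942430","action":"AnomalyScoring","policy":"sonar-waf","policyMode":"prevention","details":{"matches":[{"matchVariableName":"QueryParamValue:state","matchVariableValue":"eyJhbGciOi-"}],"msg":"Restricted SQL Character Anomaly Detection (args)"}}}
{"category":"FrontDoorWebApplicationFirewallLog","properties":{"trackingReference":"ref-callback-1","requestUri":"https://sonar.example.test/oauth2/callback/github?code=2f8a1c&state=eyJhbGciOi-","ruleName":"Microsoft_DefaultRuleSet-2.0-SQLI-942440","action":"AnomalyScoring","policy":"sonar-waf","policyMode":"prevention","details":{"matches":[{"matchVariableName":"QueryParamValue:code","matchVariableValue":"2f8a1c"}],"msg":"SQL Comment Sequence Detected"}}}
{"category":"FrontDoorWebApplicationFirewallLog","properties":{"trackingReference":"ref-callback-1","requestUri":"https://sonar.example.test/oauth2/callback/github?code=2f8a1c&state=eyJhbGciOi-","ruleName":"Microsoft_DefaultRuleSet-2.0-BLOCK","action":"Block","policy":"sonar-waf","policyMode":"prevention","details":{"matches":[],"msg":"Inbound Anomaly Score Exceeded"}}}
{"category":"FrontDoorWebApplicationFirewallLog","properties":{"trackingReference":"ref-api-1","requestUri":"https://sonar.example.test/api/system/status","ruleName":"Microsoft_DefaultRuleSet-2.0-PROTOCOL-ENFORCEMENT-920300","action":"AnomalyScoring","policy":"sonar-waf","policyMode":"prevention","details":{"matches":[],"msg":"Request Missing an Accept Header"}}}
"""

# Managed rule names end in the CRS-style six-digit rule ID; the final decision line does not.
RULE_ID_RE = re.compile(r"-(\d{6})$")

# Log matchVariableName prefix -> matchVariable value of a managed-rule exclusion in the
# WAF policy. Assumed mapping: confirm the prefixes against your own log lines.
EXCLUSION_VARIABLE = {
    "QueryParamValue": "QueryStringArgNames",
    "HeaderValue": "RequestHeaderNames",
    "CookieValue": "RequestCookieNames",
    "PostParamValue": "RequestBodyPostArgNames",
}


def parse_waf_log(text):
    """Return the 'properties' object of every WAF log line (other categories are skipped)."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        if entry.get("category") == "FrontDoorWebApplicationFirewallLog":
            records.append(entry["properties"])
    return records


def rule_id(rule_name):
    """'Microsoft_DefaultRuleSet-2.0-SQLI-942430' -> '942430'; decision lines -> None."""
    m = RULE_ID_RE.search(rule_name or "")
    return m.group(1) if m else None


def blocked_requests(records):
    """Group lines by trackingReference and keep only requests with a final Block decision.

    Returns {trackingReference: {"path": str, "rules": [(rule_id, matchVariableName, msg), ...]}}.
    AnomalyScoring hits without a Block line stay below the threshold and are ignored.
    """
    by_ref = defaultdict(list)
    for rec in records:
        by_ref[rec["trackingReference"]].append(rec)
    result = {}
    for ref, recs in by_ref.items():
        if not any(r.get("action") == "Block" for r in recs):
            continue
        rules = []
        for r in recs:
            rid = rule_id(r.get("ruleName"))
            if rid is None:
                continue
            details = r.get("details", {})
            for m in details.get("matches") or [{}]:
                rules.append((rid, m.get("matchVariableName"), details.get("msg")))
        result[ref] = {"path": urlsplit(recs[0]["requestUri"]).path, "rules": rules}
    return result


def suggest_exclusions(blocked):
    """One exclusion per (rule, argument) pair, so the rule stays active everywhere else."""
    seen, exclusions = set(), []
    for info in blocked.values():
        for rid, var_name, _msg in info["rules"]:
            if not var_name or ":" not in var_name:
                continue
            prefix, selector = var_name.split(":", 1)
            match_variable = EXCLUSION_VARIABLE.get(prefix)
            if match_variable is None or (rid, match_variable, selector) in seen:
                continue
            seen.add((rid, match_variable, selector))
            exclusions.append({"ruleId": rid, "matchVariable": match_variable,
                               "selectorMatchOperator": "Equals", "selector": selector})
    return exclusions


def analyze(text):
    blocked = blocked_requests(parse_waf_log(text))
    return blocked, suggest_exclusions(blocked)


if __name__ == "__main__":
    blocked, exclusions = analyze(SAMPLE_LOG_LINES)
    for ref, info in blocked.items():
        ids = ", ".join(sorted({rid for rid, _, _ in info["rules"]}))
        print(f"{ref}: {info['path']} blocked; contributing rules: {ids}")
    print(json.dumps(exclusions, indent=2))
```

Run against an export of your own log lines instead of SAMPLE_LOG_LINES. The output is meant to be applied as managed-rule exclusions (rule ID plus the specific query-string argument) on the DRS 2.0 rule set in the WAF policy, which keeps the rule enforced for every other request, unlike disabling a whole rule group; if the WAF is in prevention mode, you can also switch the policy to detection mode briefly so every hit of the login flow is logged in one pass.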

Hey there.

Is it that you’re using GitHub - vaulttec/sonar-auth-oidc: OpenID Connect (OIDC) Plugin for SonarQube, or are you using a GitHub App for the authentication?

Hi Colin,

I guess the first one.
Basically, in SonarQube, from the menu bar select “Administration” and then in the sidebar select “Authentication”. There I selected the “GitHub” tab and enabled the needed configs to connect to a GitHub organisation.

In that case, I would suggest raising an issue with the maintainer, as they are handling that interface between SonarQube and GitHub/OIDC. Issues · vaulttec/sonar-auth-oidc · GitHub

Hi Colin,
I had to cross-check; we actually do use a GitHub App. What I explained in the previous comment actually matches exactly what is explained in the URL you shared about GitHub Apps.
What would be your suggestion then to proceed?
Thanks, F