Can't access SonarQube projects in web browsers: 403 Forbidden

I and some other users intermittently can’t access our Enterprise SonarQube server from a web browser. We get the “403 Forbidden” error.

I can’t tell you what version of SQ we’re using because I’m not an administrator and can’t access it right now.

The SQ admin within our company says it must be our browser sessions or something, as other users can access it. But if I delete the cookies for the server in my web browsers I still get 403. Weirdly, I can sometimes access it in one browser but not another. This is true with other users - but they might be able to access it in a different browser to me on that day.

But today I can’t access it in Chrome, Firefox or Edge from Windows 10, not even in incognito windows. I log into Microsoft and authenticate but then I just get 403 Forbidden.

This is a blocker for us as the Azure DevOps build is breaking because the SonarQube Quality Gate is failing, but we have no idea why! The SQ scans themselves appear to run fine.

What’s a common cause of this 403 error please? I’ll pursue with the SQ admin here too but I just wanted to know if this community has seen this before too.

Embarrassingly, I cleared the cookies for the SQ server in my Chrome browser, and then I was able to log in to SQ as usual - not only in Chrome, but also in Firefox and Edge, without having to clear their cookies first!

Although this worked for me today, clearing cookies hasn’t worked in the past, and ideally I shouldn’t have to keep doing this workaround anyway.

Does anyone know why the 403 Forbidden keeps re-occurring?

Looks like we’re using SQ 9.2.4.

Hey there.

  • What system are you using for authentication to your SonarQube server? Local authentication, LDAP, SAML, something else?
  • You may want to check the access.log file of your SonarQube server to make sure the 403 is actually being returned by SonarQube, and not something else (a reverse proxy sitting between you and your SonarQube server, for example)
  • Are there multiple SonarQube instances running in your organization (such as a test environment and a production environment)? I’ve seen issues before where a different environment tries to use the authentication cookies that were set by the other environment
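One way to carry out the access.log check suggested above, as an added example that is not part of the original reply: it counts the 403 responses SonarQube itself logged, grouped by request path and browser family. The log layout (a combined-style pattern, adjustable through `sonar.web.accessLogs.pattern`) and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed layout (combined-style): host ident user [time] "request" status bytes
# "referer" "user-agent" ...; adjust if sonar.web.accessLogs.pattern was changed.
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

# Constructed sample lines: addresses, paths and request ids are made up.
_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/97.0 Safari/537.36")
_FIREFOX = "Mozilla/5.0 (Windows NT 10.0; rv:96.0) Gecko/20100101 Firefox/96.0"
SAMPLE = [
    f'10.0.0.5 - - [12/Jan/2022:09:14:02 +0000] "GET /oauth2/callback/aad?code=x HTTP/1.1" 403 - "-" "{_CHROME}" "AX1"',
    f'10.0.0.7 - - [12/Jan/2022:09:14:09 +0000] "GET /dashboard?id=demo HTTP/1.1" 200 512 "-" "{_FIREFOX}" "AX2"',
    f'10.0.0.5 - - [12/Jan/2022:09:15:30 +0000] "GET /oauth2/callback/aad?code=y HTTP/1.1" 403 - "-" "{_CHROME} Edg/97.0" "AX3"',
    f'10.0.0.9 - - [12/Jan/2022:09:16:00 +0000] "GET /api/authentication/validate HTTP/1.1" 200 20 "-" "{_CHROME}" "AX4"',
    "truncated or foreign line",
]

def browser_family(agent):
    # Order matters: Edge's user agent also contains "Chrome/".
    for token, name in (("Edg/", "Edge"), ("Firefox/", "Firefox"), ("Chrome/", "Chrome")):
        if token in agent:
            return name
    return "other"

def summarize_403(lines):
    """Count logged 403s by path (query string dropped) and by browser family."""
    by_path, by_browser, unparsed = Counter(), Counter(), 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += bool(line.strip())  # surface lines the pattern missed
            continue
        if m["status"] == "403":
            by_path[m["path"].split("?", 1)[0]] += 1
            by_browser[browser_family(m["agent"])] += 1
    return {"by_path": by_path, "by_browser": by_browser, "unparsed": unparsed}

if __name__ == "__main__":
    print(summarize_403(SAMPLE))
```

A 403 seen in the browser with no matching entry in this summary for the same time window was returned by something in front of SonarQube rather than by SonarQube.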

Thanks Colin. Unfortunately I’m not sure of the answer to some of your questions so I’ll get back to you after I’ve caught up with the SQ admin here (who’s unfortunately in a very different timezone to me).

I’m pretty sure there’s only one SQ server instance though.

@Colin - here are the admin’s responses:

  • We use the Azure Active Directory (AAD) plugin for authentication.
  • The access logs confirm it’s SonarQube that’s returning the 403 errors. The admin also said “There is an App Gateway sitting in front of Sonarqube. It has a WAF and acts as the TLS endpoint. But App Gateways don’t do authentication or authorization.”
  • We have a single SQ instance.

Today again I can’t access SQ from Chrome, even after deleting the server cookies. One of my colleagues has similar issues to me - intermittent access or 403 errors from different browsers. But my other colleague on the same projects has no problem accessing the projects from Chrome, Firefox or Edge!