Difference between entering credentials and token value while connecting to SonarQube

security
sonarlint
authentication
tokens

(Andrews) #1

Hey,
While connecting to the SonarQube server through various IDEs, we get two options to connect to it, i.e., either enter your username/password or enter the token value. I want to know what the difference is between the two, because both are unique to an individual?

Thanks,
Andrew


(Nicolas Bontoux) #2

Hey Andrew,

That is correct; however, both are not unique to SonarQube specifically:

  • the token is: it’s defined in SonarQube, only makes sense for SonarQube considerations
  • the username/password pair is not: imagine if you’re using LDAP integration, then credentials are not specific to SonarQube, they can let you into many other applications

Hence the very existence of tokens, as a security best practice (independently from SonarQube). It’s in fact recommended to use tokens for any external integration, as you can revoke them anytime if something bad happens (contrary to credentials, which you might use in other applications).