GitHub authentication and provisioning

Hi,

I'm using SonarQube Community Build version v25.1.0.102122 installed in a Kubernetes cluster via Helm.

Everything works well except GitHub authentication. I configured a GitHub App as explained in GitHub authentication | SonarQube Community Build Documentation.

I installed the GitHub App in several organizations. I keep just one organization in the Sonar configuration, and users that belong to this organization can log in to SonarQube. I added a new organization (with the GitHub App installed) and Sonar can retrieve the data from both organizations ("Configuration is valid for Just-in-Time provisioning. 2 organizations will be synced."), but users that don't belong to this organization can't log in. If I remove the organization from Sonar, they can log in again.

It seems that Sonar can't allow more than one organization. What I see in the logs is that Sonar is trying to get data from GitHub and it's returning a 403 error:

2025.07.09 09:01:45 WARN  web[][o.s.a.c.GenericApplicationHttpClient] GET response did not have expected HTTP code (was 401): {"message":"A JSON web token could not be decoded","documentation_url":"https://docs.github.com/rest","status":"401"}
2025.07.09 09:06:10 WARN  web[60b34d6e-90c8-419e-91dd-9f2268b19968][o.s.s.a.AuthenticationError]  Fail to callback authentication with 'github'
java.lang.IllegalStateException: Fail to execute request 'https://api.github.com/orgs/organization2/members/usergithub01'. HTTP code: 403, response: {"message":"Resource protected by organization SAML enforcement. You must grant your OAuth token access to this organization.","documentation_url":"https://docs.github.com/articles/authenticating-to-a-github-organization-with-saml-single-sign-on/","status":"403"}
	at org.sonar.auth.github.GitHubRestClient.unexpectedResponseCode(GitHubRestClient.java:95)
	at org.sonar.auth.github.GitHubRestClient.isOrganizationMember(GitHubRestClient.java:90)
	at org.sonar.auth.github.GitHubIdentityProvider.isOrganizationsMember(GitHubIdentityProvider.java:165)
	at org.sonar.auth.github.GitHubIdentityProvider.isUserAuthorized(GitHubIdentityProvider.java:153)
	at org.sonar.auth.github.GitHubIdentityProvider.check(GitHubIdentityProvider.java:143)
	at org.sonar.auth.github.GitHubIdentityProvider.onCallback(GitHubIdentityProvider.java:126)
	at org.sonar.auth.github.GitHubIdentityProvider.callback(GitHubIdentityProvider.java:107)

User usergithub01 belongs to organization1, but it's asking for organization2.

Any ideas?

Thanks

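The stack trace above shows the membership check being done per organization (isOrganizationsMember calling GET /orgs/{org}/members/{user}) and aborting on the first 403. The script below is an added example, not SonarQube's code, that models that loop against a constructed stand-in for api.github.com and contrasts a fail-fast loop with one that treats a "SAML enforcement" 403 on an organization the user has not authorized the token for as "not a member of that org" and moves on. The status codes (204 member, 302/404 not a member) are the ones documented for that endpoint; the organization query order (organization2 before organization1) and the FakeGitHub response table are assumptions made to reproduce the failure in the log.

```python
"""Org-membership check across several GitHub organizations.

Added example (not SonarQube's code). Models GET /orgs/{org}/members/{user}
across a list of organizations, with two strategies for an unexpected status.
"""
import json

# Documented results of GET /orgs/{org}/members/{username}:
# 204 -> member; 302 or 404 -> not a member (which one depends on whether the
# caller is itself an org member). Anything else is unexpected.
MEMBER = 204
NOT_MEMBER = {302, 404}
SAML_MESSAGE = "Resource protected by organization SAML enforcement"


class FakeGitHub:
    """Constructed stand-in for api.github.com: maps (org, user) to a response."""

    def __init__(self, table):
        self.table = table

    def get(self, path):
        # path looks like /orgs/{org}/members/{user}
        parts = path.strip("/").split("/")
        org, user = parts[1], parts[3]
        return self.table.get((org, user), (404, {}))


def is_saml_blocked(status, body):
    """True for the 403 GitHub returns when the OAuth token is not authorized for a SAML org."""
    return status == 403 and SAML_MESSAGE in body.get("message", "")


def is_member_fail_fast(client, orgs, user):
    """Raise on any status other than 204/302/404, reproducing the error in the log."""
    for org in orgs:
        status, body = client.get(f"/orgs/{org}/members/{user}")
        if status == MEMBER:
            return True
        if status in NOT_MEMBER:
            continue
        raise RuntimeError(
            f"GET /orgs/{org}/members/{user}: HTTP code: {status}, response: {json.dumps(body)}"
        )
    return False


def is_member_tolerant(client, orgs, user):
    """Treat a SAML-enforcement 403 as 'not a member of this org' and keep checking the rest."""
    for org in orgs:
        status, body = client.get(f"/orgs/{org}/members/{user}")
        if status == MEMBER:
            return True
        if status in NOT_MEMBER or is_saml_blocked(status, body):
            continue  # fail closed for this org only, not for the whole login
        raise RuntimeError(
            f"GET /orgs/{org}/members/{user}: HTTP code: {status}, response: {json.dumps(body)}"
        )
    return False


def run_scenario(client, orgs, user):
    """Run both strategies and return their outcomes as strings."""
    try:
        fail_fast = "member" if is_member_fail_fast(client, orgs, user) else "not member"
    except RuntimeError as exc:
        fail_fast = f"error: {exc}"
    tolerant = "member" if is_member_tolerant(client, orgs, user) else "not member"
    return {"fail_fast": fail_fast, "tolerant": tolerant}


# Constructed scenario mirroring the log: usergithub01 is a member of organization1,
# and organization2 is SAML-enforced with no token authorization for this user.
GITHUB = FakeGitHub({
    ("organization1", "usergithub01"): (204, {}),
    ("organization2", "usergithub01"): (403, {
        "message": SAML_MESSAGE + ". You must grant your OAuth token access to this organization.",
        "status": "403",
    }),
})
ORGS = ["organization2", "organization1"]  # assumed order: the SAML org is queried first

if __name__ == "__main__":
    for strategy, outcome in run_scenario(GITHUB, ORGS, "usergithub01").items():
        print(f"{strategy}: {outcome}")
```

With the assumed order the fail-fast loop errors out on organization2 and the user is never checked against organization1, while the tolerant loop skips organization2 and admits the user through organization1. The trade-off of the tolerant variant is that a user who really is a member of a SAML-enforced org but has not authorized the OAuth token for it is also treated as a non-member of that org, which is fail-closed per organization rather than a denial of the whole login.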

Hi,

Welcome to the community!

I’m looking at the docs:

Step 4: If your GitHub App is public, it is important that you enter the allowed organizations in the Organizations field.

Warning: For automatic provisioning, not entering the allowed organizations for a public App can let undesired users authenticate to your SonarQube Server instance, as public GitHub Apps can be installed by anyone.

When using Just-in-Time provisioning, if the allowed organizations are not entered, any user with a GitHub account can log in to the SonarQube Server instance, even if the GitHub App used for authentication is private.

What I take from this is that explicitly listing any organizations means that only those org members can log in. Can you try leaving the org list blank?

Ann

Hi Ann,

Thank you. I've tried this, and in Administration –> Configuration –> General Settings –> Authentication –> GitHub I can see the message "Configuration is valid for Just-in-Time provisioning. 5 organizations will be synced", which is correct because the GitHub App is installed in those 5 organizations. The problem is when a user that only belongs to one of these organizations tries to log in: it's checking that the user belongs to one of the organizations that they don't belong to, calling the GitHub API, https://api.github.com/orgs/organizationName/members/usergithub01 (see log), and it's failing.
If I only keep one organization and the user belongs to this organization, it works like a charm.

Thanks.

Regards

Hi,

And what happens if you leave the organizations field blank?

Ann

Hi,

The same thing happens. Sonar gets all organizations where my GitHub App is installed, and when a user tries to log in, if they don't belong to one of the organizations, they can't log in to the system.
As a workaround, I created one organization for Sonar users and I sync only this organization in Sonar. It's a shame because I have to remember to add every new user to this organization, but it's the only way I can make it work.

regards.

Hi,

Okay, thanks for trying that. I’m going to flag this for more expert eyes.

Ann

Hi @javiuria,

This problem should not exist in the latest SonarQube Server version. It was also backported to SonarQube Server 2025.1.1.

Could you retry with one of these versions?

Thanks in advance,
Aurélien


Seeing that you're using Community Build…

I suggest you upgrade to 25.7!