versions used (SonarQube, Scanner, Plugin, and any relevant extension)
error observed (wrap logs/code around triple quote ``` for proper formatting)
No error logged.
steps to reproduce
Follow the steps on Delegating Authentication | SonarQube Docs and then “Re-use GitHub PR decoration application”.
On logon user will always be assigned to the default sonar-users groups regardless of the teams settings on GitHub Enterprise.
Use the “Dedicated GitHub OAuth application” approach.
It would seem that the following statement is not true:
If you previously used a dedicated GitHub OAuth application for authentication, it can be removed.
Source: Delegating Authentication | SonarQube Docs
Are you saying that GitHub groups are completely ignored, and your users are only part of sonar-users? Or do you mean that your users have their groups, and on top of that, they keep having sonar-users, and aren’t removed from that group?
If the latter, this is expected:
membership in the default group sonar-users remains (this is a built-in group) even if the group does not exist in the identity provider
(as per the docs)
GitHub Enterprise groups are ignored and on each logon to SonarQube Developer edition the user logging on is assigned to the default sonar-users group and no other groups are present.
The corresponding GitHubs are created in SonarQube, but users on logon are not assigned to them as they are to corresponding teams in GitHub.
Hi, could you give us an example of group names that you try to match (exact name on GHE and SQ)? A common mistake is to forget the organization name in the SQ group. For example, to match the group developers which belongs to the SonarSource organization on GitHub, we created a SonarQube group SonarSource/developers (case sensitive).
To be really explicit here: to match groups, we do something equivalent to this call:
curl -H "Authorization: token Oauth2Token" https://api.github.com/user/teams
And to extract the groups, we build a string with "
slug. And we match that string with the exact SQ group name.
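The matching rule described in the reply above, as an added example that is not part of the original thread and is not SonarQube's own code. It assumes the group string is "<organization login>/<team slug>" (inferred from the SonarSource/developers example and the mention of the slug); the JSON is a constructed sample of a /user/teams response and ExampleOrg is a made-up organization.

```python
import json

# Constructed sample of a GET /user/teams response, trimmed to the fields used here.
SAMPLE_TEAMS_JSON = """
[
  {"name": "Developers", "slug": "developers", "organization": {"login": "SonarSource"}},
  {"name": "Back End", "slug": "back-end", "organization": {"login": "ExampleOrg"}}
]
"""

def expected_group_names(teams_json):
    """Build '<organization login>/<team slug>' for each team (assumed format)."""
    teams = json.loads(teams_json)
    return [f"{t['organization']['login']}/{t['slug']}" for t in teams]

def diagnose(teams_json, sonarqube_groups):
    """Classify each expected name against the groups defined in SonarQube."""
    sq = set(sonarqube_groups)
    sq_lower = {g.lower(): g for g in sonarqube_groups}
    report = {}
    for name in expected_group_names(teams_json):
        slug = name.split("/", 1)[1]
        if name in sq:
            report[name] = "match"  # exact, case-sensitive match
        elif name.lower() in sq_lower:
            report[name] = f"case mismatch with '{sq_lower[name.lower()]}'"
        elif slug in sq:
            report[name] = f"organization prefix missing on '{slug}'"
        else:
            report[name] = "no SonarQube group"
    return report

if __name__ == "__main__":
    # Constructed list of groups as they might be defined in SonarQube.
    groups = ["sonar-users", "sonarsource/developers", "back-end"]
    for name, status in diagnose(SAMPLE_TEAMS_JSON, groups).items():
        print(f"{name}: {status}")
```

If every expected name reports "match" and users still only land in sonar-users, the naming is not the cause and the next thing to compare is what the token in use actually returns from /user/teams.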
Yup, those match.
On our GitHub there is a team with
back-end and the organization login is
The group created on SonarQube is
Again, the whole thing works if you define a dedicated OAuth application in GitHub. It does not work when I want to re-use the GitHub PR decoration application.
Hi @pierreguillot and others,
Confirmed that our version 220.127.116.11397 is also showing the same behaviour. Dedicated OAuth app works while the GH App for PR decoration does not populate groups correctly.
Could you please activate the DEBUG logs, then authenticate on SonarQube with any user, and then search for the line starting with “List of groups returned by the identity provider” in the logs/web.log file?
Unfortunately I’m unable to do that as this Sonar instance is our production instance.