Github Enterprise groups not propagated to SonarQube Developer edition when using GitHub PR decoration application

  • versions used (SonarQube, Scanner, Plugin, and any relevant extension)
    SQ: 8.3.0.34182

  • error observed (wrap logs/code around triple quote ``` for proper formatting)
    No error logged.

  • steps to reproduce
    Follow the steps on https://docs.sonarqube.org/latest/instance-administration/delegated-auth/ and then “Re-use GitHub PR decoration application”.
    On logon, the user will always be assigned to the default sonar-users group regardless of the team settings on GitHub Enterprise.

  • potential workaround
    Use the “Dedicated GitHub OAuth application” approach.

It would seem that the following statement is not true:

If you previously used a dedicated GitHub OAuth application for authentication, it can be removed.
Source: https://docs.sonarqube.org/latest/instance-administration/delegated-auth/

Hi @blazejpawlak,

Are you saying that GitHub groups are completely ignored, and your users are only part of sonar-users? Or do you mean that your users have their groups, and on top of that, they keep having sonar-users, and aren’t removed from that group?

If the latter, this is expected:

membership in the default group sonar-users remains (this is a built-in group) even if the group does not exist in the identity provider
(as per the docs)

Hi @Wouter_Admiraal,

GitHub Enterprise groups are ignored and on each logon to SonarQube Developer edition the user logging on is assigned to the default sonar-users group and no other groups are present.
The corresponding GitHubs are created in SonarQube, but users on logon are not assigned to them as they are to corresponding teams in Github.

Hi, could you give us an example of group names that you try to match (exact name on GHE and SQ)? A common mistake is to forget the organization name in the SQ group. For example, to match the group developers which belong to the SonarSource organization on Github, we created a SonarQube group SonarSource/developers (case sensitive).

To be really explicit here: to match groups, we do something equivalent to this call:

curl -H "Authorization: token Oauth2Token" https://api.github.com/user/teams

And to extract the groups, we build a string with "organization.login + / + slug". And we match that string with the exact SQ group name.
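
The matching rule described above, as an added example that is not part of the original post or SonarQube's own code: it builds organization.login/slug from a /user/teams response and compares the result, case-sensitively, against SonarQube group names, flagging the two common naming mistakes. The sample response, the group list and the function names are constructed for illustration.

```python
import json

# Constructed sample of a GET /user/teams response, trimmed to the fields used.
SAMPLE_TEAMS_JSON = """
[
  {"name": "Back End", "slug": "back-end", "organization": {"login": "sc"}},
  {"name": "Developers", "slug": "developers", "organization": {"login": "SonarSource"}},
  {"name": "Ops", "slug": "ops", "organization": {"login": "sc"}}
]
"""

# Constructed list of group names as they might exist in SonarQube.
SAMPLE_SQ_GROUPS = ["sonar-users", "sc/back-end", "sonarsource/developers", "ops"]


def idp_group_names(teams):
    """Build "organization.login/slug" for every team in the response."""
    return [f'{t["organization"]["login"]}/{t["slug"]}' for t in teams]


def diagnose(teams, sq_groups):
    """Classify each team-derived name against the SonarQube group list."""
    exact = set(sq_groups)
    by_lower = {g.lower(): g for g in sq_groups}
    report = {"matched": [], "case_mismatch": [],
              "missing_org_prefix": [], "no_group": []}
    for team, name in zip(teams, idp_group_names(teams)):
        if name in exact:
            # Exact, case-sensitive match: membership would be synchronised.
            report["matched"].append(name)
        elif name.lower() in by_lower:
            # Same name with different casing: no match.
            report["case_mismatch"].append((name, by_lower[name.lower()]))
        elif team["slug"] in exact:
            # Group exists but was created without the organization prefix.
            report["missing_org_prefix"].append((name, team["slug"]))
        else:
            report["no_group"].append(name)
    return report


if __name__ == "__main__":
    teams = json.loads(SAMPLE_TEAMS_JSON)
    for kind, items in diagnose(teams, SAMPLE_SQ_GROUPS).items():
        print(f"{kind}: {items}")
```
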

Hi @pierreguillot,

Yup, those match.
On our GitHub there is a team with slug back-end and the organization login is sc.
The group created on SonarQube is sc/back-end.

Again, the whole thing works if you define a dedicated OAuth application in GitHub. It does not work when I want to re-use the GitHub PR decoration application.

Hi @pierreguillot and others,

Confirmed that our version 8.3.1.34397 is also showing the same behaviour. Dedicated OAuth app works while the GH App for PR decoration does not populate groups correctly.

Hi,

Could you please activate the DEBUG logs, then authenticate on SonarQube with any user, and then search for the line starting with “List of groups returned by the identity provider” in the logs/web.log file?

Thanks

Hi,

Unfortunately I’m unable to do that as this Sonar instance is our production instance.

Regards,
Blaze