GitLab ALM Integration error

I’ve just configured GitLab Authentication for SonarQube 8.4 and am running GitLab 13.1.
When I hit the link to “Log in with GitLab”, I get:

### An error has occurred

The requested scope is invalid, unknown, or malformed.

As per instructions, I configured a “SonarQube” application from within GitLab’s admin section using:
Application: SonarQube
Application ID: [masked]
Secret: [masked]
Callback URL: http://[sonarqube base url]/oauth2/callback/gitlab
(Note: haven’t switched SonarQube to https yet)
Trusted: Y
Confidential: Y
Scopes: api (Access the authenticated user’s API)

The application ID and secret were then entered into the sonarqube side at admin > config > general > ALM > GitLab
I also checked “enabled” and entered our GitLab URL

What is potentially wrong here?

I increased the scope of permissions granted to the sonarqube application within gitlab. Following this change, logging into sonarqube via gitlab authentication started working. This indicates that there is a bug in sonarqube’s documentation on the required api scope of this feature simply being API access (this is clearly not true).

Hello @mlanders ,

I’m glad you have figured it out!

The docs are actually correct about Scopes, although they seem to provide some confusion in terms of wording as they start from groups sync rather than authentication.

> Under Scopes, select api if you plan to enable group synchronization. You can instead select read_user if you only plan to delegate authentication.

So if you wanted to enable authentication only you should have read_user scope only. If you additionally wanted groups sync you should add api scope additionally, which means you should have both scopes.

I have created a ticket on our side, to make that point clear in docs: SONAR-13616

@jacek.poreda I had granted the api scope initially and it didn’t work (This is what my original post says). After adding additional undocumented scopes, it worked. The sonar documentation seems to be wrong.

Could you list what scopes you added then?

I’ve tested it locally, and using read_user scope allowed me to log in. Have you tried with only this permission or with both read_user and api?
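
One way to check the scope mismatch discussed in this thread, as an added example (not code from the posters or from SonarQube): take the authorize URL the browser is sent to after clicking "Log in with GitLab", read its `scope` parameter, and compare it with the scopes ticked on the GitLab application. The host names, the sample URL and the function names are constructed for illustration, and the exact-name comparison is an assumption about how the provider validates scopes.

```python
from urllib.parse import urlsplit, parse_qs


def requested_scopes(authorize_url):
    """Return the set of scopes carried by an OAuth 2.0 authorization URL."""
    query = parse_qs(urlsplit(authorize_url).query)
    # RFC 6749 section 3.3: scopes are a space-delimited list in one parameter
    # (parse_qs already decodes '+' and '%20' to spaces).
    return set(" ".join(query.get("scope", [])).split())


def check_scopes(authorize_url, application_scopes):
    """Compare the requested scopes with those granted to the application.

    Returns (ok, missing). Assumption: a requested scope must be ticked on
    the application under exactly that name, so 'api' does not stand in
    for 'read_user'.
    """
    missing = sorted(requested_scopes(authorize_url) - set(application_scopes))
    return (not missing, missing)


# Constructed sample: an authentication-only login (group sync off), which
# per the documentation quoted in the thread needs the read_user scope.
SAMPLE_URL = (
    "https://gitlab.example.com/oauth/authorize"
    "?response_type=code"
    "&client_id=PLACEHOLDER_APPLICATION_ID"
    "&redirect_uri=http%3A%2F%2Fsonarqube.example.com%2Foauth2%2Fcallback%2Fgitlab"
    "&scope=read_user"
)

if __name__ == "__main__":
    # Application configurations to compare against the request.
    for granted in (["api"], ["read_user"], ["api", "read_user"]):
        ok, missing = check_scopes(SAMPLE_URL, granted)
        verdict = "accepted" if ok else "invalid scope, missing: " + ", ".join(missing)
        print(f"application scopes {granted}: {verdict}")
```
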