GitLab auth broken after migration from 10.4 to 10.5

Must-share information (formatted with Markdown):

  • which versions are you using: SonarQube 10.5, upgrading from 10.4.
  • how is SonarQube deployed: Docker
  • what are you trying to achieve: login with GitLab accounts
  • what have you tried so far to achieve this: Re-registering the GitLab application according to the SonarQube docs, creating a new GitLab application with a new application ID + secret, increasing the scopes of the application within GitLab beyond “api”, “read_api” and “read_user”

After switching from 10.4 to 10.5 (no additional changes whatsoever, just using the latest community Docker image), GitLab-based authentication is not working any more. The stacktrace in SonarQube:

```
2024.04.17 09:36:34 WARN  web[fc2f94bc-48d6-4321-a6a2-4f41c04df002][o.s.s.a.AuthenticationError] Fail to callback authentication with 'gitlab'
java.lang.IllegalStateException: Fail to execute request 'https://git.XXXX.de/api/v4/groups?min_access_level=10&per_page=100'. HTTP code: 403, response: {"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api read_api"}
        at org.sonar.auth.OAuthRestClient.unexpectedResponseCode(OAuthRestClient.java:103)
        at org.sonar.auth.OAuthRestClient.executeRequest(OAuthRestClient.java:54)
        at org.sonar.auth.OAuthRestClient.readPage(OAuthRestClient.java:77)
        at org.sonar.auth.OAuthRestClient.executePaginatedRequest(OAuthRestClient.java:67)
        at org.sonar.auth.gitlab.GitLabRestClient.getGroups(GitLabRestClient.java:47)
        at org.sonar.auth.gitlab.GitLabIdentityProvider.getGroups(GitLabIdentityProvider.java:156)
        at org.sonar.auth.gitlab.GitLabIdentityProvider.onCallback(GitLabIdentityProvider.java:128)
        at org.sonar.auth.gitlab.GitLabIdentityProvider.callback(GitLabIdentityProvider.java:104)
        at org.sonar.server.authentication.OAuth2CallbackFilter.handleOAuth2Provider(OAuth2CallbackFilter.java:87)
        at org.sonar.server.authentication.OAuth2CallbackFilter.handleProvider(OAuth2CallbackFilter.java:70)
        at org.sonar.server.authentication.OAuth2CallbackFilter.doFilter(OAuth2CallbackFilter.java:63)
        at org.sonar.server.platform.web.MasterServletFilter$JavaxFilterAdapter.doFilter(MasterServletFilter.java:227)
        at org.sonar.server.platform.web.MasterServletFilter$GodFilterChain.doFilter(MasterServletFilter.java:198)
        at org.sonar.server.platform.web.MasterServletFilter$HttpFilterChainAdapter.doFilter(MasterServletFilter.java:241)
        at org.sonar.server.authentication.DefaultAdminCredentialsVerifierFilter.doFilter(DefaultAdminCredentialsVerifierFilter.java:83)
```

Our setup did not change at all beyond “using the latest docker image”.
Granting all privileges on the GitLab side for that application does not help.
Executing the URL provided in the logs looks fine.

I suspect some regression in that area, but I couldn't find details in the changelog.
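
A small triage helper for log lines like the one in the post above, added here as an example (it is not SonarQube's code and not from the thread): it pulls the endpoint, HTTP status and OAuth error out of the `Fail to execute request` message. The function names are hypothetical, and the sample line is copied from the posted trace with the host still redacted.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Sample input: the exception message from the trace above, host redacted as posted.
SAMPLE = (
    "java.lang.IllegalStateException: Fail to execute request "
    "'https://git.XXXX.de/api/v4/groups?min_access_level=10&per_page=100'. "
    'HTTP code: 403, response: {"error":"insufficient_scope",'
    '"error_description":"The request requires higher privileges than '
    'provided by the access token.","scope":"api read_api"}'
)

LINE_RE = re.compile(
    r"Fail to execute request '(?P<url>[^']+)'\. "
    r"HTTP code: (?P<status>\d{3}), response: (?P<body>.*)$"
)


def triage(line):
    """Describe an OAuth REST failure line, or return None if it does not match."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    parts = urlsplit(m["url"])
    result = {
        "host": parts.netloc,
        "path": parts.path,
        "query": {k: v[0] for k, v in parse_qs(parts.query).items()},
        "status": int(m["status"]),
        "error": None,
        "needed_scopes": [],
    }
    try:
        body = json.loads(m["body"])
    except json.JSONDecodeError:
        return result  # non-JSON body (e.g. a proxy error page): URL and status only
    if isinstance(body, dict):
        result["error"] = body.get("error")
        # RFC 6750 section 3: with insufficient_scope, "scope" names what the resource needs.
        result["needed_scopes"] = str(body.get("scope", "")).split()
    return result


def is_scope_failure(info):
    """True when the parsed line is a 403 caused by a token lacking scope."""
    return bool(info) and info["status"] == 403 and info["error"] == "insufficient_scope"
```

Comparing `needed_scopes` with the scopes actually granted to the token separates a token-side scope problem from a network or proxy failure, which would show a different status and no OAuth error.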

Hey there.

10.5.1 is on the way (SONAR-22088)

See also here: Gitlab authentication with release 10.5.0.89998

Oh, sorry, didn't see that.

Please close this as a duplicate, I will keep an eye out for 10.5.1.

Thanks for the swift reply!

Hi, when is 10.5.1 going to be released?

I’ve just tested 10.5.1 today and GitLab login works OK. Thanks.