GitLab auth problems in 9.9 after using auth plugin in previous version

Hi, good morning. I had a problem implementing authentication with GitLab, which I describe here.

We are migrating from SonarQube version 7.9 to version 9.9, so I tried Sonar 9.9 without updating and checked that GitLab authentication was working fine, among other things. I did the update from 7.9 → 8.9 → 9.9 and apparently everything went fine. When incorporating authentication with GitLab and trying to log in, this appears on the screen:

You are not authorized to access this page. Contact the administrator.
Reason: Failed to authenticate with login ‘user.name’

I tried to follow the solutions from other threads with this message.
I corrected the config URL in GitLab and SonarQube, but apparently nothing works.

I attach the logs:

- - [21/mar./2023:12:50:04 -0700] "GET /sessions/init/gitlab?return_to=%2Fprojects HTTP/1.1" 302 - "http://url/sessions/new?return_to=%2Fprojects" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "AYcFtSIHcFPZmRT/AAAd"
- - [21/mar./2023:12:50:06 -0700] "GET /oauth2/callback/gitlab?code=f2c3ff4c19981ebd3c70162913f0b3b1fac4ff3ebe92a0e4b95510fe15b393b7&state=dg2gdq6pbh7l6qb5jqvuuk5er9 HTTP/1.1" 302 - "http://url/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "AYcFtSIHcFPZmRT/AAAe"
- - [21/mar./2023:12:50:06 -0700] "GET /sessions/unauthorized HTTP/1.1" 200 - "http://url/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "AYcFtSIHcFPZmRT/AAAf"
 - - [21/mar./2023:12:50:07 -0700] "GET /api/l10n/index?locale=es-ES HTTP/1.1" 200 - "http://url/sessions/unauthorized" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.0.0 Safari/537.36" "AYcFtSIHcFPZmRT/AAAg"

Hi,

To make sure I understand:

You started up a fresh instance of 9.9 as a test and configured it for GitLab authentication, and everything worked fine.

And then you migrated your 7.9 instance through 8.9 to 9.9. You configured it for GitLab authentication with all the same values, and authentication fails.

If I got that right, were both instances in about the same place on the network with the same “helpful” things on the network between them and GitLab?

 
Ann

Yes, you understood correctly, the environment of the 9.9 instance is the same, so it’s rare that it doesn’t work.

The only change I made was to migrate from 7.9 → 8.9 → 9.9.

I have tried several solutions but none work

Hi,

Okay, thanks. I’ve flagged this for more expert attention.

 
Ann

perfect, thanks

Hello @moisesarrona ,

What edition of SonarQube are you using?

Are you trying to connect to GitLab.com or do you have GitLab installed on-premise?

I will try to reproduce your issue, though I need that information to be as close to your environment as possible.

Could you also explain how you configured authentication with GitLab in 7.9? The GitLab authentication feature was introduced in 8.0.

GitLab is installed on our infrastructure.

In version 7.9 we used a plugin that authenticated with the GitLab API. This was the official plugin repository: GitHub - gabrie-allaigre/sonar-auth-gitlab-plugin: Use GitLab OAuth login in SonarQube login page

Okay, after the upgrade to 8.9, have you uninstalled this plugin and configured authentication within SonarQube itself?

What did your upgrade process look like?

That’s right, I updated to 8.9 and 9.9, and in version 9.9 GitLab authentication was configured. That is the process.

I had about the same issue …
I could log in, but my colleagues could not.
I reverted the snapshot and went step by step, and let my colleague log in (via GitLab each time).
That was OK, and we finally reached SonarQube 9.9.0. It was OK for both of us.
Afterwards I asked another colleague to log in … and he again had the error.
When I reverted my snapshot to Sonar 8.9.1 he could log in (with 8.9.10 there was also an issue for the 3rd colleague).
I will debug a bit further later on. The upgrade process itself gave no errors / warnings.

Hey @moisesarrona,

Good news, we were able to reproduce that issue. It seems like the plugin you have been using is not compatible with the implementation of GitLab authentication done in SonarQube 8.9.

The problem is that external_id, which is populated by the plugin, is a username from GitLab.

The SonarQube 8.9 implementation assumes it should be the GitLab user id.

In order to migrate your users to be compatible with SonarQube, you can try to map users by email from your GitLab instance to SonarQube and execute the following WS to migrate them:

curl -X POST -u admin_login:admin_password '/api/users/update_identity_provider?login=sonarqube_user.login&newExternalProvider=gitlab&newExternalIdentity=gitlab_user.id'

This call will change the value of the external_id column for the specific user to be the user id instead of the username, which will allow users to authenticate.

3 Likes
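
The per-user migration described in the answer above, as an added example that is not part of the original thread or of SonarQube's own tooling: it plans the `update_identity_provider` calls by matching users on email and refuses to link any account whose email has no match or more than one match in GitLab. The field names of the two user listings and the sample users are assumptions constructed for illustration.

```python
from urllib.parse import urlencode

# Constructed sample data, shaped like the admin user listings of each system
# (assumed fields: SonarQube login/email/externalProvider/externalIdentity,
# GitLab id/username/email).
SONAR_USERS = [
    {"login": "user.name", "email": "User.Name@example.com",
     "externalProvider": "gitlab", "externalIdentity": "user.name"},
    {"login": "already.ok", "email": "ok@example.com",
     "externalProvider": "gitlab", "externalIdentity": "17"},
    {"login": "no.match", "email": "gone@example.com",
     "externalProvider": "gitlab", "externalIdentity": "no.match"},
    {"login": "shared.box", "email": "team@example.com",
     "externalProvider": "gitlab", "externalIdentity": "shared.box"},
    {"login": "admin", "email": "admin@example.com",
     "externalProvider": "sonarqube", "externalIdentity": "admin"},
]
GITLAB_USERS = [
    {"id": 42, "username": "user.name", "email": "user.name@example.com"},
    {"id": 17, "username": "already.ok", "email": "ok@example.com"},
    {"id": 50, "username": "alice", "email": "team@example.com"},
    {"id": 51, "username": "bob", "email": "team@example.com"},
]

def plan_migration(sonar_users, gitlab_users):
    """Return (updates, skipped): query strings to POST, and users left alone."""
    by_email = {}
    for g in gitlab_users:
        by_email.setdefault(g["email"].strip().lower(), []).append(g)
    updates, skipped = [], {}
    for s in sonar_users:
        if s.get("externalProvider") != "gitlab":
            continue  # local or other-provider accounts are not touched
        matches = by_email.get((s.get("email") or "").strip().lower(), [])
        if len(matches) != 1:
            # Never guess: a wrong link would hand one person another's account.
            skipped[s["login"]] = "no match" if not matches else "ambiguous email"
        elif s["externalIdentity"] == str(matches[0]["id"]):
            skipped[s["login"]] = "already migrated"
        else:
            updates.append("/api/users/update_identity_provider?" + urlencode({
                "login": s["login"], "newExternalProvider": "gitlab",
                "newExternalIdentity": matches[0]["id"]}))
    return updates, skipped

if __name__ == "__main__":
    updates, skipped = plan_migration(SONAR_USERS, GITLAB_USERS)
    print(*updates, sep="\n")
    print(skipped)
```

Each planned path is relative to the SonarQube base URL and is sent as an authenticated POST, as in the curl call above; the skipped users need manual review before their identity is changed.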

Would I have to do it for each user?

In case of downgrading the version from 9.9 to 7.9:

Would this solution affect sonar 7.9 authentication?

@moisesarrona

Yes, you will need to migrate all users.

Yes, it might affect 7.9 authentication, as you will be using an external plugin.

Moreover, it is not possible to get back to 7.9 once you have upgraded to 9.9 unless you have a backup of your DB from before you upgraded.

1 Like
