GitLab Automatic User Provisioning Concern


I have configured without any problem the automatic provisioning of GitLab groups and users in SonarQube CE, but I have some doubts about its use.

According to the documentation, when group synchronization is configured, group membership can only be managed from the delegated authentication source.

So, if I fully delegate authentication to GitLab, what would happen when the GitLab token expires in SonarQube? If I remove the local users and groups, I’m totally sold, right? Maybe I’m missing something, but I’d like to know your opinion on this matter.

Hey there.

What this intends to say is that if you configure group mapping between SonarQube and GitLab – you can no longer put users in locally created SonarQube groups. They’ll be yanked out each time they login (because they pull group info from SonarQube).

I don’t really understand this point. In the context of my explanation above, do you still have a concern?


Yes. When this GitLab syncronization is made, you can no longer create local users but you still can delete the old ones. If those old local users are deleted, then you completely depend on GitLab user provisioning. This provisioning is dependant on the GitLab’s access token, which has a maximum duration of 1 year. So, if this token expires and no local user exists, then I assume you can end-up locked out of SonarQube without being able to update that token.


You can create new local users even when you delegate authentication to Gitlab, and login to SonarQube with them.

Gitlab Authentication is also handled via a Gitlab Oauth 2 app, which I don’t think has any notion of token expiry.

According to my SonarQube CE instance, you can not create local users when automatic user provisioning is enabled:

Your instance is managed by gitlab. No modification is allowed except for tokens and SCM account information. You can still delete local users. All other operations should be done on your identity provider. See documentation for help managing users.

You are required to provide a provisioning token from GitLab, in order to enable the automatic user and group provisioning.