We recently did an upgrade from SonarQube 7.5 Community Edition to 7.9 LTS, then from 7.9LTS to 8.9LTS, the DB was updated successfully each time, everything is working fine except one thing : the gitlab authentication.
In SonarQube 7.5, we were using the sonar-gitlab-plugin-4.0.0.jar, in 8.9 it is now embedded so I configured the gitlab auth in ALM Integration following the documentation. I enabled Gitlab Login and Allow users to sign up.
I can succesfully login as admin with a password, but the problem appears when an existing user (a user that used to connect with gitlab when we were using Sonarqube 7.5) tries to login with gitlab, it is correctly redirected but an error message appears :
You're not authorized to access this page. Please contact the administrator.
I tried to see the logs, in web.log there is nothing relevant. but in access.log I can see :
127.0.0.1 - - [03/Jan/2023:11:11:43 +0100] "GET /oauth2/callback/gitlab?code=620f436676985f2670cef4c4b5551e57da2442b0194642e9845e160905d01e22&state=vccrrjsmdfjq00b176ug6icn7i HTTP/1.1" 302 - "https://sonar.mycompany.org/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0" "AYVytPT9nfgXd7+XAAdv" 127.0.0.1 - - [03/Jan/2023:11:11:43 +0100] "GET /sessions/unauthorized HTTP/1.1" 200 - "https://gitlab.mycompany.org/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0" "AYVytPT9nfgXd7+XAAdw"
When I log as admin, the list of users is correct, I can see the gitlab logo under users that were already authenticated with gitlab, with their correct account name.
I tried to create a new user in the gitlab admin interface, in this case login with gitlab is successfull as the user was not existing in the sonarqube DB before
I tried to “update” existing users in the sonarqube’s users list following this forum post but the error message is the same.
However I noticed that the error message has changed if I call this curl command with the argument “newExternalIdentity=useremailAdress” instead of “newExternalIdentity=usernamegitlab”.
curl -X POST -u myTOKEN: 'http://localhost:9000/api/users/update_identity_provider?login=mylogin&newExternalIdentityemail@example.com&newExternalProvider=gitlab'
in this case the error message is:
You're not authorized to access this page. Please contact the administrator. Reason: This account is already associated with another authentication method. Sign in using the current authentication method, or contact your administrator to transfer your account to a different authentication method.
I guess it is because this user identity is registered as “mylogin” instead of “firstname.lastname@example.org”
I haven’t tried to deactivate an account and recreate it. I think this will be the last solution,
If anyone has any tips, it would help me a lot!