Migration to 8.9 LTS Gitlab Authentication

Hi,

We recently did an upgrade from SonarQube 7.5 Community Edition to 7.9 LTS, then from 7.9LTS to 8.9LTS, the DB was updated successfully each time, everything is working fine except one thing : the gitlab authentication.
In SonarQube 7.5, we were using the sonar-gitlab-plugin-4.0.0.jar, in 8.9 it is now embedded so I configured the gitlab auth in ALM Integration following the documentation. I enabled Gitlab Login and Allow users to sign up.

I can succesfully login as admin with a password, but the problem appears when an existing user (a user that used to connect with gitlab when we were using Sonarqube 7.5) tries to login with gitlab, it is correctly redirected but an error message appears :

You're not authorized to access this page. Please contact the administrator.

I tried to see the logs, in web.log there is nothing relevant. but in access.log I can see :

127.0.0.1 - - [03/Jan/2023:11:11:43 +0100] "GET /oauth2/callback/gitlab?code=620f436676985f2670cef4c4b5551e57da2442b0194642e9845e160905d01e22&state=vccrrjsmdfjq00b176ug6icn7i HTTP/1.1" 302 - "https://sonar.mycompany.org/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0" "AYVytPT9nfgXd7+XAAdv"
127.0.0.1 - - [03/Jan/2023:11:11:43 +0100] "GET /sessions/unauthorized HTTP/1.1" 200 - "https://gitlab.mycompany.org/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0" "AYVytPT9nfgXd7+XAAdw"

When I log as admin, the list of users is correct, I can see the gitlab logo under users that were already authenticated with gitlab, with their correct account name.

  • I tried to create a new user in the gitlab admin interface, in this case login with gitlab is successfull as the user was not existing in the sonarqube DB before

  • I tried to “update” existing users in the sonarqube’s users list following this forum post but the error message is the same.

However I noticed that the error message has changed if I call this curl command with the argument “newExternalIdentity=useremailAdress” instead of “newExternalIdentity=usernamegitlab”.

curl -X POST -u myTOKEN: 'http://localhost:9000/api/users/update_identity_provider?login=mylogin&newExternalIdentity=myemail@mycompany.org&newExternalProvider=gitlab'

in this case the error message is:

You're not authorized to access this page. Please contact the administrator.

Reason: This account is already associated with another authentication method. Sign in using the current authentication method, or contact your administrator to transfer your account to a different authentication method.

I guess it is because this user identity is registered as “mylogin” instead of “myemail@mycompany.org”

I haven’t tried to deactivate an account and recreate it. I think this will be the last solution,

If anyone has any tips, it would help me a lot!

Best Regards

Hi,

To recap:

  • You used to auth with GitLab via a plugin.
  • Now it’s built in so you’ve migrated your configuration to that.
  • GitLab users who hadn’t previously authenticated via the plugin are added properly and can access SonarQube
  • GitLab users who did auth via the plugin can’t log in even though you’ve update_identity_provider-ed their accounts

?

Assuming I’ve got that correct, could you look at an old and a new user and compare their logins? Are they the same in terms of format? E.G. does login end with @something and the other not? Are there any other noticeable differences between successful/new accounts and unsuccessful/old accounts?

 
Ann

P.S. Congrats on your upgrade journey to 8.9! Don’t forget that 9.9 LTS will be released on 7 Feb 2023. :smiley:

Hi,

Thanks for your answer, you got it right, I took a look at the usernames, they are the same in terms of format. I cannot see any difference in the log between old and new accounts, except the request is not /session/unauthorized when a new account is logging in, I will see if the redirect URL is exactly the same, I haven’t looked at the moment. I will also dig in debug log in both web and access.log, I only activated debug in web.log at the moment. If i find something I will make a new message so other users facing the problem can have this tip

PS: I am looking forward to that 9.9 LTS of course

Best Regards

1 Like

Hi,

I’m eager to see what, if anything your debug logs show when the unsuccessful folks try to log in.

 
Ann