Migration to 8.9 LTS Gitlab Authentication

thibrom · January 3, 2023, 10:38am

Hi,

We recently did an upgrade from SonarQube 7.5 Community Edition to 7.9 LTS, then from 7.9LTS to 8.9LTS, the DB was updated successfully each time, everything is working fine except one thing : the gitlab authentication.
In SonarQube 7.5, we were using the sonar-gitlab-plugin-4.0.0.jar, in 8.9 it is now embedded so I configured the gitlab auth in ALM Integration following the documentation. I enabled Gitlab Login and Allow users to sign up.

I can succesfully login as admin with a password, but the problem appears when an existing user (a user that used to connect with gitlab when we were using Sonarqube 7.5) tries to login with gitlab, it is correctly redirected but an error message appears :

You're not authorized to access this page. Please contact the administrator.

I tried to see the logs, in web.log there is nothing relevant. but in access.log I can see :

127.0.0.1 - - [03/Jan/2023:11:11:43 +0100] "GET /oauth2/callback/gitlab?code=620f436676985f2670cef4c4b5551e57da2442b0194642e9845e160905d01e22&state=vccrrjsmdfjq00b176ug6icn7i HTTP/1.1" 302 - "https://sonar.mycompany.org/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0" "AYVytPT9nfgXd7+XAAdv"
127.0.0.1 - - [03/Jan/2023:11:11:43 +0100] "GET /sessions/unauthorized HTTP/1.1" 200 - "https://gitlab.mycompany.org/" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) Gecko/20100101 Firefox/108.0" "AYVytPT9nfgXd7+XAAdw"

When I log as admin, the list of users is correct, I can see the gitlab logo under users that were already authenticated with gitlab, with their correct account name.

I tried to create a new user in the gitlab admin interface, in this case login with gitlab is successfull as the user was not existing in the sonarqube DB before
I tried to “update” existing users in the sonarqube’s users list following this forum post but the error message is the same.

However I noticed that the error message has changed if I call this curl command with the argument “newExternalIdentity=useremailAdress” instead of “newExternalIdentity=usernamegitlab”.

curl -X POST -u myTOKEN: 'http://localhost:9000/api/users/update_identity_provider?login=mylogin&newExternalIdentity=myemail@mycompany.org&newExternalProvider=gitlab'

in this case the error message is:

You're not authorized to access this page. Please contact the administrator.

Reason: This account is already associated with another authentication method. Sign in using the current authentication method, or contact your administrator to transfer your account to a different authentication method.

I guess it is because this user identity is registered as “mylogin” instead of “myemail@mycompany.org”

I haven’t tried to deactivate an account and recreate it. I think this will be the last solution,

If anyone has any tips, it would help me a lot!

Best Regards

ganncamp · January 4, 2023, 4:32pm

Hi,

To recap:

You used to auth with GitLab via a plugin.
Now it’s built in so you’ve migrated your configuration to that.
GitLab users who hadn’t previously authenticated via the plugin are added properly and can access SonarQube
GitLab users who did auth via the plugin can’t log in even though you’ve update_identity_provider-ed their accounts

?

Assuming I’ve got that correct, could you look at an old and a new user and compare their logins? Are they the same in terms of format? E.G. does login end with @something and the other not? Are there any other noticeable differences between successful/new accounts and unsuccessful/old accounts?

Ann

P.S. Congrats on your upgrade journey to 8.9! Don’t forget that 9.9 LTS will be released on 7 Feb 2023.

thibrom · January 9, 2023, 11:29am

Hi,

Thanks for your answer, you got it right, I took a look at the usernames, they are the same in terms of format. I cannot see any difference in the log between old and new accounts, except the request is not /session/unauthorized when a new account is logging in, I will see if the redirect URL is exactly the same, I haven’t looked at the moment. I will also dig in debug log in both web and access.log, I only activated debug in web.log at the moment. If i find something I will make a new message so other users facing the problem can have this tip

PS: I am looking forward to that 9.9 LTS of course

Best Regards

ganncamp · January 9, 2023, 4:26pm

Hi,

I’m eager to see what, if anything your debug logs show when the unsuccessful folks try to log in.

Ann

Vladyslav_Tokar · March 17, 2023, 5:49pm

Hi Thibaut, have you solved the problem? I faced exactly the same issue.

thibrom · March 20, 2023, 10:24am

Hi,

Unfortunately I have not found any solution but deleting the users one by one in the list, and recreating them, they cannot login via gitlab but with the good old login/password which is not a problem in our use cases as we rarely need to authenticate, we just look at the quality results of our project

If someone has found a solution I will be glad to know. We will be upgrading to the 9.9 LTS in the coming months, maybe the problem will be solved I will let you know on this topic

Best regards

Topic		Replies	Views
GitLab auth problems in 9.9 after using auth plugin in previous version SonarQube Server / Community Build sonarqube , gitlab , authentication	13	978	April 11, 2023
Authenticating with GitLab: SonarQube Server / Community Build gitlab , authentication	2	2201	February 16, 2022
Not authorized to access sonarqube using gitlab credential SonarQube Server / Community Build sonarqube	3	3949	January 22, 2021
Gitlab authentication with release 10.5.0.89998 SonarQube Server / Community Build	14	1207	May 10, 2024
You're not authorized to acces this page. Sonarqube/Gitlab oauth after upgrading Sonarqube to version 8.9.6 LTS SonarQube Server / Community Build sonarqube , gitlab	0	787	January 20, 2022

Migration to 8.9 LTS Gitlab Authentication

Related topics