Sonalint authentication issue

Please provide

  • IJ IDEA version: 2023.1.2 Build #IU-231.9011.34, built on May 16, 2023
  • Operating system: MacOSX
  • SonarLint plugin version: 8.3.0
  • Programming language you’re coding in: Java/Kotlin
  • Is connected mode used:
    • Connected to SonarCloud or SonarQube (and which version): Sonarqube server v9.9.1

And a thorough description of the problem / question:
When adding a new connection the it 's impossible to get a succesful authentication by user crdentials or token

1 Like

Hi @ludovik,

Are you able to log in directly on your SonarQube with the credentials you provided on SonarLint and was your token generated via the Create token button, or was it manually copy-pasted?

Also, has your SonarQube any network specificities like running behind a proxy for example?

Thank you!

Hi

Logging in Sonarqube directly works with credentials. The issue happens only from the Sonarlint connection:

  • Token creation from the Sonarlint button is working, however the log in error is still happening afterwards.
  • Manual creation of the token has been tried but gives the same output in sonarlint
  • SQ Server runs behind a reverse proxy in our VPC, this one being proxified by Cloudflare.

Thankss

Thank you for the detailed information!

Could it be possible for you to retrieve the SonarQube logs about this issue and share them with us? In the meantime, I will investigate the case.

Hi,

There is no server logs dealing with that issue. Is there a way to capture plugins logs ? it looks the issue is located on plugin side only, or am I missing something ?

Thanks

Hi @ludovik,

When connecting to SonarQube, do you have any kind of SSO page or interface between you and the server?

One thing to check would be the access.log of your SonarQube, can you see the request coming to the endpoint /api/authentication/validate and what is the result? For example:

127.0.0.1 - - [04/Jul/2023:14:38:02 +0200] "GET /api/authentication/validate HTTP/1.1" 200 14 "-" "PostmanRuntime/7.32.3" "AYkg4wJFpiunoy4eAABG"

You could also try to curl directly the server with your token or credentials and see if it works. If it doesn’t work then it’s not linked to SonarLint unfortunately. Here is a basic example command:

curl --location '<YOUR_SONARQUBE>/api/authentication/validate' --header 'Authorization: Basic <YOUR_TOKEN_BASE64>'

Lastly, if that’s still an issue, we could provide you a custom build with logging enabled on our HttpClient so we can make sure what is going on on the IDE side.

Hi Nicolas,

Indeed, there is a SSO gateway provided by SSO and a Cloudflare proxy to connect to the SQ server.

In the access log I can retrieve the status code ok for the GET request sent from the SLint plugin:

10.0.2.71 - - [11/Jul/2023:07:18:29 +0000] "GET /sonarqube/api/system/status HTTP/1.0" 200 - "-" "SonarLint IntelliJ 8.3.0.71062" "AYh8ZCf4qvFquMZrCj75"
10.0.2.71 - - [11/Jul/2023:07:18:30 +0000] "GET /sonarqube/api/authentication/validate?format=json HTTP/1.0" 200 15 "-" "SonarLint IntelliJ 8.3.0.71062" "AYh8ZCf4qvFquMZrCj76"

Dealing with the Curl operation above, the response is {"valid":false}
Having a custom build with logging enabled would be a good option imho.
Thanks by advance

Hi @ludovik,

The issue is probably due to the SSO gateway as shown by the curl command output.

We currently don’t support such flow, the only way to authenticate to the SonarQube web API is via HTTP Basic Authentication. This isn’t easy to handle because while most SSOs use standard protocols like HTTP Basic, Digest, or NTLM authentication, others use their own custom HTTP-based login protocol, requiring session cookies, CSRF-Token…

I’d recommend whitelisting SonarQube web APIs not to require login via SSO.

Maybe you could provide more information on your SSO provider, like the protocol used, so we could try to find a workaround.

Thanks

1 Like

hi
I’ve whitelisted the Sonarqube API endpoint regarding SSO login, then it’s now possible to request behind a VPN only. A simple Curl to system status results well with

{“id”:“97FXXXX-AWwgZqGR94ytVRPFXXX”,“version”:“9.9.1.69595”,“status”:“UP”}

However , connecting the Server from the the SonarLint IJ plugin sends an authentication failure.
May the reverse proxy running being an issue for the plugin ?

Hi @ludovik,

The system status endpoint does not require authentication, could you please try the curl against /api/authentication/validate endpoint as it was previously done?

Thank you

Hi
Curl results with {"valid":false}, the SSO has been disabled on the endpoint however.
Please let me know if any action can be taken to tackle the issue.

Hi @ludovik

SonarLint can only authenticate using a token or username/password through BASIC authentication.

If you are using a custom authentication plugin on SonarQube side, that for example is expecting a custom HTTP header to be present, then it won’t work.

I am having similar problem. Not able to link SonarLint with SonarQube server running behind cloudflare. Cloudflare authentication works with mTLS certificate but I am finding no option to configure the certificate while binding.
Considering this would be a common use case in present day, please help to overcome the challenge.

Hi @Prosenjit_Roy

We made an update to our documentation to mention the way to provide client SSL certificates. May I let you read Advanced configuration for Connected Mode and SonarLint and let us know if this is clear enough for your use case?

Thanks!

2 Likes

Thank you!
We in fact followed these steps a week back and it solved the problem.

3 Likes