Here are my tests on SonarCloud.io, trying to access a private resource:
No credentials provided:
$ curl -v https://sonarcloud.io/api/settings/values?component=com.sonarsource.vbnet%3Asonar-vbnet-plugin
[...]
HTTP/1.1 403
[...]
Wrong credentials provided:
$ curl -v --user "foo:bar" https://sonarcloud.io/api/settings/values?component=com.sonarsource.vbnet%3Asonar-vbnet-plugin
[...]
Authorization: Basic Zm9vOmJhcg==
[...]
HTTP/1.1 401
[...]
Using a generated token (I have revoked it, so that’s expected you can’t reproduce):
$ curl -v --user "18d7a965611b571ddc2d18b02a1a9d5ae284c233:" https://sonarcloud.io/api/settings/values?component=com.sonarsource.vbnet%3Asonar-vbnet-plugin
[...]
Authorization: Basic MThkN2E5NjU2MTFiNTcxZGRjMmQxOGIwMmExYTlkNWFlMjg0YzIzMzo=
[...]
HTTP/1.1 200
[…]
Switching from Basic to Bearer:
$ curl -v -H "Authorization: Bearer MThkN2E5NjU2MTFiNTcxZGRjMmQxOGIwMmExYTlkNWFlMjg0YzIzMzo=" https://sonarcloud.io/api/settings/values?component=com.sonarsource.vbnet%3Asonar-vbnet-plugin
[...]
Authorization: Bearer MThkN2E5NjU2MTFiNTcxZGRjMmQxOGIwMmExYTlkNWFlMjg0YzIzMzo=
[...]
HTTP/1.1 403
So in my opinion you are looking in the wrong direction. The issue is not the authentication type, but more the fact that the authentication is tried with username = token + password. This might be a sign that your endpoint is not correctly configured.
I’m sorry to ask you again, but could you please:
- delete your SonarQube endpoint definition
- create a new one, choosing token authentication mode
- ensure that authentication header is
Authorization: Basic base64(<token>:)