SSO HTTP Header Authentication for the web interface

web
authentication
sso

(Federico Marcos) #1

Hi, I’m trying to set up auth in the latest version of SonarQube community edition. I want to handle authorization separately, so I’m trying to set up http header authentication. It seems to work fine for the API but not for accessing the dashboard, and the web UI in general. Is there a way to access the web interface without logging in at /login username and password?

Basically, I want to provide my users a link to the web interface, but without providing them a sonarqube username and password, as they are already logged in on my platform, so I’m trying to find a way to proxy the request to my backend, get the corresponding sonarqube user.login for that user, and redirect them to the web ui using those credentials


(Julien Lancelot) #2

Hi,

Did you have a look at https://docs.sonarqube.org/latest/instance-administration/delegated-auth/ ?

Regards,
Julien Lancelot


(Federico Marcos) #3

I did, and I have successfully set up http header authentication for the API, however it is not working for accessing the web app, it just redirects me to /sessions/new and asks for login and password

In summary:

  • set up http headers X-Forwarded-Login and X-Forwarded-Name to the appropriate values

  • GET request to localhost:9000/api/measures/component?component=projectkey&metricKeys=sqale_rating
    response is OK, I get the data

  • GET request to http://localhost:9000/dashboard?id=projectkey
    redirects to login, asks for password

Is this intended? Is there a way to access the web interface without making my users log in again?


(Julien Lancelot) #4

In order to use web service when using HTTP headers authentication, you need to use user tokens: https://docs.sonarqube.org/latest/user-guide/user-token/


(Federico Marcos) #5

tokens are only working for the API as well, not the web app
trying to access http://localhost:9000/dashboard?id=projectkey setting basic authentication with user tokens (or passwords for that matter) does nothing, it just redirects to the login screen


(Julien Lancelot) #6

Ok, let me resume:

  • For the UI, you need to use the HTTP Header authentication, using a proxy
  • For WS, you need to generate a user token
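
The split above (UI identity comes from headers the proxy sets, scripts use a token) only holds if the proxy is the sole source of those headers. The following is an added example, not code from the thread or from SonarQube, showing what the proxy in front of SonarQube has to do with the `X-Forwarded-Login` / `X-Forwarded-Name` headers: strip whatever the client sent, then set them from the platform's own session. `platform_session_user` and `PLATFORM_SESSIONS` are hypothetical stand-ins for the poster's backend lookup; the header names are SonarQube's documented defaults for `sonar.web.sso.loginHeader`, `sonar.web.sso.nameHeader`, `sonar.web.sso.emailHeader` and `sonar.web.sso.groupsHeader` (with `sonar.web.sso.enable=true`).

```python
"""Added example (not from the thread or from SonarQube): the header handling a
reverse proxy needs for SonarQube HTTP header authentication.

Assumptions (hypothetical): platform_session_user() stands in for whatever
lookup the poster's own platform does; PLATFORM_SESSIONS is a constructed
sample session store.
"""
from typing import Mapping, Optional

# Default header names SonarQube reads when sonar.web.sso.enable=true.
SSO_HEADERS = ("X-Forwarded-Login", "X-Forwarded-Name",
               "X-Forwarded-Email", "X-Forwarded-Groups")

# Constructed sample of the platform's own session store (hypothetical).
PLATFORM_SESSIONS = {
    "sess-123": {
        "login": "marcosfede.algorithms",
        "name": "Federico Marcos",
        "email": "fede@example.invalid",
        "groups": ["developers"],
    },
}


def platform_session_user(cookie_header: str) -> Optional[dict]:
    """Resolve the caller from the platform session cookie (hypothetical lookup)."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "platform_session" and value in PLATFORM_SESSIONS:
            return PLATFORM_SESSIONS[value]
    return None


def build_upstream_headers(client_headers: Mapping[str, str]) -> dict:
    """Return the headers the proxy forwards to SonarQube.

    1. Drop every SSO header the client supplied, whatever its letter case:
       SonarQube trusts these headers as-is, so the proxy must be their only
       source.
    2. If the platform session is valid, set them from the session.
    3. Otherwise forward nothing identifying; SonarQube then shows
       /sessions/new exactly as the thread describes.
    """
    sso_lower = {h.lower() for h in SSO_HEADERS}
    upstream = {k: v for k, v in client_headers.items()
                if k.lower() not in sso_lower}
    user = platform_session_user(client_headers.get("Cookie", ""))
    if user is None:
        return upstream
    upstream["X-Forwarded-Login"] = user["login"]
    upstream["X-Forwarded-Name"] = user["name"]
    if user.get("email"):
        upstream["X-Forwarded-Email"] = user["email"]
    if user.get("groups"):
        upstream["X-Forwarded-Groups"] = ",".join(user["groups"])
    return upstream


if __name__ == "__main__":
    # A request carrying a forged login header and no platform session:
    print(build_upstream_headers({"X-Forwarded-Login": "admin", "Host": "sonar.example"}))
    # A request with a valid platform session:
    print(build_upstream_headers({"Cookie": "platform_session=sess-123"}))
```

Whatever proxy is actually used (nginx, Apache, a small application), the same two rules apply: the headers are cleared on every request before being set, and SonarQube itself is only reachable through the proxy, otherwise a direct request to port 9000 could carry its own `X-Forwarded-Login`.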

(Federico Marcos) #7

For the UI, you need to use the HTTP Header authentication, using a proxy

In my second post, I mentioned that this is not working for me, setting the appropriate headers X-Forwarded-Login and X-Forwarded-Name to the appropriate values and requesting to see a page for the UI like /dashboard just redirects me to the login page. HTTP Header authentication is working for the api at /api ONLY, but not for the UI
Is that the expected behaviour?


(Julien Lancelot) #8

Could you please execute the following steps to help me understand your issue:

  • Set the server log to DEBUG (Administration -> System -> Logs level -> DEBUG)
  • Authenticate with the header
  • Check for lines in web.log containing [auth.event] and report them here
  • Change back the server log to INFO

(Federico Marcos) #9

These are the logs for a GET request to /dashboard?id=marcosfede.algorithms
setting up the X-Forwarded-Login and X-Forwarded-Name headers

sonarqube_1  | 2019.02.04 12:56:25 DEBUG web[AWi4ju64Xb7u8NzxAADu][o.s.s.u.NewUserNotifier] User created: marcosfede.algorithms. Notifying NewUserHandler handlers...

sonarqube_1  | 2019.02.04 12:56:25 DEBUG web[AWi4ju64Xb7u8NzxAADu][auth.event] login success [method|SSO][provider|SSO|sso][IP|172.19.0.1|][login|marcosfede.algorithms]

It does say login successful but it just redirects to the login page with a message “insufficient privileges” (I do have read access with that user and I have no problem logging in with username and password through the web app, although I’m not sure if a “local” user has the same privileges as an SSO user?):
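
The debugging steps asked for the `[auth.event]` lines in web.log. As an added example, not code from the thread or from SonarQube, the script below pulls those lines out of a log, splits the `[key|value]` fields, and summarises successes and failures per login, so that a success-then-redirect case like the one above can be told apart from a plain authentication failure. The sample log is constructed from the format quoted in the thread (the failure line is invented for contrast); the field layout is assumed from those lines, so the parser keeps multi-part values such as `[provider|SSO|sso]` as lists rather than guessing what each part means.

```python
"""Added example (not from the thread or SonarQube): extract and summarise
[auth.event] lines from web.log.

Assumption: the field layout "[key|value]" with "|"-separated sub-values is
inferred from the two lines quoted in the thread.
"""
import re
from collections import Counter

# Constructed sample of web.log lines; the first two copy the thread's format,
# the failure line is invented for contrast.
SAMPLE_WEB_LOG = """\
2019.02.04 12:56:25 DEBUG web[AWi4ju64Xb7u8NzxAADu][o.s.s.u.NewUserNotifier] User created: marcosfede.algorithms. Notifying NewUserHandler handlers...
2019.02.04 12:56:25 DEBUG web[AWi4ju64Xb7u8NzxAADu][auth.event] login success [method|SSO][provider|SSO|sso][IP|172.19.0.1|][login|marcosfede.algorithms]
2019.02.04 12:57:01 DEBUG web[AWi4ju64Xb7u8NzxAADv][auth.event] login failure [cause|wrong password][method|FORM][provider|LOCAL|local][IP|172.19.0.1|][login|admin]
"""

# "<date> <time> <LEVEL> web[<request id>][auth.event] <outcome> [k|v][k|v]..."
AUTH_EVENT = re.compile(
    r"^(?P<timestamp>\S+ \S+) (?P<level>\w+)\s+web\[(?P<request_id>[^\]]*)\]"
    r"\[auth\.event\] (?P<outcome>[^\[]+?)\s*(?P<fields>(?:\[[^\]]*\])+)\s*$"
)
FIELD = re.compile(r"\[([^\]|]+)\|([^\]]*)\]")


def parse_auth_event(line: str):
    """Return a dict for an [auth.event] line, or None for any other line."""
    m = AUTH_EVENT.match(line)
    if not m:
        return None
    event = {
        "timestamp": m["timestamp"],
        "request_id": m["request_id"],
        "outcome": m["outcome"],
    }
    for key, raw in FIELD.findall(m["fields"]):
        parts = raw.split("|")
        # Single value -> string; "[provider|SSO|sso]" or "[IP|172.19.0.1|]" -> list.
        event[key] = parts[0] if len(parts) == 1 else parts
    return event


def auth_events(log_text: str) -> list:
    """All parsed [auth.event] entries in the log, in order."""
    return [e for e in map(parse_auth_event, log_text.splitlines()) if e]


def summarise(log_text: str) -> dict:
    """Count outcomes per login and list the logins that succeeded via SSO."""
    events = auth_events(log_text)
    return {
        "events": events,
        "by_login": Counter((e.get("login"), e["outcome"]) for e in events),
        "sso_logins": sorted({
            e["login"] for e in events
            if e["outcome"] == "login success" and e.get("method") == "SSO"
        }),
    }


if __name__ == "__main__":
    result = summarise(SAMPLE_WEB_LOG)
    for (login, outcome), n in sorted(result["by_login"].items()):
        print(f"{login:25} {outcome:15} {n}")
    print("SSO successes:", result["sso_logins"])
```

Run against a real web.log, a login that shows up under `sso_logins` yet still lands on the login page with "insufficient privileges" points away from authentication and towards permissions on the project, which is the direction the thread takes next.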


(Julien Lancelot) #10

As the logs say “login success”, you need to check that the user ‘marcosfede.algorithms’ has the ‘Browse’ permission on the project.


(Federico Marcos) #11

It does have permissions


Could it be related to the change from ‘local’ user to sso once I try to log in using headers? Maybe the permissions change?


(Julien Lancelot) #12

It should not be possible to convert a local user to a sso user.

Could you please try to authenticate with sso using a non-local user?


(Federico Marcos) #13

I just created a non-local user through the API and gave it the needed permissions. The result is the same “insufficient privileges”

logs:

sonarqube_1  | 2019.02.04 16:58:56 DEBUG web[AWi5ciy3ej+3YvDpAAAU][auth.event] login success [method|SSO][provider|SSO|sso][IP|172.19.0.1|][login|nonlocal]

Also notice that if you make a request setting the X-Forwarded-Login and X-Forwarded-Name headers of a LOCAL user, it will automatically be converted to a nonlocal user.

This is the output from /api/users/search

{
  "paging": {
    "pageIndex": 1,
    "pageSize": 50,
    "total": 3
  },
  "users": [
    {
      "login": "admin",
      "name": "Administrator",
      "active": true,
      "local": true,
      "externalProvider": "sonarqube"
    },
    {
      "login": "marcosfede.algorithms",
      "name": "marcosfede.algorithms",
      "active": true,
      "local": false,
      "externalProvider": "sonarqube"
    },
    {
      "login": "nonlocal",
      "name": "nonlocal",
      "active": true,
      "tokensCount": 0,
      "local": false,
      "externalProvider": "sonarqube"
    }
  ]
}

here marcosfede.algorithms was initially a local user, but it changed to non-local once I made a request setting its login and name in the headers

nonlocal is the user I just created through the API, and I’ve specified to set local = false


(Julien Lancelot) #14

Indeed, my bad, it’s possible to convert a local user to a non-local user.


(Julien Lancelot) #15

I still have no clue why the user authenticated by SSO is not able to access the project…