SSO HTTP Header Authentication for the web interface

SonarQube
, ,
1

Hi, I’m trying to set up auth in the latest version of SonarQube community edition. I want to handle authorization separately, so I’m trying to set up http header authentication. It seems to work fine for the API but not for accessing the dashboard, and the web UI in general. Is there a way to access the web interface without logging in at /login username and password?

Basically, I want to provide my users a link to the web interface, but without providing them a sonarqube username and password, as they are already logged in on my platform, so I’m trying to find a way to proxy the request to my backend, get the corresponding sonarqube user.login for that user, and redirect them to the web ui using those credentials

2

Hi,

Did you have a look at https://docs.sonarqube.org/latest/instance-administration/delegated-auth/ ?

Regards,
Julien Lancelot

3

I did, and I have succesfully set up http header authentication for the API, however it is not working for accesing the web app, it just redirects me to /sessions/new and asks for login and password

In summary:

  • set up http headers X-Forwarded-Login and X-Forwarded-Name to the appropiate values

  • GET request to localhost:9000/api/measures/component?component=projectkey&metricKeys=sqale_rating
    response is OK, I get the data

  • GET request to http://localhost:9000/dashboard?id=projectkey
    redirects to login, asks for password

Is this intended? Is there a way to access the web interface without making my users log in again?

4

In order to use web service when using HTTTP headers authentication, you need to use user tokens : https://docs.sonarqube.org/latest/user-guide/user-token/

5

tokens are only working for the API as well, not the web app
trying to access http://localhost:9000/dashboard?id=projectkey setting basic authentication with user tokens (or passwords for that matter) does nothing, it just redirects to the login screen

6

Ok, let me resume :

  • For the UI, you need to use the HTTP Header authentication, using a proxy
  • For WS, you need to generate a user token
7

For the UI, you need to use the HTTP Header authentication, using a proxy

In my second post, I mentioned that this is not working for me, setting the appropiate headers X-Forwarded-Login and X-Forwarded-Name to the appropiate values and requesting to see a page for the UI like /dashboard just redirects me to the login page. HTTP Header authentication is working for the api at /api ONLY, but not for the UI
Is that the expected behaviour?

8

Could you please execute the following steps to help me understand your issue :

  • Set the server log to DEBUG (Administration → System → Logs level → DEBUG)
  • Authenticate with the header
  • Check for lines in web.log containing [auth.event] and report them here
  • Change back the server log to INFO
9

These are the logs for a GET request to /dashboard?id=marcosfede.algorithms
setting up the X-Forwarded-Login and X-Forwarded-Name headers

sonarqube_1  | 2019.02.04 12:56:25 DEBUG web[AWi4ju64Xb7u8NzxAADu][o.s.s.u.NewUserNotifier] User created: marcosfede.algorithms. Notifying NewUserHandler handlers...

sonarqube_1  | 2019.02.04 12:56:25 DEBUG web[AWi4ju64Xb7u8NzxAADu][auth.event] login success [method|SSO][provider|SSO|sso][IP|172.19.0.1|][login|marcosfede.algorithms]

It does says login successful but it just redirects to the login page with a message “insufficient privileges” (I do have read access with that user and I have no problem logging in with username and password through the web app, although I’m not sure if a “local” user has the same privileges than a sso user?):

image
image.png1511×777 75 KB

10

As the logs says “login success”, then you need to check that the user ‘marcosfede.algorithms’ has the ‘Browse’ permission on the project.

11

It does have permissions

image
image.png1288×252 28.5 KB

Could it be related to the change from ‘local’ user to sso once I try to log in using headers? Maybe the permissions change?

12

It should not be possible to convert a local user to a sso user.

Could you please try to authenticate with sso using a none-local user ?

13

I just created a non local user though the API and gave it the needed permissions. The result is the same “unsufficient privileges”

logs:

sonarqube_1  | 2019.02.04 16:58:56 DEBUG web[AWi5ciy3ej+3YvDpAAAU][auth.event] login success [method|SSO][provider|SSO|sso][IP|172.19.0.1|][login|nonlocal]

Also notice that if you make a request setting the X-Forwarded-Login and X-Forwarded-Name headers of a LOCAL user, it will automatically be converted to a nonlocal user.

This is the output from /api/users/search

{
  "paging": {
    "pageIndex": 1,
    "pageSize": 50,
    "total": 3
  },
  "users": [
    {
      "login": "admin",
      "name": "Administrator",
      "active": true,
      "local": true,
      "externalProvider": "sonarqube"
    },
    {
      "login": "marcosfede.algorithms",
      "name": "marcosfede.algorithms",
      "active": true,
      "local": false,
      "externalProvider": "sonarqube"
    },
    {
      "login": "nonlocal",
      "name": "nonlocal",
      "active": true,
      "tokensCount": 0,
      "local": false,
      "externalProvider": "sonarqube"
    }
  ]
}

here marcosfede.algorithms was initially a local user, but it changed to non-local once I made a request setting its login and name in the headers

nonlocal is the user I just created, though the API and I’ve specified to set local = false

14

Indeed, my bad it’s possible to convert a local user to a none local user.

15

I still have no clue why the user authenticated by SSO is not able to access the project…

16

Haiiii I need to set HTTP auth for sonarqube via proxy. And get the test status of sonarqube only via Bitbucket console. Can some one please explain briefly about how to set Sonar via proxy and set HTTP Auth for this Sonar server. Because my Sonar machine is in private.