Trouble having sonarqube and SSO enabled with oauth2-proxy

Hello,
I am trying to install SonarQube with SSO enabled (SONAR_WEB_SSO_ENABLE env set to true),
and oauth2-proxy for authentication.
All the headers seem to be forwarded to SonarQube, but when I hit the SonarQube servername, oauth2-proxy kicks in, I log in, then I get redirected to SonarQube, but it always redirects me to the login form.

Does anyone know what could be the problem?

Here is the config that I use for nginx (installed on the server), oauth2-proxy in a container and SonarQube in a container (sharing the same network as oauth2-proxy). I use PSQL on AWS RDS:

oauth2-proxy
quay.io/oauth2-proxy/oauth2-proxy:v7.2.1-amd64
OAUTH2_PROXY_HTTP_ADDRESS=http://0.0.0.0:4180
OAUTH2_PROXY_REVERSE_PROXY=true
OAUTH2_PROXY_CLIENT_ID=${$google_sso_client}
OAUTH2_PROXY_CLIENT_SECRET=${$google_sso_secret}
OAUTH2_PROXY_EMAIL_DOMAINS=mydomain.com
OAUTH2_PROXY_COOKIE_SECRET=${sonarqube_cookie_secret}
OAUTH2_PROXY_COOKIE_SECURE=true
OAUTH2_PROXY_SSL_UPSTREAM_INSECURE_SKIP_VERIFY=true
OAUTH2_PROXY_UPSTREAMS=http://sonarqube:9000
OAUTH2_PROXY_WHITELIST_DOMAINS=.mydomain.com
OAUTH2_PROXY_PASS_USER_HEADERS=true

sonarqube:
image: sonarqube:9.4.0-community
SONAR_JDBC_USERNAME=sonarqube
SONAR_JDBC_PASSWORD=${psql_password}
SONAR_JDBC_URL=jdbc:postgresql://sonarqube-testenv.my-domain.eu-west-1.rds.amazonaws.com/sonarqube
SONAR_WEB_PORT=9000
SONAR_WEB_HOST=0.0.0.0
SONAR_WEB_CONTEXT=/app
SONAR_WEB_SSO_ENABLE=true

nginx:
server {
    listen 443 default ssl;
    server_name sonarqube-testenv.mydomain.com;
    add_header Strict-Transport-Security max-age=2592000;
    ssl_certificate           /etc/ssl/mydomain/wildcard.mydomain.com.crt;
    ssl_certificate_key       /etc/ssl/mydomain/wildcard.mydomain.com.key;
    ssl_protocols             TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers               ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

    location / {
        proxy_pass http://127.0.0.1:4180;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Scheme $scheme;
        proxy_connect_timeout 1;
        proxy_send_timeout 30;
        proxy_read_timeout 30;
    }
}

Hey there.

It could mean that authentication is failing. You may want to set SONAR_LOG_LEVEL to DEBUG and check the logs for authentication errors which are logged by the web process.

Thanks for the tip @Colin. Unfortunately nothing special there; it seems that it doesn't even see that there is HTTP delegation:

2022.05.04 10:02:36 DEBUG web[TYUIOEFHEJFEF][auth.event] login failure [cause|User must be authenticated][method|BASIC][provider|LOCAL|local][IP|172.18.0.2|172.18.0.1][login|]
2022.05.04 10:02:43 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 171] start execution
2022.05.04 10:02:43 DEBUG web[][o.a.h.c.p.RequestAddCookies] CookieSpec selected: default
2022.05.04 10:02:43 DEBUG web[][o.a.h.c.p.RequestAuthCache] Re-using cached 'basic' auth scheme for http://localhost:9001
2022.05.04 10:02:43 DEBUG web[][o.a.h.c.p.RequestAuthCache] No credentials for preemptive authentication
2022.05.04 10:02:43 DEBUG web[][o.a.h.i.n.c.InternalHttpAsyncClient] [exchange: 171] Request connection for {}->http://localhost:9001
2022.05.04 10:02:43 DEBUG web[][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Connection request: [route: {}->http://localhost:9001][total kept alive: 2; route allocated: 2 of 10; total allocated: 2 of 30]
2022.05.04 10:02:43 DEBUG web[][o.a.h.i.n.c.ManagedNHttpClientConnectionImpl] http-outgoing-0 127.0.0.1:60002<->127.0.0.1:9001[ACTIVE][r:r]: Set timeout 0
2022.05.04 10:02:43 DEBUG web[][o.a.h.i.n.c.PoolingNHttpClientConnectionManager] Connection leased: [id: http-outgoing-0][route: {}->http://localhost:9001][total kept alive: 1; route allocated: 2 of 10; total allocated: 2 of 30]
2022.05.04 10:02:43 DEBUG web[][o.a.h.i.n.c.InternalHttpAsyncClient] [exchange: 171] Connection allocated: CPoolProxy{http-outgoing-0 [ACTIVE]}
2022.05.04 10:02:43 DEBUG web[][o.a.h.i.n.c.ManagedNHttpClientConnectionImpl] http-outgoing-0 127.0.0.1:60002<->127.0.0.1:9001[ACTIVE][r:r]: Set attribute http.nio.exchange-handler
2022.05.04 10:02:43 DEBUG web[][o.a.h.i.n.c.ManagedNHttpClientConnectionImpl] http-outgoing-0 127.0.0.1:60002<->127.0.0.1:9001[ACTIVE][rw:r]: Event set [w]
2022.05.04 10:02:43 DEBUG web[][o.a.h.i.n.c.InternalIODispatch] http-outgoing-0 [ACTIVE] Request ready
2022.05.04 10:02:43 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 171] Attempt 1 to execute request
2022.05.04 10:02:43 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 171] Target auth state: UNCHALLENGED
2022.05.04 10:02:43 DEBUG web[][o.a.h.i.n.c.MainClientExec] [exchange: 171] Proxy auth state: UNCHALLENGED

Well, problem solved! The issue was that oauth2 provides X-F…-User instead of X-F…-Name headers :smiley:

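A diagnostic for the kind of header mismatch the last post describes, as an added example that is not part of the thread: it compares the identity headers oauth2-proxy forwards with the ones SonarQube's SSO reads. The header names and the `SONAR_WEB_SSO_*HEADER` variables do not appear in the posts; they are assumed from each project's documented defaults, and the sample settings are constructed.

```python
# Assumption: identity headers oauth2-proxy forwards when PASS_USER_HEADERS is true.
PROXY_USER_HEADERS = ("X-Forwarded-User", "X-Forwarded-Email",
                      "X-Forwarded-Groups", "X-Forwarded-Preferred-Username")
# Assumption: SonarQube env var -> (default header it reads, required for login?)
SONAR_SSO_HEADERS = {
    "SONAR_WEB_SSO_LOGINHEADER": ("X-Forwarded-Login", True),
    "SONAR_WEB_SSO_NAMEHEADER": ("X-Forwarded-Name", False),
    "SONAR_WEB_SSO_EMAILHEADER": ("X-Forwarded-Email", False),
    "SONAR_WEB_SSO_GROUPSHEADER": ("X-Forwarded-Groups", False),
}

def parse_env(text):
    """Parse KEY=VALUE lines; blanks, comments and non-assignments are skipped."""
    env = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            env[key.strip()] = value.strip()
    return env

def check_sso_headers(proxy_env, sonar_env):
    """Return (severity, message) findings; an empty list means the names line up."""
    if sonar_env.get("SONAR_WEB_SSO_ENABLE", "false").lower() != "true":
        return [("error", "SONAR_WEB_SSO_ENABLE is not true")]
    if proxy_env.get("OAUTH2_PROXY_PASS_USER_HEADERS", "true").lower() != "true":
        return [("error", "proxy does not forward user headers")]
    emitted = {h.lower() for h in PROXY_USER_HEADERS}  # HTTP header names are case-insensitive
    findings = []
    for var, (default, required) in SONAR_SSO_HEADERS.items():
        header = sonar_env.get(var, default)
        if header.lower() not in emitted:
            severity = "error" if required else "warning"
            findings.append((severity, f"{var}={header} is never sent by the proxy"))
    return findings

# Constructed samples: AS_POSTED mirrors the thread's settings, REMAPPED is one possible correction.
PROXY = parse_env("OAUTH2_PROXY_PASS_USER_HEADERS=true")
AS_POSTED = parse_env("SONAR_WEB_SSO_ENABLE=true")
REMAPPED = parse_env("""
SONAR_WEB_SSO_ENABLE=true
SONAR_WEB_SSO_LOGINHEADER=X-Forwarded-User
SONAR_WEB_SSO_NAMEHEADER=X-Forwarded-Preferred-Username
""")

if __name__ == "__main__":
    for label, env in (("as posted", AS_POSTED), ("remapped", REMAPPED)):
        print(label, check_sso_headers(PROXY, env) or "OK")
```

SonarQube trusts these headers without further checks, so its port should be reachable only through oauth2-proxy.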
