Upgrade from 10.4.1 to 10.5.0 broke OIDC authentication

After upgrading SonarQube (Community Edition) from container image 10.4.1-community to 10.5.0-community, our OIDC authentication with GitLab broke.

2024.04.19 15:01:46 WARN web[a1575830-46c4-459c-8d4c-a93c89220f41][o.s.s.a.AuthenticationError] Fail to callback authentication with 'gitlab'
java.lang.IllegalStateException: Fail to execute request 'https://gitlab.*******/api/v4/groups?min_access_level=10&per_page=100'. HTTP code: 403, response: {"error":"insufficient_scope","error_description":"The request requires higher privileges than provided by the access token.","scope":"api read_api"}

Scope settings in GitLab (working with 10.4.1) are: api, read_user
Just-in-time user provisioning is used in SonarQube, with no user and group sync.

When I change the scopes in GitLab to api, read_api, the authentication is still failing. GitLab is showing an error: “The requested scope is invalid, unknown, or malformed.”

According to the documentation (GitLab authentication), scopes should be api and read_user.


Welcome to the community and thanks for this report!

We’ll fix this with 10.5.1 (coming… “soon”).