Skip to content

tgbyte/sonar-auth-oidc

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

73 Commits
.mvn
.mvn
 
 
docs/images
docs/images
 
 
src
src
 
 
.travis.yml
.travis.yml
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
RELEASE.md
RELEASE.md
 
 
mvnw
mvnw
 
 
mvnw.cmd
mvnw.cmd
 
 
pom.xml
pom.xml
 
 

Repository files navigation

OpenID Connect (OIDC) Plugin for SonarQube

Build Status Quality Gate Release

Description

This plugin enables users to automatically be sign up and authenticated on a SonarQube server via an OpenID Connect identity provider like Keycloak. SonarQube Login

Optionally the groups a user is associated in SonarQube can be synchronized with the provider (via a custom userinfo claim retrieved from the ID token).

Prerequisites

Server Base URL

Server base URL property must be set either by setting the URL from SonarQube administration page (General -> Server base URL).

In this URL no trailing slash is allowed! Otherwise the redirects from the identity provider back to the SonarQube server are not created correctly.

Network Proxy

If a network proxy is used with SonarQube (via http[s].proxy[Host|Port] properties in the sonar.properties) and the host name of the identity provider is not resolvable by this proxy then the IdP's host name must be excluded from being resolved by the proxy. This is done by defining the property http.nonProxyHosts in the sonar.properties.

Otherwise the plugin won't be able to send the token request to the IdP.

Installation

  1. Install the plugin from SonarQube marketplace via "Administration > Marketplace". Or download the plugin jar from GitHub Releases and put it into the SONARQUBE_HOME/extensions/plugins/ directory
  2. Restart the SonarQube server

Configuration

  • In OpenID Connect identity provider:

    • Create a client with access type 'public' or 'confidential' (in the latter case the corresponding client secret must be set in the plugin configuration) and white-list the redirect URI for the SonarQube server https://<sonarqube base>/oauth2/callback/oidc Keycloak Client Configuration

      Some IdP's (e.g. Keycloak) are supporting wildcards in the redirect URI white-list. Otherwise the absolute redirect URI must be white-listed.

    • For synchronizing SonarQube groups create a mapper which adds group names to a custom userinfo claim in the ID token (the claim's name is used in the plugin configuration later on) Keycloak Mapper Configuration

    • The provider's discovery URI (without the /.well-known/openid-configuration path) is needed for the plugin configuration (Issuer URI) Keycloak Client Configuration

  • In SonarQube administration (General-> Security -> OpenID Connect):

    • Configure the plugin for the OpenID Connect client (a client secret is only required for clients with access type 'confidential') SonarQube Plugin Configuration

    • For synchronizing groups the name of the custom userinfo claim must be the same as defined in the identity provider's mapper

Tested with

  • SonarQube 7.9.1, 8.2
  • Keycloak 4.8.1.Final
  • JetBrains Hub 2017.4
  • Okta 2018.25

About

OpenID Connect (OIDC) Plugin for SonarQube

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

10 tags

Packages

No packages published

Languages

  • Java 100.0%