OpenID Connect (OIDC) Plugin for SonarQube
Branch: master
Clone or download
Type Name Latest commit message Commit time
Failed to load latest commit information.
.mvn Initial version Dec 29, 2017
docs/images #5 - updates documentation Feb 10, 2018
src Fixes #18 - adds support for configurable login button text Sep 10, 2018
.travis.yml Fix authentication issue with missing profile info (#4) Jan 13, 2018
LICENSE #13 - adds hint for properly white-listing the redirect URI and adds … Jul 3, 2018
mvnw Initial version Dec 29, 2017
pom.xml Add setting to provide additional scopes (#17) Sep 8, 2018

OpenID Connect (OIDC) Plugin for SonarQube

Build Status Quality Gate Release


This plugin enables users to automatically be sign up and authenticated on a SonarQube server via an OpenID Connect identity provider like Keycloak. Optionally the groups a user is associated in SonarQube can be synchronized with the provider (via a custom userinfo claim retrieved from the ID token).


Server Base URL

Server base URL property must be set either by setting the URL from SonarQube administration page (General -> Server base URL) or through setting sonar.core.serverBaseURL key value in the file.

In this URL no trailing slash is allowed! Otherwise the redirects from the identity provider back to the SonarQube server are not created correctly.

Network Proxy

If a network proxy is used with SonarQube (via http[s].proxy[Host|Port] properties in the and the host name of the identity provider is not resolvable by this proxy then the IdP's host name must be excluded from being resolved by the proxy. This is done by defining the property http.nonProxyHosts in the

Otherwise the plugin won't be able to send the token request to the IdP.


  1. Install the plugin from SonarQube marketplace via "Administration > Marketplace". Or download the plugin jar from GitHub Releases and put it into the SONARQUBE_HOME/extensions/plugins/ directory
  2. Restart the SonarQube server


  • In OpenID Connect identity provider:

    • Create a client with access type 'public' or 'confidential' (in the latter case the corresponding client secret must be set in the plugin configuration) and white-list the redirect URI for the SonarQube server https://<sonarqube base>/oauth2/callback/oidc Keycloak Client Configuration

      Some IdP's (e.g. Keycloak) are supporting wildcards in the redirect URI white-list. Otherwise the absolute redirect URI must be white-listed.

    • For synchronizing SonarQube groups create a mapper which adds group names to a custom userinfo claim in the ID token (the claim's name is used in the plugin configuration later on) Keycloak Mapper Configuration

    • Retrieve the provider's endpoint configuration as JSON text via the providers /.well-known/openid-configuration URL (needed for plugin configuration) Keycloak Client Configuration

  • In SonarQube administration (General-> Security -> OpenID Connect):

    • Configure the plugin for the OpenID Connect client (a client secret is only required for clients with access type 'confidential') SonarQube Plugin Configuration

    • For synchronizing groups the name of the custom userinfo claim must be the same as defined in the identity provider's mapper

Tested with

  • SonarQube 6.7.1
  • Keycloak 3.4.2.Final
  • JetBrains Hub 2017.4
  • Okta 2018.25