OpenID Connect (OIDC) Plugin for SonarQube
This plugin enables users to be automatically signed up and authenticated on a SonarQube server via an OpenID Connect identity provider like Keycloak. Optionally, the groups a user is associated with in SonarQube can be synchronized with the provider (via a custom userinfo claim retrieved from the ID token).
Server Base URL
The server base URL property must be set, either by setting the URL from the SonarQube administration page (General -> Server base URL) or the sonar.core.serverBaseURL key value in the
In this URL no trailing slash is allowed! Otherwise the redirects from the identity provider back to the SonarQube server are not created correctly.
If a network proxy is used with SonarQube (via http[s].proxy[Host|Port] properties in the sonar.properties) and the host name of the identity provider is not resolvable by this proxy, then the IdP's host name must be excluded from being resolved by the proxy. This is done by defining the property http.nonProxyHosts in the
Otherwise the plugin won't be able to send the token request to the IdP.
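A pre-flight check for the two settings above, as an added example that is not part of the plugin: it reads sonar.properties-style text and reports a trailing slash in sonar.core.serverBaseURL and an IdP host that is not covered by http.nonProxyHosts while a proxy is configured. The function names, the sample values and the IdP URL are assumptions; the proxy finding is a prompt for review, since the script cannot tell whether the proxy can resolve the IdP.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not taken from a real installation.
SAMPLE = """
# sonar.properties (excerpt)
sonar.core.serverBaseURL=https://sonar.example.org/
http.proxyHost=proxy.example.org
http.proxyPort=3128
http.nonProxyHosts=localhost|*.internal.example.org
"""

def parse_properties(text):
    """Parse key=value lines; blank lines and #/! comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def host_matches(host, pattern):
    """Match a host against one http.nonProxyHosts entry ('*' is a wildcard)."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, host) is not None

def check_oidc_settings(props, idp_url):
    """Return findings for the base URL and proxy exclusion settings."""
    findings = []
    # The base URL may instead be set in the administration page; only
    # check it when it is present in the file.
    base = props.get("sonar.core.serverBaseURL", "")
    if base.endswith("/"):
        findings.append("sonar.core.serverBaseURL has a trailing slash")
    idp_host = (urlsplit(idp_url).hostname or "").lower()
    if props.get("http.proxyHost") or props.get("https.proxyHost"):
        # Java's http.nonProxyHosts is a '|'-separated list of host patterns.
        raw = props.get("http.nonProxyHosts", "")
        patterns = [p.strip().lower() for p in raw.split("|") if p.strip()]
        if not any(host_matches(idp_host, p) for p in patterns):
            findings.append(idp_host + " is not covered by http.nonProxyHosts")
    return findings

if __name__ == "__main__":
    url = "https://keycloak.example.org/auth/realms/demo"  # assumed IdP URL
    for finding in check_oidc_settings(parse_properties(SAMPLE), url):
        print(finding)
```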
- Install the plugin from the SonarQube marketplace via "Administration > Marketplace". Or download the plugin jar from GitHub Releases and put it into the
- Restart the SonarQube server
In OpenID Connect identity provider:
Create a client with access type 'public' or 'confidential' (in the latter case the corresponding client secret must be set in the plugin configuration) and white-list the redirect URI for the SonarQube server
Some IdPs (e.g. Keycloak) support wildcards in the redirect URI white-list. Otherwise the absolute redirect URI must be white-listed.
In SonarQube administration (General -> Security -> OpenID Connect):
- SonarQube 6.7.1
- Keycloak 3.4.2.Final
- JetBrains Hub 2017.4
- Okta 2018.25