Skip to content
OpenID Connect (OIDC) Plugin for SonarQube
Branch: master
Clone or download

OpenID Connect (OIDC) Plugin for SonarQube

Build Status Quality Gate Release


This plugin enables users to automatically be sign up and authenticated on a SonarQube server via an OpenID Connect identity provider like Keycloak. SonarQube Login

Optionally the groups a user is associated in SonarQube can be synchronized with the provider (via a custom userinfo claim retrieved from the ID token).


Server Base URL

Server base URL property must be set either by setting the URL from SonarQube administration page (General -> Server base URL).

In this URL no trailing slash is allowed! Otherwise the redirects from the identity provider back to the SonarQube server are not created correctly.

Network Proxy

If a network proxy is used with SonarQube (via http[s].proxy[Host|Port] properties in the and the host name of the identity provider is not resolvable by this proxy then the IdP's host name must be excluded from being resolved by the proxy. This is done by defining the property http.nonProxyHosts in the

Otherwise the plugin won't be able to send the token request to the IdP.


  1. Install the plugin from SonarQube marketplace via "Administration > Marketplace". Or download the plugin jar from GitHub Releases and put it into the SONARQUBE_HOME/extensions/plugins/ directory
  2. Restart the SonarQube server


  • In OpenID Connect identity provider:

    • Create a client with access type 'public' or 'confidential' (in the latter case the corresponding client secret must be set in the plugin configuration) and white-list the redirect URI for the SonarQube server https://<sonarqube base>/oauth2/callback/oidc Keycloak Client Configuration

      Some IdP's (e.g. Keycloak) are supporting wildcards in the redirect URI white-list. Otherwise the absolute redirect URI must be white-listed.

    • For synchronizing SonarQube groups create a mapper which adds group names to a custom userinfo claim in the ID token (the claim's name is used in the plugin configuration later on) Keycloak Mapper Configuration

    • Retrieve the provider's endpoint configuration as JSON text via the providers /.well-known/openid-configuration URL (needed for plugin configuration) Keycloak Client Configuration

  • In SonarQube administration (General-> Security -> OpenID Connect):

    • Configure the plugin for the OpenID Connect client (a client secret is only required for clients with access type 'confidential') SonarQube Plugin Configuration

    • For synchronizing groups the name of the custom userinfo claim must be the same as defined in the identity provider's mapper

Tested with

  • SonarQube 7.9.1
  • Keycloak 4.8.1.Final
  • JetBrains Hub 2017.4
  • Okta 2018.25
You can’t perform that action at this time.