# Default authentication through DevOps platform

With the DevOps platform service authentication:

* Just-in-Time user provisioning is used. When a user signs up with SonarQube Cloud for the first time through their DevOps platform (DOP), their DOP user account is automatically created in SonarQube Cloud.
* The automatic member synchronization is supported with GitHub. See [GitHub member synchronization](/sonarqube-cloud/administering-sonarcloud/about-sonarqube-cloud-solution/user-management/github-member-synchronization.md) for more information.

## Authentication flow

Users log directly into SonarQube Cloud with their DevOps platform (DOP) credentials which are transmitted to an Auth0 server for authentication. Auth0 bridges SonarQube Cloud and the DOP service.

The authentication flow is as follows:

1. The user enters their login for their DOP via SonarQube Cloud.
2. SonarQube Cloud redirects the authentication request to Auth0.
3. Auth0 forwards the request to the DOP service.
4. The DOP authenticates the user and sends the authentication response to Auth0.
5. Auth0 forwards the authentication response to SonarQube Cloud.
6. SonarQube Cloud performs extra-authentication checks. If successful, the user is authenticated in SonarQube Cloud.

<figure><img src="/spaces/KXW79zfYFiA8incTvwZK/files/2yE41TFwZ7QAaWqbvd0C" alt="Users log directly into SonarQube Cloud with their DevOps platform (DOP) credentials which are transmitted to an Auth0 server for authentication. Auth0 bridges SonarQube Cloud and the DOP service."><figcaption></figcaption></figure>

{% hint style="info" %}
Auth0 may connect to the DOP service from one of the IP addresses listed [here](https://auth0.com/docs/secure/security-guidance/data-security/allowlist).
{% endhint %}

## User login format <a href="#user-login-format" id="user-login-format"></a>

When creating a new user login, SonarQube Cloud systematically adds a random suffix to the login name to manage user misidentification risk.

{% hint style="info" %}
When setting up API-based automations related to users, don’t use the `login` field to retrieve a user. Use the `email` field instead.
{% endhint %}

## Azure DevOps service authentication <a href="#azure-devops-service-authentication" id="azure-devops-service-authentication"></a>

The following applies for Azure DevOps service authentication in SonarQube Cloud:

* ID tokens are used.
* Both personal and organizations accounts are supported (the multi-tenant endpoint is used).
* The following scopes are required: `User.Read`, `openid`, `profile`, and `email`.

## Related page <a href="#related-pages" id="related-pages"></a>

[User onboarding and offboarding](/sonarqube-cloud/administering-sonarcloud/managing-organization/users-and-permissions/user-on-and-offboarding.md)\
[GitHub member synchronization](/sonarqube-cloud/administering-sonarcloud/about-sonarqube-cloud-solution/user-management/github-member-synchronization.md)\
[SSO and provisioning](/sonarqube-cloud/administering-sonarcloud/enterprise-security/sso-and-provisioning.md)


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.sonarsource.com/sonarqube-cloud/administering-sonarcloud/about-sonarqube-cloud-solution/user-management/devops-platform-authentication.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.