Authenticate Gerrit server to Azure SSO


Guy Levkowitz
Dec 15, 2025, 4:44:16 AM
to Repo and Gerrit Discussion
Hey,

Today we are using LDAP authentication on our Gerrit server 3.12.2:
[auth]
        type = LDAP
        gitBasicAuthPolicy = HTTP_LDAP

How can we use Azure SSO? Can you use the
plugins/oauth?

Any documentation about it?

Please share.


Alon Bar-Lev
Dec 15, 2025, 4:53:22 AM
to Guy Levkowitz, Repo and Gerrit Discussion
Hi,

I use OAuth, as SAML has no advantage in this case: no SCIM and no groups.

Create an App registration: Gerrit.
Choose the web authentication method and input https://fq-host/oauth as the URL.

Generate a secret.

Install the gerrit-oauth-provider plugin in Gerrit.

gerrit.config
---
[auth]
type = OAUTH
gitBasicAuthPolicy = HTTP 
[plugin "gerrit-oauth-provider-azure-oauth"]
tenant = @uuid-of-your-tenant@
---

secure.config
---
[plugin "gerrit-oauth-provider-azure-oauth"]
client-id = @client-id@
client-secret = @secret@
---

Regards,
Alon

Guy Levkowitz
Dec 15, 2025, 9:48:33 AM
to Repo and Gerrit Discussion
Thanks for your answer.



On Monday, December 15, 2025 at 11:53:22 UTC+2, Alon Bar-Lev wrote:

Guy Levkowitz
Dec 22, 2025, 7:53:15 AM
to Repo and Gerrit Discussion
Hey Alon Bar-Lev,

Is this the only thing you have configured?
gerrit.config
[auth]
type = OAUTH
gitBasicAuthPolicy = HTTP

[plugin "gerrit-oauth-provider-azure-oauth"]
tenant = uuid-of-your-tenant

In the file
secure.config
[plugin "gerrit-oauth-provider-azure-oauth"]
client-id = client-id
client-secret = secret


What are those "@"?

I have tried to configure it and got "Forbidden".
On Monday, December 15, 2025 at 16:48:33 UTC+2, Guy Levkowitz wrote:

Alon Bar-Lev
Dec 22, 2025, 7:58:32 AM
to Guy Levkowitz, Repo and Gerrit Discussion
On Mon, 22 Dec 2025 at 14:53, Guy Levkowitz <sil...@gmail.com> wrote:
> Hey Alon Bar-Lev,
>
> Is this the only thing you have configured?
> gerrit.config
> [auth]
> type = OAUTH
> gitBasicAuthPolicy = HTTP
>
> [plugin "gerrit-oauth-provider-azure-oauth"]
> tenant = uuid-of-your-tenant
>
> In the file
> secure.config
> [plugin "gerrit-oauth-provider-azure-oauth"]
> client-id = client-id
> client-secret = secret
>
> What are those "@"?


The @xxx@ is a convention for string replacement.

> I have tried to configure it and got "Forbidden".

Forbidden of what exactly?
 

Guy Levkowitz
Dec 22, 2025, 10:48:00 AM
to Repo and Gerrit Discussion

When I press the sign in, it redirects me to and I get the attached error.




On Monday, December 22, 2025 at 14:58:32 UTC+2, Alon Bar-Lev wrote:
Attachment: forbidden_perkins_stg.checkpoint.com_8443_oauth.jpg

Alon Bar-Lev
Dec 22, 2025, 11:01:54 AM
to Guy Levkowitz, Repo and Gerrit Discussion
On Mon, 22 Dec 2025 at 17:48, Guy Levkowitz <sil...@gmail.com> wrote:
> When I press the sign in, it redirects me to and I get the attached error.

The screenshot is not helping. Do you have a valid code? For example:
/oauth?code=1.AYEAxx4G2oljh0m-a1HEU...&session_state=0099afd9-b32d-ff82-0cee-25cb48dbc9a3

What is your Gerrit URL, i.e. host, port and prefix?
Do you have a web proxy such as Apache between the world and Gerrit?
Which component reports the Forbidden? Examine the headers.
Looking at the hostname, I am sure you have resources at your disposal to assist in problem determination.
Please avoid downloading plugins manually; use the Plugins->Manage interface of Gerrit.
 

Guy Levkowitz
Dec 22, 2025, 11:29:05 AM
to Repo and Gerrit Discussion
This is the code:
oauth?code=1.ASAAiVIqYaiJwkWkDfNvrbbTfFQ1pT055jVAkVOy33J9EufkABogAA.AgABBAIAAABlMNzVhAPUTrARzfQjWPtKAwDs_wUA9P9Fdm9TdHNBcnRpZmFjdHMCAAAAAABDXy2yxsW4sDYPwM6boEtSGMo1W28CgjIWnPCrvPILsmLEEKUWZkU4q2iSDTiuywKRe6Pinj6SHRINA3TehkSncDPbbt4-FoyCH8GHG8oNvLnG6l4d20jQuC7pUidhgkONYl156IoS2dKEvn9C9xsR29UOrg9Qx9G-pK6Iown_TQZvFCbYk2HdYtwLgDfE3oPNLZC3z9lRltO_XTtoCg3l54GXeYElsv8FFCLmtnM-_Q5ruggtldvfcOkpVsBPeParDf7Khzptrhr6-ue2nylKzVVnGCSP592fMc6KrANl9-FuArGai24U_kKW_8PL1muOj9uLO-eQOlKdjZRLsICjj24UrTenOREPf0LKxfprnzejl99kRtTjE89d4z7y9Z88nLCvH79fkdv6VlU5r-4zIEAP3qYxBxwYHoCBeDXPIi77tyfOPpGam9tDC__G7lKwnmattJg2RWLEqKnGn6njoZNtLBsM-Wyww5h6nMMggjX6BVhITO-tWdmyARvgPfZCSNmEJiZnnjHdr3PZvrCcaTymXLFXIA9otgYXpqowV9l25d17QR-Eiqy5Fu37E-0HojGCh9Dqy-l4oyGbSta2WCH_MzE0sOubn7TNSU5FFCDHb0_KUuZXEFWmAAasoNFUhiwSpSR3fneda8NjG5MDRqHLmmlvu84Nq6T6zTbbAt7So_YKN47i49GtUps2tdmJbLmKWakcu8rTsyv3PfosnKbyci2GZV47DkDK0x6P5LACaD7fKS5G3dadNkSELjLHgphFsMz886PIvXq_hJchf7Oj5b2Ph5ldvrIJzHS45MtcJ7mBWg4xAo2U8-B_RldtLu4wn63Wgd0SjkL0ntdvOwkcAzLfQSsnT8bFi29y-Yg6rjljf-791S3EXtIjIkZLujwnL6djmZpsQfdkl8Ywim4c5SfUTk5gPzq2ImKZBx6xaI9z68YXQI-M7gwLsXfRj2ShUY9pxdMc1TeFGfxO0urPJ7xzC6AzwLdA2hOcVyRRZf66tnuQzf-NcA&state=yO8sR9BiVQwEgxeENuvy7YH3zcufpEeTWcnvZXTWYXY%3d&session_state=009b0f69-280e-5325-fa3c-fc19b82eda55#

Our Gerrit URL is:

> Do you have a web proxy such as Apache between the world and Gerrit?
No, we don't have any proxy.

On Monday, December 22, 2025 at 18:01:54 UTC+2, Alon Bar-Lev wrote:
Attachment: forbidden_perkins_stg.checkpoint.com_8443_oauth-console.jpg

Alon Bar-Lev
Dec 22, 2025, 11:33:13 AM
to Guy Levkowitz, Repo and Gerrit Discussion
On Mon, 22 Dec 2025 at 18:29, Guy Levkowitz <sil...@gmail.com> wrote:
> This is the code:
>
> Our Gerrit URL is:
>
> > Do you have a web proxy such as Apache between the world and Gerrit?
> No, we don't have any proxy.

And what do you get in the Gerrit log?
 

Guy Levkowitz
Dec 22, 2025, 11:36:46 AM
to Repo and Gerrit Discussion
On Monday, December 22, 2025 at 18:33:13 UTC+2, Alon Bar-Lev wrote:
Attachments: gerrit.config1.jpg, gerrit.config.jpg, security.config.jpg

Guy Levkowitz
Dec 22, 2025, 11:38:35 AM
to Repo and Gerrit Discussion
Also, the error log gives:
[2025-12-22T18:26:12.749+02:00] [HTTP GET /oauth?code=1.ASAAiVIqYaiJwkWkDfNvrbbTfFQ1pT055jVAkVOy33J9EufkABogAA.AgABBAIAAABlMNzVhAPUTrARzfQjWPtKAwDs_wUA9P (N/A from 172.20.209.26)] WARN  com.google.gerrit.server.account.AccountManager : Email guylevk@companycom is already assigned to account 1000044; cannot create external ID azure-oauth:8a048f54-a0cc-4537-bb5b-3f540a2dbd72 with the same email for account 1000143. [CONTEXT TRACE_ID="1766420772217-7eb2e9ba" ]
[2025-12-22T18:26:12.749+02:00] [HTTP GET /oauth?code=1.ASAAiVIqYaiJwkWkDfNvrbbTfFQ1pT055jVAkVOy33J9EufkABogAA.AgABBAIAAABlMNzVhAPUTrARzfQjWPtKAwDs_wUA9P (N/A from 172.20.209.26)] ERROR com.google.gerrit.httpd.auth.oauth.OAuthSession : Unable to authenticate user "com.google.gerrit.extensions.auth.oauth.OAuthUserInfo@17337b10" [CONTEXT TRACE_ID="1766420772217-7eb2e9ba" ]
com.google.gerrit.server.account.AccountException: Email 'guy...@company.com' in use by another account
Attachment: error_log_user_already_exist.jpg

On Monday, December 22, 2025 at 18:36:46 UTC+2, Guy Levkowitz wrote:

Alon Bar-Lev
Dec 22, 2025, 11:42:31 AM
to Guy Levkowitz, Repo and Gerrit Discussion
On Mon, 22 Dec 2025 at 18:38, Guy Levkowitz <sil...@gmail.com> wrote:
> Also, the error log gives:
> [2025-12-22T18:26:12.749+02:00] [HTTP GET /oauth?code=1.ASAAiVIqYaiJwkWkDfNvrbbTfFQ1pT055jVAkVOy33J9EufkABogAA.AgABBAIAAABlMNzVhAPUTrARzfQjWPtKAwDs_wUA9P (N/A from 172.20.209.26)] WARN  com.google.gerrit.server.account.AccountManager : Email guylevk@companycom is already assigned to account 1000044; cannot create external ID azure-oauth:8a048f54-a0cc-4537-bb5b-3f540a2dbd72 with the same email for account 1000143. [CONTEXT TRACE_ID="1766420772217-7eb2e9ba" ]
> [2025-12-22T18:26:12.749+02:00] [HTTP GET /oauth?code=1.ASAAiVIqYaiJwkWkDfNvrbbTfFQ1pT055jVAkVOy33J9EufkABogAA.AgABBAIAAABlMNzVhAPUTrARzfQjWPtKAwDs_wUA9P (N/A from 172.20.209.26)] ERROR com.google.gerrit.httpd.auth.oauth.OAuthSession : Unable to authenticate user "com.google.gerrit.extensions.auth.oauth.OAuthUserInfo@17337b10" [CONTEXT TRACE_ID="1766420772217-7eb2e9ba" ]
> com.google.gerrit.server.account.AccountException: Email 'guy...@company.com' in use by another account
> Attachment: error_log_user_already_exist.jpg

Please use another user to sign in; then, after this works, remove your account so that it can be created properly.
If this is a new instance of Gerrit, it is usually easier to do a fresh installation with no users, perform the settings, and then the first login will be given admin rights.
 

Guy Levkowitz
Dec 22, 2025, 11:49:01 AM
to Repo and Gerrit Discussion
But this is our staging server (same as our production); all users have logged in till now via LDAP authentication.
So I can't remove all users, and also how can I remove my user?


On Monday, December 22, 2025 at 18:42:31 UTC+2, Alon Bar-Lev wrote:

Alon Bar-Lev
Dec 22, 2025, 12:02:43 PM
to Guy Levkowitz, Repo and Gerrit Discussion
On Mon, 22 Dec 2025 at 18:49, Guy Levkowitz <sil...@gmail.com> wrote:
> But this is our staging server (same as our production); all users have logged in till now via LDAP authentication.
> So I can't remove all users, and also how can I remove my user?

I suggest first testing this on a fresh server to make sure everything is working as expected.

This will also allow you to test the migration process without breaking anything important.

The procedure is dangerous, I won't assist in this... as it requires local attention, use the below at your own risk.

Basically it is:

cd /tmp
git init xxx
cd xxx
git fetch /var/lib/gerrit/git/All-Users.git/ refs/meta/external-ids
git checkout FETCH_HEAD

For each account, based on its identity, the following should be created:

[externalId "azure-oauth:c12e6209-b368-43e2-e4422-ebd57745c62c"]
        accountId = 1000000
        email = alon....@gmail.com

The name of the file should be the output of:
echo -n  azure-oauth:c12e6209-b368-43e2-e4422-ebd57745c62c | sha1sum

Once created, you should remove the LDAP external ID for the user; look for the accountId in the other files.

Once finished, add the new files and commit, then push back to Gerrit.

git push /var/lib/gerrit/git/All-Users.git/ HEAD:refs/meta/external-ids

Regards,
Alon
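As an added example (not Alon's script and not Gerrit's own code), a small Python helper that models the procedure above: it derives the note file name the way `sha1sum` does, renders the externalId entry, refuses the email collision seen in the log earlier in the thread, and lists the LDAP-issued IDs of the account that should be retired. It assumes LDAP-issued IDs use the `gerrit:` scheme and works on constructed sample notes rather than a real All-Users checkout.

```python
import hashlib
import re

# Constructed sample of refs/meta/external-ids note files (file name -> content).
# File names here are placeholders; real ones are the sha1 of the externalId string.
SAMPLE_NOTES = {
    "1111111111111111111111111111111111111111": (
        '[externalId "gerrit:alon"]\n\taccountId = 1000000\n\temail = alon@example.com\n'),
    "2222222222222222222222222222222222222222": (
        '[externalId "username:alon"]\n\taccountId = 1000000\n'),
    "3333333333333333333333333333333333333333": (
        '[externalId "gerrit:guy"]\n\taccountId = 1000044\n\temail = guy@example.com\n'),
}
LDAP_SCHEME = "gerrit"  # assumption: the scheme Gerrit uses for LDAP-issued IDs


def note_file_name(external_id: str) -> str:
    """Same digest as `echo -n <external-id> | sha1sum` (no trailing newline hashed)."""
    return hashlib.sha1(external_id.encode("utf-8")).hexdigest()


def parse_note(text: str) -> dict:
    """Parse one git-config style externalId note into its fields."""
    ext_id = re.search(r'\[externalId "([^"]+)"\]', text).group(1)
    account = int(re.search(r"accountId\s*=\s*(\d+)", text).group(1))
    email = re.search(r"email\s*=\s*(\S+)", text)
    return {"externalId": ext_id, "accountId": account,
            "email": email.group(1) if email else None}


def render_note(external_id: str, account_id: int, email: str) -> str:
    """Render the note exactly in the layout shown above (tab-indented keys)."""
    return f'[externalId "{external_id}"]\n\taccountId = {account_id}\n\temail = {email}\n'


def plan_migration(notes: dict, account_id: int, azure_id: str, email: str) -> dict:
    """Return files to create and LDAP note files to remove; refuse email collisions."""
    parsed = {name: parse_note(text) for name, text in notes.items()}
    # This is the case Gerrit logs as "Email ... is already assigned to account N".
    for name, rec in parsed.items():
        if rec["email"] == email and rec["accountId"] != account_id:
            raise ValueError(f"{email} already bound to account {rec['accountId']} in {name}")
    new_name = note_file_name(azure_id)
    if new_name in notes:
        raise ValueError(f"external ID {azure_id} already exists as {new_name}")
    remove = sorted(n for n, r in parsed.items()
                    if r["accountId"] == account_id
                    and r["externalId"].startswith(LDAP_SCHEME + ":"))
    return {"create": {new_name: render_note(azure_id, account_id, email)}, "remove": remove}
```

The `username:` note is deliberately left alone, since only the LDAP-scheme ID is what the procedure says to remove.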

Guy Levkowitz
Dec 23, 2025, 4:28:06 AM
to Repo and Gerrit Discussion
Alon,

FYI: I asked one of our developers who has never logged in to our staging server to try, and he was able to log in. This means that, as you wrote, we need to delete all users that are defined.
The question is: will they see all their history after they re-login (meaning after I delete their account in All-Users.git)?

Also, in his repo list he saw just one repo, All-Users.git; all the other repos that are defined he can't see in the web UI. Strange. Any idea why?

The new account was created, as I see when I refetch and git checkout FETCH_HEAD:
[externalId "azure-oauth:47c90e98-af2b-4ab3-a595-3881afbac55b"]
        accountId = 1000144
        email = my-email


On Monday, December 22, 2025 at 19:02:43 UTC+2, Alon Bar-Lev wrote: