Google Account OpenId is no longer available to Gerrit Code Review

[Shawn Pearce]

Per https://developers.google.com/+/api/auth-migration#timetable new Gerrit Code Review servers are no longer able to sign in using Google Accounts.

Existing servers will continue to work through April 20, 2015, after which login support will also cease.

I just talked with the team that runs this service. Gerrit has to either rewrite our support specific to Google's new login API, or rip the Google Account login feature out. Either way existing server admins have less than 1 year to get their system upgraded.

Given how difficult OpenID has been in the past, and how complicated the new API is, I am inclined to rip out OpenID support from 2.10.

[Shawn Pearce]

https://gerrit-review.googlesource.com/57450 drops Google Account single click support from the web UI.

https://gerrit-review.googlesource.com/57451 changes the init default to recommend LDAP instead of OpenID.

[Khai Do]

instead of removing, would it be possible to move this functionality into a plugin?  Maybe there are others that may want to maintain as a plugin? 

[Shawn Pearce]

It won't work ever again. What value is a plugin?

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[lucamilanesio]

Why don't we include OAuth 2.0 as official Gerrit authentication mechanism ?

At the moment the only available AFAIK is the GitHub OAuth support in the GitHub plugin:

https://gerrit.googlesource.com/plugins/github/+/refs/heads/master/github-oauth/

Luca.

[Brad Larson]

On Saturday, May 24, 2014 11:07:51 AM UTC-5, lucamilanesio wrote:

Why don't we include OAuth 2.0 as official Gerrit authentication mechanism ?

My understanding from Shawn's link is that OAuth 2.0 isn't supported by Google either (long-term).  Only Google+ logins are supported.

[Luca Milanesio]

True :-O

Quite surprised about that ... but I imagine the pain to support different authentication protocols !

Lots of other systems however support OAuth 2.0, shall we promote it to the Gerrit core ?

Luca

Sent from my iPhone

--

[Shawn Pearce]

On Tue, May 27, 2014 at 11:24 PM, Luca Milanesio <luca.mi...@gmail.com> wrote:

Quite surprised about that ... but I imagine the pain to support different authentication protocols !

Lots of other systems however support OAuth 2.0, shall we promote it to the Gerrit core ?

Yes, maybe. The GitHub auth stuff may be interesting to get into Gerrit core. Everyone's got a GitHub account.

[Shawn Pearce]

Really, we should just get the plugin auth stuff working. But its a lot of work.

It may be quicker to get GitHub auth into core as auth.type = GITHUB and then work on better auth plugin support the rest of the year.

[Luca Milanesio]

The auth.type = GITHUB is going to be really trivial, as it is just HTTP authentication at the end of the day :-)

Will submit a patch for it.

Luca.

[Thomas Broyer]

On Wednesday, May 28, 2014 3:17:04 AM UTC+2, Brad Larson wrote:

On Saturday, May 24, 2014 11:07:51 AM UTC-5, lucamilanesio wrote:

Why don't we include OAuth 2.0 as official Gerrit authentication mechanism ?

My understanding from Shawn's link is that OAuth 2.0 isn't supported by Google either (long-term).  Only Google+ logins are supported.

OpenID Connect (which is itself based on OAuth 2.0) is just out the door (spec published in late February), and Google+ Sign-in is built on top of OpenID Connect.

I doubt they'll remove support for OpenID Connect any time soon.

https://developers.google.com/+/api/auth-migration#changes says “Google+ Sign-In can be configured to be OpenID Connect compliant, and we will continue to support OpenID Connect at the protocol level.”

Doc's at https://developers.google.com/accounts/docs/OAuth2Login

I'm more worried by the other thing Shawn said: “Given how difficult OpenID has been in the past”.

As an implementer of an OpenID Connect server, I can assure you that it's not a complicated API. From the little I know about OpenID 1.0 and OpenID 2.0, OpenID Connect is actually much simpler.

 

[Luca Milanesio]

On 28 May 2014, at 10:03, Thomas Broyer <t.br...@gmail.com> wrote:

On Wednesday, May 28, 2014 3:17:04 AM UTC+2, Brad Larson wrote:

On Saturday, May 24, 2014 11:07:51 AM UTC-5, lucamilanesio wrote:

Why don't we include OAuth 2.0 as official Gerrit authentication mechanism ?

My understanding from Shawn's link is that OAuth 2.0 isn't supported by Google either (long-term).  Only Google+ logins are supported.

OpenID Connect (which is itself based on OAuth 2.0) is just out the door (spec published in late February), and Google+ Sign-in is built on top of OpenID Connect.

I doubt they'll remove support for OpenID Connect any time soon.

Good point :-) and OpenID Connect is OAuth 2.0 anyway :-)

https://developers.google.com/accounts/docs/OAuth2Login

Luca.

[lucamilanesio]

I've uploaded a GitHub OAuth 2.0 authentication provider for Gerrit at:

https://gerrit-review.googlesource.com/#/c/57570/

In order to test it you need to select HTTP_GITHUB as login mechanism during Gerrit init and then add the following section to your gerrit.config:

[github]

        url = https://github.com

        clientId = yourGitHubClientId

        clientSecret = yourGitHubOAuthSecretFromGitHubWebUI

Feedback is more than welcome :-)

Luca.

[Monty Taylor]

Hey! Just wanted to register real quick that removing OpenID from Gerrit would be problematic for us over in OpenStack land at the moment. Our current SSO system (Launchpad) only supports OpenID. We do have plans in work to move off of Launchpad, but that's kind of a big transition to plan and it's not a thing we can do overnight.

[Luca Milanesio]

Ideally all authentication backed should be turned into plugins so that you can choose the one you need without having to support them in Gerrit core.

Dariusz has been working on the auth blackend for over a year, eventually the auth plugins support will be merged :-)

OpenID will then be just one of the auth backends available for Gerrit.

Luca

Sent from my iPhone

--

[Monty Taylor]

That would be great! I totally understand not wanting to keep in piles of core things.

You received this message because you are subscribed to a topic in the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/repo-discuss/Hjn-6BV3KBU/unsubscribe.
To unsubscribe from this group and all its topics, send an email to repo-discuss...@googlegroups.com.

[Matthew Webber]

On Thursday, 29 May 2014 02:19:46 UTC+1, lucamilanesio wrote:

I've uploaded a GitHub OAuth 2.0 authentication provider for Gerrit at: https://gerrit-review.googlesource.com/#/c/57570/

I just started installing a fresh Gerrit, with the intention if using Google OpenID, till I hit the problem discussed in this thread. Using GitHub for authentication would be a great solution.

Do you know when your authentication provider will be available (I see that the reviews have completed)? I guess that since it's not a plugin, I will either need to wait for a Gerrit release that includes it, or else build Gerrit  myself off the bleeding edge (which I'm) not keen to do).

How does your GitHub OAuth 2.0 authentication provider relate to the "github" plugin? The latter seems to provide GitHub-based authentication also (as well as other GitHub goodies), though it would not build when I tried it the other day.

Thanks

Matthew

[Joshua J. Kugler]

[Sent this just to Shawn, sorry about that.]

We maintain an OpenID server for our users internally. We would like to keep
using that. A plugin would allow us to do that, instead of having to migrate
all the accounts.

j

On Friday, May 23, 2014 13:05:40 'Shawn Pearce' via Repo and Gerrit Discussion
wrote:

--
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
jos...@azariah.com - Jabber: peda...@gmail.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A

[Matthew Webber]

Has anyone taken a look to see if there are any existing projects we can use to handle authentication for Gerrit?

I just came across pac4j

https://github.com/leleuj/pac4j

http://www.pac4j.org/

http://www.pac4j.org/authenticatewithfacebooktwittergooglein5minutes.html

I have not used it, but it promises(!) to handle the authentication for you for most of the common protocols. The project originator works on CAS authentication (http://jasig.github.io/cas/4.0.0/index.html) and wrote it for that, so I presume he knows what he is doing(!).

Anyhow, worth a look if you haven't come across it before.

There would still be a fair bit of work to integrate this into Gerrit of course.

Matthew

[Luca Milanesio]

Hi Matthew,

thanks for sharing ... I think it would make sense once the Gerrit auth backend would be 100% externalisable (through plugins) ... but not now :-(

It would add too much refactoring work and complexity to force Pac4J into Gerrit.

Luca.

[saj...@vocaliq.com]

Hi Shawn,
 So what is the outcome of discussion as  LDAP is no go, HTTP is fiddly and not great for open source I guess. Are we going to have github auth in Gerrit?

[Luca Milanesio]

Hi Sajjad,

with regards to GitHub auth, there is a plugin available [1] and presented at the last Gerrit User Summit 2014 [2], a book chapter dedicated to it [3] and a patch for Gerrit-2.11 under review [4].

Is that enough? :-)

The only question is: when is [4] going to be merged? What's missing? Is that good enough?

Luca.

[1] https://gerrit-review.googlesource.com/#/admin/projects/plugins/github 

[2] http://www.slideshare.net/lucamilanesio/gerrit-codereviewgit-hubplugin

[3] https://www.packtpub.com/books/content/using-gerrit-github

[4] https://gerrit-review.googlesource.com/#/c/57570/37

[saj...@vocaliq.com]

HI Luca,
  I see already patch 37 being discussed:) Everyone has gitHub account I guess make sense get it released if possible in Gerrit-2.11.
Cheers,
Sajjad

[Luca Milanesio]

LOL ... discussed = 37 patch-sets :o) ... that almost a fight ;-)

[lucamilanesio]

Jokes apart ... we do need a decision on how to proceed on that change :-)

Do we like the approach? If the answer is NO we should go back on a black canvas and design something different, possibly completely different.

My typical approach is:

1) make it simple and work 

2) use it

3) works=yes => go to 4);  start again from 1)

4) make it better => go to 2)

Obviously all points are subject to review :-)

Luca.

To unsubscribe, email repo-discuss+unsubscribe@googlegroups.com

More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.

To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.

[David Ostrovsky]

Am Donnerstag, 15. Januar 2015 11:22:28 UTC+1 schrieb lucamilanesio:

Jokes apart ... we do need a decision on how to proceed on that change :-)

I sought we've discussed this already in another thread?

 

Do we like the approach? If the answer is NO we should go back on a black canvas and design something different, possibly completely different.

To be merged in Gerrit core, we need generic OAuth2/OpenID Connect authentication provider,

not hard coded to one specific provider (even a popular one).

If someone needs Gerrit with GH OAuth2 provider only, plugin can be used.

Generic OAuth2/OpenID Connect implementation would allow one single site to support

multiple OAuth2/OpenID Connect providers, and let users select which one to use (similar

to current OpenID provider selection dialog).  Gerrit core cannot and shouldn't force users

to use only one specific provider. Even though this option can be useful, see OpenStack's

Launchpad SSO solution Monty mentioned in this thread.

[Luca Milanesio]

Thread URL? ... so that I can follow-up on that one ;-)

Luca.

[David Ostrovsky]

Am Donnerstag, 15. Januar 2015 11:57:59 UTC+1 schrieb lucamilanesio:

Thread URL? ...

https://groups.google.com/d/topic/repo-discuss/nrtxry9SNLg/discussion

 

so that I can follow-up on that one ;-)

Let me quote you in this thread: "Agreed ..." ;-) 

[Luca Milanesio]

... oh man I'm getting older ;-)

[Rangaraj R]

Hi David, Luca,

We were using Google Open ID to authenticate with Gerrit. As Google OpenID will not be available from 20th April 2015, we planned to use GitHub Plugin for OAuth2 Authentication. If we need to use GitHub authentication, do we need to create account for all the users or we can use our existing Google accounts via GitHub Authentication. Please let me know the options available and steps/links if any.

Thanks,

Rangaraj 

[David Ostrovsky]

Am Dienstag, 3. März 2015 06:04:17 UTC+1 schrieb Rangaraj R:

Hi David, Luca,

We were using Google Open ID to authenticate with Gerrit. As Google OpenID will not be available from 20th April 2015, we planned to use GitHub Plugin for OAuth2 Authentication. If we need to use GitHub authentication, do we need to create account for all the users or we can use our existing Google accounts via GitHub Authentication. Please let me know the options available and steps/links if any.

You have four native Gerrit options

(not to mention any HTTP auth hacks, with some magic in your reverse proxy thing):

* Migrate to LDAP authentication scheme

  ** Advantage: no messing around with OpenID (and friends) any more

  ** Disadvantage: migration overhead

* Switch to other OpenID provider

  Force your users to link to other OpenID identity. The instructions how to link mulple

  OpenID identities to the same Gerrit account are provided here [1]. Also note, that

  after the needed changes were cherry-picked, 2.10.1 is going to be available in near

  future that dropped deprecated OpenID provider from the login form and replaced it

  with Launchpad/UbuntuOne.

  ** Advantage: no intervention from admin side is needed

  ** Disadvantage: all users have to move to other OpenID provider(s)

* Use Gerrit GitHub plugin

  ** Advantage: Supported upstream

  ** Disadvantage: all users have to sign in to GitHub. New created GitHub account

  must be manually linked to the existing Gerrit account.

* Use experimental OAuth authentication scheme [2] with Google OAuth plugin [3].

  See the explanation how it works [4] and how to set it up: [5]

  ** Advantage: Users can use their Google accounts

  ** Disadvantage: Gerrit must be patched. Manually linking OAuth Google identity to

  existing Gerrit accounts is needed (linking of multiple identities is not yet implemented)

[1] https://gerrit-review.googlesource.com/Documentation/config-sso.html#_multiple_identities

[2] https://gerrit-review.googlesource.com/65101

[3] https://github.com/davido/gerrit-oauth-provider

[4] https://groups.google.com/d/topic/repo-discuss/K2U6WcWSCaE/discussion

[5] https://code.google.com/p/gerrit/issues/detail?id=2677#c40

[Rangaraj R]

Hi David,

Thanks for the options

I am planning to try Google OAuth Plugin. 

I tried to download and build the Gerrit OAuth provider, but with the files I am not sure which build method to use or how to build. 

Please share the details patching Gerrit and building Google OAuth Plugin

Thanks,

Rangaraj

[David Ostrovsky]

Am Mittwoch, 4. März 2015 10:49:42 UTC+1 schrieb Rangaraj R:

Hi David,

Thanks for the options

I am planning to try Google OAuth Plugin. 

I tried to download and build the Gerrit OAuth provider, but with the files I am not sure which build method to use or how to build. 

Please share the details patching Gerrit

I cherry-picked OAuth extension point change to stable-2.10: [1].

 

and building Google OAuth Plugin

Three different plugin build modes are currently supported:

* Maven build: pom.xml must be there

* Sandalone build: .buckconfig must be there

* In-Gerrit tree build: only BUCK file is needed

Given that firt two files mentioned above are missing, only third method

is currently supported. You can follow instructions provided for cookbook-plugin

(starting from "Build in Gerrit tree" section) how to build plugin In-Gerrit tree

mode: [2]. Replace "cookbook-plugin" with "gerrit-oauth-provider".

[1] https://gerrit-review.googlesource.com/65700

[2] https://gerrit.googlesource.com/plugins/cookbook-plugin/+/master/src/main/resources/Documentation/build.md

[Luca Milanesio]

Should I create ad-hoc build projects on ci.gerritforge.com?

Luca.

[David Ostrovsky]

Am Donnerstag, 5. März 2015 10:55:57 UTC+1 schrieb lucamilanesio:

Should I create ad-hoc build projects on ci.gerritforge.com?

This would be very helpful, indeed. Can we bundle the plugin as well?

Thanks Luca!

[Rangaraj R]

David,

I cherry picked 65700 changeset and try to build gerrit-oauth-provider plugin, it throws below error

Traceback (most recent call last):

  File "<dir>/gerrit/.buckd/tmp/buck_run.6SGER4L4Lj/buck128045575087475671.py", line 1145, in <module>

    main()

  File "<dir>/gerrit/.buckd/tmp/buck_run.6SGER4L4Lj/buck128045575087475671.py", line 565, in main

    buildFileProcessor.process(build_file.rstrip())

  File "<dir>/gerrit/.buckd/tmp/buck_run.6SGER4L4Lj/buck128045575087475671.py", line 464, in process

    build_env['BUILD_FILE_SYMBOL_TABLE'])

  File "<dir>/gerrit/./plugins/gerrit-oauth-provider/BUCK", line 26, in <module>

    local_license = True,

TypeError: maven_jar() got an unexpected keyword argument 'local_license'

BUILD FAILED: Parse error for BUCK file ./plugins/gerrit-oauth-provider/BUCK: End of input at line 1 column 1

Help me on this.

Thanks,

Rangaraj

[David Ostrovsky]

Am Montag, 9. März 2015 05:51:58 UTC+1 schrieb Rangaraj R:

David,

I cherry picked 65700 changeset and try to build gerrit-oauth-provider plugin, it throws below error

Traceback (most recent call last):

  File "<dir>/gerrit/.buckd/tmp/buck_run.6SGER4L4Lj/buck128045575087475671.py", line 1145, in <module>

    main()

  File "<dir>/gerrit/.buckd/tmp/buck_run.6SGER4L4Lj/buck128045575087475671.py", line 565, in main

    buildFileProcessor.process(build_file.rstrip())

  File "<dir>/gerrit/.buckd/tmp/buck_run.6SGER4L4Lj/buck128045575087475671.py", line 464, in process

    build_env['BUILD_FILE_SYMBOL_TABLE'])

  File "<dir>/gerrit/./plugins/gerrit-oauth-provider/BUCK", line 26, in <module>

    local_license = True,

TypeError: maven_jar() got an unexpected keyword argument 'local_license'

BUILD FAILED: Parse error for BUCK file ./plugins/gerrit-oauth-provider/BUCK: End of input at line 1 column 1

Indeed, maven_jar() was extended during last Gerrit developer hackathon

but this change missed 2.10 stable branch. Just cherry-pick this change[1]

and it should work.

* [1] https://gerrit-review.googlesource.com/59954

[Rangaraj R]

Hi David, Luca,

I able to start the build with above check-in. But build stuck when it tries to download h2 jar file from Maven repository. 

I tried to download the file manually and upload to location but it fails after 98 % all the time. Same issue is there for all versions h2 jar file download.

With this I am stuck and not able to proceed.

If anyone already built the Patch build and Plugin for Google OAuth, please share the same.

Thanks,

Rangaraj 

[Luca Milanesio]

What’s the URL you’re downloading it from?

Luca.

[Rangaraj R]

http://repo1.maven.org/maven2/com/h2database/h2/1.3.174/h2-1.3.174.jar

[Rangaraj R]

This is the download where build got stuck. and proceeding. I tried manually from URL and from repo http://mvnrepository.com/artifact/com.h2database/h2

[Luca Milanesio]

That’s a very small jar (1.6 MBytes) and I managed to download in less than 1 second … I think you have serious connectivity problems :-O

Luca.

[Rangaraj R]

Hi Luca,

I am able to build the plugin, but it is not working with Gerrit-2.10. I created a package and plugin  using patch code [1].

I initialized Gerrit using new package, copied the plugin to plugin folder and started the gerrit with below config

auth.type =OAUTH

[plugin "gerrit-oauth-provider-google-oauth"]

    client-id = ID

    client-secret = ID

    callback = http://HOST/oauth

 

When I try to sign in with existing user, it shows "forbidden".

David said , we need to link OAuth Google identity manually with the existing accounts. Do we have details of changes needed. 

Also I am not seeing Register Option for new new users.

Please share your suggestions.

1. https://gerrit.googlesource.com/gerrit refs/changes/00/65700/2

Thanks,

Rangaraj

[David Ostrovsky]

Am Freitag, 13. März 2015 11:15:11 UTC+1 schrieb Rangaraj R:

Hi Luca,

I am able to build the plugin, but it is not working with Gerrit-2.10. I created a package and plugin  using patch code [1].

I initialized Gerrit using new package, copied the plugin to plugin folder and started the gerrit with below config

auth.type =OAUTH

[plugin "gerrit-oauth-provider-google-oauth"]

    client-id = ID

    client-secret = ID

    callback = http://HOST/oauth

 

When I try to sign in with existing user, it shows "forbidden".

 

David said , we need to link OAuth Google identity manually with the existing accounts. Do we have details of changes needed. 

Linking of OAuth identities to existing Gerrit accounts should work now. To test:

* pull the latest stable-2.10 branch

* apply these pending changes: [1], [2] and [3]

* pull the latest plugn version

* build Gerrit and the plugin

* add this option to config section (callback option was dropped):

[plugin "gerrit-oauth-provider-google-oauth"] link-to-existing-openid-accounts = true

I've tested the following use case and it works:

* create fresh Gerrit site with OpenID auth scheme

* user registers to the site with Google's OpenID account

* user assigned its username to "jdoe" from the UI

At this point the account_external_ids contains two entries:

 ACCOUNT_ID | EMAIL_ADDRESS             | PASSWORD | EXTERNAL_ID

 -----------+---------------------------+----------+---------------------------------------------------------------------------------

 1000000    | joh...@gmail.com | NULL     | https://www.google.com/accounts/o8/id?id=AlsJASDadg53khsadaASdasdh-IOoks_9sddJ_aSdZ

 1000000    | NULL                      | NULL     | username:jdoe

* Gerrit site migrated to OAuth auth scheme

* gerrit-oauth-provider plugin is deployed with activated link identity feature

* user logged in to the site using Google OAuth 2.0 provider

* user's OpenID identity is retrieved and new OAuth identity is linked to

  the existing Gerrit account

At this point the account_external_ids contains three entries:

 ACCOUNT_ID | EMAIL_ADDRESS             | PASSWORD | EXTERNAL_ID

 -----------+---------------------------+----------+---------------------------------------------------------------------------------

 1000000    | joh...@gmail.com | NULL     | https://www.google.com/accounts/o8/id?id=AlsJASDadg53khsadaASdasdh-IOoks_9sddJ_aSdZ

 1000000    | NULL                      | NULL     | username:jdoe

 1000000    | joh...@gmail.com | NULL     | 1016730112881507946

[1] https://gerrit-review.googlesource.com/66310

[2] https://gerrit-review.googlesource.com/66311

[3] https://gerrit-review.googlesource.com/66312

[Rangaraj R]

Hi David,

I have built gerrit package and plugin with details shared. 

But when I tried to login into gerrit using OAUTH, it says server error.

my gerrit.config

[auth]

        type = OAUTH

[plugin "gerrit-oauth-provider-google-oauth"]

    client-id = clientid

    client-secret = secretid

    callback = http://host:port/oauth

    link-to-existing-openid-accounts = true

I have few doubts on my configuration. 

• 1. When I created Google Client ID with redirectURI as http://hostname:8443/oauth. Is this correct? If it is wrong, please let me know the redirectURL should be for Gerrit.

2.  is Callback url is correct?

Thanks,

Rangaraj.

[David Ostrovsky]

Am Montag, 16. März 2015 17:13:30 UTC+1 schrieb Rangaraj R:

Hi David,

I have built gerrit package and plugin with details shared. 

But when I tried to login into gerrit using OAUTH, it says server error.

Stack trace?

[Rangaraj R]

Hi David,

Please find the logs

[2015-03-16 17:06:31,340 +0530] c4934ccb gerrit - AUTH FAILURE FROM 127.0.0.1 user-not-found

[2015-03-16 17:11:22,813 +0530] e49d30da gerrit - AUTH FAILURE FROM 127.0.0.1 user-not-found

[2015-03-16 17:11:45,447 +0530] 44a75c2e gerrit - AUTH FAILURE FROM 127.0.0.1 user-not-found

Thanks,

Rangaraj

[David Ostrovsky]

Am Montag, 16. März 2015 18:58:36 UTC+1 schrieb Rangaraj R:

Hi David,

Please find the logs

[2015-03-16 17:06:31,340 +0530] c4934ccb gerrit - AUTH FAILURE FROM 127.0.0.1 user-not-found

I believe this log is from SshLog and has nothing to do with OAuth2 problem.

Can you open development console in your browser and see the requests?

[Rangaraj R]

Hi David,

Please find error log attached.

[2015-03-16 23:37:36,819] WARN  org.eclipse.jetty.servlet.ServletHandler : /oauth

java.io.IOException: Status 403 ({

 "error": {

  "errors": [

   {

    "domain": "usageLimits",

    "reason": "accessNotConfigured",

    "message": "Access Not Configured. The API (Google+ API) is not enabled for your project. Please use the Google Developers Console to update your configuration.",

    "extendedHelp": "https://console.developers.google.com"

   }

  ],

  "code": 403,

  "message": "Access Not Configured. The API (Google+ API) is not enabled for your project. Please use the Google Developers Console to update your configuration."

 }

}

) for request https://www.googleapis.com/plus/v1/people/me/openIdConnect

        at com.googlesource.gerrit.plugins.oauth.GoogleOAuthService.getUserInfo(GoogleOAuthService.java:96)

        at com.google.gerrit.httpd.auth.oauth.OAuthSession.login(OAuthSession.java:95)

        at com.google.gerrit.httpd.auth.oauth.OAuthWebFilter.doFilter(OAuthWebFilter.java:119)

        at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:70)

        at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:113)

        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:64)

        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:57)

        at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75)

        at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119)

        at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133)

        at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130)

        at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203)

        at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130)

        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1636)

        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:564)

        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:219)

        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1111)

        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:498)

        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)

        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1045)

        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)

        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:98)

        at org.eclipse.jetty.server.handler.RequestLogHandler.handle(RequestLogHandler.java:92)

        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:98)

        at org.eclipse.jetty.server.Server.handle(Server.java:461)

        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:284)

        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:244)

        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:534)

        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607)

        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536)

        at java.lang.Thread.run(Thread.java:745)

[2015-03-16 23:37:36,827] ERROR com.google.gerrit.pgm.http.jetty.HiddenErrorHandler : Error in GET /oauth?state=lD_8nqdKQ-5W7WNrkpFaozBpUCq0Gde23GAjUgoxBgE&code=4/FsXaPao4GF39M-SZSGqoynjN4pmFDXJKrmOgAQ_-yLQ.Mj02Mz7IZskcEnp6UAPFm0Hq0YlHmAI&authuser=0&num_sessions=1&hd=logitech.com&session_state=b5cdfb82cd8827e2d1d69a3117e8ba309393fb29..b7ac&prompt=none

java.io.IOException: Status 403 ({

 "error": {

  "errors": [

   {

    "domain": "usageLimits",

    "reason": "accessNotConfigured",

    "message": "Access Not Configured. The API (Google+ API) is not enabled for your project. Please use the Google Developers Console to update your configuration.",

    "extendedHelp": "https://console.developers.google.com"

   }

  ],

  "code": 403,

  "message": "Access Not Configured. The API (Google+ API) is not enabled for your project. Please use the Google Developers Console to update your configuration."

 }

}

) for request https://www.googleapis.com/plus/v1/people/me/openIdConnect

        at com.googlesource.gerrit.plugins.oauth.GoogleOAuthService.getUserInfo(GoogleOAuthService.java:96)

        at com.google.gerrit.httpd.auth.oauth.OAuthSession.login(OAuthSession.java:95)

        at com.google.gerrit.httpd.auth.oauth.OAuthWebFilter.doFilter(OAuthWebFilter.java:119)

        at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:70)

        at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:113)

        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:64)

        at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:57)

        at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75)

        at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:119)

        at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:133)

        at com.google.inject.servlet.GuiceFilter$1.call(GuiceFilter.java:130)

        at com.google.inject.servlet.GuiceFilter$Context.call(GuiceFilter.java:203)

        at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:130)

        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1636)

        at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:564)

        at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:219)

        at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1111)

        at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:498)

        at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:183)

        at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1045)

        at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)

        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:98)

        at org.eclipse.jetty.server.handler.RequestLogHandler.handle(RequestLogHandler.java:92)

        at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:98)

        at org.eclipse.jetty.server.Server.handle(Server.java:461)

        at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:284)

        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:244)

        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:534)

        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:607)

        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:536)

        at java.lang.Thread.run(Thread.java:745)

Thanks,

Rangaraj

[David Ostrovsky]

Am Montag, 16. März 2015 19:19:37 UTC+1 schrieb Rangaraj R:

Hi David,

Please find error log attached.

[2015-03-16 23:37:36,819] WARN  org.eclipse.jetty.servlet.ServletHandler : /oauth

java.io.IOException: Status 403 ({

 "error": {

  "errors": [

   {

    "domain": "usageLimits",

    "reason": "accessNotConfigured",

    "message": "Access Not Configured. The API (Google+ API) is not enabled for your project. Please use the Google Developers Console to update your configuration.",

That makes sense. I switched user endpoint multiple times,

and in the latest plugin version Google+ API endpoint was used,

in which case you have to explicitly enable this API in developer

console. But I switched it back [1]. You can pull the latest version

and it should work without Google+ API enabled.

[1] https://github.com/davido/gerrit-oauth-provider/commit/b070d3d5c6dfc58d068bbd010fbb15860d756b38

[Rangaraj R]

Hi David,

Thanks for the fix.

I have updated the plugin and I am able to Login . 

I find few other issues,

1. After login, I am able to see only anonymous and registered user as my groups. I am not getting any other group and I see admin access is not there for my account..

2. I verified the database and find that Google OAUTH entry for my email id has different account id. 

Please provide your suggestions.

Thanks,

Rangaraj

[David Ostrovsky]

Am Dienstag, 17. März 2015 07:30:27 UTC+1 schrieb Rangaraj R:

Hi David,

Thanks for the fix.

I have updated the plugin and I am able to Login . 

I find few other issues,

1. After login, I am able to see only anonymous and registered user as my groups. I am not getting any other group and I see admin access is not there for my account..

2. I verified the database and find that Google OAUTH entry for my email id has different account id.

Are you sure you have enabled:

link-to-existing-openid-accounts = true

If yes, I assume, that for some reasons, openid_id wasn't included in JWT

response, so that linking of OAuth identity to exising account didn't work.

I will add some debug statements in Gerrit core and plugin to verify it:

during OpenID auth request, openid.realm is probably set to host:port:/.

For OAuth2 request opend.realm must be set to exactly the same value [1].

We should verify this.

https://github.com/davido/gerrit-oauth-provider/blob/master/src/main/java/com/googlesource/gerrit/plugins/oauth/GoogleOAuthService.java#L195

[Rangaraj R]

Hi David,

Yes, I have link-to-existing-openid-accounts = true added to my config.

I will generate Google Apps Client ID with canonicalWebUrl and update you the status.

Also provide me patchset information, so I can recreate gerrit code and plugin to share details.

Thanks,

Rangaraj

[Rangaraj R]

Hi David,

I have generated Google Client ID for canonicalWebUrl and I have same issue.

Thanks, Rangaraj

[David Ostrovsky]

Am Dienstag, 17. März 2015 17:47:30 UTC+1 schrieb Rangaraj R:

Hi David,

I have generated Google Client ID for canonicalWebUrl and I have same issue.

Have you removed the row for OAuth2 from account_external_ids? I don't think that the

linking works, when the row already exists and points to another account.

[Rangaraj R]

I have updated the account id for OAUTH entry to be same as my account id.

[David Ostrovsky]

Am Mittwoch, 18. März 2015 06:26:06 UTC+1 schrieb Rangaraj R:

I have updated the account id for OAUTH entry to be same as my account id.

Sure, but you have beter plans for the next time, then perform

manual linking of OAuth2 to OpenID accounts for 10k+ users, havn't you?

I uploaded change in Gerrit core: [1] and plugin: [2] with verbose log messages.

Re-build and re-deploy Gerrit and plugin and perform these steps:

* remove OAuth2 account from account_external_ids table

* switch to OPENID auth scheme

* start gerrit and login with your Google's account

* observe the following log message in error_log:

OpenID: openid-realm=http://localhost:8080/

* stop gerrit, switch to OAUTH auth scheme, start gerrit, login with Google's account

* observe the following log messages in error_log:

GoogleOAuthService : OAuth2: canonicalWebUrl=http://localhost:8080/

GoogleOAuthService : OAuth2: scope=openid email profile

GoogleOAuthService : OAuth2: linkToExistingOpenIDAccounts=true

GoogleOAuthService : OAuth2: authorization URL=[...]scope=openid%20email%20profile&openid.realm=http%3A%2F%2Flocalhost%3A8080%2F

GoogleOAuthService : OAuth2: openid_id=https://www.google.com/accounts/o8/id?id=<*********>

According to the spec, openid_id is only provided when OpenID: openid-realm

in openid hand shake and openid.realm=http%3A%2F%2Flocalhost%3A8080%2F

in oauth2 hand shake are exactly the same and openid scope was included.

[1] https://gerrit-review.googlesource.com/66391

[2] https://github.com/davido/gerrit-oauth-provider/commit/5258dd72a63a8e5e90161caf8c4df4b92ea0a53e

[David Ostrovsky]

Am Mittwoch, 18. März 2015 09:01:07 UTC+1 schrieb David Ostrovsky:

Am Mittwoch, 18. März 2015 06:26:06 UTC+1 schrieb Rangaraj R:

I have updated the account id for OAUTH entry to be same as my account id.

Sure, but you have beter plans for the next time, then perform

manual linking of OAuth2 to OpenID accounts for 10k+ users, havn't you?

I uploaded change in Gerrit core: [1] and plugin: [2] with verbose log messages.

Re-build and re-deploy Gerrit and plugin and perform these steps:

* remove OAuth2 account from account_external_ids table

* switch to OPENID auth scheme

* start gerrit and login with your Google's account

* observe the following log message in error_log:

OpenID: openid-realm=http://localhost:8080/

* stop gerrit, switch to OAUTH auth scheme, start gerrit, login with Google's account

* observe the following log messages in error_log:

GoogleOAuthService : OAuth2: canonicalWebUrl=http://localhost:8080/

GoogleOAuthService : OAuth2: scope=openid email profile

GoogleOAuthService : OAuth2: linkToExistingOpenIDAccounts=true

GoogleOAuthService : OAuth2: authorization URL=[...]scope=openid%20email%20profile&openid.realm=http%3A%2F%2Flocalhost%3A8080%2F

GoogleOAuthService : OAuth2: openid_id=https://www.google.com/accounts/o8/id?id=<*********>

Forgot to mention last log output line:

OAuthSession : OAuth2: linking claimed identity to 1000000

[Rangaraj R]

Hi David,

Gerrit is not starting with (auth type as OPENID) latest patch set. Please find error message attached. 

 

[2015-03-18 21:37:14,927] INFO  org.eclipse.jetty.server.ServerConnector : Started ServerConnector@335fe8ac{HTTP/1.1}{0.0.0.0:8443}

[2015-03-18 21:37:14,930] WARN  org.eclipse.jetty.util.component.AbstractLifeCycle : FAILED org.eclipse.jetty.server.Server@4d275e5b: javax.servlet.ServletException: OAuth service provider wasn't installed

javax.servlet.ServletException: OAuth service provider wasn't installed

        at com.google.gerrit.httpd.auth.openid.OAuthWebFilterOverOpenID.pickSSOServiceProvider(OAuthWebFilterOverOpenID.java:104)

        at com.google.gerrit.httpd.auth.openid.OAuthWebFilterOverOpenID.init(OAuthWebFilterOverOpenID.java:60)

        at com.google.inject.servlet.FilterDefinition.init(FilterDefinition.java:112)

        at com.google.inject.servlet.ManagedFilterPipeline.initPipeline(ManagedFilterPipeline.java:99)

        at com.google.inject.servlet.GuiceFilter.init(GuiceFilter.java:220)

        at org.eclipse.jetty.servlet.FilterHolder.initialize(FilterHolder.java:137)

        at org.eclipse.jetty.servlet.ServletHandler.initialize(ServletHandler.java:831)

        at org.eclipse.jetty.servlet.ServletContextHandler.startContext(ServletContextHandler.java:300)

        at org.eclipse.jetty.server.handler.ContextHandler.doStart(ContextHandler.java:744)

        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)

        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)

        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)

        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:60)

        at org.eclipse.jetty.server.handler.RequestLogHandler.doStart(RequestLogHandler.java:131)

        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)

        at org.eclipse.jetty.util.component.ContainerLifeCycle.start(ContainerLifeCycle.java:132)

        at org.eclipse.jetty.server.Server.start(Server.java:357)

        at org.eclipse.jetty.util.component.ContainerLifeCycle.doStart(ContainerLifeCycle.java:114)

        at org.eclipse.jetty.server.handler.AbstractHandler.doStart(AbstractHandler.java:60)

        at org.eclipse.jetty.server.Server.doStart(Server.java:324)

        at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:68)

        at com.google.gerrit.pgm.http.jetty.JettyServer$Lifecycle.start(JettyServer.java:125)

        at com.google.gerrit.lifecycle.LifecycleManager.start(LifecycleManager.java:74)

        at com.google.gerrit.pgm.Daemon.start(Daemon.java:292)

        at com.google.gerrit.pgm.Daemon.run(Daemon.java:204)

        at com.google.gerrit.pgm.util.AbstractProgram.main(AbstractProgram.java:64)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

        at java.lang.reflect.Method.invoke(Method.java:606)

        at com.google.gerrit.launcher.GerritLauncher.invokeProgram(GerritLauncher.java:166)

        at com.google.gerrit.launcher.GerritLauncher.mainImpl(GerritLauncher.java:93)

        at com.google.gerrit.launcher.GerritLauncher.main(GerritLauncher.java:50)

        at Main.main(Main.java:25)

[2015-03-18 21:37:14,931] ERROR com.google.gerrit.pgm.Daemon : Unable to start daemon

java.lang.IllegalStateException: Cannot start HTTP daemon

        at com.google.gerrit.pgm.http.jetty.JettyServer$Lifecycle.start(JettyServer.java:139)

        at com.google.gerrit.lifecycle.LifecycleManager.start(LifecycleManager.java:74)

        at com.google.gerrit.pgm.Daemon.start(Daemon.java:292)

        at com.google.gerrit.pgm.Daemon.run(Daemon.java:204)

        at com.google.gerrit.pgm.util.AbstractProgram.main(AbstractProgram.java:64)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

        at java.lang.reflect.Method.invoke(Method.java:606)

        at com.google.gerrit.launcher.GerritLauncher.invokeProgram(GerritLauncher.java:166)

        at com.google.gerrit.launcher.GerritLauncher.mainImpl(GerritLauncher.java:93)

        at com.google.gerrit.launcher.GerritLauncher.main(GerritLauncher.java:50)

        at Main.main(Main.java:25)

Caused by: javax.servlet.ServletException: OAuth service provider wasn't installed

[David Ostrovsky]

Am Mittwoch, 18. März 2015 17:16:14 UTC+1 schrieb Rangaraj R:

Hi David,

Gerrit is not starting with (auth type as OPENID) latest patch set. Please find error message attached. 

That's because I screwed it up in my last hybrid OpenID+OAuth2 change.

I will fix it later, but for now just deploy the plugin and it should work.

Note: on stable-2.10 pre-configured Google OpenID provider was removed from login form.

You would need to enter the URL manually into input field: [1].

[1] https://www.google.com/accounts/o8/id

[lucamilanesio]

I will start now changing the auth type of the GitHub plugin from HTTP to OAUTH so that the plugin is registered as OAuth provider.

This will simply the configuration and allow to be a "first-class" citizen in the Gerrit world :-)

Thanks again DavidO for the efforts on the attempt #2 ... at the least my attempt#1 was useful for something ;-)

Luca.