[Announce] Hybrid OpenID+OAuth2 authentication in Gerrit

[David Ostrovsky]

I'm pleased to announce, that Hybrid OpenID+OAuth2 authentication scheme is available: [1].

To set up OpenID + Google-OAuth 2.0 provider on stable-2.0 branch:

* pull latest stable-2.10 branch

* cherry-pick these changes: [2], [3], [4], [5]

* register your OAuth2 enabled Gerrit site: [6], set "Redirect URI" to: server:port/oauth

* pull the latest version of gerrit-oauth-provider-plugin [7], build [8] and deploy

* configure the plugin in $gerrit_site/etc/gerrit.config:

[plugin "gerrit-oauth-provider-google-oauth"]
    client-id = "<id>"
    client-secret = "<secret>"
    link-to-existing-openid-accounts = true

* Preserve auth.type = OPENID in $gerrit_site/etc/gerrit.config

* Observe that LoginForm offers Google OAuth2 provider: [1]

* Sign in using this link

* Observe that new identity is created and linked to your existing Gerrit account,

  e. g. under User=>Settings=>Identities OAuth2 (something like: 1016730112881507946)

  should be listed in addition to OpenID identity. Note, that when user is new then new Gerrit

  account is created and username is blank and must be set manually

* Observe that other OpenID providers, like Launchpad and FedoraProject still work 

[1] http://imgur.com/12bRRzO

[2] https://gerrit-review.googlesource.com/66310

[3] https://gerrit-review.googlesource.com/66311

[4] https://gerrit-review.googlesource.com/66312

[5] https://gerrit-review.googlesource.com/66313

[6] https://developers.google.com/accounts/docs/OpenIDConnect#appsetup

[7] https://github.com/davido/gerrit-oauth-provider

[8] https://github.com/davido/gerrit-oauth-provider/blob/master/src/main/resources/Documentation/build.md

[Luca Milanesio]

Wow, that’s really cool :-)

Shall we move the client-secret to secure.config? (otherwise isn’t a secret anymore ;-) )

Luca.

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Spencer Oliver]

On Monday, 16 March 2015 10:34:27 UTC, David Ostrovsky wrote:

I'm pleased to announce, that Hybrid OpenID+OAuth2 authentication scheme is available: [1].

 

David,

Thanks for you work on this, just wondering whether you could help me with one issue i am facing:
https://github.com/davido/gerrit-oauth-provider/issues/4

Many Thanks
Spen

[Paul Groudas]

David,

Thank you so much for your work on this!  The OpenID doomsday is almost upon us!

I've been working on this migration for my company, and would like to use your OAuth2 plugin but so far I'm having only mixed success.  I can easily enable the OAuth2 google plugin by following the directions, but the accounts don't seem to be linked.  Here are the strategies I've followed:

First I built gerrit-oath-provider.jar from your latest checkin, and I've built a gerrit release.jar from the 2.10.2 release plus this one change (the other three seemed to be already included): https://gerrit-review.googlesource.com/66313

1. Restore from backup (we've been running 2.10)

2. Add gerrit-oauth-provider.jar to site/plugins

3. Run java -jar release.jar init -d site/

4. Select auth provider OPENID

5. Select enable google oauth with necessary client id and secret

This results in being able to login when clicking "Google OAuth2 (gerrit-oauth-provider plugin)" but unfortunately it seems to be a new account, not linked to the old OpenID account.

I then also tried:

1. Restore from backup (we've been running 2.10)

2. Add gerrit-oauth-provider.jar to site/plugins

3. Run java -jar release.jar init -d site/

4. Select auth provider OAUTH

5. Select enable google oauth with necessary client id and secret

But the results are the same.

What steps do I need to take to enable the linking of old OpenID accounts?

Thank you for your help,

Paul

[David Ostrovsky]

On Sunday, April 5, 2015 at 7:43:50 PM UTC+3, Paul Groudas wrote:

David,

Thank you so much for your work on this!  The OpenID doomsday is almost upon us!

I've been working on this migration for my company, and would like to use your OAuth2 plugin but so far I'm having only mixed success.  I can easily enable the OAuth2 google plugin by following the directions, but the accounts don't seem to be linked.  Here are the strategies I've followed:

First I built gerrit-oath-provider.jar from your latest checkin, and I've built a gerrit release.jar from the 2.10.2 release plus this one change (the other three seemed to be already included): https://gerrit-review.googlesource.com/66313

1. Restore from backup (we've been running 2.10)

2. Add gerrit-oauth-provider.jar to site/plugins

3. Run java -jar release.jar init -d site/

4. Select auth provider OPENID

5. Select enable google oauth with necessary client id and secret

Sounds good to me. I will upload release.war
based on 2.10.2 + hybrid change + bundled plugin
on plugin's GH release page, to simplify this setup.

This results in being able to login when clicking "Google OAuth2 (gerrit-oauth-provider plugin)" but unfortunately it seems to be a new account, not linked to the old OpenID account.

I then also tried:

1. Restore from backup (we've been running 2.10)

2. Add gerrit-oauth-provider.jar to site/plugins

3. Run java -jar release.jar init -d site/

4. Select auth provider OAUTH

5. Select enable google oauth with necessary client id and secret

Good idea to make linking work with OAuth auth scheme.

But the results are the same.

What steps do I need to take to enable the linking of old OpenID accounts?

Linking should just work from Google's OpenID
to Google OAuth. Also note that the domain name
must be preserved.

See the discussion and steps how to troubleshoot
account linking in this issue: [1].

[1] https://github.com/davido/gerrit-oauth-provider/issues/2

[David Ostrovsky]

Am Montag, 6. April 2015 14:16:19 UTC+2 schrieb David Ostrovsky:

On Sunday, April 5, 2015 at 7:43:50 PM UTC+3, Paul Groudas wrote:

David,

Thank you so much for your work on this!  The OpenID doomsday is almost upon us!

I've been working on this migration for my company, and would like to use your OAuth2 plugin but so far I'm having only mixed success.  I can easily enable the OAuth2 google plugin by following the directions, but the accounts don't seem to be linked.  Here are the strategies I've followed:

First I built gerrit-oath-provider.jar from your latest checkin, and I've built a gerrit release.jar from the 2.10.2 release plus this one change (the other three seemed to be already included): https://gerrit-review.googlesource.com/66313

1. Restore from backup (we've been running 2.10)

2. Add gerrit-oauth-provider.jar to site/plugins

3. Run java -jar release.jar init -d site/

4. Select auth provider OPENID

5. Select enable google oauth with necessary client id and secret

Sounds good to me. I will upload release.war
based on 2.10.2 + hybrid change + bundled plugin
on plugin's GH release page, to simplify this setup.

Done in [1].

It turns out that Buck is hard to install, it has too many dependencies

and it's still a challenge to build patched Gerrit release with plugin

(with support for both standalone and in Gerrit-tree build modes).

[1] https://github.com/davido/gerrit-oauth-provider/releases/tag/v0.2

[Will DeBerry]

Not sure if the best thread for this, but since using this plugin, the login URLs have been off and not working. Anyone using the site clicks on Sign In and then is presented with the Sign In screen with the options GitHub, Google(Oauth), LaunchPad, Yahoo. If you click on GitHub or Google, it just changes the URL and refreshes the window and then provides the following URL:

http://gerrit.aokp.co/login/%23%2Fq%2Fstatus%3Aopen?id=gerrit-oauth-provider_-google-oauth

From this point, the two URLs don't do anything more than reloading the same Sign In page. The only way to get things to work is to click on the LaunchPad option which then refreshes the window again and provides the following URL:

http://gerrit.aokp.co/login/#%2Fq%2Fstatus:open?id=https://login.launchpad.net/%2Bopenid

The only thing I can see is that the URL isn't getting encoded properly in the 'broken' state, but not sure if there is anything I need to do on my end or if this is a bug within gerrit or plugin. I don't see any see any errors in the logs during this process either.

Let me know if you need anymore information to help narrow this down or if you'd rather me start a new thread.

[Roland Schulz]

On Mon, May 4, 2015 at 9:56 PM, Will DeBerry <willd...@gmail.com> wrote:

Not sure if the best thread for this, but since using this plugin, the login URLs have been off and not working. Anyone using the site clicks on Sign In and then is presented with the Sign In screen with the options GitHub, Google(Oauth), LaunchPad, Yahoo. If you click on GitHub or Google, it just changes the URL and refreshes the window and then provides the following URL:

http://gerrit.aokp.co/login/%23%2Fq%2Fstatus%3Aopen?id=gerrit-oauth-provider_-google-oauth

From this point, the two URLs don't do anything more than reloading the same Sign In page. The only way to get things to work is to click on the LaunchPad option which then refreshes the window again and provides the following URL:

http://gerrit.aokp.co/login/#%2Fq%2Fstatus:open?id=https://login.launchpad.net/%2Bopenid

The only thing I can see is that the URL isn't getting encoded properly in the 'broken' state, but not sure if there is anything I need to do on my end or if this is a bug within gerrit or plugin. I don't see any see any errors in the logs during this process either.

Let me know if you need anymore information to help narrow this down or if you'd rather me start a new thread.

Do you run gerrit behind a reverse proxy? We had a similar problem. We fixed it by changing our reverse proxy configuration. We used to use mod_rewrite with RewriteRule but that caused the problem. We changed it to proxy_http with ProxyPass as recommended by the gerrit documentation. Maybe a similar change can fix it for you.

Roland

 

On Sunday, April 12, 2015 at 8:06:39 AM UTC-4, David Ostrovsky wrote:

Am Montag, 6. April 2015 14:16:19 UTC+2 schrieb David Ostrovsky:

On Sunday, April 5, 2015 at 7:43:50 PM UTC+3, Paul Groudas wrote:

David,

Thank you so much for your work on this!  The OpenID doomsday is almost upon us!

I've been working on this migration for my company, and would like to use your OAuth2 plugin but so far I'm having only mixed success.  I can easily enable the OAuth2 google plugin by following the directions, but the accounts don't seem to be linked.  Here are the strategies I've followed:

First I built gerrit-oath-provider.jar from your latest checkin, and I've built a gerrit release.jar from the 2.10.2 release plus this one change (the other three seemed to be already included): https://gerrit-review.googlesource.com/66313

1. Restore from backup (we've been running 2.10)

2. Add gerrit-oauth-provider.jar to site/plugins

3. Run java -jar release.jar init -d site/

4. Select auth provider OPENID

5. Select enable google oauth with necessary client id and secret

Sounds good to me. I will upload release.war
based on 2.10.2 + hybrid change + bundled plugin
on plugin's GH release page, to simplify this setup.

Done in [1].

It turns out that Buck is hard to install, it has too many dependencies

and it's still a challenge to build patched Gerrit release with plugin

(with support for both standalone and in Gerrit-tree build modes).

[1] https://github.com/davido/gerrit-oauth-provider/releases/tag/v0.2

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

ORNL/UT Center for Molecular Biophysics cmb.ornl.gov
865-241-1537, ORNL PO BOX 2008 MS6309

[Will DeBerry]

That definitely straightened it out. Was still using the old way of doing things. Much appreciated!

[ji...@atomia.com]

Hi

What would be the easiest way to use this plugin together with 2.11?

Best regards,

Jimmy

[Luca Milanesio]

I think that DavidO’s plugin (master branch) should compile and work on 2.11, isn’t it?

Luca.

[David Ostrovsky]

Am Dienstag, 5. Mai 2015 09:22:03 UTC+2 schrieb lucamilanesio:

I think that DavidO’s plugin (master branch) should compile and work on 2.11, isn’t it?

I hope so ;-) There are three options:

* compile the plugin itself

* download binary from plugins's release page n GH: [1]

* download binary from Gerrit's CI server: [2] (Thanks Luca for adding it!)

[1] https://github.com/davido/gerrit-oauth-provider/releases/tag/v2.11

[2] https://ci.gerritforge.com/view/Plugins-master/job/Plugin_gerrit-oauth-provider_master

[Jimmy Bergman]

Hi

The version from https://github.com/davido/gerrit-oauth-provider/releases/tag/v2.11 worked great, thanks.

Best regards,

Jimmy

[Will DeBerry]

Just use the latest release from David's github 

https://github.com/davido/gerrit-oauth-provider/releases/tag/v2.11

[Will DeBerry]

I noticed today that even though I have the same account ID as before with openID, I am no longer in the Administrators group or any of the other groups I was in before hand. Checking SQL, I see that my account ID is still a part of the proper group IDs.

Is there an issue with the linking or weirdness that could have caused this?

[Will DeBerry]

So reporting back that I finally figured this out just in case someone else runs into this. I noticed that the new oauth linked account showed as untrsuted. I ended up having to add to the gerrit.config to trust all IDs (since we don't try to restrict any in our case).

trustedOpenID = ^.*$

Now without anything being untrusted as an openID authenticator, all is back to normal :).