Hi,
Are there any plans to support some sort of OAuth2 via the REST API? Just some sort of "connected apps" for the user profile, so developers can request an app client secret from Gerrit site admins to start an OAuth2 auth flow, users have the ability to revoke apps' access_tokens, and maybe fine-grained access permissions via scopes.
--
Regards
--
To unsubscribe, email repo-discuss+unsubscribe@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en
---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
On 29 Dec 2017, at 08:49, Jorge Ruesga <j.ruesg...@gmail.com> wrote:
Hi,
Luca, not necessarily "Gerrit itself being an OAuth 2.0 provider". There are many REST API services (e.g. Feedly) relying on external OAuth2 providers to provide authentication to their REST API clients. Basically, they have a REST API OAuth endpoint that provides the necessary workflow to obtain an access and refresh token.
My main concern with this request is a way to log in from iOS/Android apps without the need to store user authentication locally on the phone. The current OAuth plugins only provide authentication for the Gerrit website itself, but no way to obtain an access_token and refresh token. With the current OAuth flow, one can create a WebView and try to obtain the XSRF_TOKEN cookie to provide the X-Gerrit-Auth header, but:
1.- This token is web-session based, so it will expire at some point, which requires presenting a new OAuth flow window to the user to log in again (which seems to be a good UX behaviour to me).
2.- Embedded browsers (aka WebViews) are disabled by Google Sign-In since April 1 (https://developers.googleblog.com/2016/08/modernizing-oauth-interactions-in-native-apps.html), basically to avoid app developers accessing cookies or changing the response (basically allowing developers some kind of phishing).
And along the way, this could enable fine-grained access to the API via scopes, like letting an access_token do read operations (like reading changes) while disallowing publishing comments or changes, or not allowing access to user account details like secondary emails, etc. Also, the user can get control over which apps are connected and revoke their access.
In addition, the current HTTP password is one-way generated, which means if I have 2 devices the user needs to generate the HTTP password, store it outside Gerrit and type it on both devices (or even between different apps on the same device), which sounds a bit insecure.
Regards
--
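The scope and revocation points above (and the "connected apps" idea in the opening message) can be made concrete with a small model. This is an added example, not code from Gerrit or from anyone in this thread: it assumes a hypothetical per-account token store, invented scope names such as `changes:read`, and a constructed mapping of a few REST paths to the scope each would need. It shows why one token per app differs from one shared HTTP password: each app gets only the operations it was granted, and the user can revoke one app without touching the others.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Hypothetical model of per-app "connected apps" grants for one Gerrit account.
# The store, the scope names and the endpoint mapping are constructed for this example.


class InvalidToken(Exception):
    """Token is unknown or has been revoked."""


class InsufficientScope(Exception):
    """Token is valid but was not granted the scope the endpoint needs."""


@dataclass
class Grant:
    app: str
    scopes: frozenset
    revoked: bool = False


class ConnectedApps:
    """Issues one revocable, scope-limited token per app instead of one shared HTTP password."""

    def __init__(self):
        self._grants = {}  # sha256(token) -> Grant; raw tokens are never kept server-side

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, app, scopes):
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = Grant(app, frozenset(scopes))
        return token  # shown to the user once, like an HTTP password, but per app

    def revoke_app(self, app):
        """User-side revocation of one app; other apps keep working. Returns tokens revoked."""
        count = 0
        for grant in self._grants.values():
            if grant.app == app and not grant.revoked:
                grant.revoked = True
                count += 1
        return count

    def authorize(self, token, required_scope):
        grant = self._grants.get(self._digest(token))
        if grant is None or grant.revoked:
            raise InvalidToken("unknown or revoked token")
        if required_scope not in grant.scopes:
            raise InsufficientScope(f"{grant.app} was not granted {required_scope}")
        return grant.app


# Constructed mapping of REST endpoints to the (invented) scope they require.
ENDPOINT_SCOPES = {
    ("GET", "/changes/"): "changes:read",
    ("POST", "/changes/12345/revisions/current/review"): "changes:review",
    ("GET", "/accounts/self/emails"): "account:emails",
}


def handle(store, method, path, token):
    """Return (status, body) the way a scope-aware REST layer would."""
    required = ENDPOINT_SCOPES[(method, path)]
    try:
        app = store.authorize(token, required)
    except InvalidToken as exc:
        return 401, str(exc)
    except InsufficientScope as exc:
        return 403, str(exc)
    return 200, f"ok for {app}"


def demo():
    """Walk through issue -> scoped access -> revocation; returns the status codes seen."""
    store = ConnectedApps()
    phone = store.issue("rview-android", ["changes:read", "changes:review"])
    dashboard = store.issue("wall-dashboard", ["changes:read"])
    statuses = [
        handle(store, "GET", "/changes/", dashboard)[0],  # 200: read is granted
        handle(store, "POST", "/changes/12345/revisions/current/review", dashboard)[0],  # 403: read-only app
        handle(store, "GET", "/accounts/self/emails", phone)[0],  # 403: no account scope
    ]
    store.revoke_app("wall-dashboard")
    statuses.append(handle(store, "GET", "/changes/", dashboard)[0])  # 401: revoked
    statuses.append(handle(store, "GET", "/changes/", phone)[0])  # 200: other app unaffected
    return statuses


if __name__ == "__main__":
    print(demo())  # [200, 403, 403, 401, 200]
```

The server keeps only a hash of each token, so a leaked store does not hand out usable credentials, and the 401/403 split lets a client tell "log in again" apart from "this app was never allowed to do that".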
On 29 Dec 2017, at 09:50, Jorge Ruesga <j.ruesg...@gmail.com> wrote:
My concerns were more from an app developer's point of view. I have an Android app that provides access to whatever Gerrit instance the user wants to access, but I don't control any of them.
Auth0 could be implemented in a Gerrit site but other Gerrit instances could implement other OAuth solutions, and I'm not sure all would be compatible (one could be OAuth 1.0a or something like that). In fact, currently I have no way to know if the Gerrit instance allows an OAuth app client workflow. I was trying to request a solution more integrated into the Gerrit code.
Are you developing an OpenSource Mobile client for Gerrit?
Are you aware of https://gerrit.googlesource.com/apps/reviewit/ ? It is an Android Gerrit Client that provides the code-review experience on your Mobile phone.
On 29 Dec 2017, at 10:52, Jorge Ruesga <j.ruesg...@gmail.com> wrote:
Are you developing an OpenSource Mobile client for Gerrit?
Yeah, I developed/maintain an Android one (https://github.com/jruesga/rview). It's almost on par in features with the Gerrit web UI.
Are you aware of https://gerrit.googlesource.com/apps/reviewit/ ? It is an Android Gerrit Client that provides the code-review experience on your Mobile phone.
Yes, I'm aware of it
Very nice App ... do you have (or are you planning) an iOS one as well?
I see your point of doing the authentication once and getting an access token for it. I believe the only thing you could do is really to "simulate" a web login (POST to /login) and get the resulting cookies. Then store the cookies and keep them as long as you can.
Thanks for your suggestions Luca.
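The blog post linked earlier in the thread (no embedded WebViews for Google Sign-In) points native apps at the flow below instead of cookie scraping: the user logs in through the system browser and the app proves it started the flow with a PKCE code verifier (RFC 7636), so a one-time code that lands on a shared custom-scheme redirect cannot be redeemed by anyone else. This is an added example and not Gerrit's code or any plugin's; the authorization server, the client id `rview-android`, the redirect URI and the scope name are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets

# Added example, not Gerrit code: an RFC 7636 (PKCE) authorization-code exchange between a
# native app and a hypothetical OAuth2 authorization server. Names below are constructed.


def make_code_verifier(nbytes=32):
    """43..128 chars from the unreserved set; token_urlsafe(32) yields exactly 43 of [A-Za-z0-9_-]."""
    return secrets.token_urlsafe(nbytes)


def code_challenge_s256(verifier):
    """BASE64URL(SHA256(ASCII(verifier))) without '=' padding, as RFC 7636 section 4.2 specifies."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


class AuthorizationServer:
    """Minimal server side: binds each issued code to the challenge, client and redirect URI."""

    def __init__(self):
        self._pending = {}  # code -> {client_id, redirect_uri, challenge, scope}

    def authorize(self, client_id, redirect_uri, scope, code_challenge, code_challenge_method):
        # The user consents in the system browser; the server then delivers a one-time code
        # to the registered redirect URI. Only S256 is accepted ("plain" is refused).
        if code_challenge_method != "S256":
            raise ValueError("code_challenge_method must be S256")
        code = secrets.token_urlsafe(24)
        self._pending[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                               "challenge": code_challenge, "scope": scope}
        return code

    def token(self, client_id, redirect_uri, code, code_verifier):
        """Exchange code + verifier for tokens; returns None on any mismatch."""
        pending = self._pending.pop(code, None)  # codes are single use
        if pending is None:
            return None
        if pending["client_id"] != client_id or pending["redirect_uri"] != redirect_uri:
            return None
        # Constant-time compare of the recomputed challenge against the one bound at authorize time.
        if not hmac.compare_digest(code_challenge_s256(code_verifier), pending["challenge"]):
            return None
        return {
            "access_token": secrets.token_urlsafe(32),
            "refresh_token": secrets.token_urlsafe(32),
            "token_type": "Bearer",
            "scope": pending["scope"],
        }


CLIENT_ID = "rview-android"                 # constructed client id
REDIRECT_URI = "com.example.rview:/oauth2"  # constructed custom-scheme redirect


def run_flow(server, scope="changes:read"):
    """Happy path: the app that started the flow holds the verifier and completes it."""
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, scope, code_challenge_s256(verifier), "S256")
    return server.token(CLIENT_ID, REDIRECT_URI, code, verifier)


def run_flow_without_verifier(server, scope="changes:read"):
    """A party holding only the code (not the verifier the app kept in memory) gets nothing."""
    verifier = make_code_verifier()
    code = server.authorize(CLIENT_ID, REDIRECT_URI, scope, code_challenge_s256(verifier), "S256")
    return server.token(CLIENT_ID, REDIRECT_URI, code, make_code_verifier())


if __name__ == "__main__":
    srv = AuthorizationServer()
    print(run_flow(srv)["scope"])          # changes:read
    print(run_flow_without_verifier(srv))  # None
```

Because the verifier never leaves the app's memory and codes are single use, the app needs no client secret and no stored password; the refresh token it receives is the long-lived credential, and it can be revoked server-side without affecting the user's other devices.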