Support for OpenID Connect


Joshua J. Kugler

Dec 9, 2014, 9:01:07 PM12/9/14
to repo-d...@googlegroups.com
Howdy!

I looked over e-mails going back over several months (and bug reports), and
didn't find anything, so feel free to point me in the right direction if I
missed something.

With the coming EOL of Google's support for OpenID 2.0, and migration to
OpenID Connect, is there any work in Gerrit to support OpenID connect (and
migrate existing users automatically (as described here:
https://developers.google.com/accounts/docs/OpenID#map-identifiers ) We have a
large community (http://review.whamcloud.com) and just telling them "go find
another OpenID provider" is not going to go over well.

j

--
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
jos...@azariah.com - Jabber: peda...@gmail.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A

David Ostrovsky

Dec 10, 2014, 12:53:40 AM12/10/14
to repo-d...@googlegroups.com

On Wednesday, 10 December 2014 03:01:07 UTC+1, Joshua Kugler wrote:
> Howdy!
>
> I looked over e-mails going back over several months (and bug reports), and
> didn't find anything, so feel free to point me in the right direction if I
> missed something.
>
> With the coming EOL of Google's support for OpenID 2.0, and migration to
> OpenID Connect, is there any work in Gerrit to support OpenID connect (and
> migrate existing users automatically (as described here:
> https://developers.google.com/accounts/docs/OpenID#map-identifiers ) We have a
> large community (http://review.whamcloud.com) and just telling them "go find
> another OpenID provider" is not going to go over well.

Why? That's what other open source Gerrit communities will do.

With Fedoraproject [1] and Launchpad [2] we have prominent OpenID providers, where the
majority of contributors will have an account already. If you have ever contributed to OpenStack,
you may know that they restricted their Gerrit to the Launchpad OpenID provider exclusively, by setting
this configuration option: [3].

List of allowed OpenID email address domains. Only used if auth.type is set to OPENID or OPENID_SSO.

Domain is case insensitive and must be in the same form as it appears in the email address, for example, "example.com".

Joshua J. Kugler

Dec 11, 2014, 3:22:18 AM12/11/14
to repo-d...@googlegroups.com
On Tuesday, December 09, 2014 21:53:40 David Ostrovsky wrote:
> On Wednesday, 10 December 2014 03:01:07 UTC+1, Joshua Kugler wrote:
> > With the coming EOL of Google's support for OpenID 2.0, and migration to
> > OpenID Connect, is there any work in Gerrit to support OpenID connect (and
> > migrate existing users automatically (as described here:
> > https://developers.google.com/accounts/docs/OpenID#map-identifiers ) We
> > have a
> > large community (http://review.whamcloud.com) and just telling them "go
> > find
> > another OpenID provider" is not going to go over well.
>
> Why? That's what other open source Gerrit communities will do.

That may be. I just know that is now going to fly with my management. I also
do not look forward to all the users who do not follow directions, log in
directly with their new OpenID, wonder why they can't see their existing
projects and review, and then complain when they then cannot link their new
OpenID to their existing account (because it's used by their "new" spurious
account). Will be a very large headache.

Joshua J. Kugler

Dec 11, 2014, 3:54:18 AM12/11/14
to repo-d...@googlegroups.com
On Wednesday, December 10, 2014 23:22:12 Joshua J. Kugler wrote:
> On Tuesday, December 09, 2014 21:53:40 David Ostrovsky wrote:
> > On Wednesday, 10 December 2014 03:01:07 UTC+1, Joshua Kugler wrote:
> > > With the coming EOL of Google's support for OpenID 2.0, and migration to
> > > OpenID Connect, is there any work in Gerrit to support OpenID connect
> > > (and
> > > migrate existing users automatically (as described here:
> > > https://developers.google.com/accounts/docs/OpenID#map-identifiers ) We
> > > have a
> > > large community (http://review.whamcloud.com) and just telling them "go
> > > find
> > > another OpenID provider" is not going to go over well.
> >
> > Why? That's what other open source Gerrit communities will do.
>
> That may be. I just know that is now going to fly with my management.
"not" going to fly, in case it wasn't clear that was a typo. :)

Joshua J. Kugler

Dec 11, 2014, 3:59:36 AM12/11/14
to repo-d...@googlegroups.com
Also, could this stance be documented somewhere so I can't point my management
to a page that says "Gerrit will not be supporting Google's OpenID Connect, so
you must migrate your users." With something like that, it will be much
easier to convince them this isn't going to be resolved by the next upgrade.
:)

j

David Pursehouse

Dec 11, 2014, 4:14:35 AM12/11/14
to Joshua J. Kugler, repo-d...@googlegroups.com
On 12/11/2014 05:59 PM, Joshua J. Kugler wrote:
> Also, could this stance be documented somewhere so I can't point my management
> to a page that says "Gerrit will not be supporting Google's OpenID Connect, so
> you must migrate your users." With something like that, it will be much
> easier to convince them this isn't going to be resolved by the next upgrade.
> :)
>
I assume that was another typo and you actually meant "CAN point my
management" :)

Anyway, there's already a change open [1] to remove Google OpenID
support. I guess the warning you're after could either be added
somewhere in the Gerrit documentation as part of that change, or
mentioned in the release notes for whichever release that change
eventually gets merged into. If it gets merged soon, that will be 2.11
and I'll add the warning in the release notes for that [2].

[1] https://gerrit-review.googlesource.com/57450/
[2] https://gerrit-review.googlesource.com/62004/

Ishaaq Chandy

Dec 11, 2014, 6:26:35 AM12/11/14
to David Pursehouse, Joshua J. Kugler, repo-d...@googlegroups.com
So, just to clarify, does this mean that there are no plans to enable support for Google's OpenID Connect?


Shawn Pearce

Dec 11, 2014, 10:14:49 AM12/11/14
to Ishaaq Chandy, David Pursehouse, Joshua J. Kugler, repo-d...@googlegroups.com
On Thu, Dec 11, 2014 at 3:26 AM, Ishaaq Chandy <ish...@gmail.com> wrote:
> So, just to clarify, does this mean that there are no plans to enable support for Google's OpenID Connect?

Apparently not.

I don't have the time, will, or energy to make the changes and keep chasing whatever new fancy "standard" Google has decided to demand on application developers in order to use Google Accounts for authentication to their website.

If someone else does the work, OK. But it ain't going to be me. It took too much effort to get it working the first time. Let alone this new version where applications have to create a developer project at Google, obtain secrets, configure those secrets into Gerrit... *ick*


David Ostrovsky

Dec 11, 2014, 11:19:12 AM12/11/14
to repo-d...@googlegroups.com, ish...@gmail.com, david.pu...@sonymobile.com, jos...@azariah.com, Luca Milanesio

On Thursday, 11 December 2014 16:14:49 UTC+1, Shawn Pearce wrote:
> On Thu, Dec 11, 2014 at 3:26 AM, Ishaaq Chandy <ish...@gmail.com> wrote:
> > So, just to clarify, does this mean that there are no plans to enable support for Google's OpenID Connect?
>
> Apparently not.
>
> I don't have the time, will, or energy to make the changes and keep chasing whatever new fancy "standard" Google has decided to demand on application developers in order to use Google Accounts for authentication to their website.
>
> If someone else does the work, OK. But it ain't going to be me.

In fact, someone else already did the work [2] and hard coded GitHub OAuth2 (OpenID Connect
is just a further development of OAuth2) as a core Gerrit feature. This was the wrong way to
do it; the right way would be to finalize the pluggable authentication backend [2] first and allow plugins to
contribute different authentication providers.

Last time we discussed this topic, we decided (?) to merge the GitHub OAuth2 change as is (it's a
non-invasive change that can even be merged without any conflicts into the stable-2.9 branch).
The only problem that I have with this change in its current form: it doesn't seamlessly support
anonymous browsing. But others argued that this is a missing feature for all HTTP authentication
methods and can be addressed later.


Matthew Webber

Dec 18, 2014, 8:20:04 AM12/18/14
to repo-d...@googlegroups.com, ish...@gmail.com, david.pu...@sonymobile.com, jos...@azariah.com


On Thursday, December 11, 2014 3:14:49 PM UTC, Shawn Pearce wrote:
> I don't have the time, will, or energy to make the changes and keep chasing whatever new fancy "standard" Google has decided to demand on application developers in order to use Google Accounts for authentication to their website.
>
> If someone else does the work, OK.

There are indeed existing projects that we might be able to use to handle authentication for Gerrit.
I just came across pac4j

I have not used it, but it promises(!) to handle the authentication for you for most of the common protocols. The project originator works on CAS authentication (http://jasig.github.io/cas/4.0.0/index.html) and wrote it for that, so I presume he knows what he is doing(!).
 
It would be non-trivial to integrate into Gerrit (really, we would need to split the auth backend out and make it pluggable).

Anyhow, just a thought. We should not have to write auth stuff ourselves.

David Ostrovsky

Dec 18, 2014, 9:14:01 AM12/18/14
to repo-d...@googlegroups.com

On Thursday, 18 December 2014 14:20:04 UTC+1, Matthew Webber wrote:
> On Thursday, December 11, 2014 3:14:49 PM UTC, Shawn Pearce wrote:
> > I don't have the time, will, or energy to make the changes and keep chasing whatever new fancy "standard" Google has decided to demand on application developers in order to use Google Accounts for authentication to their website.
> >
> > If someone else does the work, OK.
>
> There are indeed existing projects that we might be able to use to handle authentication for Gerrit.
> I just came across pac4j

Something like that, see my last comment to this change: [1]. So pac4j claims to support all these providers
that support the OAuth2 spec. No matter if we use this or another library or would have our own home-baked
implementation with Apache HttpComponents, we need one generic OAuth2 auth method implementation,
that in fact will be part of Gerrit core (for something generic like that we don't need a pluggable backend),
that supports single or multiple configured providers:

Facebook: OAuth 2.0
GitHub: OAuth 2.0
Google: OAuth 2.0
LinkedIn: OAuth 2.0
Windows Live: OAuth 2.0
WordPress: OAuth 2.0
PayPal: OAuth 2.0
Vk: OAuth 2.0
Foursquare: OAuth 2.0
[...]


Luca Milanesio

Dec 18, 2014, 10:28:59 AM12/18/14
to David Ostrovsky, repo-d...@googlegroups.com
Agreed: then it makes sense to completely detach from GitHub and just implement OAuth 2.0.

NOTE: bear in mind that OAuth 2.0 is a “loose” spec and needs a “service-specific” API to fetch the user details. It means that the OAuth 2.0 support in Gerrit will expose an extension point for plugins to implement the service-specific API.

Luca.
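An added illustration (not Gerrit's code, nor anything from the people on this thread) of the two points raised above: a generic OAuth 2.0 authorization-code login in which only the step that turns a provider's user-info document into an identity is provider-specific, as Luca's note suggests, plus the case-insensitive allowed-email-domain filter quoted from the Gerrit documentation in David Ostrovsky's first reply. The provider names, the `fetch_userinfo` callable and the user-info field names are assumptions; the token exchange and the user-info HTTP call are replaced by a constructed callable so the code runs offline.

```python
# Added illustration, not Gerrit's code: generic OAuth 2.0 code-flow login with a
# provider-specific identity extraction step and an allowed-email-domain filter.
# Network calls (token exchange, user-info fetch) are replaced by a constructed
# callable so everything below runs offline.
import secrets
from typing import Callable, Dict, Optional, Tuple

# Extension point: each provider maps its raw user-info document to a
# (stable external id, email) pair. Assumed shapes: GitHub returns a numeric
# "id"; a Google OpenID Connect id_token carries "sub" and "email".
def github_identity(info: dict) -> Tuple[str, str]:
    return ("github:" + str(info["id"]), info["email"])

def google_identity(info: dict) -> Tuple[str, str]:
    return ("google:" + info["sub"], info["email"])

PROVIDERS: Dict[str, Callable[[dict], Tuple[str, str]]] = {
    "github": github_identity,
    "google": google_identity,
}

def email_domain_allowed(email: str, allowed_domains: list) -> bool:
    # Mirrors the documented option: case-insensitive match on the domain
    # exactly as written in the address; no subdomain or wildcard matching.
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in allowed_domains}

class OAuth2Login:
    def __init__(self, fetch_userinfo: Callable[[str, str], dict], allowed_domains=()):
        self._fetch = fetch_userinfo        # (provider, code) -> user-info dict
        self._allowed = list(allowed_domains)
        self._pending: Dict[str, str] = {}  # state -> provider awaiting callback

    def begin(self, provider: str) -> str:
        if provider not in PROVIDERS:
            raise ValueError("unknown provider: " + provider)
        state = secrets.token_urlsafe(16)  # binds the callback to this request
        self._pending[state] = provider
        return state

    def complete(self, state: str, code: str) -> Optional[Tuple[str, str]]:
        provider = self._pending.pop(state, None)
        if provider is None:
            return None  # unknown or replayed state: reject the callback
        ident, email = PROVIDERS[provider](self._fetch(provider, code))
        if self._allowed and not email_domain_allowed(email, self._allowed):
            return None  # authenticated at the provider, but not admitted here
        return ident, email
```

Adding a provider means adding one extractor to `PROVIDERS`; the flow, state handling and domain filter stay generic.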
