OAuth provider plugin: new and noteworthy

[David Ostrovsky]

I'm pleased to announce, that oauth-provider plugin supports now

* Facebook oauth provider, thanks to Boyan Vladinov [1].

* GitLab oauth provider, thanks to Andrey Tuvaev [2].

Thanks also to Luca for helping with review ;)

It worth noting that during the work on new providers, we've

discovered one nasty bug: [3]: raw provider ids were stored

without the provider prefix in the backend. This was fixed in:

[4]. The migration is seamless, thanks to linking feature, set

  fix-legacy-user-id = true

for each oauth provider section.

[1] https://gerrit-review.googlesource.com/#/c/96377

[2] https://gerrit-review.googlesource.com/#/c/99000

[3] https://github.com/davido/gerrit-oauth-provider/issues/82

[4] https://gerrit-review.googlesource.com/96422

[Luca Milanesio]

Great job David, well done !

Hope to enable all of them on GerritHub.io very soon :-) 

Lots of people from GitLab would like to use Gerrit Code Review for their workflow.

Luca.

--
--
To unsubscribe, email repo-discuss...@googlegroups.com
More info at http://groups.google.com/group/repo-discuss?hl=en

---
You received this message because you are subscribed to the Google Groups "Repo and Gerrit Discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to repo-discuss...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

[Matthew Webber]

Thanks David, we are looking to migrate away from our existing Open_ID provider, so this is good news.

A couple of notes:

(1) You didn't mention the addition of a CAS provider, but it is mentioned at https://github.com/davido/gerrit-oauth-provider/releases in the notes for 2.13.2. We are planning to try it out.

(2) The most recent release on https://github.com/davido/gerrit-oauth-provider/releases pre-dates the merging of the Facebook and GitLab providers; so is there somewhere else that we should be getting a more recent release jar from? I notice that the canonical source repository is now on gerrit-review, but gerrit-forge only seems to have builds for master and 2.10.

Matthew

[David Ostrovsky]

On Monday, March 6, 2017 at 5:17:36 PM UTC+1, Matthew Webber wrote:

Thanks David, we are looking to migrate away from our existing Open_ID provider, so this is good news.

You know, you don't need to migrate from OpenID, to use OAuth?

Thanks to Hybrid OpenID+OAuth provider feature you can have

both. Just install the plugin, configure the providers and preserve

OpenID auth scheme, done.

 

A couple of notes:

(1) You didn't mention the addition of a CAS provider, but it is mentioned at https://github.com/davido/gerrit-oauth-provider/releases in the notes for 2.13.2. We are planning to try it out.

Indeed, I missed to announce CAS OAuth provider. I only mentioned

Bitbucket here: [1].

(2) The most recent release on https://github.com/davido/gerrit-oauth-provider/releases pre-dates the merging of the Facebook and GitLab providers;

Done: [2].

* [1] https://groups.google.com/d/topic/repo-discuss/V4Dwjw2cj8o/discussion

* [2] https://github.com/davido/gerrit-oauth-provider/releases/tag/v2.13.6

[Matthew Webber]

On Monday, March 6, 2017 at 11:18:11 PM UTC, David Ostrovsky wrote:

You know, you don't need to migrate from OpenID, to use OAuth?

Thanks to Hybrid OpenID+OAuth provider feature you can have

both. Just install the plugin, configure the providers and preserve

OpenID auth scheme, done.

Thanks for the reminder, David.

We currently use OpenID (Yahoo), What I'd like is for existing users to be able to switch, and a time of their choosing, to using OAuth (GitHub). I tried using the "Link Identity" facility, but it failed with the stack track given below (this is Gerrit and gerrit-oauth-provider 2.13.6). Is the ability to merge that combination supposed to work, or not? If it is supposed to work, I'll open a ticket with full details; if it's not supported, then we'll have to work out some other way of doing it.

Thanks

[2017-03-08 16:53:13,277] [HTTP-70] ERROR com.google.gerrit.httpd.auth.openid.OAuthSessionOverOpenID : Unable to authenticate user "com.google.gerrit.extensions.auth.oauth.OAuthUserInfo@18db978b"

com.google.gerrit.server.account.AccountException: Cannot assign external ID "github-oauth:562564" to account 1000055; external ID already in use.

at com.google.gerrit.server.account.AccountManager.create(AccountManager.java:268)

at com.google.gerrit.server.account.AccountManager.authenticate(AccountManager.java:132)

at com.google.gerrit.httpd.auth.openid.OAuthSessionOverOpenID.authenticateAndRedirect(OAuthSessionOverOpenID.java:192)

at com.google.gerrit.httpd.auth.openid.OAuthSessionOverOpenID.login(OAuthSessionOverOpenID.java:105)

at com.google.gerrit.httpd.auth.openid.OAuthWebFilterOverOpenID.doFilter(OAuthWebFilterOverOpenID.java:79)

at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)

at com.google.gerrit.httpd.RequireSslFilter.doFilter(RequireSslFilter.java:77)

at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)

at com.google.gwtexpui.server.CacheControlFilter.doFilter(CacheControlFilter.java:73)

at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)

at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:122)

at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)

at com.google.gerrit.httpd.RequestMetricsFilter.doFilter(RequestMetricsFilter.java:60)

at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)

at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:136)

at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:105)

at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)

at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:75)

at com.google.inject.servlet.FilterChainInvocation.doFilter(FilterChainInvocation.java:82)

at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:120)

at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:135)

at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1652)

at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:585)

at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:221)

at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)

at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)

at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)

at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)

at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)

at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)

at org.eclipse.jetty.server.Server.handle(Server.java:499)

at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)

at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)

at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)

at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)

at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)

at java.lang.Thread.run(Thread.java:745)

[David Ostrovsky]

Am Donnerstag, 9. März 2017 12:23:49 UTC+1 schrieb Matthew Webber:

On Monday, March 6, 2017 at 11:18:11 PM UTC, David Ostrovsky wrote:

You know, you don't need to migrate from OpenID, to use OAuth?

Thanks to Hybrid OpenID+OAuth provider feature you can have

both. Just install the plugin, configure the providers and preserve

OpenID auth scheme, done.

Thanks for the reminder, David.

We currently use OpenID (Yahoo), What I'd like is for existing users to be able to switch, and a time of their choosing, to using OAuth (GitHub). I tried using the "Link Identity" facility, but it failed with the stack track given below (this is Gerrit and gerrit-oauth-provider 2.13.6). Is the ability to merge that combination supposed to work, or not? If it is supposed to work, I'll open a ticket with full details; if it's not supported, then we'll have to work out some other way of doing it.

Thanks

[2017-03-08 16:53:13,277] [HTTP-70] ERROR com.google.gerrit.httpd.auth.openid.OAuthSessionOverOpenID : Unable to authenticate user "com.google.gerrit.extensions.auth.oauth.OAuthUserInfo@18db978b"

com.google.gerrit.server.account.AccountException: Cannot assign external ID "github-oauth:562564" to account 1000055; external ID already in use.

How you put yourself in that state? Can it be, that you first registered directly with

this GitHub identity, *without* linking? And later you are trying to link to the same

identity? The workflow supposed to be like this:

1. Register with OpenID

2. Login with OpenID

3. Select "Link Identity" button

4. Select any of configured provider

5. Approve provider specific credentials

6. New Identity is linked to the existing account

There is no facility for account merging, neither in Gerrit core, no in oauth

plugin. Once screwed up, you would need to merge the accounts manually.

[Matthew Webber]

On Thursday, March 9, 2017 at 12:37:26 PM UTC, David Ostrovsky wrote:

How you put yourself in that state? Can it be, that you first registered directly with

this GitHub identity, *without* linking? And later you are trying to link to the same

identity? The workflow supposed to be like this:

1. Register with OpenID

2. Login with OpenID

3. Select "Link Identity" button

4. Select any of configured provider

5. Approve provider specific credentials

6. New Identity is linked to the existing account

There is no facility for account merging, neither in Gerrit core, no in oauth

plugin. Once screwed up, you would need to merge the accounts manually.

Thanks for the detail. That's exactly the sequence I was following, and it fails every time in the same way. However, I wonder whether the problem occurs because we were originally using auth=OPENID_SSO.

I changed this as follows:

# display existing auth configuration

$ git config -f ${gerrit_config} --get-regexp auth

auth.type OPENID_SSO

auth.openidssourl https://me.yahoo.com

# update auth configuration

git config -f ${gerrit_config} --replace-all auth.type OPENID

git config -f ${gerrit_config} --unset-all   auth.openIdSsoUrl

git config -f ${gerrit_config} --replace-all auth.trustedOpenID '^.*$'

git config -f ${gerrit_config} --replace-all plugin.gerrit-oauth-provider-github-oauth.client-id <<value>>

git config -f ${gerrit_config} --replace-all plugin.gerrit-oauth-provider-github-oauth.client-secret <<value>>

Having logged in to Gerrit using one OpenID provider, I can successfully link my Gerrit account to an identity from another OpenID provider.

I can also register an new Gerrit account using GitHub OAuth provider.

However, what I can't do is link an existing Gerrit account to an new identity from GitHub OAuth provider (to be clear: that's not an identity that has been previously registered) - I get the stack trace as originally mentioned.

It sounds like this is supposed to work. I will confirm (or otherwise!) this next week using a fresh Gerrit install, and open a ticket as required.

[David Ostrovsky]

Am Freitag, 10. März 2017 18:04:04 UTC+1 schrieb Matthew Webber:

On Thursday, March 9, 2017 at 12:37:26 PM UTC, David Ostrovsky wrote:

How you put yourself in that state? Can it be, that you first registered directly with

this GitHub identity, *without* linking? And later you are trying to link to the same

identity? The workflow supposed to be like this:

1. Register with OpenID

2. Login with OpenID

3. Select "Link Identity" button

4. Select any of configured provider

5. Approve provider specific credentials

6. New Identity is linked to the existing account

There is no facility for account merging, neither in Gerrit core, no in oauth

plugin. Once screwed up, you would need to merge the accounts manually.

Thanks for the detail. That's exactly the sequence I was following, and it fails every time in the same way. However, I wonder whether the problem occurs because we were originally using auth=OPENID_SSO.

[...]

I can also register an new Gerrit account using GitHub OAuth provider.

However, what I can't do is link an existing Gerrit account to an new identity from GitHub OAuth provider (to be clear: that's not an identity that has been previously registered) - I get the stack trace as originally mentioned.

It sounds like this is supposed to work. I will confirm (or otherwise!) this next week using a fresh Gerrit install, and open a ticket as required.

That sounds like a bug to me. Just to make sure, can you try above use case on the

most recent master? There were some bugs in account reindexing logic, even in recent

2.13 release, e.g.: [1].

* [1]  https://gerrit-review.googlesource.com/99290

[Matthew Webber]

On Friday, 10 March 2017 17:31:10 UTC, David Ostrovsky wrote:

That sounds like a bug to me. Just to make sure, can you try above use case on the most recent master?

 

Well spotted. On a completely fresh install (the simplest possible, h2 database, 1 user, no repos):

- I did a fresh install of 2.13.6. The problem occurred, as reported above.

- I did a fresh install of master. The problem did NOT occur. Yeah!

- I did a fresh install of 2.13.6 (without OAuth), then upgraded to master while adding OAuth. It worked properly.

I have not yet tested with a (copy of a) large install with users and history, but I'll try and do that tomorrow.

Meantime, it looks like I can just wait till 2.14 is released.

Thanks for your assistance with all this.

Matthew

[David Ostrovsky]

Am Montag, 13. März 2017 18:10:38 UTC+1 schrieb Matthew Webber:

On Friday, 10 March 2017 17:31:10 UTC, David Ostrovsky wrote:

That sounds like a bug to me. Just to make sure, can you try above use case on the most recent master?

 

Well spotted. On a completely fresh install (the simplest possible, h2 database, 1 user, no repos):

- I did a fresh install of 2.13.6. The problem occurred, as reported above.

- I did a fresh install of master. The problem did NOT occur. Yeah!

Thanks for letting us know. It would be great if you could confirm,

whether 2.13.7 (once released) works as expected.

[Matthew Webber]

On Tuesday, 14 March 2017 15:18:35 UTC, David Ostrovsky wrote:

Thanks for letting us know. It would be great if you could confirm,

whether 2.13.7 (once released) works as expected.

 

I'm happy to report that 2.13.7 works correctly in this regard.

Specifically, I recreated in the problem in a 2.13.6 install, then upgraded to 2.13.7, and verified that the problem no longer occurred.

Thanks

Matthew

 

[David Ostrovsky]

In light of this discussion please check that you are running at least Gerrit version

2.13.7 before reporting any issues related to gerrit-oauth-provider plugin.

Older Gerrit versions are known to suffer from account index bugs, that broke quite

some OAuth related features.

[David Ostrovsky]

On Thursday, March 2, 2017 at 11:27:42 PM UTC+1, David Ostrovsky wrote:

I'm pleased to announce, that oauth-provider plugin supports now

* Facebook oauth provider, thanks to Boyan Vladinov [1].

* GitLab oauth provider, thanks to Andrey Tuvaev [2].

Thanks also to Luca for helping with review ;)

It worth noting that during the work on new providers, we've

discovered one nasty bug: [3]: raw provider ids were stored

without the provider prefix in the backend. This was fixed in:

[4]. The migration is seamless, thanks to linking feature, set

  fix-legacy-user-id = true

for each oauth provider section.

In light of https://github.com/davido/gerrit-oauth-provider/issues/99,

I would like to emphasize that the new setting:

    fix-legacy-user-id = true

must be enabled during the upgrade and not after it. Otherwise,

the identity linking machinery is not activated, and new users will

be created during log in, instead of linking new external ids to the

existing users.