Re: SSO with OpenId

412 views
Skip to first unread message

Shawn Pearce

unread,
Jun 25, 2012, 10:14:46 AM6/25/12
to Andreas Borglin, repo-d...@googlegroups.com
On Sun, Jun 24, 2012 at 7:50 PM, Andreas Borglin
<andreas...@neonstingray.com> wrote:
> I'm currently investigating Gerrit as a potential code review tool for a
> small company. We are looking at having single sign on across all our tools
> in the development work flow.
> Our preferred option is to use Google OpenId, as we use Google Apps for
> e-mail, etc and people will already be logged into their Google account.
>
> Now, two questions.
>
> 1. Is there any way for Gerrit to automatically detect that you are already
> logged into a Google account and use those details? Currently you have to
> click Sign In and then choose a provider before you get logged in.

No. Gerrit can't see the cookies from Google that indicate you are
already signed in, those are on a different domain. You can modify
auth.allowOpenID[1] to limit the choices to only Google's URL. It
might be a minor UI change to automatically jump to Google when there
is only the Google provider allowed.

[1] https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#auth.allowedOpenID

> 2. I did read a previous post where Shawn mentioned that restricting OpenId
> login to a specific domain was not possible. Is this still the case? Is
> there no way at all to restrict access to Gerrit either pre/post login via
> Google Open Id? Any way to authenticate via some kind of Open Id delegate
> that uses Google Open Id but only accepts logins from a particular domain?

Currently this is not possible. However, it should be in the future.
The current tip of master has an abstracted group system. If a plugin
was written that used the Google API [2] you could install this and
use the plugin to query for membership in the domain. Unfortunately
this code has not been written yet.

[2] https://developers.google.com/google-apps/provisioning/#retrieving_all_groups_for_a_member

> I guess if none of this is possible, LDAP would be the way to go?

This might be a reasonable option in the short-term.

ffa

unread,
Jun 27, 2012, 1:18:14 AM6/27/12
to repo-d...@googlegroups.com
for SSO, try https://github.com/openstack-ci/gerrit/commit/1e35b2096f9776c44d8bb2d8d88e31791ecf47f3 .

On Sunday, June 24, 2012 7:50:14 PM UTC-7, Andreas Borglin wrote:
Hi.

First of, thanks for a great product.


I'm currently investigating Gerrit as a potential code review tool for a small company. We are looking at having single sign on across all our tools in the development work flow.
Our preferred option is to use Google OpenId, as we use Google Apps for e-mail, etc and people will already be logged into their Google account.

Now, two questions.

1. Is there any way for Gerrit to automatically detect that you are already logged into a Google account and use those details? Currently you have to click Sign In and then choose a provider before you get logged in.
2. I did read a previous post where Shawn mentioned that restricting OpenId login to a specific domain was not possible. Is this still the case? Is there no way at all to restrict access to Gerrit either pre/post login via Google Open Id? Any way to authenticate via some kind of Open Id delegate that uses Google Open Id but only accepts logins from a particular domain?

I guess if none of this is possible, LDAP would be the way to go?

Thanks in advance.

Cheers, Andreas

On Sunday, June 24, 2012 7:50:14 PM UTC-7, Andreas Borglin wrote:
Hi.

First of, thanks for a great product.


I'm currently investigating Gerrit as a potential code review tool for a small company. We are looking at having single sign on across all our tools in the development work flow.
Our preferred option is to use Google OpenId, as we use Google Apps for e-mail, etc and people will already be logged into their Google account.

Now, two questions.

1. Is there any way for Gerrit to automatically detect that you are already logged into a Google account and use those details? Currently you have to click Sign In and then choose a provider before you get logged in.
2. I did read a previous post where Shawn mentioned that restricting OpenId login to a specific domain was not possible. Is this still the case? Is there no way at all to restrict access to Gerrit either pre/post login via Google Open Id? Any way to authenticate via some kind of Open Id delegate that uses Google Open Id but only accepts logins from a particular domain?

I guess if none of this is possible, LDAP would be the way to go?

Thanks in advance.

Cheers, Andreas

Pursehouse, David

unread,
Jun 27, 2012, 1:38:46 AM6/27/12
to ffa, repo-d...@googlegroups.com
The same commit is uploaded on gerrit-review:
https://gerrit-review.googlesource.com/#/c/36150/

--
David Pursehouse
Configuration Manager
Sony Mobile Communications Japan, Inc.

Shawn Pearce

unread,
Sep 30, 2012, 9:31:41 PM9/30/12
to Andreas Borglin, repo-discuss
On Tue, Sep 18, 2012 at 6:04 PM, Andreas Borglin
<andreas...@neonstingray.com> wrote:
> We're now looking at setting Gerrit up for our team.
> I can see that 2.5 rc0 has been released with support for that plugin system
> you referred to here.
>
> I spent some more time investigating this, and noticed that Jenkins supports
> something they call "Google Apps SSO", which allows you to restrict OpenId
> logins to a specific Google Apps domain.
> They have implemented this with open4java, which from what I can tell, is
> the same lib that Gerrit is using to support OpenId. From looking at the
> code, it seems to be fairly minor modifications to the how you handle
> standard OpenId auth.
> (https://github.com/jenkinsci/openid-plugin/blob/master/src/main/java/hudson/plugins/openid/GoogleAppSsoSecurityRealm.java)
>
> Now, I've been trying to figure out how I would go about writing a plugin to
> extend / replace the current OpenId authentication method in Gerrit, but not
> quite sure how I'd get started with that.
> Is this something that should be committed to the Gerrit core, or is there a
> way to do this via a plugin? Any pointers would be great in that case.
> Seems like Gerrit would need to support one additional auth.type -
> OpenID_GoogleApps and an additional parameter auth.allowedGoogleAppsDomain.

It isn't currently possible to write a plugin to handle an
authentication system. The authentication system code is strewn
throughout the code base. auth.type converts to an enum, AuthType, and
there are many switches that do different things throughout the code
based on the value of AuthType. :-(

If it is just a minor modification to the openid4java usage, it might
be fairly simple to support this with auth.type = OpenID and a new
auth parameter that specifies the Google Apps domain to limit login
to. This may be a fairly small change to the OpenID code, and would be
easier to do than replacing the entire authentication system to
support plugins first.

Of course we really should support plugins for authentication systems
just like we do for group systems, but its a non-trivial effort that
will take some significant time to code.
Reply all
Reply to author
Forward
0 new messages