Setting up OpenID for Gerrit installation running on a private 192.168.x.x server

[jme...@sybernet.ie]

Hi, 

I have a Gerrit installation which is up and running and uses the DEVELOPMENT_BECOME_ANY_ACCOUNT auth method. There are two users already created in Gerrit. 

I have upgraded the installation to 2.15.3 and I would like to add the openId auth setup as the auth type for the site but I am struggling with it. 

I re-ran the gerrit init command and I get the following auth entries in my gerrit.config. 

[auth]

        type = OPENID

        trustedOpenID = https://www.google.com/accounts/o8/id?

I have also included the gerrit-oauth-provider.jar plugin and selected Google in the setup

What do I do now ? Apologies for the basic question but I am a bit lost - any pointer to a "how-to" would be appreciated. 

How do I add my Google identity to my existing gerrit user account that would allow me access to my existing Gerrit user account once I have logged in on Google ? 

Any pointers would be much appreciated. 

Thanks

John. 

[David Ostrovsky]

On Thursday, August 30, 2018 at 8:37:42 AM UTC+2, jme...@sybernet.ie wrote:

Hi, 

I have a Gerrit installation which is up and running and uses the DEVELOPMENT_BECOME_ANY_ACCOUNT auth method. There are two users already created in Gerrit. 

I have upgraded the installation to 2.15.3 and I would like to add the openId auth setup as the auth type for the site but I am struggling with it. 

I re-ran the gerrit init command and I get the following auth entries in my gerrit.config. 

[auth]

        type = OPENID

        trustedOpenID = https://www.google.com/accounts/o8/id?

I have also included the gerrit-oauth-provider.jar plugin and selected Google in the setup

I think you are mixing something here. Google dropped OpenID years ago.

gerrit-oauth-provider that I maintain offers two major operation modes

(you can found detailed explanation on this Wiki site of this plugin: [1]):

* OAuth mode only

* Hybrid OpenID+OAuth authentication

Hybrid mode is important for LibreOffice developers, because some of them

still heavily use OpenID providers but some use OAuth providers on the same

gerrit installation site.

If all you want is to use Google's OAuth you should use OAuth mode and not

OpenID mode of this plugin. See also further documentation how to set up

OAuth providers for this plugin: [2].

[1] https://github.com/davido/gerrit-oauth-provider/wiki/FAQ

[2] https://github.com/davido/gerrit-oauth-provider/wiki/Getting-Started

[jme...@sybernet.ie]

Thanks, David. I have never used OpenId before so I am not tied to that in any way. Google OAuth should be all I need  

I re-ran the init and configured it for oauth 

My gerrit.config now has the following 

[auth]

        type = OAUTH

        trustedOpenID = https://www.google.com/accounts/o8/id?

        gitBasicAuthPolicy = HTTP

and 

[plugin "gerrit-oauth-provider-google-oauth"]

        fix-legacy-user-id = yes

        client-id = <my-client-id> 

However I get the following error when I try to sign in on my Gerrit instance. 

Error: invalid_request

device_id and device_name are required for private IP: http://192.168.x.x:8xxx/oauth

Learn more

Request Details

• response_type=code
• client_id=<my-client-id-as-setup-on-google-developer-console>
• redirect_uri=http://192.168.x.x:xxxx/oauth
• scope=email profile
• state=7UbO2TPSLcC9DARnVrGhnnXYo7UpKDOY-LTU-svJDXQ

That’s all we know.

When I set up the client ID on Google Console, I did not fill in anything for "Redirect URIs" as my Gerrit installation is an internal private IP address. 

Do I need to configure firewall/nat rules to allow Google access to the Gerrit installation to complete the authentication? 

Again thanks for any help or pointers, 

Best Regards

John.