Migration from HTTP Basic Authentication to OAUTH


shichao lan

Jul 12, 2024, 4:58:55 AM (10 days ago) Jul 12
to Repo and Gerrit Discussion
We have a Gerrit server with repos and users.
Previously, we used nginx as a reverse proxy with auth_basic.
Now, we hope to change Gerrit's user authentication method to OAUTH. How can we ensure that user data remains unchanged after logging in with OAUTH? I hope their grouping and permissions can be preserved.
Tips: The email obtained from OAUTH will be consistent with the email previously used by users.

David Ostrovsky

Jul 14, 2024, 3:57:15 AM (8 days ago) Jul 14
to Repo and Gerrit Discussion
shichao lan wrote on Friday, 12 July 2024 at 10:58:55 UTC+2:
We have a Gerrit server with repos and users.
Previously, we used nginx as a reverse proxy with auth_basic.
Now, we hope to change Gerrit's user authentication method to OAUTH. How can we ensure that user data remains unchanged after logging in with OAUTH? I hope their grouping and permissions can be preserved.

Gerrit uses external ids to identify users: [1]. In the case of the HTTP authentication scheme the external
id looks like "gerrit:foo". In the case of the OAUTH authentication scheme the external id depends on
the OAuth plugin used and the OAuth authentication provider.

For the gerrit-oauth-provider plugin [2] and the Google OAuth provider the external id would be
"google-oauth:<sub>", see [3], where sub is an identifier for the user, unique among all
Google accounts and never reused, e.g. 10769150350006150715113082367.

Now, say an existing account with external id "gerrit:foo" has email f...@gmail.com and a new user
identified via Google OAuth with external id "google-oauth:4711" has the same email.
Gerrit would need to know to link the new OAUTH account to the existing HTTP account.

There is such a feature, "link another identity", in the Gerrit UI, but this feature is only available
within the same authentication scheme, like OPENID or OAUTH, where different authentication providers
are used (a user would like to be able to log in to Gerrit using her GitHub and Google accounts).
However, this cannot work across different authentication schemes.

Note that since Gerrit 3.8, support was added in Gerrit core to migrate to Google OAuth: [4].
Right now it only supports migration to Google OAuth:

    // TODO: in case of extension of further migration paths this code should
    // probably be refactored out by creating an AccountMigrator extension point.
    if (who.getExternalIdKey().isScheme(SCHEME_GOOGLE_OAUTH)) {
      Optional<ExternalId> existingLDAPExtID = findLdapExternalId(who);
      if (existingLDAPExtID.isPresent()) {
        return migrateLdapAccountToOauth(who, existingLDAPExtID.get());
      }
    }


According to the TODO comment above, an extension point could be extracted and similar logic
could be moved to OAuth provider plugins, where account linking support for different OAuth providers
could be implemented.

Anyway, you could migrate newly created accounts by merging them into the existing user account by editing
the "refs/meta/external-ids" branch manually; see for example this issue for more details: [5].
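As an added illustration of the manual merge described in the reply (this is not code from the thread or from Gerrit itself), the script below rewrites an OAuth external-id note so that it points at the existing HTTP account's accountId. It assumes the documented note layout under refs/meta/external-ids (a Git-config style `[externalId "scheme:id"]` section, note named by the SHA-1 of the key); the two notes, account ids and e-mail address are constructed sample data, and the link is refused when the e-mail addresses of the two notes differ.

```python
import hashlib
import re
from typing import Dict

# Constructed sample notes (not real Gerrit data). Layout assumed to follow the
# Gerrit accounts documentation for refs/meta/external-ids.
HTTP_NOTE = """[externalId "gerrit:foo"]
\taccountId = 1000001
\temail = foo@example.com
\tpassword = bcrypt:4:PLACEHOLDER
"""

OAUTH_NOTE = """[externalId "google-oauth:4711"]
\taccountId = 1000042
\temail = foo@example.com
"""


def note_name(key: str) -> str:
    """Gerrit names each external-id note by the SHA-1 of the key string."""
    return hashlib.sha1(key.encode("utf-8")).hexdigest()


def parse_note(text: str) -> Dict[str, str]:
    """Parse one external-id note into {key, accountId, email, ...}."""
    header = re.search(r'^\[externalId "([^"]+)"\]', text, re.M)
    if not header:
        raise ValueError("not an externalId note")
    fields = {"key": header.group(1)}
    for name, value in re.findall(r'^\s*(\w+)\s*=\s*(.*?)\s*$', text, re.M):
        fields[name] = value
    return fields


def emails_match(oauth_note: str, http_note: str) -> bool:
    """Only link identities that carry the same (case-insensitive) e-mail."""
    o, h = parse_note(oauth_note), parse_note(http_note)
    return bool(o.get("email")) and o["email"].lower() == h.get("email", "").lower()


def link_to_existing(oauth_note: str, http_note: str) -> str:
    """Return the OAuth note rewritten to the existing account's accountId.
    Refusing on e-mail mismatch avoids merging a stranger's OAuth login into
    someone else's Gerrit account during the migration."""
    if not emails_match(oauth_note, http_note):
        raise ValueError("e-mail mismatch, refusing to link identities")
    account_id = parse_note(http_note)["accountId"]
    return re.sub(r"(?m)^(\s*accountId\s*=\s*)\S+", rf"\g<1>{account_id}", oauth_note)
```

The rewritten note is written back into refs/meta/external-ids under note_name("google-oauth:4711"); the now-orphaned account 1000042 still exists afterwards and has to be handled separately.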
