Gerrit is using external id to identify users: [1] In case of HTTP authentication scheme external
id looks like: "gerrit:foo". In case of OAUTH authentication scheme the external id depends on
the used OAuth plugin and the OAuth authentication provider.
For gerrit-oauth-provider plugin: [2] and Google OAuth provider the external id would be:
"google-oauth:<sub>", see: [3], where sub is an identifier for the user, unique among all
Google accounts and never reused, e.g.: 10769150350006150715113082367.
Now, say existing account with external id "gerrit:foo" has email
f...@gmail.com and new user
is identified with Google OAuth with external id: "google-oauth:4711" has the same email.
Gerrit would need to know to link the new OAUTH account to the existing HTTP account.
There is such a feature "link another identity" from Gerrit UI, but this feature is only available
for the same authentication scheme, like OPENID or OAUTH, where different authentication providers
are used (user would like to be able to login to gerrit using her GitHub and Google accounts).
However, this cannot work across different authentication schemes.
Note, that since Gerrit 3.8 support was added in Gerrit core to migrate to Google OAuth: [4].
Right now it only supports migration to Google OAuth:
// TODO: in case of extension of further migration paths this code should
// probably be refactored out by creating an AccountMigrator extension point.
if (who.getExternalIdKey().isScheme(SCHEME_GOOGLE_OAUTH)) {
Optional<ExternalId> existingLDAPExtID = findLdapExternalId(who);
if (existingLDAPExtID.isPresent()) {
return migrateLdapAccountToOauth(who, existingLDAPExtID.get());
}
}
According to the TODO comment above, an extension point could be extracted and a similar logic
could be moved to oauth provider plugins, where account linking support for different OAuth providers
could be implemented.
Anyway, you could migrate new created account by merging them to the existing user account by editing
the "refs/meta/external-ids" branch manually, see for example this issue for more details: [5].