Gerrit + OAuth2 + Keycloak


Sergio Durigan Junior

Oct 9, 2019, 2:28:31 AM
to repo-d...@googlegroups.com
Hello,

I have been trying to set up a Gerrit instance (latest version, running
in a local VM) with OAuth2 authentication using Keycloak (also running
at the same VM), and I'm seeing some strange errors.

First, some information about my setup. I'm running Debian 10 (buster)
with OpenJDK 11 installed. It took me a bit but I managed to make
Gerrit start with it, and it has been running without problems. Here's
my gerrit.config:

[gerrit]
  basePath = git
  canonicalWebUrl = http://192.168.122.32/gerrit/
  serverId = c505cc81-e662-4c48-9dd3-7617f7c6d525
[container]
  javaOptions = "-Dflogger.backend_factory=com.google.common.flogger.backend.log4j.Log4jBackendFactory#getInstance"
  javaOptions = "-Dflogger.logging_context=com.google.gerrit.server.logging.LoggingContext#getInstance"
  javaOptions = --add-opens=jdk.management/com.sun.management.internal=ALL-UNNAMED
  user = gerrit
  javaHome = /usr/lib/jvm/java-11-openjdk-amd64
[index]
  type = LUCENE
[auth]
  type = OAUTH
  gitBasicAuthPolicy = HTTP
[receive]
  enableSignedPush = false
[sendemail]
  smtpServer = localhost
[sshd]
  listenAddress = *:29418
[httpd]
  listenUrl = proxy-http://127.0.0.1:8081/gerrit/
[cache]
  directory = cache
[plugins]
  allowRemoteAdmin = true
[plugin "gerrit-oauth-provider-keycloak-oauth"]
  root-url = http://192.168.122.32:8877
  realm = gerrit
  client-id = gerrit

The main problem I'm facing has to do with a "Server Error" I'm getting
after I authenticate on Keycloak. The redirect_uri parameter is
"http://192.168.122.32/gerrit/oauth", and Keycloak is indeed redirecting
me to (after I successfully enter my user/password):

<http://192.168.122.32/gerrit/oauth?state=1w8zlPoyB6MKV0d3b1oxlVoZQSR2wdBYzoyRMhf0pkU&session_state=0cace963-06fb-4537-8ee5-81d015f644ed&code=fe554d1b-e667-400d-a657-b236e0e246c1.0cace963-06fb-4537-8ee5-81d015f644ed.6966edc3-701b-4c24-85c3-e36e04099dee>

However, that URL gives me the "Server Error" I mentioned. When I look
at Gerrit's logs, I see:

[2019-10-08 23:41:09,126] [HTTP-92] ERROR com.google.gerrit.pgm.http.jetty.HiddenErrorHandler : Error in GET /gerrit/oauth?state=1w8zlPoyB6MKV0d3b1oxlVoZQSR2wdBYzoyRMhf0pkU&session_state=0cace963-06fb-4537-8ee5-81d015f644ed&code=fe554d1b-e667-400d-a657-b236e0e246c1.0cace963-06fb-4537-8ee5-81d015f644ed.6966edc3-701b-4c24-85c3-e36e04099dee
java.lang.StringIndexOutOfBoundsException: String index out of range: -1
at java.base/java.lang.String.substring(String.java:1841)
at com.google.gerrit.httpd.auth.oauth.OAuthSession.authenticateAndRedirect(OAuthSession.java:156)
at com.google.gerrit.httpd.auth.oauth.OAuthSession.login(OAuthSession.java:109)
at com.google.gerrit.httpd.auth.oauth.OAuthWebFilter.doFilter(OAuthWebFilter.java:105)
at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:120)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:133)
at com.gerritforge.gerrit.plugins.account.XAuthFilter.doFilter(XAuthFilter.java:73)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:129)
at com.gerritforge.gerrit.plugins.account.AccountLoginRedirectFilter.doFilter(AccountLoginRedirectFilter.java:82)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:129)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:135)
at com.google.gerrit.httpd.RequestMetricsFilter.doFilter(RequestMetricsFilter.java:57)
at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:69)
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1588)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1557)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:502)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
at java.base/java.lang.Thread.run(Thread.java:834)

The interesting thing is that if I then go to the main page, I see
myself authenticated there.

The other problem happens when I try to logout. If I click on "Sign
out", Gerrit shows me that the sign out happened successfully. However,
when I try logging in again, I am redirected to the exact same
"/gerrit/oauth?state=..." URL I posted above, but now I see a different
error in the logs:

[2019-10-08 23:50:33,046] [HTTP-77] ERROR com.google.gerrit.pgm.http.jetty.HiddenErrorHandler : Error in GET /gerrit/oauth?state=1w8zlPoyB6MKV0d3b1oxlVoZQSR2wdBYzoyRMhf0pkU&session_state=0cace963-06fb-4537-8ee5-81d015f644ed&code=fc1becf8-6b8b-4689-ae8a-e6d62d00f477.0cace963-06fb-4537-8ee5-81d015f644ed.6966edc3-701b-4c24-85c3-e36e04099dee
org.scribe.exceptions.OAuthException: Cannot extract an access token. Response was: {"error":"invalid_grant","error_description":"Code not valid"}
at org.scribe.extractors.JsonTokenExtractor.extract(JsonTokenExtractor.java:23)
at com.googlesource.gerrit.plugins.oauth.OAuth20ServiceImpl.getAccessToken(OAuth20ServiceImpl.java:70)
at com.googlesource.gerrit.plugins.oauth.KeycloakOAuthService.getAccessToken(KeycloakOAuthService.java:120)
at com.google.gerrit.httpd.auth.oauth.OAuthSession.login(OAuthSession.java:104)
at com.google.gerrit.httpd.auth.oauth.OAuthWebFilter.doFilter(OAuthWebFilter.java:105)
at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:120)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:133)
at com.gerritforge.gerrit.plugins.account.XAuthFilter.doFilter(XAuthFilter.java:73)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:129)
at com.gerritforge.gerrit.plugins.account.AccountLoginRedirectFilter.doFilter(AccountLoginRedirectFilter.java:82)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy$1.doFilter(AllRequestFilter.java:129)
at com.google.gerrit.httpd.AllRequestFilter$FilterProxy.doFilter(AllRequestFilter.java:135)
at com.google.gerrit.httpd.RequestMetricsFilter.doFilter(RequestMetricsFilter.java:57)
at com.google.gerrit.httpd.RequestContextFilter.doFilter(RequestContextFilter.java:69)
at com.google.inject.servlet.ManagedFilterPipeline.dispatch(ManagedFilterPipeline.java:121)
at com.google.inject.servlet.GuiceFilter.doFilter(GuiceFilter.java:133)
at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1610)
at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:540)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1588)
at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255)
at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1345)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203)
at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:480)
at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1557)
at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201)
at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1247)
at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144)
at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132)
at org.eclipse.jetty.server.Server.handle(Server.java:502)
at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364)
at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260)
at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305)
at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103)
at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
at java.base/java.lang.Thread.run(Thread.java:834)

When I look at Keycloak's logs, I see:

23:50:33,044 WARN [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (default task-82) Code 'fc1becf8-6b8b-4689-ae8a-e6d62d00f477' already used for userSession '0cace963-06fb-4537-8ee5-81d015f644ed' and client '6966edc3-701b-4c24-85c3-e36e04099dee'.
23:50:33,044 WARN [org.keycloak.events] (default task-82) type=CODE_TO_TOKEN_ERROR, realmId=gerrit, clientId=gerrit, userId=null, ipAddress=192.168.122.32, error=invalid_code, grant_type=authorization_code, code_id=0cace963-06fb-4537-8ee5-81d015f644ed, client_auth_method=client-secret

IIUC, this is telling me that the sign out process happened on Gerrit, but
wasn't "replicated" to Keycloak (i.e., I'm still logged in on Keycloak).

Has anyone here experienced these problems when using OAuth2 with Gerrit
and Keycloak? Any suggestions on what to try? I've already tried
changing a lot of settings on Keycloak, without success.

Thanks in advance.

--
Sergio
GPG key ID: 237A 54B1 0287 28BF 00EF 31F4 D0EB 7628 65FC 5E36
Please send encrypted e-mail if possible
http://sergiodj.net/

Luca Milanesio

Oct 9, 2019, 3:14:50 AM
to Sergio Durigan Junior, Luca Milanesio, repo-d...@googlegroups.com

On 9 Oct 2019, at 04:56, Sergio Durigan Junior <serg...@sergiodj.net> wrote:

> Hello,
>
> I have been trying to set up a Gerrit instance (latest version, running
> in a local VM) with OAuth2 authentication using Keycloak (also running
> at the same VM), and I'm seeing some strange errors.
>
> First, some information about my setup.  I'm running Debian 10 (buster)
> with OpenJDK 11 installed.

Unrelated comment: OpenJDK 11 is not (officially) supported yet [1] even if it works.



David Ostrovsky

Oct 9, 2019, 3:17:08 AM
to Repo and Gerrit Discussion

On Wednesday, 9 October 2019 08:28:31 UTC+2, Sergio Durigan Junior wrote:
> Hello,
>
> I have been trying to set up a Gerrit instance (latest version, running
> in a local VM) with OAuth2 authentication using Keycloak (also running
> at the same VM), and I'm seeing some strange errors.

It wasn't me who contributed Keycloak oauth scheme in gerrit-oauth-plugin.
I tried to use gerrit with it in test set-up and wrote this documentation how
to integrate both: [1]. Can you try to reproduce the integration of gerrit
with Keycloak oauth using: [1], and compare the differences with your setup?

[1] https://github.com/davido/keycloak-gerrit-oauth-provider


David Pursehouse

Oct 9, 2019, 3:25:54 AM
to David Ostrovsky, Repo and Gerrit Discussion
Should that guide be included in the oauth plugin's documentation? 


Sergio Durigan Junior

Oct 9, 2019, 9:51:27 AM
to David Ostrovsky, Repo and Gerrit Discussion
Thanks. I can try it. I think Keycloak's docker setup doesn't use
Apache as a proxy (which I'm doing), but I'll take a look and report
back.

Thanks,

Sergio Durigan Junior

Oct 9, 2019, 11:03:28 PM
to Luca Milanesio, repo-d...@googlegroups.com
On Wednesday, October 09 2019, Luca Milanesio wrote:

>> On 9 Oct 2019, at 04:56, Sergio Durigan Junior <serg...@sergiodj.net> wrote:
>>
>> Hello,
>>
>> I have been trying to set up a Gerrit instance (latest version, running
>> in a local VM) with OAuth2 authentication using Keycloak (also running
>> at the same VM), and I'm seeing some strange errors.
>>
>> First, some information about my setup. I'm running Debian 10 (buster)
>> with OpenJDK 11 installed.
>
> Unrelated comment: OpenJDK 11 is not (officially) supported yet [1] even if it works.

Yeah, I saw that, but thanks for pointing it out. It is becoming difficult
to satisfy this dependency on newer distributions if the person (like
me) wants to use the distro's packages and doesn't like setting things
up using docker or pre-made images. But as I said in the other message, I
will give it a try and check if things work with the official docker
image for Keycloak.

Thanks,

Sergio Durigan Junior

Oct 10, 2019, 12:25:15 AM
to David Ostrovsky, Repo and Gerrit Discussion
On Wednesday, October 09 2019, I wrote:

> On Wednesday, October 09 2019, David Ostrovsky wrote:
>
>> On Wednesday, 9 October 2019 08:28:31 UTC+2, Sergio Durigan Junior wrote:
>>>
>>> Hello,
>>>
>>> I have been trying to set up a Gerrit instance (latest version, running
>>> in a local VM) with OAuth2 authentication using Keycloak (also running
>>> at the same VM), and I'm seeing some strange errors.
>>>
>>
>> It wasn't me who contributed Keycloak oauth scheme in gerrit-oauth-plugin.
>> I tried to use gerrit with it in test set-up and wrote this documentation
>> how to integrate both: [1]. Can you try to reproduce the integration of
>> gerrit with Keycloak oauth using: [1], and compare the differences with your
>> setup?
>>
>> [1] https://github.com/davido/keycloak-gerrit-oauth-provider
>
> Thanks. I can try it. I think Keycloak's docker setup doesn't use
> Apache as a proxy (which I'm doing), but I'll take a look and report
> back.

So, I tried running Keycloak from docker, and importing the JSON file
provided by you in order to configure the gerrit client on Keycloak. I
also noticed that the gerrit-oauth-provider plugin I was using had been
installed using the plugin-manager, and its sha256 differed from the
.jar provided in the github project, so I also updated that.

I'm still seeing the "Server Error" message, but now it's a different
one:

[2019-10-10 00:14:46,542] [HTTP-81] ERROR com.google.gerrit.pgm.http.jetty.HiddenErrorHandler : Error in GET /gerrit/oauth?state=4ZnqJHotq9Ul51sjdFtREk7hHlFXP7pBD8YaMvFgP2Q&session_state=86de8bed-870e-48b5-9627-954786c83c4b&code=c639f041-40b1-4205-a7d4-07f923e0e27b.86de8bed-870e-48b5-9627-954786c83c4b.b0086d87-e5ca-48d0-b2af-16b6b3ed8b47
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168)
at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126)
at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366)
at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765)
at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683)
at java.base/java.lang.Thread.run(Thread.java:834)

The fact that I'm not seeing the "String out of bounds" error anymore is
a good thing, I think. It may have something to do with upgrading the
.jar file.

On Keycloak's side, I still see:

04:14:46,539 WARN [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (default task-14) Code 'c639f041-40b1-4205-a7d4-07f923e0e27b' already used for userSession '86de8bed-870e-48b5-9627-954786c83c4b' and client 'b0086d87-e5ca-48d0-b2af-16b6b3ed8b47'.
04:14:46,540 WARN [org.keycloak.events] (default task-14) type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=gerrit, userId=null, ipAddress=192.168.122.32, error=invalid_code, grant_type=authorization_code, code_id=86de8bed-870e-48b5-9627-954786c83c4b, client_auth_method=client-secret

I've been trying to find something about these errors on the internet,
and I even found some people that were seeing the same warnings on
Keycloak, but so far nothing really useful for this specific case with
Gerrit.

Not sure if I mentioned this before, but I'm running both Gerrit
and Keycloak behind an Apache proxy. I don't think this is related to
the problem above, but I decided to mention it anyway.

I will post a help request on Keycloak user's mailing list as well, but
of course I'd love to see suggestions here as well.

Thanks a lot,
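
The Keycloak warnings quoted in the message above record an authorization code being presented to the token endpoint a second time; OAuth2 codes are single-use, so the same pattern is worth alerting on in a production realm. The following is an added example, not part of the original post and not Gerrit or Keycloak code: it pairs each "already used" warning with its CODE_TO_TOKEN_ERROR event. The function names are hypothetical, and the join on code_id equalling userSession is an assumption taken from the lines in this thread.

```python
import re

# Keycloak log lines copied from this thread, plus one constructed
# unrelated line to show that non-matching input is ignored.
SAMPLE_LOG = """\
23:50:33,044 WARN [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (default task-82) Code 'fc1becf8-6b8b-4689-ae8a-e6d62d00f477' already used for userSession '0cace963-06fb-4537-8ee5-81d015f644ed' and client '6966edc3-701b-4c24-85c3-e36e04099dee'.
23:50:33,044 WARN [org.keycloak.events] (default task-82) type=CODE_TO_TOKEN_ERROR, realmId=gerrit, clientId=gerrit, userId=null, ipAddress=192.168.122.32, error=invalid_code, grant_type=authorization_code, code_id=0cace963-06fb-4537-8ee5-81d015f644ed, client_auth_method=client-secret
04:14:46,539 WARN [org.keycloak.protocol.oidc.utils.OAuth2CodeParser] (default task-14) Code 'c639f041-40b1-4205-a7d4-07f923e0e27b' already used for userSession '86de8bed-870e-48b5-9627-954786c83c4b' and client 'b0086d87-e5ca-48d0-b2af-16b6b3ed8b47'.
04:14:46,540 WARN [org.keycloak.events] (default task-14) type=CODE_TO_TOKEN_ERROR, realmId=master, clientId=gerrit, userId=null, ipAddress=192.168.122.32, error=invalid_code, grant_type=authorization_code, code_id=86de8bed-870e-48b5-9627-954786c83c4b, client_auth_method=client-secret
04:15:02,101 INFO [org.example.constructed] (default task-15) constructed unrelated line
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}:\d{2}:\d{2},\d{3})\s+(?P<level>\w+)\s+"
    r"\[(?P<logger>[^\]]+)\]\s+\((?P<thread>[^)]+)\)\s+(?P<msg>.*)$"
)
REUSE_RE = re.compile(
    r"Code '(?P<code>[^']+)' already used for userSession "
    r"'(?P<session>[^']+)' and client '(?P<client>[^']+)'"
)


def parse_event_fields(msg):
    """Split the 'key=value, key=value' payload of an org.keycloak.events line."""
    fields = {}
    for part in msg.split(", "):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def find_code_reuse(log_text):
    """Return one finding per reused authorization code.

    Assumption taken from the lines in the thread: the event's code_id
    field carries the same value as the parser warning's userSession.
    """
    reused, events = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a Keycloak log line in the expected layout
        if m["logger"].endswith(".OAuth2CodeParser"):
            hit = REUSE_RE.search(m["msg"])
            if hit:
                reused.append({"time": m["ts"], **hit.groupdict()})
        elif m["logger"] == "org.keycloak.events":
            ev = parse_event_fields(m["msg"])
            if ev.get("type") == "CODE_TO_TOKEN_ERROR":
                events[ev.get("code_id")] = ev
    findings = []
    for r in reused:
        ev = events.get(r["session"], {})  # event may be missing from the log
        findings.append({
            "time": r["time"],
            "code": r["code"],
            "session": r["session"],
            "client_uuid": r["client"],
            "realm": ev.get("realmId"),
            "client_id": ev.get("clientId"),
            "source_ip": ev.get("ipAddress"),
            "error": ev.get("error"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_code_reuse(SAMPLE_LOG):
        print(finding)
```

In this thread the source address is the Gerrit host itself replaying a stale callback URL; a reuse finding whose source_ip is not a known client backend deserves a closer look.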

Sergio Durigan Junior

Oct 15, 2019, 5:48:59 PM
to repo-d...@googlegroups.com
On Tuesday, October 08 2019, I wrote:

> Hello,
>
> I have been trying to set up a Gerrit instance (latest version, running
> in a local VM) with OAuth2 authentication using Keycloak (also running
> at the same VM), and I'm seeing some strange errors.
[...]

Just a followup: I was able to finish the configuration and fix the
problems. I wrote a semi-detailed description of the whole process
here:

https://blog.sergiodj.net/2019/10/15/installing-gerrit-and-keycloak-for-gdb.html

Thanks,

David Ostrovsky

Oct 16, 2019, 1:32:59 AM
to Repo and Gerrit Discussion

On Tuesday, 15 October 2019 23:48:59 UTC+2, Sergio Durigan Junior wrote:
> On Tuesday, October 08 2019, I wrote:
>
>> Hello,
>>
>> I have been trying to set up a Gerrit instance (latest version, running
>> in a local VM) with OAuth2 authentication using Keycloak (also running
>> at the same VM), and I'm seeing some strange errors.
> [...]
>
> Just a followup: I was able to finish the configuration and fix the
> problems.

Thanks for letting us know. What was the root cause for first failing attempt
to integrate OAuth2 with Keycloak?

Sergio Durigan Junior

Oct 16, 2019, 10:05:26 AM
to David Ostrovsky, Repo and Gerrit Discussion
I am not entirely sure, but I think it was a combination of a missing
"AllowEncodedSlashes On" (on Apache's config) plus some problem with
the version of the oauth2 plugin which I had installed using plugin
manager. When I replaced it with the version from github, things
worked.

David Ostrovsky

Oct 16, 2019, 1:29:08 PM
to Repo and Gerrit Discussion

On Wednesday, 16 October 2019 16:05:26 UTC+2, Sergio Durigan Junior wrote:
> On Wednesday, October 16 2019, David Ostrovsky wrote:
>
>> On Tuesday, 15 October 2019 23:48:59 UTC+2, Sergio Durigan Junior wrote:
>>>
>>> On Tuesday, October 08 2019, I wrote:
>>>
>>> > Hello,
>>> >
>>> > I have been trying to set up a Gerrit instance (latest version, running
>>> > in a local VM) with OAuth2 authentication using Keycloak (also running
>>> > at the same VM), and I'm seeing some strange errors.
>>> [...]
>>>
>>> Just a followup: I was able to finish the configuration and fix the
>>> problems.
>>
>>
>> Thanks for letting us know. What was the root cause for first failing
>> attempt to integrate OAuth2 with Keycloak?
>
> I am not entirely sure, but I think it was a combination of a missing
> "AllowEncodedSlashes On" (on Apache's config) plus some problem with
> the version of the oauth2 plugin which I had installed using plugin
> manager.  When I replaced it with the version from github, things
> worked.

I'm confused. Can you try to track down the problem with plugin-manager
plugin?

Are you using gerrit 3.0.x? I would have expected that plugin-manager would
install this oauth.jar from CI Plugins-stable-3.0 build plan: [1]. The GH release
version: [2] should be very similar to the version provided by GerritForge CI
(but it is not the same, though).


Sergio Durigan Junior

Oct 16, 2019, 11:40:45 PM
to David Ostrovsky, Repo and Gerrit Discussion
I can try, but I am swamped with work right now, so it will take a
while. Also, I tried *so many* things (and spent so much time) to fix
this problem that I lost track of what exactly made it work. I remember
I wasn't able to make everything fully work with just one adjustment; it
was an incremental process.

> Are you using gerrit 3.0.x? I would have expected that plugin-manager would
> install this oauth.jar from CI Plugins-stable-3.0 build plan: [1]. The GH
> release version: [2] should be very similar to the version provided by
> GerritForge CI (but it is not the same, though).

Yeah, I'm using version 3.0.3 now. I do remember replacing the installed
oauth2 plugin with github's version, and I remember noticing a
difference in the error message when I did that (before I was seeing the
OutOfBounds exception, and after I started seeing an error regarding the
auth credentials), but I also know that just replacing the plugin wasn't
enough: I also had to do the "AllowEncodedSlashes On" for it to fully
work.