Gerrit and Google oauth2 initial setup


Andrew Palmer

May 21, 2018, 3:53:48 AM
to Repo and Gerrit Discussion
Hi All,

I'm having a bit of trouble finishing the config of gerrit using google oauth2, all new to me. I have followed all the forum and tutorials I could possibly find. I initially had gerrit up and running, but because it is only supporting openid for login, Client credentials were created on google dev console. I searched for an alternative which would allow google accounts for login. I ended up going through the apache setup ok, but ran into issues after entering google credentials. To log in, I navigate to gerrit-server.my.domain.com, which prompts to log in with google. Upon entering a valid credential, I end up with the "not found" page.

Note, apache/gerrit are running on the same server with different ports.

Hopefully, I just have some simple typo in here, and appreciate any help!

My gerrit.config file:
# gerrit-server.my.domain.com and <server_ip> are of the same host, and hostname is registered in dns
[gerrit]
    basePath = git
    serverId = <serverid>
    canonicalWebUrl = http://gerrit-server.my.domain.com:8081/
[database]
    type = h2
    database = /home/gerritadmin/gerrit_test/db/ReviewDB
[noteDb "changes"]
    disableReviewDb = true
    primaryStorage = note db
    read = true
    sequence = true
    write = true
[index]
    type = LUCENE
[auth]
    type = HTTP
    emailFormat = {0}@domain.com
    httpHeader = X-Forwarded-User
[receive]
    enableSignedPush = false
[sendemail]
    smtpServer = localhost
[container]
    user = gerritadmin
    javaHome = /usr/lib/jvm/java-8-oracle/jre
[sshd]
    listenAddress = *:29418
[httpd]
    listenUrl = proxy-http://<server_ip>:8081/
[cache]
    directory = cache


/etc/apache2/sites-available/gerrit.conf

<VirtualHost *:80>
ServerName gerrit-server.my.domain.com
ServerAdmin m...@domain.com
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined


OIDCProviderMetadataURL <google account address>
OIDCClientID <taken from google oauth2 client creds>
OIDCClientSecret <taken from google oauth2 client creds>


OIDCScope "openid email profile"
OIDCRedirectURI http://gerrit-server.my.domain.com:8081/oauth2callback
# Note, not really sure what this does but it is required.
OIDCCryptoPassphrase blah



OIDCSessionInactivityTimeout 600


OIDCCookiePath /


OIDCAuthRequestParams hd=domain.com
OIDCRemoteUserClaim email
OIDCAuthNHeader X-Forwarded-User


RewriteEngine On
#LogLevel alert rewrite:trace2
RewriteRule ^/logout$ /oauth2callback?logout=http://gerrit-server.my.domain.com/ [R]


ProxyPass / http://<server_ip>:8081/ nocanon
ProxyPassReverse / http://<server_ip>:8081/
ProxyRequests     Off
AllowEncodedSlashes On




<Proxy http://gerrit-server.my.domain.com:80/*>
# add rewrites here if necessary
</Proxy>


<Location /login/>
   AuthType openid-connect
   Require claim hd:domain.com
   Require valid-user
</Location>


</VirtualHost>

Andy

May 21, 2018, 1:10:43 PM
to Repo and Gerrit Discussion
Wanted to just update this in case others run into the same issue. I ended up skipping the apache2 config file and installing the gerrit-oauth-provider plugin:

I don't know why I didn't try this earlier, it was much simpler to config.

With this, I simply installed and followed the short README, and after having done that, the google authentication showed up when either using "sign in" or "register".

As a note, I ran into some issue where I had to kill a process that had a lock (h2 db):
sudo ps aux | grep java

Then, config went through fine.