auth via Google Workspace

113 views
Skip to first unread message

James Muir

unread,
Mar 30, 2023, 12:13:28 AM3/30/23
to Repo and Gerrit Discussion
Say Company X is using Google Workspace (to provide corporate email, calendar, etc).  Is it possible for devs to use their Google Workspace account for gerrit authentication?  How?

-James M

Kari Klein

unread,
Mar 30, 2023, 2:16:26 PM3/30/23
to Repo and Gerrit Discussion
On Wednesday, March 29, 2023 at 10:13:28 PM UTC-6 James Muir wrote:
Say Company X is using Google Workspace (to provide corporate email, calendar, etc).  Is it possible for devs to use their Google Workspace account for gerrit authentication?  How?

I just did this and wrote down the steps - I think they are fairly complete. Hopefully this helps:

Set Up OAuth2 with Google
Enable OAuth in Google Cloud:

You need the client id, secret password and to set up the redirect URIs. Enable being able to access full name and email. See https://developers.google.com/identity/openid-connect/openid-connect


The Authorized Redirect URI should be


https://<subdomain>/oauth

And maybe add the following?


https://<subdomain>/login/

Install the OAuth plugin

Find the plugin docs here: https://github.com/davido/gerrit-oauth-provider, and copy the pre-built binary from here: https://github.com/davido/gerrit-oauth-provider/releases


curl -L -O "<weblink to binary>"

cp gerrit-oauth-provider.jar $GERRIT_SITE/plugins/gerrit-oauth-provider.jar


Configure the plugin


java -jar gerrit-3.5.1.war init -d rumission-gerrit


Keep all the defaults until it gets to OAuth:


  *** OAuth Authentication Provider

  ***

  Use Bitbucket OAuth provider for Gerrit login ? [Y/n]? n

  Use Google OAuth provider for Gerrit login ? [Y/n]? Y

  Application client id          : <client-id>

  Application client secret      : 

                confirm password : 

  Link to OpenID accounts? [true]: 

  Use GitHub OAuth provider for Gerrit login ? [Y/n]? n


 

-James M

James Muir

unread,
Mar 30, 2023, 4:52:47 PM3/30/23
to Repo and Gerrit Discussion
On Thu, Mar 30, 2023 at 2:16 PM Kari Klein <kkl...@rumission.com> wrote:

On Wednesday, March 29, 2023 at 10:13:28 PM UTC-6 James Muir wrote:
Say Company X is using Google Workspace (to provide corporate email, calendar, etc).  Is it possible for devs to use their Google Workspace account for gerrit authentication?  How?

I just did this and wrote down the steps - I think they are fairly complete. Hopefully this helps:

Set Up OAuth2 with Google
Enable OAuth in Google Cloud:

You need the client id, secret password and to set up the redirect URIs. Enable being able to access full name and email. See https://developers.google.com/identity/openid-connect/openid-connect



Thanks very much for sharing this, Kari.

openid is the default auth mechanism for gerrit, so it seems like setting up openid via Google Workspace would be the way to go.  But I think the setup requires creating a Google Cloud project.  It is not clear to me if there is an additional cost associated with that.

Would there be a small fee each time a dev logs in to Gerrit and hits the Google Cloud openid endpoint?

I have read that Google Workspace supports SAML (see link below) and that there is a SAML plugin for Gerrit.

  https://support.google.com/a/topic/7556794?hl=en&ref_topic=7556686

Has anyone set up gerrit auth via Google Workspace using SAML?

-James M

Reply all
Reply to author
Forward
0 new messages