Task #1625
closedGerrit: Install and configure gerrit-oauth-plugin to enable GitHub- and Google-OAuth2 providers
0%
Description
Gerrit-oauth-provider plugin: [1] allows users to use their GitHub, Google and Bitbucket identity.
Support for this plugin was added already in Gerrit 2.10.4. It's trivial to set up and running: [2]
and is used in production by dozens big Gerrit sites, e.g.: [3].
OpenID authentication is not affected, as this plugin suports Hybrid-OpenID+OAuth2 mode.
This is needed, because popular OpenID providers in FLOSS communities, like
Launchpad and Fedoraproject don't offer OAuth2 authentication scheme (yet).
Related issues
Updated by David Ostrovsky over 8 years ago
Guys,
do we have TDF accounts on google.com and github.com?
When logged in with those accounts, we need to create new
applications there and request OAuth2 credential. We would
need it to enable OAuth2 plugin on our Gerrit instance. We
would want to ceate two applications. Every application
contains callback URL that must be used. The callback URLs
would be:
- Application: "TDF Gerrit Code Review", callback = https://gerrit.libreoffice.org/oauth
- Application: "TDF Gerrit Code Review Staging", callback = https://gerrit-test.libreoffice.org/oauth
I can help with creating and configuring the applications on Google and GitHub.
I've also setup the plugin with both Google and GitHub OAuth provider on my
Gerrit instance for you to play:
I've also verified that the old Google OpenID accounts are linked correctly to new
OAuth2 providers (Google OpenID auth scheme was dropped early this year):
| account_id | registered_on | full_name | preferred_email | 42 | 2015-11-21 11:11:57 | Joe Dow | john.doe@gmail.com |
After connecting with OAuth2 with the same account, the OAuth2 identity is linked to the existing account that was created using Google OpenID:
mysql> select * from account_external_ids;-------------------------------------------+----------+----------------------------------------------------------------------------------+
| account_id | email_address | password | external_id |-------------------------------------------+----------+----------------------------------------------------------------------------------+
| 4 | john.doe@gmail.com | NULL | 1031623528736452451234 |-------------------------------------------+----------+----------------------------------------------------------------------------------+
Changes in gerrit configuration site (gerrit.config):
[auth]
type = OPENID
trustedOpenID=^.*$
[plugin "gerrit-oauth-provider-google-oauth"]
client-id = <client-id>
client-secret = <client-secret>
link-to-existing-openid-accounts = true
[plugin "gerrit-oauth-provider-github-oauth"]
client-id = <client-id>
client-secret = <client-secret>
Plugin binary (can be fetched from master branch):
Updated by David Ostrovsky over 8 years ago
- Subject changed from Gerrit: Install and configure gerrit-oauth-plugin to enable GitHub-, Google- and Bitbucket-OAuth2 providers to Gerrit: Install and configure gerrit-oauth-plugin to enable GitHub- and Google-OAuth2 providers
Updated by Florian Effenberger over 8 years ago
Cloph has credentials and knows how to set it up I assume - can you poke
him?
Updated by Thorsten Behrens over 8 years ago
- Assignee set to Christian Lohmaier
Cloph - any chance to quickly do that?
Updated by Florian Effenberger over 8 years ago
My fault, I thought Cloph had access to the respective Google account already, which he hadn't
Just given him the credentials so he can have a look - sorry for the delay here!
Updated by Florian Effenberger over 8 years ago
Cloph sent OAuth credentials to David now
Updated by Christian Lohmaier over 8 years ago
- Blocks Task #1587: Bump Gerrit version to 2.11.7 added
Updated by Christian Lohmaier over 8 years ago
- Status changed from New to Resolved
setting this one to resolved, as there is separate one to do the actual upgrade
Updated by Florian Effenberger over 8 years ago
- Status changed from Resolved to Closed