Task #1625

Gerrit: Install and configure gerrit-oauth-plugin to enable GitHub- and Google-OAuth2 providers

Added by David Ostrovsky about 2 years ago. Updated about 2 years ago.

Status: Closed
Priority: Normal
Category: -
Target version: Team - Q4/2015
Start date:
Due date:
% Done: 0%
Estimated time:
Tags:
URL:

Description

Gerrit-oauth-provider plugin: [1] allows users to use their GitHub, Google and Bitbucket identity.
Support for this plugin was added already in Gerrit 2.10.4. It's trivial to set up and get running: [2]
and is used in production by dozens of big Gerrit sites, e.g.: [3].

OpenID authentication is not affected, as this plugin supports Hybrid-OpenID+OAuth2 mode.
This is needed, because popular OpenID providers in FLOSS communities, like
Launchpad and Fedoraproject, don't offer an OAuth2 authentication scheme (yet).


Related issues

Blocks Infrastructure - Task #1587: Bump Gerrit version to 2.11.7 (Closed)

History

#1 Updated by David Ostrovsky about 2 years ago

Guys,

do we have TDF accounts on google.com and github.com?

When logged in with those accounts, we need to create new
applications there and request OAuth2 credentials. We would
need them to enable the OAuth2 plugin on our Gerrit instance. We
would want to create two applications. Every application
contains a callback URL that must be used. The callback URLs
would be:

I can help with creating and configuring the applications on Google and GitHub.
I've also set up the plugin with both the Google and GitHub OAuth providers on my
Gerrit instance for you to play with:

https://review.idaia.de

I've also verified that the old Google OpenID accounts are linked correctly to new
OAuth2 providers (Google OpenID auth scheme was dropped early this year):

mysql> select account_id, registered_on, full_name, preferred_email from accounts;
+------------+---------------------+-----------+-----------------+
| account_id | registered_on       | full_name | preferred_email |
+------------+---------------------+-----------+-----------------+
|         42 | 2015-11-21 11:11:57 | Joe Dow   |                 |
+------------+---------------------+-----------+-----------------+

After connecting with OAuth2 with the same account, the OAuth2 identity is linked to the existing account that was created using Google OpenID:

mysql> select * from account_external_ids;
+------------+---------------+----------+------------------------+
| account_id | email_address | password | external_id            |
+------------+---------------+----------+------------------------+
|          4 |               | NULL     | 1031623528736452451234 |
+------------+---------------+----------+------------------------+

Changes in gerrit configuration site (gerrit.config):

[auth]
type = OPENID
trustedOpenID=^.*$

[plugin "gerrit-oauth-provider-google-oauth"]
client-id = <client-id>
client-secret = <client-secret>
link-to-existing-openid-accounts = true

[plugin "gerrit-oauth-provider-github-oauth"]
client-id = <client-id>
client-secret = <client-secret>

Plugin binary (can be fetched from master branch):

https://gerrit-ci.gerritforge.com/view/Plugins-master/job/plugin-gerrit-oauth-provider-gh-master/lastSuccessfulBuild/artifact/buck-out/gen/plugins/gerrit-oauth-provider/gerrit-oauth-provider.jar
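
Added example (not part of the ticket and not the plugin's own code): a small Python lint for the gerrit.config settings quoted in comment #1, flagging the points worth reviewing before the change goes live. The sample values are constructed, and treating etc/secure.config as the better home for client-secret is an assumption of this example.

```python
import re

# Constructed sample modelled on the ticket's settings; the id and secret values are made up.
SAMPLE = '''[auth]
    type = OPENID
    trustedOpenID=^.*$
[plugin "gerrit-oauth-provider-google-oauth"]
    client-id = example-id.apps.example
    client-secret = s3cr3t-constructed
    link-to-existing-openid-accounts = true
[plugin "gerrit-oauth-provider-github-oauth"]
    client-id = <client-id>
'''
SECTION = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')

def parse(text):
    """Parse the git-config subset used above into {(section, subsection): {key: value}}."""
    cfg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            current = cfg.setdefault((m.group(1).lower(), m.group(2)), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()  # git-config keys are case-insensitive
    return cfg

def audit(text):
    """Return a sorted list of review findings for the OAuth-related settings."""
    cfg, findings = parse(text), []
    if cfg.get(("auth", None), {}).get("trustedopenid") in ("^.*$", ".*"):
        findings.append("auth.trustedOpenID matches every OpenID provider")
    for (section, name), keys in cfg.items():
        if section != "plugin" or not (name or "").startswith("gerrit-oauth-provider-"):
            continue
        for required in ("client-id", "client-secret"):
            value = keys.get(required)
            if value is None or re.fullmatch(r"<.*>", value):
                findings.append(f"{name}: {required} missing or placeholder")
            elif required == "client-secret":  # assumption: secrets belong in etc/secure.config
                findings.append(f"{name}: client-secret stored in gerrit.config")
        if keys.get("link-to-existing-openid-accounts") == "true":
            findings.append(f"{name}: links OAuth logins to existing OpenID accounts")
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```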

#2 Updated by David Ostrovsky about 2 years ago

  • Subject changed from Gerrit: Install and configure gerrit-oauth-plugin to enable GitHub-, Google- and Bitbucket-OAuth2 providers to Gerrit: Install and configure gerrit-oauth-plugin to enable GitHub- and Google-OAuth2 providers

#3 Updated by Florian Effenberger about 2 years ago

Cloph has credentials and knows how to set it up I assume - can you poke
him?

#4 Updated by Thorsten Behrens about 2 years ago

  • Assignee set to Christian Lohmaier

Cloph - any chance to quickly do that?

#5 Updated by Florian Effenberger about 2 years ago

My fault, I thought Cloph had access to the respective Google account already, which he hadn't.
Just given him the credentials so he can have a look - sorry for the delay here!

#6 Updated by Florian Effenberger about 2 years ago

Cloph sent OAuth credentials to David now

#7 Updated by Christian Lohmaier about 2 years ago

  • Blocks Task #1587: Bump Gerrit version to 2.11.7 added

#8 Updated by Christian Lohmaier about 2 years ago

  • Status changed from New to Resolved

Setting this one to resolved, as there is a separate one to do the actual upgrade.

#9 Updated by Christian Lohmaier about 2 years ago

  • Target version set to Q4/2015

#10 Updated by Florian Effenberger about 2 years ago

  • Status changed from Resolved to Closed
