Issue 2677: OpenID 2.0 not supported by Google anymore
Affected Version: All
What steps will reproduce the problem?
1. Set up gerrit on a new domain
2. OpenID login with Google Account
What is the expected output? What do you see instead?
Expected output: login with Google Account
Actual output: Google shows a page with error 400, saying the domain is unregistered.
Please provide any additional information below.
This issue has been discussed here: https://groups.google.com/forum/#!topic/repo-discuss/4Rhw7NZnu98
The issue seems to be the fact that on May 19, 2014, Google dropped support for new client registrations with OpenID 2.0 (see here: https://developers.google.com/+/api/auth-migration#timetable ).
May 28, 2014
#2
edward.r...@gmail.com
May 30, 2014
Yup should be major, same issue with a new instance we made. Move to G+ Sign in would be appreciated!
Jun 3, 2014
(No comment was entered for this change.)
Status:
Accepted
Labels: -Priority-Minor Priority-Major
Jul 4, 2014
This is definitely an issue, as yahoo openID works flawlessly, and I obviously would rather have Google working.
Jul 5, 2014
@xlightwa - I think you might have misunderstood the problem. Google have DROPPED SUPPORT for OpenID for new client registrations. There is nothing the Gerrit developers can do to restore that. They are looking at alternative sign-in methods for Google, but OpenID won't be restored.
Jul 5, 2014
Clarification on my desired outcome for closure on this issue. As a gerrit administrator I would like to provide my end-users with an authentication method that uses a go-forward google supported authentication provider. As it stands, I cannot use gerrit with any google authentication provider available.
Jul 16, 2014
Well if Google is out of commission, where can I find the documentation for a successful GitHub Authentication? I have tried various options on Google and I cannot seem to even have that work. The only luck I have had was with Yahoo.
Jul 17, 2014
> where can I find the documentation for a successful GitHub Authentication?
GitHub does not support OpenID either. Gerrit 2.9 will add an authentication method for GitHub, but 2.9 is not yet released, and likely there will be a few limitations (e.g currently it doesn't work through a proxy - see https://code.google.com/p/gerrit/issues/detail?id=2757)
> The only luck I have had was with Yahoo.
Yes, Gerrit authentication using OpenID works with any OpenID provider. Yahoo is one (but not Google).
Jul 18, 2014
Workaround is to use other OpenID providers or use OAuth GitHub authentication provider: https://gerrit-review.googlesource.com/57570
Status:
ChangeUnderReview
Jul 18, 2014
> Gerrit 2.9 will add an authentication method for GitHub [...]
Nope, unfortunately: the change was rejected, so you would need to patch Gerrit yourself:
* stable-2.8: [1]
* stable-2.9: [2]
[1] https://gerrit-review.googlesource.com/58670
[2] https://gerrit-review.googlesource.com/58010
Jul 18, 2014
>> Gerrit 2.9 will add an authentication method for GitHub [...]
> Nope, unfortunately: the change was rejected
It looks like the relevant change (in "Needs Code-Review" status at the time of writing) is: https://gerrit-review.googlesource.com/#/c/57570/ and you're right, that's on master only. So I'm not sure when that means we will see it in an official release. Quite a few people need this capability (following Google OpenID being removed), so sooner would be great ... Gerrit 2.9 has just been released, so that means waiting till either 2.9.1 (if it can be cherry-picked there), or 2.10. Alternatively, as has been pointed out, you can try and build it yourself.
Jul 22, 2014
> It looks like the relevant change (in "Needs Code-Review" status at the time of writing) is:
> https://gerrit-review.googlesource.com/#/c/57570/ [...]
> Gerrit 2.9 has just been released, so that means waiting till either 2.9.1 (if it can be cherry-picked there), or 2.10.
This change missed 2.10 too. So it is probably only going to be available on 2.11.
Jul 22, 2014
> This change missed 2.10 too.
That's a real shame, I'm waiting on that change for a new Gerrit deployment. A lot of good work has been done by Luca Milanesio and David Ostrovsky on this, but this is a relatively complex change (see the patchset https://gerrit-review.googlesource.com/#/c/57570/), and it's still waiting review. Is there any chance of it making 2.10rc1 (even if in "experimental" status)?
Sep 2, 2014
Anyone know what the holdup on the review is?
Oct 6, 2014
If you need a workaround today: http://stackoverflow.com/questions/26215409/google-authentication-for-gerrit-and-jenkins
Oct 20, 2014
This issue is a major showstopper for us as well. Preferably, Gerrit should at least support an authentication scheme that doesn't rely on a third party. Having OpenID and such available is nice. Having ONLY OpenID available is not, and this situation is living proof of this. Gerrit is a great piece of software, but in this situation we just can't use it.
Dec 4, 2014
Just as a note, Google will completely shut down OpenID 2.0 on April 20th 2015, as per their timetable: https://developers.google.com/+/api/auth-migration#timetable
Dec 4, 2014
I agree that "Gerrit should at least support an authentication scheme that doesn't rely on a third party". Fortunately, it already does: https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#auth
Dec 4, 2014
FWIW we've been using v2.10-rc0 and then switched to builds from stable-2.10 branch with the github oauth plugin for a few months now.
Dec 6, 2014
@dborowitz er, the page you linked to appears to only list the now-disabled "OpenID" method and various ways to set up an LDAP integration... so is LDAP the only supported SSO method now? Will OpenID Connect/OAuth2 be supported sometime before April 2015? At that point it sounds like existing installations will stop working with Google, which is even worse than not being able to set up new installations...
Dec 6, 2014
@dborowitz: That is sadly no solution. First of all, in new situations, LDAP is not always available nor is it always possible to set up for various reasons. If a software can't be deployed without the need for setting up a separate SSO system, that software will simply not make the cut. I've had to drop Gerrit from several projects because of this. Existing projects that use gerrit extensively are also not helped by this. Third, I wrote "Gerrit should at least support an authentication scheme that doesn't rely on a third party", and you respond by saying that it does support LDAP - which is a third party solution. Yes you can run your own, but it's still a separate piece of software. No. Pretty much every software out there with a user account system has the ability to register new users and manage and authenticate them without needing google, a separate LDAP server, or anything like that. We're using Atlassian for various work-related projects now because of this. And I'm facing the prospect of having to stop using Gerrit unless there's a possibility to continue working with the current user accounts beyond the OpenID shutdown. Gerrit needs a new user registration form, a user management page, and perhaps a password recovery form. Not just LDAP.
Dec 6, 2014
@toumaltheorca Some of the things you say are true, but there are more OpenID providers than Google... http://openid.net/get-an-openid/ What do you suggest Gerrit use to provide "a new user registration form, a user management page, and perhaps a password recovery form"?
Dec 6, 2014
@Mark: Part of the problem is that OpenID itself is not exactly the most popular technology out there. The other is that while integration is great to have, it should be an option, not the *only* option. What should gerrit use by default? Simple, its own user database. Gerrit already stores most of that info, all it would need is a password for the web frontend login, and an account management page. As a good example of what I mean, take a look at Redmine: You can still use external SSO with that, but by default it can just run using its own user authentication and management. And it's really simple too, there's a registration form and a management page for approving new user accounts. The git stuff uses pubkeys anyway so nothing changes there. And best of all, with Redmine, if any of the external authentication mechanisms goes away for some reason, it's possible to switch to the internal authentication without having to create new users or reassign project memberships. Ideally, the same would be true for Gerrit: Google disabling OpenID should be something we can deal with by just sending users their new gerrit password via email after switching to the built-in authentication method.
Dec 9, 2014
@toumaltheorca Atlassian has the Crowd product, which supports being an OpenID endpoint. We are doing that to migrate (some of) our users off of Google.
Dec 10, 2014
@pedah... (name deobfuscation doesn't work for some reason) Yeah we're aware of that. My problem is twofold: At work I wanted to deploy Gerrit in an enclosed environment where each active service is a huge political and administrative issue. Any software that's self-sufficient is a huge plus there. Gerrit could not be used because it lacks user registration. I'd write a patch myself, but I see that this has already been done, but the change has not been accepted into the official branch. Second, I'm running several private projects with lots of contributors. It would be perfect if we could just transition from OpenID to an internal account system. For operating GIT this is already not an issue since it uses pubkey auth, all Gerrit would need to add is a user/pass login method for the web interface, a registration page, and perhaps a userlist with links to accept/reject new registrations. I really like Gerrit a lot, and I think this would be a big improvement.
Jan 6, 2015
I thought setting up Gerrit with ldap was painful in corporate environment but now using google business emails service with no IT, I thought life will be easier with default option of OpenID but it's painful. When Gerrit will introduce some method of user authentication, Don't mind which way something which works like internal database of Gerrit? It's a shame we are deprecating OpenID2.0 without any solution beforehand.
Jan 8, 2015
@saj
>> It's a shame we are deprecating OpenID2.0
I think you might have misunderstood the problem. Gerrit is not deprecating OpenID. Gerrit continues to support it. Google have DROPPED SUPPORT for OpenID for new client registrations. There is nothing the Gerrit developers can do to restore that.
Jan 13, 2015
@matt...@unsolvable.org Well I understand problem, solution is to provide Gerrit's own database for user as suggested here. When so many people use product it's hard to just say we are dropping support because third party doesn't support it any more, you have to provide alternative.
Jan 13, 2015
@saj There's no support for anything that has been dropped in gerrit. Your users depended on Google for an OpenID, they can instead depend on something else. Or some more people can put their hand up to work on the code under review. "you have to provide alternative" makes it sound like you've been paying for both gerrit and OpenID, which I doubt you have been doing...
Jan 13, 2015
Is there anything being done on OpenID Connect from Google which seems to be the newer way of authenticating users? If so, can somebody point me in that direction so I might be able to assist?
Jan 13, 2015
I agree... OpenID 2.0 is not current, and while Google's abrupt dropping of support is very inconvenient, OpenID Connect was introduced for valid reasons and it seems that if this piece of integration is to remain it should support the current release of the OpenID standard.
Feb 17, 2015
All identities in our organization are managed using google. So, migrating to another openid provider would be a big problem / extra hassle. We would either have to patch gerrit ourselves, and use out of tree version -- and switch to another code review solution. Given the presence of the patch - I really don't understand why it cannot be merged into the product.
Feb 17, 2015
> So, migrating to another openid provider would be a big problem, [...]
> Given the presence of the patch - I really don't understand why it cannot be merged into the product.
For one the mentioned patch is available as Gerrit GitHub plugin, for another even merged into Gerrit core it wouldn't solve your problem: It would force your user base to move to GitHub OAuth. I guess you are missing the point, that GitHub OAuth Provider wouldn't enable your site to use Google OpenID Connect. So wait until someone has implemented Google OpenID Connect provider in Gerrit, switch to different provider or use HTTP auth scheme in combination with Apache reverse proxy with installed and configured mod_auth_openidc module: [1].
[1] http://stackoverflow.com/questions/26215409/google-authentication-for-gerrit-and-jenkins
Feb 24, 2015
Google OAuth2 authentication provider for Gerrit is here: [1]. [1] https://github.com/davido/gerrit-google-oauth-provider
Feb 27, 2015
I've tried the change, it works quite well. Had to insert my G+ profile URL into the field, it would be nice to just have the G+ button to sign-in. Thanks for your work David, very much appreciated.
Feb 27, 2015
> Had to insert my G+ profile URL into the field
Which field? When the OAuth extension point change [1] with the plugin [2] is used, there is no input field anymore. Are you still on OpenID auth scheme? Have you switched auth.type = OAUTH in gerrit.config?
[1] https://gerrit-review.googlesource.com/65101
[2] https://github.com/davido/gerrit-oauth-provider
Feb 27, 2015
> Currently gerrit complains with this for me:
>
> javax.servlet.ServletException: OAuth service provider wasn't installed
That's correct. As explained in this thread [1] on dev ML, the OAuth providers are supplied by plugins. So what has happened now: no OAuth providers/plugins were installed on your site, so Gerrit cannot operate and refuses to start. What you need is to build gerrit-oauth-provider plugin, install it in your $site_path/plugins and configure the provider(s).
I haven't provided any documentation yet, but what you basically need is to go to Google/GitHub development console, create new project, set up client-id and client-secret, enable Google+ API, and add these lines to your gerrit.config:
[plugin "gerrit-oauth-provider-google-oauth"]
  client-id = "foo"
  client-secret = "bar"
  callback = "http://localhost:8080/oauth"
[plugin "gerrit-oauth-provider-github-oauth"]
  client-id = "baz"
  client-secret = "qux"
  callback = "http://localhost:8080/oauth"
If you don't need/want that your users can use GitHub OAuth provider as well, just remove GH section.
Note that all three options are mandatory for now, but I will optimize it and make callback optional. It can be induced from gerrit.canonicalWebUrl that is always available anyway.
[1] https://groups.google.com/d/topic/repo-discuss/K2U6WcWSCaE/discussion
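A pre-flight check for the settings described in the comment above, as an added example that is not part of the thread or of the gerrit-oauth-provider plugin. The function names and the sample file are constructed here, and the rule that the callback must sit under gerrit.canonicalWebUrl is an assumption drawn from the remark that the callback can be derived from it.

```python
import re

# Options the thread calls mandatory for each provider section.
REQUIRED = ("client-id", "client-secret", "callback")

SAMPLE = '''# Constructed sample; the github section is deliberately incomplete.
[gerrit]
  canonicalWebUrl = http://localhost:8080/
[auth]
  type = OAUTH
[plugin "gerrit-oauth-provider-google-oauth"]
  client-id = "foo"
  client-secret = "bar"
  callback = "http://localhost:8080/oauth
[plugin "gerrit-oauth-provider-github-oauth"]
  client-id = "baz"
  callback = "http://gerrit.example.org/oauth"
'''

def parse_git_config(text):
    """Parse git-config style text into {(section, subsection): {key: raw value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r'\[([\w.-]+)(?:\s+"([^"]*)")?\]', line)
        if header:
            current = sections.setdefault((header.group(1).lower(), header.group(2)), {})
        elif current is not None and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()  # keys are case-insensitive
    return sections

def check_oauth_config(text):
    """Return a list of findings; an empty list means the settings look complete."""
    cfg, findings = parse_git_config(text), []
    if cfg.get(("auth", None), {}).get("type", "").strip('"').upper() != "OAUTH":
        findings.append("auth.type is not OAUTH")
    base = cfg.get(("gerrit", None), {}).get("canonicalweburl", "").strip('"')
    providers = {sub: opts for (sec, sub), opts in cfg.items()
                 if sec == "plugin" and sub and sub.startswith("gerrit-oauth-provider-")}
    if not providers:
        findings.append("no gerrit-oauth-provider plugin section configured")
    for name, opts in providers.items():
        for key in REQUIRED:
            value = opts.get(key, "")
            if not value.strip('"'):
                findings.append(f"{name}: missing {key}")
            elif value.count('"') % 2:
                findings.append(f"{name}: unbalanced quote in {key}")
        callback = opts.get("callback", "").strip('"')
        # Assumption: the callback should live under gerrit.canonicalWebUrl.
        if callback and base and not callback.startswith(base.rstrip("/") + "/"):
            findings.append(f"{name}: callback is not under gerrit.canonicalWebUrl")
    return findings
```

Calling `check_oauth_config(SAMPLE)` reports the unterminated callback value, the missing client-secret and the callback that points at a different host.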
Feb 27, 2015
Setting the plugin options in gerrit.config did the trick. Thanks!
Mar 18, 2015
can you please tell me what this is? I would like to deepen http://wdfshare.blogspot.com
Mar 18, 2015
Any idea when we will have this support in gerrit? Is there any version plan?
Mar 18, 2015
I saw core support for oauth in just released 2.10.1. However, it still requires a plugin, e.g., the one David created. I had only partial success with the plugin. I couldn't convince gerrit to create new account and was constantly getting exception that user name cannot contain spaces (it is trying to use my real name). I saw that I would need to create some entry manually, but I couldn't find any documentation about that... :(
Mar 18, 2015
Thank you. If you succeed please shoot a message here so I can try it myself.
Mar 18, 2015
> I saw core support for oauth in just released 2.10.1.
Yes.
> I couldn't convince gerrit to create new account and was constantly getting exception.
Stack trace? Also, make sure you are using the three changes that weren't merged yet. And the most recent plugin version. It was changed not to try to guess username anymore (it didn't work), and allow user to assign the username instead. Also note that linking of new OAuth identity to existing OpenID account should just work.
Mar 18, 2015
Currently these changes are needed on top of 2.10.1 for plugin to compile and work properly: [1], [2] and [3].
[1] https://gerrit-review.googlesource.com/66310
[2] https://gerrit-review.googlesource.com/66311
[3] https://gerrit-review.googlesource.com/66312
Mar 18, 2015
I have tried a few days ago and not sure about the latest version. I definitely didn't use the latest patches. I will try again soon and report my success (hopefully :)). And big thanks for making this implementation!
Mar 20, 2015
Hi David, I have successfully configured and tried out both google and github oauth providers. There was a tiny glitch with github provider (I submitted a pull request to your repo with a fix). One function to consider in the future is ability to link other oauth identities to the same gerrit account. It is already possible to do by manually editing `account_external_ids` table, but having this in UI interface could be better.
Mar 20, 2015
Thanks for the fix and Documentation, it was merged. I removed callback configuration from gerrit config and induced it from canonicalWebUrl and screwed it up for GitHub.
> One function to consider in the future is ability to
> link other oauth identities to the same gerrit account.
Definitely. Right now only automatic linking OAuth->OpenID works for Google accounts. But OpenID auth scheme allows that through UI: Identities => Link another identity. My plan is to support the same for OAUTH auth scheme. One complication: In this pending change: [1] I added support for another important mode: Hybrid-OpenID+OAuth auth scheme. The linking must work there too, in both directions.
[1] https://gerrit-review.googlesource.com/66313
Mar 24, 2015
Issue 2715 has been merged into this issue.
Mar 24, 2015
(No comment was entered for this change.)
Status:
Released
Labels: FixedIn-2.10.1
Apr 8, 2015
Am I right to understand that
[1] https://gerrit-review.googlesource.com/66310
[2] https://gerrit-review.googlesource.com/66311
[3] https://gerrit-review.googlesource.com/66312
are no longer needed in 2.10.2? Also is there any documentation for migrating from google OpenID to google Oauth?
Apr 8, 2015
Yes. Gerrit 2.10.2 includes all changes, needed for OAuth provider plugins to work properly. Check gerrit-oauth-plugin Readme and Wiki on GitHub for the documentation.