Issue 2715: OpenID Authentication is deprecated by Google
Status:  Duplicate
Merged:  issue 2677
Owner:  ----
Closed:  Mar 2015


Reported by de...@webtuner.tv, Jun 12, 2014
Affected Version: gerrit-2.9-rc2.war

What steps will reproduce the problem?
1. Install gerrit as per Installation Guide
2. Try to register with a Google account

What is the expected output? Successful Login using my Google account via OpenID

What do you see instead? "Error 400: OpenID auth request contains an unregistered domain".  



Please provide any additional information below.

This is not a problem with my Google account; it is a problem caused by Google shutting down OpenID services.

Google is no longer accepting new domains (meaning, new Gerrit servers!) for OpenID authentication.  Furthermore, existing OpenID domains (meaning, Gerrit servers) will be locked out on April 20, 2015.

Unfortunately, Gerrit uses "[auth] type = OPENID" by default during a fresh install.

Google is forcing web app developers to switch to their "Google+ OpenID Connect" authentication.  Maybe Gerrit should make that the default.  Or maybe Gerrit should add local account creation/registration.

References (incl. forced migration schedule):

http://stackoverflow.com/questions/23773275/changed-domain-error-openid-auth-request-contains-an-unregistered-domain
http://googledevelopers.blogspot.com/2014/02/welcome-openid-connect.html
https://developers.google.com/+/api/auth-migration


"Don't be evil... unless Google+ is involved."
Jun 13, 2014
#2 de...@webtuner.tv
I have just tested Gerrit using http://launchpad.net/ as the OpenID login provider.

The Launchpad service is a popular and widely-used bug tracking service originally deployed for Ubuntu.

I think running auth through Launchpad (instead of Google) is a much easier solution for end users than either (a) requiring an Apache front end to do HTTP Basic Auth, or (b) setting up an LDAP server.  Both Apache and OpenLDAP are non-trivial servers which are difficult to configure for n00bs and which come with non-obvious security implications.

So I recommend that "[auth] type = OPENID" continue to be the default auth method, and simply remove Google as a button from the login page and add Launchpad instead.

That is, I think

https://gerrit-review.googlesource.com/57450

is a great idea, however

https://gerrit-review.googlesource.com/57451

is a terrible idea.  Linux distros don't install LDAP by default, and setting it up for authentication would take several hours (or days) of ramp-up time if one is not familiar with LDAP Schemas, objectClasses and Attributes (and other LDAP terminology).

Jun 13, 2014
Project Member #3 David.Os...@gmail.com
FYI: OpenStack is one of the biggest Open Source projects that is using the Gerrit/LaunchPad combination: [1].

 [1] https://review.openstack.org/#/q/status:open,n,z

So obviously that works ;-) 
Jul 15, 2014
#4 sateesh....@gmail.com
@David,
From this discussion on stackoverflow (from the original report), Google allows all previously registered gerrit domains, but for any new ones, this error is thrown. I was trying to move out Gerrit server from one IP to another (deployed to another cloud provider) and because of this issue, we are stuck.
Jan 31, 2015
#6 mahesh.rao78@gmail.com
Hi,
I have just installed Gerrit, the latest version 2.10. Could you let me know the changes you did in gerrit.config and any other files to get your http://launchpad.net as OpenID working?

Thanks in advance.
Mum
Feb 12, 2015
#7 cam.sp...@solidfire.com
yes, please someone provide some instructions for setting up gerrit to use launchpad authentication
Feb 13, 2015
Project Member #8 David.Os...@gmail.com
> please someone provide some instructions for setting up gerrit to use launchpad authentication

Well, first thing to understand: it is not "launchpad authentication" it's OpenID.

There are two cases:

1. New Gerrit site is set up => Install gerrit master, set up auth = OpenID, Google OpenID provider link is replaced with Launchpad. You may want to consider restricting the OpenID provider to only one, for example Launchpad. In this case the user is not presented with the Select OpenID provider dialog, and is just redirected to the OpenID provider's login page.

2. Existing Gerrit site with OpenID auth scheme, that wasn't restricted to one specific OpenID provider, so that users are using different OpenID providers, say

* 25% of user base is using Google
* 25% of user base is using Facebook
* 25% of user base is using Launchpad
* 25% of user base is using Fedoraproject

In the case above only 25% of the user base must migrate from the Google OpenID provider to other OpenID providers; the other users are not affected in any way and can still use their OpenID providers.

Instructions for Gerrit site with OpenID auth scheme that wasn't restricted to one specific OpenID provider:

* Register in Gerrit for first time

If you are registering for the first time in Gerrit, please refrain from using Google as OpenID provider, because this service is going to be shut down as of April 20, 2015. Use another OpenID provider instead.

* You are already registered and you are not using Google OpenID

No action is required.

* You are already registered and you are using Google OpenID provider: You need to move to a new provider before April 20, 2015.

Migrating away from Google OpenID and linking multiple OpenIDs

When you already registered with Google, you need to link your existing Gerrit account to another OpenID provider to be able to log in to Gerrit after April 20, 2015.

Note: if you don't use Google as your OpenID provider, (or use say Fedoraproject, Launchpad, ...), you don't need to take any action.

The exact steps how to link another identity to an existing account (please re-read twice before taking any action):

* Login with the existing account
* Select menu Settings → Identities
* Click the 'Link Another Identity' button
* Select the OpenID provider for the other identity
* Authenticate with the other identity
* Log in using the other identity can only be performed after the linking is successful

*Warning I*

Users wishing to link an alternative identity should *NOT* log in separately with that identity. Doing so will result in a new account being created, and subsequent attempts to link that account with the existing account will fail. In cases where this happens, the administrator will need to manually merge the accounts.

*Warning II*

You must link another identity before April 20, 2015. Otherwise you won't be able to log in to your existing Gerrit account.

*Warning III*

Contact Gerrit administrators if you missed the deadline.
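
To find which accounts the migration in comment #8 applies to, an administrator can classify accounts by their stored external identities. This is an added example, not part of the original thread or Gerrit's own code; the (account_id, external_id) row format, the Google identity prefix and the sample rows are assumptions.

```python
from collections import defaultdict

# Assumption: prefix of identities issued by Google's OpenID 2.0 endpoint.
GOOGLE_OPENID_PREFIX = "https://www.google.com/accounts/o8/id"


def is_openid_login(external_id):
    """OpenID identities are URLs; username: and mailto: entries are not OpenID logins."""
    return external_id.startswith(("http://", "https://"))


def classify_accounts(rows):
    """Map account_id -> 'must_link', 'already_linked' or 'unaffected'."""
    google = defaultdict(int)
    other = defaultdict(int)
    seen = set()
    for account_id, external_id in rows:
        seen.add(account_id)
        if not is_openid_login(external_id):
            continue  # an e-mail or username entry does not count as a second provider
        if external_id.startswith(GOOGLE_OPENID_PREFIX):
            google[account_id] += 1
        else:
            other[account_id] += 1
    result = {}
    for account_id in sorted(seen):
        if google[account_id] and not other[account_id]:
            result[account_id] = "must_link"       # Google is the only OpenID login
        elif google[account_id]:
            result[account_id] = "already_linked"  # another provider is linked
        else:
            result[account_id] = "unaffected"      # never used Google OpenID
    return result


# Constructed sample rows (hypothetical export), not data from any real site.
SAMPLE_ROWS = [
    (1000001, "https://www.google.com/accounts/o8/id?id=EXAMPLE-A"),
    (1000001, "mailto:alice@example.com"),
    (1000001, "username:alice"),
    (1000002, "https://www.google.com/accounts/o8/id?id=EXAMPLE-B"),
    (1000002, "https://login.launchpad.net/+id/EXAMPLE"),
    (1000003, "https://login.launchpad.net/+id/EXAMPLE2"),
    (1000004, "username:ci-bot"),
]

if __name__ == "__main__":
    for account_id, status in classify_accounts(SAMPLE_ROWS).items():
        print(account_id, status)
```

Accounts reported as must_link are the ones that need to follow the linking steps above before the deadline.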

Feb 13, 2015
#9 cam.sp...@solidfire.com
True, what I meant to ask was: can someone please provide instructions for setting up gerrit with different OpenID links besides Google and Yahoo?

My point was that the default setup for gerrit no longer works, because the google link in the register/login page does not work.

For those who find this thread, you can run these commands to set up an OpenID login portal with launchpad:

git config --file <gerrit_path>/etc/gerrit.config auth.type OpenID_SSO
git config --file <gerrit_path>/etc/gerrit.config auth.openIdSsoUrl https://login.launchpad.net

Obviously, the launchpad login link could be replaced by any other OpenID login page.
Mar 24, 2015
Project Member #12 David.Os...@gmail.com
(No comment was entered for this change.)
Status: Duplicate
Mergedinto: 2677