Issue 2677: OpenID 2.0 not supported by Google anymore
Status:  Released
Owner: ----
Closed:  Mar 2015
Reported by tsu...@lagat.org, May 22, 2014
Affected Version: All

What steps will reproduce the problem?
1. Set up gerrit on a new domain
2. OpenID login with Google Account

What is the expected output? What do you see instead?
Expected output: login with Google Account
Actual output: Google shows a page with error 400, saying the domain is unregistered.


Please provide any additional information below.

This issue has been discussed here: https://groups.google.com/forum/#!topic/repo-discuss/4Rhw7NZnu98

The issue seems to be the fact that on May 19, 2014, Google dropped support for new client registrations with OpenID 2.0 (see here: https://developers.google.com/+/api/auth-migration#timetable ).
May 28, 2014
#2 edward.r...@gmail.com
Hi, it would be good to change this from minor to major. As far as we can tell, we cannot authenticate with Google at all on new instances of Gerrit using the Google auth provider.
May 30, 2014
#3 sfera...@gmail.com
Yup should be major, same issue with a new instance we made. Move to G+ Sign in would be appreciated!
Jun 3, 2014
Project Member #4 David.Os...@gmail.com
(No comment was entered for this change.)
Status: Accepted
Labels: -Priority-Minor Priority-Major
Jul 4, 2014
#5 xlightwa...@gmail.com
This is definitely an issue, as yahoo openID works flawlessly, and I obviously would rather have Google working.
Jul 5, 2014
#6 matt...@unsolvable.org
@xlightwa - I think you might have misunderstood the problem. Google have DROPPED SUPPORT for OpenID for new client registrations. There is nothing the Gerrit developers can do to restore that.

They are looking at alternative sign-in methods for Google, but OpenID won't be restored.

Jul 5, 2014
#7 edward.r...@gmail.com
Clarification on my desired outcome for closure on this issue.

As a Gerrit administrator I would like to provide my end-users with an authentication method that uses a go-forward, Google-supported authentication provider. As it stands, I cannot use Gerrit with any Google authentication provider available.
Jul 16, 2014
#8 xlightwa...@gmail.com
Well if Google is out of commission, where can I find the documentation for a successful GitHub Authentication?  I have tried various options on Google and I cannot seem to even have that work.  The only luck I have had was with Yahoo.
Jul 17, 2014
#9 matt...@unsolvable.org
> where can I find the documentation for a successful GitHub Authentication?
GitHub does not support OpenID either. Gerrit 2.9 will add an authentication method for GitHub, but 2.9 is not yet released, and likely there will be a few limitations (e.g. currently it doesn't work through a proxy - see https://code.google.com/p/gerrit/issues/detail?id=2757)

> The only luck I have had was with Yahoo.
Yes, Gerrit authentication using OpenID works with any OpenID provider. Yahoo is one (but not Google).
Jul 18, 2014
Project Member #10 David.Os...@gmail.com
Workaround is to use other OpenID providers or use OAuth GitHub authentication provider:

https://gerrit-review.googlesource.com/57570
Status: ChangeUnderReview
Jul 18, 2014
Project Member #11 David.Os...@gmail.com
> Gerrit 2.9 will add an authentication method for GitHub [...]

Nope, unfortunately: the change was rejected, so you would need to patch Gerrit yourself:

* stable-2.8: [1]
* stable-2.9: [2]

[1] https://gerrit-review.googlesource.com/58670
[2] https://gerrit-review.googlesource.com/58010

Jul 18, 2014
#12 matt...@unsolvable.org
>> Gerrit 2.9 will add an authentication method for GitHub [...]
> Nope, unfortunately: the change was rejected

It looks like the relevant change (in "Needs Code-Review" status at the time of writing) is:
https://gerrit-review.googlesource.com/#/c/57570/
and you're right, that's on master only.

So I'm not sure when that means we will see it in an official release. Quite a few people need this capability (following Google OpenID being removed), so sooner would be great ...

Gerrit 2.9 has just been released, so that means waiting till either 2.9.1 (if it can be cherry-picked there), or 2.10. Alternatively, as has been pointed out, you can try and build it yourself.



Jul 22, 2014
Project Member #13 David.Os...@gmail.com
> It looks like the relevant change (in "Needs Code-Review" status at the time of writing) is:
> https://gerrit-review.googlesource.com/#/c/57570/

[...]
> Gerrit 2.9 has just been released, so that means waiting till either 2.9.1 (if it can be cherry-picked there), or 2.10.

This change missed 2.10 too. So it is probably only going to be available on 2.11.

Jul 22, 2014
#14 matt...@unsolvable.org
> This change missed 2.10 too.
That's a real shame, I'm waiting on that change for a new Gerrit deployment.

A lot of good work has been done by Luca Milanesio and David Ostrovsky on this, but this is a relatively complex change (see the patchset https://gerrit-review.googlesource.com/#/c/57570/), and it's still waiting for review.

Is there any chance of it making 2.10rc1 (even if in "experimental" status)?


Sep 2, 2014
#15 geer...@gmail.com
Anyone know what the holdup on the review is?
Oct 20, 2014
#17 toumaltheorca@gmail.com
This issue is a major showstopper for us as well. Preferably, Gerrit should at least support an authentication scheme that doesn't rely on a third party. Having OpenID and such available is nice. Having ONLY OpenID available is not, and this situation is living proof of this.

Gerrit is a great piece of software, but in this situation we just can't use it.
Dec 4, 2014
#18 toumaltheorca@gmail.com
Just as a note, Google will completely shut down OpenID 2.0 on April 20th 2015, as per their timetable: https://developers.google.com/+/api/auth-migration#timetable


Dec 4, 2014
#19 dborowitz@google.com
I agree that "Gerrit should at least support an authentication scheme that doesn't rely on a third party". Fortunately, it already does:
https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#auth
Dec 4, 2014
#20 geer...@gmail.com
FWIW we've been using v2.10-rc0 and then switched to builds from stable-2.10 branch with the github oauth plugin for a few months now.
Dec 6, 2014
#21 rheyw...@google.com
@dborowitz er, the page you linked to appears to only list the now-disabled "OpenID" method and various ways to set up an LDAP integration...  so is LDAP the only supported SSO method now? Will OpenID Connect/OAuth2 be supported sometime before April 2015? At that point it sounds like existing installations will stop working with Google, which is even worse than not being able to set up new installations...
Dec 6, 2014
#22 toumaltheorca@gmail.com
@dborowitz: That is sadly no solution. First of all, in new situations, LDAP is not always available, nor is it always possible to set up, for various reasons. If software can't be deployed without the need for setting up a separate SSO system, that software will simply not make the cut. I've had to drop Gerrit from several projects because of this.

Existing projects that use gerrit extensively are also not helped by this.

Third, I wrote "Gerrit should at least support an authentication scheme that doesn't rely on a third party", and you respond by saying that it does support LDAP - which is a third party solution. Yes you can run your own, but it's still a separate piece of software.

No. Pretty much every software out there with a user account system has the ability to register new users and manage and authenticate them without needing google, a separate LDAP server, or anything like that. 

We're using Atlassian for various work-related projects now because of this. And I'm facing the prospect of having to stop using Gerrit unless there's a possibility to continue working with the current user accounts beyond the OpenID shutdown.

Gerrit needs a new user registration form, a user management page, and perhaps a password recovery form. Not just LDAP.
Dec 6, 2014
#23 Mark.J.A...@gmail.com
@toumaltheorca Some of the things you say are true, but there are more OpenID providers than Google... http://openid.net/get-an-openid/

What do you suggest Gerrit use to provide "a new user registration form, a user management page, and perhaps a password recovery form"?
Dec 6, 2014
#24 toumaltheorca@gmail.com
@Mark: Part of the problem is that OpenID itself is not exactly the most popular technology out there. The other is that while integration is great to have, it should be an option, not the *only* option.

What should gerrit use by default? Simple, its own user database. Gerrit already stores most of that info, all it would need is a password for the web frontend login, and an account management page.

As a good example of what I mean, take a look at Redmine: You can still use external SSO with that, but by default it can just run using its own user authentication and management. And it's really simple too, there's a registration form and a management page for approving new user accounts. The git stuff uses pubkeys anyway so nothing changes there. And best of all, with Redmine, if any of the external authentication mechanisms goes away for some reason, it's possible to switch to the internal authentication without having to create new users or reassign project memberships.

Ideally, the same would be true for Gerrit: Google disabling OpenID should be something we can deal with by just sending users their new gerrit password via email after switching to the built-in authentication method.


Dec 9, 2014
#25 pedah...@gmail.com
@toumaltheorca Atlassian has the Crowd product, which supports being an OpenID endpoint. We are doing that to migrate (some of) our users off of Google.
Dec 10, 2014
#26 toumaltheorca@gmail.com
@pedah... (name deobfuscation doesn't work for some reason)

Yeah, we're aware of that. My problem is twofold: at work I wanted to deploy Gerrit in an enclosed environment where each active service is a huge political and administrative issue. Any software that's self-sufficient is a huge plus there. Gerrit could not be used because it lacks user registration. I'd write a patch myself, but I see that this has already been done, but the change has not been accepted into the official branch.

Second, I'm running several private projects with lots of contributors. It would be perfect if we could just transition from OpenID to an internal account system. For operating Git this is already not an issue since it uses pubkey auth; all Gerrit would need to add is a user/pass login method for the web interface, a registration page, and perhaps a user list with links to accept/reject new registrations.

I really like Gerrit a lot, and I think this would be a big improvement.

Jan 6, 2015
#27 saj...@vocaliq.com
I thought setting up Gerrit with LDAP was painful in a corporate environment, but now, using the Google business email service with no IT, I thought life would be easier with the default option of OpenID, but it's painful. When will Gerrit introduce some method of user authentication? I don't mind which way, something which works like an internal database of Gerrit? It's a shame we are deprecating OpenID 2.0 without any solution beforehand.
Jan 8, 2015
#28 matt...@unsolvable.org
@saj >> Its shame we are deprecating OpenID2.0

I think you might have misunderstood the problem.
Gerrit is not deprecating OpenID. Gerrit continues to support it.
Google have DROPPED SUPPORT for OpenID for new client registrations. There is nothing the Gerrit developers can do to restore that.

Jan 13, 2015
#29 saj...@vocaliq.com
@matt...@unsolvable.org
Well, I understand the problem; the solution is to provide Gerrit's own database for users, as suggested here. When so many people use a product, it's hard to just say we are dropping support because a third party doesn't support it any more; you have to provide an alternative.
Jan 13, 2015
#30 Mark.J.A...@gmail.com
@saj
There's no support for anything that has been dropped in gerrit.

Your users depended on Google for an OpenID, they can instead depend on something else. Or some more people can put their hand up to work on the code under review. "you have to provide alternative" makes it sound like you've been paying for both gerrit and OpenID, which I doubt you have been doing...
Jan 13, 2015
#31 bmad...@myvest.com
Is there anything being done on OpenID Connect from Google which seems to be the newer way of authenticating users?  If so, can somebody point me in that direction so I might be able to assist?
Jan 13, 2015
#32 m...@lark-it.com
I agree... OpenID 2.0 is not current, and while Google's abrupt dropping of support is very inconvenient, OpenID Connect was introduced for valid reasons and it seems that if this piece of integration is to remain it should support the current release of the OpenID standard.
Feb 17, 2015
#33 i...@cloudlinux.com
All identities in our organization are managed using Google. So, migrating to another OpenID provider would be a big problem / extra hassle. We would either have to patch Gerrit ourselves and use an out-of-tree version -- or switch to another code review solution.
Given the presence of the patch - I really don't understand why it cannot be merged into the product.
Feb 17, 2015
Project Member #34 David.Os...@gmail.com
> So, migrating to another openid provider would be a big problem, [...]
> Given the presence of the patch - I really don't understand why it cannot be merged into the product.

For one, the mentioned patch is available as the Gerrit GitHub plugin; for another, even merged into Gerrit core it wouldn't solve your problem: it would force your user base to move to GitHub OAuth. I guess you are missing the point that the GitHub OAuth provider wouldn't enable your site to use Google OpenID Connect. So wait until someone has implemented a Google OpenID Connect provider in Gerrit, switch to a different provider, or use the HTTP auth scheme in combination with an Apache reverse proxy with the mod_auth_openidc module installed and configured: [1].

[1] http://stackoverflow.com/questions/26215409/google-authentication-for-gerrit-and-jenkins

Feb 24, 2015
Project Member #35 David.Os...@gmail.com
Google OAuth2 authentication provider for Gerrit is here: [1].

[1] https://github.com/davido/gerrit-google-oauth-provider
Feb 27, 2015
#36 tsu...@lagat.org
I've tried the change, it works quite well. Had to insert my G+ profile URL into the field, it would be nice to just have the G+ button to sign-in. Thanks for your work David, very much appreciated.
Feb 27, 2015
Project Member #37 David.Os...@gmail.com
> Had to insert my G+ profile URL into the field

Which field? When the OAuth extension point change [1] with the plugin [2] is used, there is no input field anymore.  Are you still on OpenID auth scheme? Have you switched auth.type = OAUTH in gerrit.config?

[1] https://gerrit-review.googlesource.com/65101
[2] https://github.com/davido/gerrit-oauth-provider
Feb 27, 2015
Project Member #40 David.Os...@gmail.com
> Currently gerrit complains with this for me:
>
> javax.servlet.ServletException: OAuth service provider wasn't installed

That's correct. As explained in this thread [1] on the dev ML, the OAuth providers are supplied by plugins. So what has happened now is that no OAuth providers/plugins were installed on your site, so Gerrit cannot operate and refuses to start. What you need is to build the gerrit-oauth-provider plugin, install it in your $site_path/plugins and configure the provider(s).

I haven't provided any documentation yet, but what you basically need is to go to the Google/GitHub development console, create a new project, set up client-id and client-secret, enable the Google+ API, and add these lines to your gerrit.config:

[plugin "gerrit-oauth-provider-google-oauth"]
    client-id = "foo"
    client-secret = "bar"
    callback = "http://localhost:8080/oauth"

[plugin "gerrit-oauth-provider-github-oauth"]
    client-id = "baz"
    client-secret = "qux"
    callback = "http://localhost:8080/oauth"

If you don't need/want your users to be able to use the GitHub OAuth provider as well, just remove the GH section.

Note that all three options are mandatory for now, but I will optimize it and make callback optional. It can be induced from gerrit.canonicalWebUrl, which is always available anyway.

[1] https://groups.google.com/d/topic/repo-discuss/K2U6WcWSCaE/discussion

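As an added example (not code from the thread or from the gerrit-oauth-provider plugin), a small Python checker for the plugin sections described in comment #40 above: it parses the git-config syntax gerrit.config uses, requires the three keys the comment says are mandatory, and flags placeholder secrets, an unterminated quoted value, and a callback that is not HTTPS or does not sit under gerrit.canonicalWebUrl. The sample config and the host review.example.org are constructed, and the placeholder word list is an assumption.

```python
import re
from urllib.parse import urlparse

# Constructed sample gerrit.config (not from the thread), modelled on comment #40;
# the GitHub callback carries an unterminated quote, an easy hand-editing typo.
SAMPLE_CONFIG = """\
[gerrit]
    canonicalWebUrl = https://review.example.org/
[plugin "gerrit-oauth-provider-google-oauth"]
    client-id = "foo"
    client-secret = "bar"
    callback = "http://localhost:8080/oauth"
[plugin "gerrit-oauth-provider-github-oauth"]
    client-id = "baz"
    client-secret = "qux"
    callback = "https://review.example.org/oauth
"""
SECTION_RE = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')
KEY_RE = re.compile(r'^([\w-]+)\s*=\s*(.*)$')
REQUIRED = ("client-id", "client-secret", "callback")  # mandatory per comment #40
PLACEHOLDERS = {"", "foo", "bar", "baz", "qux", "changeme"}  # assumed word list

def parse_config(text):
    """Parse git-config style text into {"section.subsection": {key: raw value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := SECTION_RE.match(line):
            current = m.group(1).lower() + (f".{m.group(2)}" if m.group(2) else "")
            sections.setdefault(current, {})
        elif (m := KEY_RE.match(line)) and current is not None:
            sections[current][m.group(1).lower()] = m.group(2).strip()
    return sections

def check_oauth_config(text):
    """Return findings for the OAuth provider plugin sections ([] means clean)."""
    cfg = parse_config(text)
    site = urlparse(cfg.get("gerrit", {}).get("canonicalweburl", ""))
    providers = [s for s in cfg if s.startswith("plugin.gerrit-oauth-provider-")]
    findings = [] if providers else ["no gerrit-oauth-provider plugin section found"]
    for name in providers:
        for key in REQUIRED:
            raw = cfg[name].get(key)
            if raw is None or (raw.startswith('"') and not raw.endswith('"')):
                findings.append(f"{name}: {key} is {'missing' if raw is None else 'an unterminated quoted string'}")
                continue
            val = raw.strip('"')
            if key == "client-secret" and val.lower() in PLACEHOLDERS:
                findings.append(f"{name}: client-secret looks like a placeholder")
            elif key == "callback":
                cb = urlparse(val)
                if cb.scheme != "https":
                    findings.append(f"{name}: callback is not https")
                if site.netloc and cb.netloc != site.netloc:
                    findings.append(f"{name}: callback host {cb.netloc!r} differs from canonicalWebUrl")
    return findings
```

Run it against a real site's gerrit.config by passing the file contents to check_oauth_config; an empty list means the provider sections are complete and consistent with canonicalWebUrl.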
Feb 27, 2015
#41 tsu...@lagat.org
Setting the plugin options in gerrit.config did the trick. Thanks!
Mar 18, 2015
#42 putuindr...@gmail.com
can you please tell me what this is? I would like to deepen
http://wdfshare.blogspot.com
Mar 18, 2015
#43 and...@gherzan.ro
Any idea when we will have this support in gerrit? Is there any version plan?
Mar 18, 2015
#44 caw...@gmail.com
I saw core support for oauth in just released 2.10.1.  However, it still requires a plugin, e.g., the one David created.

I had only partial success with the plugin. I couldn't convince Gerrit to create a new account and was constantly getting an exception that the user name cannot contain spaces (it is trying to use my real name). I saw that I would need to create some entry manually, but I couldn't find any documentation about that... :(
Mar 18, 2015
#45 and...@gherzan.ro
Thank you. If you succeed please shoot a message here so I can try it myself.
Mar 18, 2015
Project Member #46 David.Os...@gmail.com
>I saw core support for oauth in just released 2.10.1.

Yes.

>I couldn't convince gerrit to create new account and was constantly getting exception.

Stack trace?

Also, make sure you are using the three changes that weren't merged yet, and the most recent plugin version.

It was changed not to try to guess the username anymore (it didn't work), and to allow the user to assign the username instead. Also note that linking a new OAuth identity to an existing OpenID account should just work.

Mar 18, 2015
Project Member #47 David.Os...@gmail.com
Currently these changes are needed on top of 2.10.1 for the plugin to compile and work properly: [1], [2] and [3].

[1] https://gerrit-review.googlesource.com/66310
[2] https://gerrit-review.googlesource.com/66311
[3] https://gerrit-review.googlesource.com/66312
Mar 18, 2015
#48 caw...@gmail.com
I have tried a few days ago and not sure about the latest version.  I definitely didn't use the latest patches.

I will try again soon and report my success (hopefully :)).  And big thanks for making this implementation!
Mar 20, 2015
#49 caw...@gmail.com
Hi David,

I have successfully configured and tried out both google and github oauth providers.  There was a tiny glitch with github provider (I submitted a pull request to your repo with a fix).

One function to consider in the future is the ability to link other OAuth identities to the same Gerrit account. It is already possible to do by manually editing the `account_external_ids` table, but having this in the UI could be better.

Mar 20, 2015
Project Member #50 David.Os...@gmail.com
Thanks for the fix and documentation; it was merged. I removed the callback configuration from gerrit.config and induced it from canonicalWebUrl, and screwed it up for GitHub.

>One function to consider in the future is ability to
>link other oauth identities to the same gerrit account.

Definitely.

Right now only automatic linking OAuth->OpenID works for Google accounts. But the OpenID auth scheme allows that through the UI: Identities => Link another identity. My plan is to support the same for the OAUTH auth scheme.

One complication: in this pending change [1] I added support for another important mode: the Hybrid OpenID+OAuth auth scheme. The linking must work there too, in both directions.

[1] https://gerrit-review.googlesource.com/66313
Mar 24, 2015
Project Member #51 David.Os...@gmail.com
Issue 2715 has been merged into this issue.
Mar 24, 2015
Project Member #52 David.Os...@gmail.com
(No comment was entered for this change.)
Status: Released
Labels: FixedIn-2.10.1
Apr 8, 2015
#53 silviu.vulcan
Am I right to understand that

[1] https://gerrit-review.googlesource.com/66310
[2] https://gerrit-review.googlesource.com/66311
[3] https://gerrit-review.googlesource.com/66312

are no longer needed in 2.10.2?

Also, is there any documentation for migrating from Google OpenID to Google OAuth?
Apr 8, 2015
Project Member #54 David.Os...@gmail.com
Yes. Gerrit 2.10.2 includes all changes needed for OAuth provider plugins to work properly.
Check the gerrit-oauth-plugin Readme and Wiki on GitHub for the documentation.