CandyShop / gerrit

Automatically exported from code.google.com/p/gerrit
Apache License 2.0

OpenID 2.0 not supported by Google anymore #2677

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Affected Version: All

What steps will reproduce the problem?
1. Set up gerrit on a new domain
2. OpenID login with Google Account

What is the expected output? What do you see instead?
Expected output: login with Google Account
Actual output: Google shows a page with error 400, saying the domain is 
unregistered.

Please provide any additional information below.

This issue has been discussed here: 
https://groups.google.com/forum/#!topic/repo-discuss/4Rhw7NZnu98

The issue seems to be the fact that on May 19, 2014, Google dropped support for 
new client registrations with OpenID 2.0 (see here: 
https://developers.google.com/+/api/auth-migration#timetable ).

Original issue reported on code.google.com by tsu...@lagat.org on 22 May 2014 at 8:43

GoogleCodeExporter commented 9 years ago
[deleted comment]

GoogleCodeExporter commented 9 years ago
Hi, it would be good to change this from minor to major.  As far as we can 
tell, we can not authenticate with google at all on new instances of gerrit 
using google auth provider.

Original comment by edward.r...@gmail.com on 28 May 2014 at 4:28

GoogleCodeExporter commented 9 years ago
Yup should be major, same issue with a new instance we made. Move to G+ Sign in 
would be appreciated!

Original comment by sfera...@gmail.com on 30 May 2014 at 3:22

GoogleCodeExporter commented 9 years ago

Original comment by David.Os...@gmail.com on 3 Jun 2014 at 8:34

GoogleCodeExporter commented 9 years ago
This is definitely an issue, as yahoo openID works flawlessly, and I obviously 
would rather have Google working.

Original comment by xlightwa...@gmail.com on 4 Jul 2014 at 9:30

GoogleCodeExporter commented 9 years ago
@xlightwa - I think you might have misunderstood the problem. Google have 
DROPPED SUPPORT for OpenID for new client registrations. There is nothing the 
Gerrit developers can do to restore that.

They are looking at alternative sign-in methods for Google, but OpenID won't be 
restored.

Original comment by matt...@unsolvable.org on 5 Jul 2014 at 6:24

GoogleCodeExporter commented 9 years ago
Clarification on my desired outcome for closure on this issue.

As a gerrit administrator I would like to provide my end-users with an 
authentication method that uses a go-forward google supported authentication 
provider.  As it stands, I can not use gerrit with any google authentication 
provider available.

Original comment by edward.r...@gmail.com on 5 Jul 2014 at 11:31

GoogleCodeExporter commented 9 years ago
Well if Google is out of commission, where can I find the documentation for a 
successful GitHub Authentication?  I have tried various options on Google and I 
cannot seem to even have that work.  The only luck I have had was with Yahoo.

Original comment by xlightwa...@gmail.com on 16 Jul 2014 at 5:39

GoogleCodeExporter commented 9 years ago
> where can I find the documentation for a successful GitHub Authentication?
GitHub does not support OpenID either. Gerrit 2.9 will add an authentication 
method for GitHub, but 2.9 is not yet released, and likely there will be a few 
limitations (e.g currently it doesn't work through a proxy - see 
http://code.google.com/p/gerrit/issues/detail?id=2757)

> The only luck I have had was with Yahoo.
Yes, Gerrit authentication using OpenID works with any OpenID provider. Yahoo 
is one (but not Google).

Original comment by matt...@unsolvable.org on 17 Jul 2014 at 10:29

GoogleCodeExporter commented 9 years ago
Workaround is to use other OpenID providers or use OAuth GitHub authentication 
provider:

https://gerrit-review.googlesource.com/57570

Original comment by David.Os...@gmail.com on 18 Jul 2014 at 7:00

GoogleCodeExporter commented 9 years ago
> Gerrit 2.9 will add an authentication method for GitHub [...]

Nope, unfortunately: the change was rejected, so you would need to patch Gerrit 
yourself:

* stable-2.8: [1]
* stable-2.9: [2]

[1] https://gerrit-review.googlesource.com/58670
[2] https://gerrit-review.googlesource.com/58010

Original comment by David.Os...@gmail.com on 18 Jul 2014 at 7:05

GoogleCodeExporter commented 9 years ago
>> Gerrit 2.9 will add an authentication method for GitHub [...]
> Nope, unfortunately: the change was rejected

It looks like the relevant change (in "Needs Code-Review" status at the time of 
writing) is:
https://gerrit-review.googlesource.com/#/c/57570/
and you're right, that's on master only.

So I'm not sure when that means we will see it in an official release. Quite a 
few people need this capability (following Google OpenID being removed), so 
sooner would be great ...

Gerrit 2.9 has just been released, so that means waiting till either 2.9.1 (if 
it can be cherry-picked there), or 2.10. Alternatively, as has been pointed 
out, you can try and build it yourself.

Original comment by matt...@unsolvable.org on 18 Jul 2014 at 12:15

GoogleCodeExporter commented 9 years ago
> It looks like the relevant change (in "Needs Code-Review" status at the time of writing) is:
> https://gerrit-review.googlesource.com/#/c/57570/

[...]
> Gerrit 2.9 has just been released, so that means waiting till either 2.9.1 (if it can be cherry-picked there), or 2.10.

This change missed 2.10 too. So it is probably only going to be available on 
2.11.

Original comment by David.Os...@gmail.com on 22 Jul 2014 at 1:03

GoogleCodeExporter commented 9 years ago
> This change missed 2.10 too.
That's a real shame, I'm waiting on that change for a new Gerrit deployment.

A lot of good work has been done by Luca Milanesio and David Ostrovsky on this, 
but this is a relatively complex change (see the patchset 
https://gerrit-review.googlesource.com/#/c/57570/), and it's still waiting 
review.

Is there any chance of it making 2.10rc1 (even if in "experimental" status)?

Original comment by matt...@unsolvable.org on 22 Jul 2014 at 1:16

GoogleCodeExporter commented 9 years ago
Anyone know what the holdup on the review is?

Original comment by geer...@gmail.com on 2 Sep 2014 at 10:18

GoogleCodeExporter commented 9 years ago
If you need a workaround today: 
http://stackoverflow.com/questions/26215409/google-authentication-for-gerrit-and-jenkins

Original comment by m...@ukeller.ch on 6 Oct 2014 at 11:48

GoogleCodeExporter commented 9 years ago
This issue is a major showstopper for us as well. Preferably, Gerrit should at 
least support an authentication scheme that doesn't rely on a third party. 
Having OpenID and such available is nice. Having ONLY OpenID available is not, 
and this situation is living proof of this.

Gerrit is a great piece of software, but in this situation we just can't use it.

Original comment by toumaltheorca@gmail.com on 20 Oct 2014 at 1:22

GoogleCodeExporter commented 9 years ago
Just as a note, Google will completely shut down OpenID 2.0 on April 20th 2015, 
as per their timetable: 
https://developers.google.com/+/api/auth-migration#timetable

Original comment by toumaltheorca@gmail.com on 4 Dec 2014 at 4:53

GoogleCodeExporter commented 9 years ago
I agree that "Gerrit should at least support an authentication scheme that 
doesn't rely on a third party". Fortunately, it already does:
https://gerrit-review.googlesource.com/Documentation/config-gerrit.html#auth

Original comment by dborowitz@google.com on 4 Dec 2014 at 8:16

GoogleCodeExporter commented 9 years ago
FWIW we've been using v2.10-rc0 and then switched to builds from stable-2.10 
branch with the github oauth plugin for a few months now.

Original comment by geer...@gmail.com on 4 Dec 2014 at 9:50

GoogleCodeExporter commented 9 years ago
@dborowitz er, the page you linked to appears to only list the now-disabled 
"OpenID" method and various ways to set up an LDAP integration...  so is LDAP 
the only supported SSO method now? Will OpenID Connect/OAuth2 be supported 
sometime before April 2015? At that point it sounds like existing installations 
will stop working with Google, which is even worse than not being able to set 
up new installations...

Original comment by rheyw...@google.com on 6 Dec 2014 at 6:22

GoogleCodeExporter commented 9 years ago
@dborowitz: That is sadly no solution. First of all, in new situations, LDAP is 
not always available nor is it always possible to set up for various reasons. 
If a software can't be deployed without the need for setting up a separate SSO 
system, that software will simply not make the cut. I've had to drop Gerrit 
from several projects because of this.

Existing projects that use gerrit extensively are also not helped by this.

Third, I wrote "Gerrit should at least support an authentication scheme that 
doesn't rely on a third party", and you respond by saying that it does support 
LDAP - which is a third party solution. Yes you can run your own, but it's 
still a separate piece of software.

No. Pretty much every software out there with a user account system has the 
ability to register new users and manage and authenticate them without needing 
google, a separate LDAP server, or anything like that. 

We're using Atlassian for various work-related projects now because of this. 
And I'm facing the prospect of having to stop using Gerrit unless there's a 
possibility to continue working with the current user accounts beyond the 
OpenID shutdown.

Gerrit needs a new user registration form, a user management page, and perhaps 
a password recovery form. Not just LDAP.

Original comment by toumaltheorca@gmail.com on 6 Dec 2014 at 11:41

GoogleCodeExporter commented 9 years ago
@toumaltheorca Some of the things you say are true, but there are more OpenID 
providers than Google... http://openid.net/get-an-openid/

What do you suggest Gerrit use to provide "a new user registration form, a user 
management page, and perhaps a password recovery form"?

Original comment by Mark.J.A...@gmail.com on 7 Dec 2014 at 12:04

GoogleCodeExporter commented 9 years ago
@Mark: Part of the problem is that OpenID itself is not exactly the most 
popular technology out there. The other is that while integration is great to 
have, it should be an option, not the *only* option.

What should gerrit use by default? Simple, its own user database. Gerrit 
already stores most of that info, all it would need is a password for the web 
frontend login, and an account management page.

As a good example of what I mean, take a look at Redmine: You can still use 
external SSO with that, but by default it can just run using its own user 
authentication and management. And it's really simple too, there's a 
registration form and a management page for approving new user accounts. The 
git stuff uses pubkeys anyway so nothing changes there. And best of all, with 
Redmine, if any of the external authentication mechanisms goes away for some 
reason, it's possible to switch to the internal authentication without having 
to create new users or reassign project memberships.

Ideally, the same would be true for Gerrit: Google disabling OpenID should be 
something we can deal with by just sending users their new gerrit password via 
email after switching to the built-in authentication method.

Original comment by toumaltheorca@gmail.com on 7 Dec 2014 at 12:59

GoogleCodeExporter commented 9 years ago
@toumaltheorca Atlassian has the Crowd product, which supports being an OpenID 
endpoint. We are doing that to migrate (some of) our users off of Google.

Original comment by pedah...@gmail.com on 10 Dec 2014 at 12:49

GoogleCodeExporter commented 9 years ago
@pedah... (name deobfuscation doesn't work for some reason)

Yeah we're aware of that. My problem is twofold: At work I wanted to deploy 
Gerrit in an enclosed environment where each active service is a huge political 
and administrative issue. Any software that's self-sufficient is a huge plus 
there. Gerrit could not be used because it lacks user registration. I'd write a 
patch myself, but I see that this has already been done, but the change has 
not been accepted into the official branch.

Second, I'm running several private projects with lots of contributors. It 
would be perfect if we could just transition from OpenID to an internal account 
system. For operating GIT this is already not an issue since it uses pubkey 
auth, all Gerrit would need to add is a user/pass login method for the web 
interface, a registration page, and perhaps a userlist with links to 
accept/reject new registrations.

I really like Gerrit a lot, and I think this would be a big improvement.

Original comment by toumaltheorca@gmail.com on 10 Dec 2014 at 3:27

GoogleCodeExporter commented 9 years ago
I thought setting up Gerrit with ldap was painful in corporate environment but 
now using google business emails service with no IT, I thought life will be 
easier with default option of OpenID but it's painful. When Gerrit will 
introduce some method of user authentication, Don't mind which way something 
which works like internal database of Gerrit? It's a shame we are deprecating 
OpenID2.0 without any solution beforehand.  

Original comment by saj...@vocaliq.com on 6 Jan 2015 at 11:47

GoogleCodeExporter commented 9 years ago
@saj >> Its shame we are deprecating OpenID2.0

I think you might have misunderstood the problem.
Gerrit is not deprecating OpenID. Gerrit continues to support it.
Google have DROPPED SUPPORT for OpenID for new client registrations. There is 
nothing the Gerrit developers can do to restore that.

Original comment by matt...@unsolvable.org on 8 Jan 2015 at 10:50

GoogleCodeExporter commented 9 years ago
@matt...@unsolvable.org
Well I understand problem, solution is to provide Gerrit's own database for 
user as suggested here. When so many people use product it's hard to just say we 
are dropping support because third party doesn't support it any more, you 
have to provide alternative.  

Original comment by saj...@vocaliq.com on 13 Jan 2015 at 1:48

GoogleCodeExporter commented 9 years ago
@saj
There's no support for anything that has been dropped in gerrit.

Your users depended on Google for an OpenID, they can instead depend on 
something else. Or some more people can put their hand up to work on the code 
under review. "you have to provide alternative" makes it sound like you've been 
paying for both gerrit and OpenID, which I doubt you have been doing...

Original comment by Mark.J.A...@gmail.com on 13 Jan 2015 at 2:07

GoogleCodeExporter commented 9 years ago
Is there anything being done on OpenID Connect from Google which seems to be 
the newer way of authenticating users?  If so, can somebody point me in that 
direction so I might be able to assist?

Original comment by bmad...@myvest.com on 13 Jan 2015 at 7:19

GoogleCodeExporter commented 9 years ago
I agree... OpenID 2.0 is not current, and while Google's abrupt dropping of 
support is very inconvenient, OpenID Connect was introduced for valid reasons 
and it seems that if this piece of integration is to remain it should support 
the current release of the OpenID standard.

Original comment by m...@lark-it.com on 13 Jan 2015 at 10:42

GoogleCodeExporter commented 9 years ago
All identities in our organization are managed using google. So, migrating to 
another openid provider would be a big problem / extra hassle. We would either 
have to patch gerrit ourselves, and use out of tree version -- and switch to 
another code review solution.
Given the presence of the patch - I really don't understand why it cannot be 
merged into the product.

Original comment by i...@cloudlinux.com on 17 Feb 2015 at 1:32

GoogleCodeExporter commented 9 years ago
> So, migrating to another openid provider would be a big problem, [...]
> Given the presence of the patch - I really don't understand why it cannot be merged into the product.

For one the mentioned patch is available as Gerrit GitHub plugin, for another 
even merged into Gerrit core it wouldn't solve your problem: It would force 
your user base to move to GitHub OAuth. I guess you are missing the point, that 
GitHub OAuth Provider wouldn't enable your site to use Google OpenID Connect. 
So wait until someone has implemented Google OpenID Connect provider in Gerrit, 
switch to different provider or use HTTP auth scheme in combination with Apache 
reverse proxy with installed and configured mod_auth_openidc module: [1].

[1] http://stackoverflow.com/questions/26215409/google-authentication-for-gerrit-and-jenkins

Original comment by David.Os...@gmail.com on 17 Feb 2015 at 2:18

GoogleCodeExporter commented 9 years ago
Google OAuth2 authentication provider for Gerrit is here: [1].

[1] https://github.com/davido/gerrit-google-oauth-provider

Original comment by David.Os...@gmail.com on 24 Feb 2015 at 9:04

GoogleCodeExporter commented 9 years ago
I've tried the change, it works quite well. Had to insert my G+ profile URL 
into the field, it would be nice to just have the G+ button to sign-in. Thanks 
for your work David, very much appreciated.

Original comment by tsu...@lagat.org on 27 Feb 2015 at 9:06

GoogleCodeExporter commented 9 years ago
> Had to insert my G+ profile URL into the field

Which field? When the OAuth extension point change [1] with the plugin [2] is 
used, there is no input field anymore.  Are you still on OpenID auth scheme? 
Have you switched auth.type = OAUTH in gerrit.config?

[1] https://gerrit-review.googlesource.com/65101
[2] https://github.com/davido/gerrit-oauth-provider

Original comment by David.Os...@gmail.com on 27 Feb 2015 at 9:58

GoogleCodeExporter commented 9 years ago
[deleted comment]

GoogleCodeExporter commented 9 years ago
[deleted comment]

GoogleCodeExporter commented 9 years ago
> Currently gerrit complains with this for me:
>
> javax.servlet.ServletException: OAuth service provider wasn't installed

That's correct. As explained in this thread [1] on dev ML, the OAuth providers 
are supplied by plugins. So what has happened now: no OAuth providers/plugins 
were installed on your site, so Gerrit cannot operate and refuses to start. 
What you need is to build the gerrit-oauth-provider plugin, install it in your 
$site_path/plugins and configure the provider(s).

I haven't provided any documentation yet, but what you basically need is go to 
Google/GitHub development console, create new project, set up client-id and 
client-secret, enable Google+ API, and add these lines to your gerrit.config:

[plugin "gerrit-oauth-provider-google-oauth"]
    client-id = "foo"
    client-secret = "bar"
    callback = "http://localhost:8080/oauth"

[plugin "gerrit-oauth-provider-github-oauth"]
    client-id = "baz"
    client-secret = "qux"
    callback = "http://localhost:8080/oauth"

If you don't need/want that your users can use GitHub OAuth provider as well, 
just remove GH section.

Note that all three options are mandatory for now, but I will optimize it and 
make callback optional. It can be induced from gerrit.canonicalWebUrl that is 
always available anyway.

[1] https://groups.google.com/d/topic/repo-discuss/K2U6WcWSCaE/discussion

Original comment by David.Os...@gmail.com on 27 Feb 2015 at 10:40
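
A pre-flight check for the gerrit.config settings described in the comment above, added here as an example; it is not code from the thread, from Gerrit or from the plugin. The function names and both sample configs are constructed, and the HTTPS and canonicalWebUrl checks on the callback are this example's own assumptions about what a site should enforce, not plugin behaviour.

```python
import re
from urllib.parse import urlsplit

SECTION = re.compile(r'^\[(\w+)(?:\s+"([^"]*)")?\]$')
REQUIRED = ("client-id", "client-secret", "callback")  # "all three options are mandatory"
PREFIX = "gerrit-oauth-provider-"

def parse_git_config(text):
    """Minimal git-config reader: {(section, subsection): {key: value}}."""
    cfg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            current = cfg.setdefault((m.group(1).lower(), m.group(2)), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().strip('"')
    return cfg

def check_oauth_config(text):
    """Return a list of findings; an empty list means the checks passed."""
    cfg, findings = parse_git_config(text), []
    auth_type = cfg.get(("auth", None), {}).get("type", "")
    if auth_type.upper() != "OAUTH":
        findings.append(f"auth.type is {auth_type or 'unset'!r}, expected OAUTH")
    providers = {sub: opts for (sec, sub), opts in cfg.items()
                 if sec == "plugin" and sub and sub.startswith(PREFIX)}
    if not providers:
        findings.append("no gerrit-oauth-provider-* plugin section configured")
    canonical = cfg.get(("gerrit", None), {}).get("canonicalweburl", "").rstrip("/")
    for name, opts in sorted(providers.items()):
        for key in REQUIRED:
            if not opts.get(key):
                findings.append(f"{name}: missing {key}")
        callback = opts.get("callback")
        if not callback:
            continue
        url = urlsplit(callback)
        # Assumption: plain http is tolerated only for a local test instance.
        if url.scheme != "https" and url.hostname not in ("localhost", "127.0.0.1"):
            findings.append(f"{name}: callback is not https")
        # Assumption: the callback should live under gerrit.canonicalWebUrl.
        if canonical and not callback.startswith(canonical + "/"):
            findings.append(f"{name}: callback not under gerrit.canonicalWebUrl")
    return findings

# Constructed sample: still on OpenID, secret missing, callback over plain http.
BROKEN_CONFIG = """
[gerrit]
    canonicalWebUrl = https://gerrit.example.com/
[auth]
    type = OPENID
[plugin "gerrit-oauth-provider-google-oauth"]
    client-id = "foo"
    callback = "http://gerrit.example.com/oauth"
"""

# Constructed sample: same site with the settings from the comment filled in.
GOOD_CONFIG = """
[gerrit]
    canonicalWebUrl = https://gerrit.example.com/
[auth]
    type = OAUTH
[plugin "gerrit-oauth-provider-google-oauth"]
    client-id = "foo"
    client-secret = "bar"
    callback = "https://gerrit.example.com/oauth"
"""

if __name__ == "__main__":
    for finding in check_oauth_config(BROKEN_CONFIG):
        print("FINDING:", finding)
```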

GoogleCodeExporter commented 9 years ago
Setting the plugin options in gerrit.config did the trick. Thanks!

Original comment by tsu...@lagat.org on 27 Feb 2015 at 11:07

GoogleCodeExporter commented 9 years ago
can you please tell me what this is? I would like to deepen
http://wdfshare.blogspot.com

Original comment by putuindr...@gmail.com on 18 Mar 2015 at 12:42

GoogleCodeExporter commented 9 years ago
Any idea when we will have this support in gerrit? Is there any version plan?

Original comment by and...@gherzan.ro on 18 Mar 2015 at 8:11

GoogleCodeExporter commented 9 years ago
I saw core support for oauth in just released 2.10.1.  However, it still 
requires a plugin, e.g., the one David created.

I had only partial success with the plugin.  I couldn't convince gerrit to 
create new account and was constantly getting exception that user name cannot 
contain spaces (it is trying to use my real name).   I saw that I would need to 
create some entry manually, but I couldn't find any documentation about that... 
:(

Original comment by caw...@gmail.com on 18 Mar 2015 at 8:43

GoogleCodeExporter commented 9 years ago
Thank you. If you succeed please shoot a message here so I can try it myself.

Original comment by and...@gherzan.ro on 18 Mar 2015 at 8:47

GoogleCodeExporter commented 9 years ago
>I saw core support for oauth in just released 2.10.1.

Yes.

>I couldn't convince gerrit to create new account and was constantly getting exception.

Stack trace?

Also, make sure you are using the three changes that weren't merged yet.
And the most recent plugin version.

It was changed not to try to guess username anymore (it didn't work),
and allow user to assign the username instead. Also note, that linking
of new OAuth identity to existing OpenID account should just work.

Original comment by David.Os...@gmail.com on 18 Mar 2015 at 8:52

GoogleCodeExporter commented 9 years ago
Currently these changes are needed on top of 2.10.1 for
plugin to compile and work properly: [1],[2] and [3].

[1] https://gerrit-review.googlesource.com/66310
[2] https://gerrit-review.googlesource.com/66311
[3] https://gerrit-review.googlesource.com/66312

Original comment by David.Os...@gmail.com on 18 Mar 2015 at 8:54

GoogleCodeExporter commented 9 years ago
I have tried a few days ago and not sure about the latest version.  I 
definitely didn't use the latest patches.

I will try again soon and report my success (hopefully :)).  And big thanks for 
making this implementation!

Original comment by caw...@gmail.com on 18 Mar 2015 at 8:56

GoogleCodeExporter commented 9 years ago
Hi David,

I have successfully configured and tried out both google and github oauth 
providers.  There was a tiny glitch with github provider (I submitted a pull 
request to your repo with a fix).

One function to consider in the future is ability to link other oauth 
identities to the same gerrit account.  It is already possible to do by 
manually editing `account_external_ids` table, but having this in UI interface 
could be better.

Original comment by caw...@gmail.com on 21 Mar 2015 at 4:00

GoogleCodeExporter commented 9 years ago
Thanks for the fix and Documentation, it was merged.
I removed callback configuration from gerrit config
and induced it from canonicalWebUrl and screwed it up
for GitHub.

>One function to consider in the future is ability to
>link other oauth identities to the same gerrit account.

Definitely.

Right now only automatic linking OAuth->OpenID works
for Google accounts. But OpenID auth scheme allows that
through UI: Identities => Link another identity. My plan
is to support the same for OAUTH auth scheme.

One complication: In this pending change: [1] I added
support for another important mode: Hybrid-OpenID+OAuth
auth scheme. The linking must work there too, in both
directions.

[1] https://gerrit-review.googlesource.com/66313

Original comment by David.Os...@gmail.com on 21 Mar 2015 at 6:39