davido / gerrit-oauth-provider

OAuth2 authentication provider for Gerrit Code Review. Please upload changes for review to: https://gerrit-review.googlesource.com/#/admin/projects/plugins/oauth
Apache License 2.0

OAuth 2.0 is not an authentication protocol #35

Open tbroyer opened 9 years ago

tbroyer commented 9 years ago

See http://oauth.net/articles/authentication/ for the full rationale.

Basically, this plugin should support OpenID Connect.

Google authentication actually is OpenID Connect; this plugin should do the additional work of validating the ID Token: https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation (or here in Google's docs)

Once that work is done, then it should be easy to support any OpenID Connect Provider (see #32), including Microsoft's Azure Active Directory, Auth0, Salesforce, or your internal server (Ping Identity, GLUU, ForgeRock, etc.): you'd just have to configure the authorization, token and userinfo endpoints, and the issuer. Or maybe you could configure the URL to an OpenID Configuration document (e.g. https://accounts.google.com/.well-known/openid-configuration for Google) that Gerrit would download and cache (e.g. at each startup). Of course, that doesn't prevent bundling service-specific implementations, when those services have extensions to the standard, for example Google's hd parameter (see #22).

Ideally, the plugin would also support single sign-out, but let's track it separately (and the specs aren't finalized yet).
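The ID Token validation step referred to above (OpenID Connect Core 3.1.3.7: signature, iss, aud/azp, exp, nonce), as an added Python example that is not part of the plugin or of this thread. It assumes a caller-supplied signature check; the HS256 verifier and every token value below are constructed for the demo, whereas Google signs ID tokens with RS256 against its published JWKS keys.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def validate_id_token(token, issuer, client_id, verify_sig, now, nonce=None):
    """Apply the ID Token checks of OpenID Connect Core 3.1.3.7; return claims or raise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    # Never accept an unsigned token: the signature is what ties it to the provider.
    if header.get("alg") in (None, "none"):
        raise ValueError("unsigned ID token rejected")
    if not verify_sig(header, f"{parts[0]}.{parts[1]}".encode(), b64url_decode(parts[2])):
        raise ValueError("signature verification failed")
    if claims.get("iss") != issuer:
        raise ValueError("iss mismatch")
    aud = claims.get("aud")
    auds = [aud] if isinstance(aud, str) else list(aud or [])
    if client_id not in auds:
        raise ValueError("aud does not contain this client_id")
    # With several audiences (or an azp claim) the token must name us as authorized party.
    if (len(auds) > 1 or "azp" in claims) and claims.get("azp") != client_id:
        raise ValueError("azp missing or not this client_id")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims

def hs256_verify(secret: bytes):
    """Constant-time HS256 check with stdlib hmac (demo assumption; Google uses RS256 + JWKS)."""
    def verify(header, signing_input, sig):
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        return header.get("alg") == "HS256" and hmac.compare_digest(expected, sig)
    return verify

def make_token(claims: dict, secret: bytes) -> str:
    """Build a constructed HS256 token so the checks can be exercised offline."""
    h = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"
```

A plugin doing this for Google would fetch the signing keys from the jwks_uri in the discovery document and verify RS256 instead of the HS256 stand-in used here.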

davido commented 9 years ago

Basically, this plugin should support OpenID Connect.

I see your point. But for timing reasons it was important to introduce an OAuth extension point in Gerrit, to support a plugin-based OAuth scheme in general, and based on this support to allow a hybrid OpenID/OAuth auth scheme in Gerrit. Check this commit message [1] as to why this was so important. Many Open Source Gerrit sites depend on both OpenID and (now) OAuth auth schemes. Without support for a hybrid OpenID/OAuth scheme, a substantial part of their user base would be locked out.

Once that work is done, then it should be easy to support any OpenID Connect Provider

Yes, I'm aware of this. But my main design goal for the Gerrit OAuth extension API and this plugin was to follow the KISS principle and not to implement the whole nine yards of the spec. Moreover, I fail to see the value behind supporting Microsoft and friends in this context. I'm not interested. This plugin supports GH and Google OAuth providers: c'est tout. The only OAuth providers that I'm going to add in the future to this plugin are Launchpad/UbuntuOne and FedoraProject. Currently these OpenID providers don't have OAuth support.

[1] https://gerrit-review.googlesource.com/66313

webczat commented 7 years ago

What about the case when someone has their own central auth system supporting OAuth? I would like to use my own SSO solution if possible, then.

DiamondLightSource-build-server commented 7 years ago

Is that your own home-grown implementation of OAuth? If not, what SSO system are you using? Just wondering what your existing options are. Thanks.

webczat commented 7 years ago

I am not, but a few days ago I was checking if all the web applications I want to use support OAuth/whatever to integrate their login. It seemed some of them besides Gerrit didn't, but I am still wondering about those people that need it. For example, one wiki called XWiki does have the OAuth provider extension, at least I remember it did.