davido / gerrit-oauth-provider

OAuth2 authentication provider for Gerrit Code Review. Please upload changes for review to: https://gerrit-review.googlesource.com/#/admin/projects/plugins/oauth
Apache License 2.0

OAuth authentication does not work for CAS provider 5.0+ #92

Closed mwebber closed 7 years ago

mwebber commented 7 years ago

I'm using

Gerrit 2.14
gerrit-oauth-provider 2.13.16
CAS 5.1.1 (note: the newest version)

We successfully use mixed OAuth+OpenID. We had one OAuth provider, which was GitHub. We attempted to add a second OAuth provider, CAS, but it does not work, as described below.

There appear to be 2 separate problems:

  1. When a user attempts to log in and is redirected to CAS, the URL needs an additional parameter response_type=code; this parameter is missing from the URL that Gerrit generates. This is new in CAS 5.0.x, the previous version (4.2.x) did not require it. Compare the CAS specs: https://apereo.github.io/cas/4.2.x/installation/OAuth-OpenId-Authentication.html https://apereo.github.io/cas/5.1.x/installation/OAuth-OpenId-Authentication.html

  2. My CAS person hacked his end to mimic Gerrit including &response_type=code in the redirect URL, and it looks like CAS successfully authenticated the user, and then redirected back to Gerrit. At this point, Gerrit is supposed to get the token directly from the CAS server, at the URL endpoint /cas/oauth2.0/accessToken. Gerrit is doing this via GET, which was supported in CAS 4.2, but in CAS 5.1 this needs to be POST. (It's not clear to me which is required in 5.0).

I'm still looking at the CAS history to understand what they have done with their OAuth implementation, but in the meantime, it's clear that Gerrit OAuth won't work with CAS 5.0+.

This issue is possibly a duplicate of, or related to, issue #87 reported by @mrcasablr

salk31 commented 7 years ago

Some stack traces (related to point 2).

Error on gerrit server as it tries to get a token:

    at org.scribe.extractors.TokenExtractor20Impl.extract(TokenExtractor20Impl.java:32)
    at org.scribe.oauth.OAuth20ServiceImpl.getAccessToken(OAuth20ServiceImpl.java:37)
    at com.googlesource.gerrit.plugins.oauth.CasOAuthService.getAccessToken(CasOAuthService.java:157)
    at com.google.gerrit.httpd.auth.openid.OAuthSessionOverOpenID.login(OAuthSessionOverOpenID.java:101)
    at com.google.gerrit.httpd.auth.openid.OAuthWebFilterOverOpenID.doFilter(OAuthWebFilterOverOpenID.java:75)
    at com.google.gerrit.httpd.RequireSslFilter.doFilter(RequireSslFilter.java:73)
    at com.google.gerrit.httpd.RunAsFilter.doFilter(RunAsFilter.java:111)

and

The error on the CAS server and returned to the gerrit server:

    org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported
    org.springframework.web.servlet.mvc.method.RequestMappingInfoHandlerMapping.handleNoMatch(RequestMappingInfoHandlerMapping.java:207)

mwebber commented 7 years ago

Looking at the code, it appears that the changes to support CAS 5.0+ are fairly straightforward (I'm not a Java programmer, otherwise I'd submit a PR).

It's not required by me, but there should probably be a configuration setting to indicate which version of CAS to support.

davido commented 7 years ago

@mwebber What do you mean by "fairly straightforward"? What is the problem and what is the fix?

mwebber commented 7 years ago

The problem is:

The reason is:

So, this ticket is a feature request: "Make Gerrit OAuth Provider support CAS version 5.0+"

By "straightforward", I mean that the coding changes to Gerrit OAuth to support CAS 5.0+ look like they would be fairly small. They come down to:

com.googlesource.gerrit.plugins.oauth.CasApi
  private static final String AUTHORIZE_URL =
      "%s/oauth2.0/authorize?client_id=%s&redirect_uri=%s";
changes to
  private static final String AUTHORIZE_URL =
      "%s/oauth2.0/authorize?response_type=code&client_id=%s&redirect_uri=%s";

and somewhere else (I'm not sure where), there needs to be some code like this

  public Verb getAccessTokenVerb() {
    return Verb.POST;
  }

I think that covers all the changes to make Gerrit OAuth compatible with CAS 5.0.

Of course, a nice change would allow the user to specify what version of CAS they were operating against.
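The two changes described in this thread, the `response_type=code` parameter on the authorize URL and the POST to `/oauth2.0/accessToken`, as an added example that is not part of the plugin or this issue. The CAS 5 endpoint is a constructed in-process stand-in (it only maps POST, so GET gets the 405 seen in the stack trace); the client id, redirect URI and code value are made up.

```python
from urllib.parse import parse_qsl, quote

# Authorize URL templates: the pre-fix form and the CAS 5.0+ form from the issue.
AUTHORIZE_URL_CAS4 = "%s/oauth2.0/authorize?client_id=%s&redirect_uri=%s"
AUTHORIZE_URL_CAS5 = "%s/oauth2.0/authorize?response_type=code&client_id=%s&redirect_uri=%s"

KNOWN_CODE = "OC-1-constructed"  # constructed authorization code the fake CAS issued


def build_authorize_url(cas_base, client_id, redirect_uri, cas5=True):
    """Return the URL the user's browser is redirected to; CAS 5 needs response_type."""
    template = AUTHORIZE_URL_CAS5 if cas5 else AUTHORIZE_URL_CAS4
    return template % (cas_base, client_id, quote(redirect_uri, safe=""))


def fake_cas5_access_token_endpoint(method, params):
    """Constructed stand-in for CAS 5.1's /oauth2.0/accessToken mapping.

    Only POST is mapped, so a GET produces the same 405 that Spring returned
    in the issue. Returns (status, body) with a form-encoded body on success.
    """
    if method != "POST":
        return 405, "Request method '%s' not supported" % method
    if params.get("code") != KNOWN_CODE:
        return 400, "error=invalid_grant"
    return 200, "access_token=AT-1-constructed&expires=7200"


def get_access_token(cas_base, client_id, redirect_uri, code, verb="POST",
                     transport=fake_cas5_access_token_endpoint):
    """Exchange the code for a token using the given HTTP verb.

    `transport` stands in for the HTTP client; it is called with the verb and
    the request parameters. Raises RuntimeError when no token can be extracted,
    which is where the scribe TokenExtractor20Impl failure in the issue arises.
    """
    params = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "code": code,
    }
    status, body = transport(verb, params)
    if status != 200:
        raise RuntimeError("%s/oauth2.0/accessToken returned %d: %s" % (cas_base, status, body))
    token = dict(parse_qsl(body)).get("access_token")
    if not token:
        raise RuntimeError("no access_token in response body: %r" % body)
    return token
```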

mwebber commented 7 years ago

I have created fix https://gerrit-review.googlesource.com/c/117990. Please be kind to me, I'm not a Java programmer, so all I was able to do was borrow the technique used for the other OAuth providers.

mwebber commented 7 years ago

Fix has been merged, and will be available in the next release.

davido commented 7 years ago

Thanks, Matthew, I'm going to make a new release this week.