Google OAUTH issue
Miccia94 opened this issue · 13 comments
Hello Davido,
Im running Gerrit 2.16.8 fully migrated to noteDB. Im still using gerrit-oauth-provider version 2.13.2 and all is fine. I was planning to upgrade the plugin but im having problems. Same as issue 123
This is what i have in gerrit.config:
[plugin "gerrit-oauth-provider-google-oauth"]
client-id = *****************************
fix-legacy-user-id = true
link-to-existing-openid-accounts = true
If i try to use the latest version of the plugin i get this error while authenticating then a redirect to a forbidden page
[2019-05-21 23:09:27,787] [HTTP-185] WARN com.googlesource.gerrit.plugins.oauth.GoogleOAuthService : The support for: link-to-existing-openid-accounts is disconinued
[2019-05-21 23:09:30,529] [HTTP-186] INFO com.google.gerrit.httpd.auth.oauth.OAuthSession : OAuth2: linking claimed identity to 1601
[2019-05-21 23:09:30,608] [HTTP-186] WARN com.google.gerrit.server.account.AccountManager : Email *@gmail.com is already assigned to account 1601; cannot create external ID google-oauth:109031793006731947128 with the same email for account 1601.
[2019-05-21 23:09:30,608] [HTTP-186] ERROR com.google.gerrit.httpd.auth.oauth.OAuthSession : Unable to authenticate user "com.google.gerrit.extensions.auth.oauth.OAuthUserInfo@1c548b0a"
com.google.gerrit.server.account.AccountException: Email '*@gmail.com' in use by another account
[2019-05-21 23:10:55,719] [HTTP-187] WARN org.eclipse.jetty.server.HttpChannel : /oauth
org.scribe.exceptions.OAuthException: Cannot extract an access token. Response was: {
"error": "invalid_grant",
"error_description": "Bad Request"
}
[2019-05-21 23:10:55,720] [HTTP-187] ERROR com.google.gerrit.pgm.http.jetty.HiddenErrorHandler : Error in GET /oauth?state=Miv5JCkWlMsF04EJ8017-fKK9rWDBGlAUvQs0YsXqN8&code=4/UgFvJ0GMZEOkUtzk0LYnZN3Eg_7YfmJZIzZz0UEBx2sDrEW0k5b07_daBFypG8G2I2YF0BWbhnqQbIkLCA4lyYo&scope=email+profile+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile
org.scribe.exceptions.OAuthException: Cannot extract an access token. Response was: {
"error": "invalid_grant",
"error_description": "Bad Request"
}
Here the details for the same account retrived from api GET /accounts/1601/external.ids
)]}'
[
{
"identity": "109031793006731947128",
"email_address": "*@gmail.com",
"trusted": true,
"can_delete": true
},
{
"identity": "google-oauth:109031793006731947128",
"trusted": true,
"can_delete": true
},
{
"identity": "username:Mich",
"trusted": true
}
]
Thanks in advance for help
The latest version of the plugin is trying to link the non-prefixed external-id to the prefixed one:
OAuth2: linking claimed identity to 1601
Email *@gmail.com is already assigned to account 1601;
cannot create external ID google-oauth:109031793006731947128 with the same email for account 1601.
Unless we drop this restriction in the gerrit core, see: [1], there seems to be only two workarounds:
- stop prefixing external-id "foo" with "oauth-scheme"-"foo" in this plugin during the login operation
- bulk change all accounts from "foo" to "oauth-scheme"-"foo" in users backend (before or after NoteDb migration)
[1] https://bugs.chromium.org/p/gerrit/issues/detail?id=9001
Thanks for the feedback Davido,
I will try to compile the pluging without the external id prefix ( fastest way, instead of bulk edit whole notedb )
I will try to look into it as well, and add aditional config option to unblock you and other plugin users who migrated to the latest Gerrit releases. This should be a trivial change.
Hello David,
I can confirm that removing GOOGLE_PROVIDER_PREFIX from https://github.com/davido/gerrit-oauth-provider/blob/master/src/main/java/com/googlesource/gerrit/plugins/oauth/GoogleOAuthService.java#L144 allow me to login
I went with option 2 - changed all accounts in NoteDb.
First, I've added a prefix with simple sed (lost it in bash history).
But that was not enough - also needed to change filenames.
That is what I've used to rehash file names (rehash.sh):
#!/bin/bash
while read filename
do
id="$(grep -UEo 'google-oauth:[[:digit:]]+' ${filename})"
new_hash=$(echo -n ${id} | sha1sum | cut -f 1 -d ' ')
echo "id ${id} renaming ${filename} to ${new_hash}"
mv ${filename} ${new_hash}
done < "/dev/stdin"
And call it with file names to rehash on the stdin:
grep -Er 'externalId "google-oauth:[[:digit:]]+"' . | cut -d ':' -f 1 | ~/gerrit-upgrade/rehash.sh
Althought not a full copy-and-run solution - hope it helps (should be easy to modify).
Decided to put together a complete solution since this issue should be relatively widespread (#123, #116 etc)..
Prerequisites:
- NoteDb
How to use:
- clone
All-Usersproject and checkoutmeta/external-ids - run this script
- commit and push
- restart gerrit
Use this script to patch all unprefixed external-ids to have some prefix.
Optional arguments - path to All-Users (defaults to current dir) and oauth-prefix (defaults to google).
USERS_DIR="${1:-.}"
OAUTH_PREFIX="${2:-google-oauth}"
files="$(grep -Er 'externalId "[[:digit:]]+"' ${USERS_DIR} | cut -d ':' -f 1)"
while read -r filename
do
sed -Ei "s/externalId \"([[:digit:]]+)\"/externalId \"${OAUTH_PREFIX}:\1\"/" ${filename}
id=$(grep -UEo "${OAUTH_PREFIX}:[[:digit:]]+" ${filename})
new_hash=$(echo -n ${id} | sha1sum | cut -f 1 -d ' ')
mv ${filename} ${new_hash}
echo "patched id: ${id}, renamed ${filename} to ${new_hash}"
done <<< "${files}"
Thanks Jmennius for the script, I extended it somewhat:
USERS_DIR="${1:-.}"
OAUTH_PREFIX="${2:-google-oauth}"
MATCH="${3:-+}"
files="$(grep -Er 'externalId "[[:digit:]]'"${MATCH}"'"' ${USERS_DIR} | cut -d ':' -f 1)"
while read -r filename
do
sed -Ei "s/externalId \"([[:digit:]]+)\"/externalId \"${OAUTH_PREFIX}:\1\"/" ${filename}
id=$(grep -UEo "${OAUTH_PREFIX}:[[:digit:]]+" ${filename})
new_hash=$(echo -n ${id} | sha1sum | cut -f 1 -d ' ')
git mv ${filename} ${new_hash}
echo "patched id: ${id}, renamed ${filename} to ${new_hash}"
done <<< "${files}"
This allows running it with a third argument to help separate google and github ID:
script . google-oauth "{10,}"
script . github-oauth "{,9}"
assigns the right prefix to each ID. It also registers the renames with git.
Thanks, @Jmennius, @pgeorgi great contribution.
How about to add this script to the plugin repository itself with documentation? Optionally also to the WIKI of this GH repository? Though, note, that I do not accept PRs here, but only CLs on the canonical git repository at: googlesource.com.
@pgeorgi Thanks, this was useful. I just noticed that at least in 3.0.1 the migration script would leave files in the root instead of at ${SHA:0:2}/${SHA:2:38}, I updated your script a bit:
USERS_DIR="${1:-.}"
OAUTH_PREFIX="${2:-google-oauth}"
MATCH="${3:-+}"
files="$(grep -Er 'externalId "[[:digit:]]'"${MATCH}"'"' ${USERS_DIR} | cut -d ':' -f 1)"
while read -r filename
do
sed -Ei "s/externalId \"([[:digit:]]+)\"/externalId \"${OAUTH_PREFIX}:\1\"/" ${filename}
id=$(grep -UEo "${OAUTH_PREFIX}:[[:digit:]]+" ${filename})
new_hash=$(echo -n ${id} | sha1sum | cut -f 1 -d ' ')
prefix=${new_hash:0:2}
remaining=${new_hash:2:38}
mkdir -p ${prefix}
git mv ${filename} ${prefix}/${remaining}
echo "patched id: ${id}, renamed ${filename} to ${prefix}/${remaining}"
done <<< "${files}"Prerequisites:
- NoteDb
How to use:
- clone
All-Usersproject and checkoutmeta/external-ids
Could you please tell the exact commands you used ? i'm stuck on this step and I wonder if it's due to my weak git level or to permission issues on all-users repository
have a nice day
Prerequisites:
- NoteDb
How to use:
- clone
All-Usersproject and checkoutmeta/external-idsCould you please tell the exact commands you used ? i'm stuck on this step and I wonder if it's due to my weak git level or to permission issues on all-users repository
have a nice day
forget about it, I just discovered the global privilege "Access Database" as told here : https://www.gerritcodereview.com/config-accounts.html#external-ids
:)
The problem was fixed in Gerrit: [1].
[1] https://gerrit-review.googlesource.com/c/gerrit/+/238833