Adding OAuth authentication scheme for Gerrit

I gave a talk on last FOSDEM about Gerrit User Authentication. Here are the slides. It was a long and interesting journey to add OAuth authentication scheme support in Gerrit Code Review. Luca spent a lot of time trying to get GitHub OAuth support in Gerrit core. After almost 1 year work on this change and countless reviews and addressed comments (57 patch set) it was abandoned. But the work wasn’t in vane. The lessons learned from this attempt was:

  • There must be support for multiple authentication providers
  • Because of the nature of the OAuth providers, the support cannot be done in Gerrit core, and must be done as a plugin
  • To write a plugin extension point must be exposed first

However, in the past there were quite some attempts to implement generic pluggable auth scheme extension point, but they all were abandoned. So it was more or less clear if we would revamp the attempt to introduce something totally generic it would require a lot of efforts and would take another couple of years of work. Instead we should try to add KISS extension point, just for OAuth. Sure, some folks in the wild were disappointed, because they would prefer to see a big generic pluggable auth extension point in Gerrit, but we just wanted to get the job done for this specific use case.

Another thing to solve, after the extension point was extracted and plugin support for the following OAuth providers Google, GitHub, CAS and BitBucket was introduced, was OpenID providers. That why I also added Hybrid OAuth+OpenID auth scheme support.

I would like to thank Norbert Thiebaud from The Document Foundation for invaluable help in many discussions we had during my work on Hybrid OAuth+OpenID authentication.

Responses are currently closed, but you can trackback from your own site.

Comments are closed.