
Multiple domain params not supported for Google OAuth?

Open scorpiodawg opened this issue 7 years ago • 5 comments

Hello,

I have the following setup for the Google OAuth plugin on Gerrit.

[plugin "gerrit-oauth-provider-google-oauth"]
    client-id = xxx
    link-to-existing-openid-accounts = false
    domain = example1.com
    use-email-as-username = true

This works fine, and users from @example1.com are able to login just fine. example1.com is hosted on GSuite.

Now, we wanted to invite a user from example2.com and that domain is also hosted on GSuite. I changed the config to this:

[plugin "gerrit-oauth-provider-google-oauth"]
    client-id = xxx
    link-to-existing-openid-accounts = false
    domain = example1.com
    domain = example2.com
    use-email-as-username = true

This allows users from example2.com to sign in, but example1.com users now receive Unauthorized. If I switch the order of the domains in the config and restart gerrit, then users from example1.com can sign in but those from example2.com receive Unauthorized.

I also tried changing the line to: domain = example1.com, example2.com but that didn't work.

The log message from the plugin when [email protected] logs in to the gerrit instance at our example1.com site seems to indicate the HD param is messed up:

[2018-04-02 16:47:14,764] [HTTP-67] DEBUG com.googlesource.gerrit.plugins.oauth.GoogleOAuthService : OAuth2: authorization URL=https://accounts.google.com/o/oauth2/auth?response_type=code&client_id=xxx&redirect_uri=http%3A%2F%2Fgerrit.example1.com%2Foauth&scope=email%20profile&hd=example1.com
[2018-04-02 16:47:23,306] [HTTP-29744] DEBUG com.googlesource.gerrit.plugins.oauth.GoogleOAuthService : User info response: {
 "id": "1234",
 "email": "[email protected]",
 "verified_email": true,
 "name": "FL",
 "given_name": "F",
 "family_name": "L",
 "link": "...",
 "picture": ".../photo.jpg",
 "gender": "male",
 "locale": "en",
 "hd": "example2.com"
}

[2018-04-02 16:47:23,306] [HTTP-29744] ERROR com.googlesource.gerrit.plugins.oauth.GoogleOAuthService : Error: hosted domain validation failed: example2.com

The source looks ok; the OAuth URL generated by Gerrit when doing OAuth against the Google servers includes the hd param with value example1.com.

At this point we had to remove the domain restriction to allow the other user in which is obviously not ideal.

Any idea what could be going on?

scorpiodawg, Apr 03 '18 17:04

Just a guess: it's possible that you are the first site to attempt to use multiple domains in this way, and it may simply be that the code has a bug. Since the code is right here to view, can I suggest that you read it and see if and how it handles the multiple domains? If there is an error, patches are of course always welcome :wink: BTW, thanks for an excellent and clear bug report.

mwebber, Apr 03 '18 18:04

Actually, multiple domains should be supported. See, for example, the latest version documented here:

https://github.com/davido/gerrit-oauth-provider/blob/master/src/main/resources/Documentation/config.md

plugin.gerrit-oauth-provider-google-oauth.domain = "mycollege.edu"
plugin.gerrit-oauth-provider-google-oauth.domain = "myschool.net"

The code that handles the request for multiple hosted domains is described here:

https://developers.google.com/identity/protocols/OpenIDConnect#hd-param

hd (Optional): The hd (hosted domain) parameter streamlines the login process for G Suite hosted accounts.

By including the domain of the G Suite user (for example, mycollege.edu), you can indicate that the account selection UI should be optimized for accounts at that domain.

To optimize for G Suite accounts generally instead of just one domain, use an asterisk: hd=*.

The code is here:

https://github.com/davido/gerrit-oauth-provider/blob/master/src/main/java/com/googlesource/gerrit/plugins/oauth/GoogleOAuthService.java#L211-L215

The extraction from the JWT is iterating over the array:

https://github.com/davido/gerrit-oauth-provider/blob/master/src/main/java/com/googlesource/gerrit/plugins/oauth/GoogleOAuthService.java#L211-L215

As @mwebber pointed out, it should probably just work, or you are the first one reporting issues with multiple hosted domain support. Can you debug the problem?

davido, Apr 03 '18 19:04
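To make the two-step check discussed above concrete, here is an added Python sketch (not the plugin's Java code): the hd query parameter is only a hint to Google's account chooser (single domain, or "*" when several are configured), while the real access decision is the server-side comparison of the hd claim in the user-info response against every configured domain. The verified_email requirement and the USER_INFO sample (modelled on the log above) are assumptions made for this illustration.

```python
from urllib.parse import urlencode

# Hypothetical re-implementation for illustration; not the gerrit-oauth-provider source.
GOOGLE_AUTH = "https://accounts.google.com/o/oauth2/auth"

# Constructed sample, shaped like the "User info response" in the issue's log.
USER_INFO = {
    "id": "1234",
    "email": "user@example2.com",
    "verified_email": True,
    "name": "FL",
    "hd": "example2.com",
}


def hd_param(domains):
    """hd hint for the authorization URL: the one domain, or '*' for several."""
    if not domains:
        return None
    return domains[0] if len(domains) == 1 else "*"


def authorization_url(client_id, redirect_uri, domains):
    """Build the Google authorization URL, adding hd only when domains are configured."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "email profile",
    }
    hd = hd_param(domains)
    if hd is not None:
        params["hd"] = hd
    return GOOGLE_AUTH + "?" + urlencode(params)


def hosted_domain_ok(user_info, domains):
    """Server-side hosted-domain validation of the user-info response.

    The hd URL parameter above is never an access control; only the hd claim
    returned by Google is. It must match one of ALL configured domains, not
    just the first. Consumer accounts carry no hd claim and are rejected.
    """
    if not domains:
        return True  # no domain restriction configured
    hd = user_info.get("hd")
    if not hd or not user_info.get("verified_email", False):  # assumption: require verified email
        return False
    return any(hd.lower() == d.lower() for d in domains)
```

Running hosted_domain_ok(USER_INFO, ["example1.com", "example2.com"]) returns True, while the single-domain configuration ["example1.com"] rejects the same user, which is the behaviour the log line "hosted domain validation failed: example2.com" reflects.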

Thanks for the responses guys. Yes, I failed to mention that I went through exactly the path that you mention @davido --

  • I saw the docs indicating that multiple domains are supported
  • added the extra domain = and noted the failures
  • saw the comment about hd = * and tried that, and that also failed (it checks for the string "*" and fails)
  • saw the source code and found the lines/method where the check is made
  • saw the loop where the domain is checked against domains and thought "that probably should work ok"
  • then scratched my head wondering what could be going wrong seeing as it doesn't

So that's where I am :)

What's left to try:

  • I didn't try putting the domains in quotes as in the example, not sure if that has any bearing.
  • Didn't actually build the plugin with additional debug logs. My suspicion is that the domains field isn't actually populated correctly and the check is skipping out of the loop, but I'd have to test this out. Not set up to code/test this out and was hoping someone else has tried this out already...

scorpiodawg, Apr 03 '18 20:04

Could you just repeat the setting with:

domain = "foo"
domain = "bar"

Then try to authenticate with two different users from the domain foo and domain bar, and activate the debug logging. Note that it's not you who activates hd=*, but it's put in the request. Can you post here the obfuscated request and response log and the error message?

What version are you using? I could instrument the Google OAuth provider, add many more related log statements and build a new version for you to try.

davido, Apr 03 '18 21:04

I'm on the move at the moment and can only get to this in a couple of days but I'll get back to you with your requested info. Thanks for the generous offer and your work on this!

scorpiodawg, Apr 04 '18 01:04