gerrit-oauth-provider icon indicating copy to clipboard operation
gerrit-oauth-provider copied to clipboard

Published 20 hours ago verified publisher icon davido

Behind Google Cloud Identity-Aware Proxy

Open ghost opened this issue 7 years ago • 3 comments

Hello,

Our Gerrit server is running behind Google Cloud Identity-Aware Proxy and it works well.

But the only issue is that a user has to click Sign In in Gerrit home page in order to do an actual sign-in to Gerrit. People is usually confused because they think they already signed-in Gerrit when he/she signed in Google Cloud IAP.

Is there any way to sign-in (or sign-up) automatically?

Thanks,

ghost avatar Sep 23 '18 00:09 ghost

And also web session seems to be expired after 1 hour, but I'm not sure whether Google IAP causes it.

ghost avatar Sep 24 '18 22:09 ghost

Can you try without IAP ro confirm that session expiration issue is related to IAP? Refresh access token is not implemented: [1].

[1] https://developers.google.com/identity/protocols/OAuth2WebServer#offline

davido avatar Sep 25 '18 05:09 davido

Yes, I tried without IAP and it works fine. It looks like IAP causes this issue. IAP session is valid only for one hour and it also seems to work when I tried 'refreshing': [1].

Currently I'm just using IAP in order to restrict access not just by domain, but also by a list of emails (via Google group).

[1] https://cloud.google.com/iap/docs/special-urls-howto#refreshing_user_sessions

ghost avatar Sep 25 '18 07:09 ghost