[SAP IAS] Fix thread-safety race condition in PKCE handling The previous implementation used a shared AuthorizationUrlBuilder field in the SAPIasOAuthService singleton. Calling initPKCE() on this shared builder meant that concurrent login requests from different users would overwrite the code_verifier, leading to intermittent authentication failures. Use the new OAuthAuthorizationInfo extension point to generate and return a per-request code_verifier. This allows Gerrit to store the verifier in the user's session and pass it back to the getAccessToken(OAuthVerifier, String) method, ensuring the verifier matches the original challenge for each specific login flow. The single-argument getAccessToken(OAuthVerifier) and getAuthorizationUrl() methods are removed as they are now provided by default implementations in the OAuthServiceProvider interface. Add SAPIasOAuthServiceTest to verify the PKCE flow and ensure that the code verifier is correctly extracted from the session and passed to the underlying ScribeJava service. Depends-On: https://gerrit-review.googlesource.com/c/gerrit/+/564343 Change-Id: I718ec9d72da1c13ca4ac405563a8d4c4a5636b8e
With this plugin Gerrit can use OAuth2 protocol for authentication. Supported OAuth providers:
See the Wiki what it can do for you.
Prebuilt binary artifacts are available on release page. Make sure to pick the right JAR for your Gerrit version.
To build the plugin with Bazel, install Bazel and run the following:
git clone https://gerrit.googlesource.com/plugins/oauth cd oauth && bazel build oauth
Copy the bazel-bin/oauth.jar to $gerrit_site/plugins and re-run init to configure it:
java -jar gerrit.war init -d <site>
[...]
*** OAuth Authentication Provider
***
Use Bitbucket OAuth provider for Gerrit login ? [Y/n]? n
Use Google OAuth provider for Gerrit login ? [Y/n]?
Application client id : <client-id>
Application client secret :
confirm password :
Link to OpenID accounts? [true]:
Use GitHub OAuth provider for Gerrit login ? [Y/n]? n
Make sure to read the FAQ before reporting issues.
Apache License 2.0