Google Git
Sign in
gerrit/plugins/oauth/2134c3482c1382f85d05c38f010310de4e944cc3
commit
2134c3482c1382f85d05c38f010310de4e944cc3
[log]
author
Thomas Dräbing <thomas.draebing@sap.com>
Wed Nov 12 09:19:59 2025 +0100
committer
David Ostrovsky <david@ostrovsky.org>
Sat Mar 21 03:25:50 2026 -0700
tree
ed72c9503a79fc6ce62572119604865dfa2d6344
parent
5c230cddbac5ac7c83b102c0e4b83237b0d37a1b [diff]
Adapt to Gerrit's use of bazel modules

Turn off strict_visibility in the rules_jvm_external maven_install used
for @external_plugin_deps.

With strict_visibility enabled, transitively resolved Maven artifacts
are generated with //visibility:private and cannot be referenced
directly from plugin BUILD targets. This conflicts with Bazel strict-
deps, which requires direct dependencies to be listed when their types
are used at compile time.

For example, scribejava-apis depends transitively on scribejava-core,
but plugin sources extending DefaultApi20 must add
@external_plugin_deps//:com_github_scribejava_scribejava_core as a
direct dependency to satisfy strict-deps. With strict_visibility enabled
this fails due to visibility restrictions.

Disabling strict_visibility allows depending on such transitively
resolved artifacts directly, while still keeping strict-deps enabled to
enforce explicit compile-time dependencies.

To support both standalone and in-tree build modes, split the Maven
repositories into:

  * a shared "external_plugin_deps" repository that contains only
    Gerrit-provided APIs (gerrit-plugin-api and acceptance framework)
    and does not define a lock file

  * a plugin-specific repository ("oauth_plugin_deps") that contains
    the plugin's bundled runtime dependencies and owns its lock file

This allows:

  - bazlets to continue referencing @external_plugin_deps for
    Gerrit API dependencies in standalone mode without bundling
    them into the plugin

  - plugin runtime dependencies to remain reproducible via
    lock files

  - multiple plugins to coexist in an in-tree build without
    contributing conflicting lock files for the same repository

Provide a MODULE.bazel fragment that can be linked into Gerrit's
`plugins/external_plugin_deps.MODULE.bazel` when the plugin is built
inside the Gerrit source tree.

This allows the plugin to be built in-tree without modifying Gerrit's
main module configuration beyond including this fragment.

Update the build documentation to describe how to link the fragment
and run plugin tests in this configuration.

Change-Id: Ib3e8ee4012c8180131b26622dfacc29e31834646
19 files changed
tree: ed72c9503a79fc6ce62572119604865dfa2d6344
  1. .settings/
  2. src/
  3. tools/
  4. .bazelignore
  5. .bazelrc
  6. .bazelversion
  7. .gitignore
  8. .travis.yml
  9. BUILD
  10. external_plugin_deps.MODULE.bazel
  11. LICENSE
  12. LICENSE-scribe
  13. MODULE.bazel
  14. MODULE.bazel.lock
  15. oauth_plugin_deps.lock.json
  16. README.md
README.md

Gerrit OAuth2 authentication provider

Build Status

With this plugin Gerrit can use OAuth2 protocol for authentication. Supported OAuth providers:

See the Wiki what it can do for you.

Prebuilt artifacts

Prebuilt binary artifacts are available on release page. Make sure to pick the right JAR for your Gerrit version.

Build

To build the plugin with Bazel, install Bazel and run the following:

  git clone https://gerrit.googlesource.com/plugins/oauth
  cd oauth && bazel build oauth

Install

Copy the bazel-bin/oauth.jar to $gerrit_site/plugins and re-run init to configure it:

  java -jar gerrit.war init -d <site>
  [...]
  *** OAuth Authentication Provider
  ***
  Use Bitbucket OAuth provider for Gerrit login ? [Y/n]? n
  Use Google OAuth provider for Gerrit login ? [Y/n]?
  Application client id          : <client-id>
  Application client secret      : 
                confirm password : 
  Link to OpenID accounts? [true]: 
  Use GitHub OAuth provider for Gerrit login ? [Y/n]? n

Reporting bugs

Make sure to read the FAQ before reporting issues.

License

Apache License 2.0