Discovery OAuth: Add optional PKCE support

Add support for Proof Key for Code Exchange (PKCE) in the Discovery OAuth provider to improve security of the authorization code flow.

When `enable-pkce = true`:
- Generate a PKCE code verifier/challenge during authorization
- Return verifier alongside the authorization URL
- Include verifier when exchanging the authorization code for a token

This is disabled by default to preserve backward compatibility with providers that do not support PKCE.

NOTE: This change depends on a Gerrit core update that extends the OAuthServiceProvider API (OAuthAuthorizationInfo and PKCE-aware getAccessToken). The plugin will not work with older Gerrit versions.

Also:
- Update configuration and documentation
- Add unit tests covering PKCE authorization and token exchange flows

Contributed-By: Kai Liu <kraml.liu@gmail.com>
Change-Id: I56fa0f4d50333a2c568d95c31c78f2de3afed661
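The verifier/challenge handling that the commit message above describes, shown as an added example that is not the plugin's own code. It assumes the S256 challenge method from RFC 7636 (the commit message does not name the method); the class and method names are hypothetical and are not the Gerrit OAuthServiceProvider API.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration; class and method names are hypothetical, not the plugin's API.
public class PkceSketch {
  private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

  // Client, before the redirect: 32 random bytes become a 43-character code_verifier.
  static String newVerifier() {
    byte[] raw = new byte[32];
    new SecureRandom().nextBytes(raw);
    return B64URL.encodeToString(raw);
  }

  // S256 (assumed method): code_challenge = BASE64URL(SHA-256(ASCII(code_verifier))).
  static String challengeFor(String verifier) {
    try {
      byte[] hash = MessageDigest.getInstance("SHA-256")
          .digest(verifier.getBytes(StandardCharsets.US_ASCII));
      return B64URL.encodeToString(hash);
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("SHA-256 unavailable", e);
    }
  }

  // Authorization server, at the token endpoint: recompute and compare in constant time.
  static boolean serverAccepts(String storedChallenge, String presentedVerifier) {
    if (presentedVerifier == null || !presentedVerifier.matches("[A-Za-z0-9._~-]{43,128}")) {
      return false; // missing or malformed code_verifier
    }
    return MessageDigest.isEqual(
        storedChallenge.getBytes(StandardCharsets.US_ASCII),
        challengeFor(presentedVerifier).getBytes(StandardCharsets.US_ASCII));
  }

  static void check(boolean ok, String what) { if (!ok) throw new AssertionError(what); }

  public static void main(String[] args) {
    // Test vector from RFC 7636, Appendix B.
    check(challengeFor("dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk")
        .equals("E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"), "RFC 7636 vector");
    String verifier = newVerifier();           // kept with the pending login
    String challenge = challengeFor(verifier); // sent in the authorization URL
    check(serverAccepts(challenge, verifier), "matching verifier is accepted");
    check(!serverAccepts(challenge, newVerifier()), "code without the verifier is rejected");
    check(!serverAccepts(challenge, null), "missing verifier is rejected");
    System.out.println("PKCE checks passed");
  }
}
```

The verifier has to be held with the pending login until the callback arrives; only the challenge travels in the authorization request.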
With this plugin, Gerrit can use the OAuth2 protocol for authentication. Supported OAuth providers:
See the Wiki for what it can do for you.
Prebuilt binary artifacts are available on the release page. Make sure to pick the right JAR for your Gerrit version.
To build the plugin with Bazel, install Bazel and run the following:
git clone https://gerrit.googlesource.com/plugins/oauth
cd oauth && bazel build oauth
Copy the bazel-bin/oauth.jar to $gerrit_site/plugins and re-run init to configure it:
java -jar gerrit.war init -d <site>
[...]
*** OAuth Authentication Provider
***
Use Bitbucket OAuth provider for Gerrit login ? [Y/n]? n
Use Google OAuth provider for Gerrit login ? [Y/n]?
Application client id : <client-id>
Application client secret :
confirm password :
Link to OpenID accounts? [true]:
Use GitHub OAuth provider for Gerrit login ? [Y/n]? n
Make sure to read the FAQ before reporting issues.
Apache License 2.0