Google Git
Sign in
gerrit / plugins / oauth / 6a3d10dddb3642c067d3871784dd35e41883117b^! / .
commit6a3d10dddb3642c067d3871784dd35e41883117b[log] [tgz]
authorDavid Ostrovsky <david@ostrovsky.org>Fri Feb 03 08:14:18 2017 +0100
committerDavid Ostrovsky <david@ostrovsky.org>Mon Feb 06 22:40:43 2017 +0100
tree4ad0db9b1625aec7c927a4d5c90cfc7124c33349
parentfee9340f4d664444ba48a0ea43747a6ead688875 [diff]
Google OAuth provider: OpenID 2.0 identifier mapping is discontinued

According to Google OAuth2 specification[1]: the support for OpenID 2.0
identifier mapping is discontinued:

Note: Support for the OpenID 2.0 identifier mapping described above will
remain in effect until January 1, 2017.

Reflect this fact in the code and discontinue the exposed option in the
Google OAuth provider for this OpenID identifier mapping.

[1]  https://developers.google.com/identity/protocols/OpenID2Migration

Bug: Issue https://github.com/davido/gerrit-oauth-provider/issues/77
Change-Id: I0c1806e14c22d385b73c810e39568edd9ff84db0

diff --git a/src/main/java/com/googlesource/gerrit/plugins/oauth/GoogleOAuthService.java b/src/main/java/com/googlesource/gerrit/plugins/oauth/GoogleOAuthService.java
index 860f34b..18547f7 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/oauth/GoogleOAuthService.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/oauth/GoogleOAuthService.java

@@ -61,7 +61,6 @@
   private static final String SCOPE = "email profile";
   private final OAuthService service;
   private final String canonicalWebUrl;
-  private final boolean linkToExistingOpenIDAccounts;
   private final String domain;
   private final boolean useEmailAsUsername;
 
@@ -73,26 +72,23 @@
         pluginName + CONFIG_SUFFIX);
     this.canonicalWebUrl = CharMatcher.is('/').trimTrailingFrom(
         urlProvider.get()) + "/";
-    this.linkToExistingOpenIDAccounts = cfg.getBoolean(
-        InitOAuth.LINK_TO_EXISTING_OPENID_ACCOUNT, false);
+    if (cfg.getBoolean(InitOAuth.LINK_TO_EXISTING_OPENID_ACCOUNT, false)) {
+      log.warn(String.format("The support for: %s is disconinued",
+          InitOAuth.LINK_TO_EXISTING_OPENID_ACCOUNT));
+    }
     this.domain = cfg.getString(InitOAuth.DOMAIN);
     this.useEmailAsUsername = cfg.getBoolean(
         InitOAuth.USE_EMAIL_AS_USERNAME, false);
-    String scope = linkToExistingOpenIDAccounts
-        ? "openid " + SCOPE
-        : SCOPE;
     this.service = new ServiceBuilder()
         .provider(Google2Api.class)
         .apiKey(cfg.getString(InitOAuth.CLIENT_ID))
         .apiSecret(cfg.getString(InitOAuth.CLIENT_SECRET))
         .callback(canonicalWebUrl + "oauth")
-        .scope(scope)
+        .scope(SCOPE)
         .build();
     if (log.isDebugEnabled()) {
       log.debug("OAuth2: canonicalWebUrl={}", canonicalWebUrl);
-      log.debug("OAuth2: scope={}", scope);
-      log.debug("OAuth2: linkToExistingOpenIDAccounts={}",
-          linkToExistingOpenIDAccounts);
+      log.debug("OAuth2: scope={}", SCOPE);
       log.debug("OAuth2: domain={}", domain);
       log.debug("OAuth2: useEmailAsUsername={}", useEmailAsUsername);
     }
@@ -124,15 +120,10 @@
       }
       JsonElement email = jsonObject.get("email");
       JsonElement name = jsonObject.get("name");
-      String claimedIdentifier = null;
       String login = null;
 
-      if (linkToExistingOpenIDAccounts
-          || !Strings.isNullOrEmpty(domain)) {
+      if (!Strings.isNullOrEmpty(domain)) {
         JsonObject jwtToken = retrieveJWTToken(token);
-        if (linkToExistingOpenIDAccounts) {
-          claimedIdentifier = retrieveClaimedIdentity(jwtToken);
-        }
         if (!Strings.isNullOrEmpty(domain)) {
           String hdClaim = retrieveHostedDomain(jwtToken);
           if (!domain.equalsIgnoreCase(hdClaim)) {
@@ -150,7 +141,7 @@
           login /*username*/,
           email == null || email.isJsonNull() ? null : email.getAsString() /*email*/,
           name == null || name.isJsonNull() ? null : name.getAsString() /*displayName*/,
-	      claimedIdentifier /*claimedIdentity*/);
+	      null /*claimedIdentity*/);
     }
 
     throw new IOException(String.format(
@@ -177,17 +168,6 @@
     return null;
   }
 
-  private static String retrieveClaimedIdentity(JsonObject jwtToken) {
-    JsonElement openidIdElement = jwtToken.get("openid_id");
-    if (openidIdElement != null && !openidIdElement.isJsonNull()) {
-      String openIdId = openidIdElement.getAsString();
-      log.debug("OAuth2: openid_id={}", openIdId);
-      return openIdId;
-    }
-    log.debug("OAuth2: JWT doesn't contain openid_id element");
-    return null;
-  }
-
   private static String retrieveHostedDomain(JsonObject jwtToken) {
     JsonElement hdClaim = jwtToken.get("hd");
     if (hdClaim != null && !hdClaim.isJsonNull()) {
@@ -228,10 +208,6 @@
   public String getAuthorizationUrl() {
     String url = service.getAuthorizationUrl(null);
     try {
-      if (linkToExistingOpenIDAccounts) {
-        url += "&openid.realm=" + URLEncoder.encode(canonicalWebUrl,
-            StandardCharsets.UTF_8.name());
-      }
       if (!Strings.isNullOrEmpty(domain)) {
         url += "&hd=" + URLEncoder.encode(domain,
             StandardCharsets.UTF_8.name());

diff --git a/src/main/java/com/googlesource/gerrit/plugins/oauth/InitOAuth.java b/src/main/java/com/googlesource/gerrit/plugins/oauth/InitOAuth.java
index 0a5876d..add1da1 100644
--- a/src/main/java/com/googlesource/gerrit/plugins/oauth/InitOAuth.java
+++ b/src/main/java/com/googlesource/gerrit/plugins/oauth/InitOAuth.java

@@ -59,9 +59,6 @@
         true, "Use Google OAuth provider for Gerrit login ?");
     if (configureGoogleOAuthProvider) {
       configureOAuth(googleOAuthProviderSection);
-      googleOAuthProviderSection.string(
-          "Link to OpenID accounts?",
-          LINK_TO_EXISTING_OPENID_ACCOUNT, "true");
     }
 
     boolean configueGitHubOAuthProvider = ui.yesno(