Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Google OAUTH issue

See original GitHub issue

Hello Davido,

Im running Gerrit 2.16.8 fully migrated to noteDB. Im still using gerrit-oauth-provider version 2.13.2 and all is fine. I was planning to upgrade the plugin but im having problems. Same as issue 123 This is what i have in gerrit.config:

[plugin "gerrit-oauth-provider-google-oauth"]
        client-id = *****************************
        fix-legacy-user-id = true
        link-to-existing-openid-accounts = true

If i try to use the latest version of the plugin i get this error while authenticating then a redirect to a forbidden page

[2019-05-21 23:09:27,787] [HTTP-185] WARN  com.googlesource.gerrit.plugins.oauth.GoogleOAuthService : The support for: link-to-existing-openid-accounts is disconinued
[2019-05-21 23:09:30,529] [HTTP-186] INFO  com.google.gerrit.httpd.auth.oauth.OAuthSession : OAuth2: linking claimed identity to 1601
[2019-05-21 23:09:30,608] [HTTP-186] WARN  com.google.gerrit.server.account.AccountManager : Email *@gmail.com is already assigned to account 1601; cannot create external ID google-oauth:109031793006731947128 with the same email for account 1601.
[2019-05-21 23:09:30,608] [HTTP-186] ERROR com.google.gerrit.httpd.auth.oauth.OAuthSession : Unable to authenticate user "com.google.gerrit.extensions.auth.oauth.OAuthUserInfo@1c548b0a"
com.google.gerrit.server.account.AccountException: Email '*@gmail.com' in use by another account
[2019-05-21 23:10:55,719] [HTTP-187] WARN  org.eclipse.jetty.server.HttpChannel : /oauth
org.scribe.exceptions.OAuthException: Cannot extract an access token. Response was: {
  "error": "invalid_grant",
  "error_description": "Bad Request"
}
[2019-05-21 23:10:55,720] [HTTP-187] ERROR com.google.gerrit.pgm.http.jetty.HiddenErrorHandler : Error in GET /oauth?state=Miv5JCkWlMsF04EJ8017-fKK9rWDBGlAUvQs0YsXqN8&code=4/UgFvJ0GMZEOkUtzk0LYnZN3Eg_7YfmJZIzZz0UEBx2sDrEW0k5b07_daBFypG8G2I2YF0BWbhnqQbIkLCA4lyYo&scope=email+profile+https://www.googleapis.com/auth/userinfo.email+https://www.googleapis.com/auth/userinfo.profile
org.scribe.exceptions.OAuthException: Cannot extract an access token. Response was: {
  "error": "invalid_grant",
  "error_description": "Bad Request"
}

Here the details for the same account retrived from api GET /accounts/1601/external.ids

)]}'
[
  {
    "identity": "109031793006731947128",
    "email_address": "*@gmail.com",
    "trusted": true,
    "can_delete": true
  },
  {
    "identity": "google-oauth:109031793006731947128",
    "trusted": true,
    "can_delete": true
  },
  {
    "identity": "username:Mich",
    "trusted": true
  }
]

Thanks in advance for help

Issue Analytics

State:
Created 4 years ago
Reactions:1
Comments:13 (4 by maintainers)

Top GitHub Comments

1reaction

pgeorgicommented, Jun 29, 2019

Thanks Jmennius for the script, I extended it somewhat:

USERS_DIR="${1:-.}"
OAUTH_PREFIX="${2:-google-oauth}"
MATCH="${3:-+}"

files="$(grep -Er 'externalId "[[:digit:]]'"${MATCH}"'"' ${USERS_DIR} | cut -d ':' -f 1)"

while read -r filename
do
    sed -Ei "s/externalId \"([[:digit:]]+)\"/externalId \"${OAUTH_PREFIX}:\1\"/" ${filename}
    id=$(grep -UEo "${OAUTH_PREFIX}:[[:digit:]]+" ${filename})
    new_hash=$(echo -n ${id} | sha1sum | cut -f 1 -d ' ')
    git mv ${filename} ${new_hash}
    echo "patched id: ${id}, renamed ${filename} to ${new_hash}"
done <<< "${files}"

This allows running it with a third argument to help separate google and github ID:

script . google-oauth "{10,}"
script . github-oauth "{,9}"

assigns the right prefix to each ID. It also registers the renames with git.

0reactions

davidocommented, Oct 1, 2019

The problem was fixed in Gerrit: [1].

[1] https://gerrit-review.googlesource.com/c/gerrit/+/238833

Top Results From Across the Web

Authorization Errors | Device Access

During the authorization process, Google OAuth may return an error. Use this guide to troubleshoot the most common errors during this ...

Google OAuth

We are currently experiencing an issue with authentication to Google App Engine sites, the Google Cloud Console, Identity Aware Proxy, ...

Google oAUTH scope error [158278184] - Visible to Public

A small code sample that reliably reproduces the issue. The sample should run as-is or with minimal setup, without external dependencies. from __future__...

OAuth API verification FAQs - Google Cloud Platform ...

All apps that access Google APIs must verify that they accurately represent their identity and intent as specified by Google's API Services User ......

Google OAuth 2.0 failing with Error 400: invalid_request for ...

I was able to reproduce the same problem in a dev domain. I have three client ids. The oldest one is from January...