Cannot link to user identity with OAuth prefix #99

Closed
ernestoalejo opened this issue Jan 3, 2018 · 9 comments

@ernestoalejo

We use Gerrit configured with GitHub OAuth. When updating this plugin to the latest version this error appears every time the users log in and a Forbidden error is returned.

Error in the logs:

[2018-01-03 09:53:01,472] [HTTP-79] ERROR com.google.gerrit.httpd.auth.oauth.OAuthSession : OAuth accounts disagree over user identity:
Claimed ID: 1000000 is 961XXX
Delgate ID: 1000259 is github-oauth:961XXX

I saw the commit 879bbae and configured it using:

git config -f "$GERRIT_SITE/etc/gerrit.config" plugin.gerrit-oauth-provider-github-oauth.fix-legacy-user-id true

The file gerrit.config has the following settings related to the plugin:

[plugin "gerrit-oauth-provider-github-oauth"]
	client-id = XXX
	client-secret = XXX
	fix-legacy-user-id = true
[plugin "gerrit-oauth-provider-bitbucket-oauth"]
	fix-legacy-user-id = false
[plugin "gerrit-oauth-provider-cas-oauth"]
	fix-legacy-user-id = false

The cache is not stale, we re-index everything automatically when Gerrit is restarted with the following commands:

java -jar $GERRIT_SITE/bin/gerrit.war init --batch -d $GERRIT_SITE
java -jar $GERRIT_SITE/bin/gerrit.war reindex -d $GERRIT_SITE

This issue is similar to #91, but I'm already in the latest stable version of Gerrit.

Does anyone know why the plugin is not adding the prefix when comparing it to migrate old accounts?

Versions:
Gerrit: 2.14.6, downloaded from https://www.gerritcodereview.com/download/gerrit-2.14.6.war
Gerrit OAuth provider: 2.14.6, downloaded from https://github.com/davido/gerrit-oauth-provider/releases/download/v2.14.6/gerrit-oauth-provider.jar

@davido
Owner

davido commented Jan 3, 2018

Can you check in the database if you have any new entries in the table?

@ernestoalejo
Author

Running this query:

select * from ACCOUNT_EXTERNAL_IDS; 

and filtering only all the rows related to my user:

 ACCOUNT_ID | EMAIL_ADDRESS                  | PASSWORD    | EXTERNAL_ID
 -----------+--------------------------------+-------------+-------------------------------------
 1000000    | [email protected]        | NULL        | 961XXX
 1000000    | NULL                           | NULL        | username:ernestoalejo
 1000000    | [email protected]       | NULL        | mailto:[email protected]
 1000259    | [email protected]        | NULL        | github-oauth:961XXX

@ernestoalejo
Author

Also, I have reverted to the older version in the meantime and it is working ok:
Gerrit: v2.14.6
OAuth: v2.13.2

@davido
Owner

davido commented Jan 3, 2018

As you can see, the entry was written as expected:

1000259    | [email protected]        | NULL        | github-oauth:961XXX

The better question is why the authentication doesn't work.

@ernestoalejo
Author

It has created a new 1000259 user for the same account, is that expected?

@davido
Owner

davido commented Jan 4, 2018

I was not able to reproduce your problem. What I tried:

  • Create new gerrit site with Gerrit 2.14.6-17-gb046129965, built from (b0461299658477df1f3a63e2d59a561bb4e07c8b)
  • Install older plugin version, that is not aware of prefixed external id (GitHub external id in the form of 4711 are created)
  • Login first time, user 1000000 is created, with external id: 4711
  • stop gerrit
  • install the latest version of plugin (3325e8c)
  • specify fix-legacy-user-id = true for the provider
  • clear browser cache
  • start gerrit
  • login using GitHub Oauth provider, claimed identity = 4711 but the current identity = github-oauth:4711
  • after login both external ids are pointed to the same user: 1000000
  • stop gerrit (simulating that all users logged in once in the migration phase)
  • remove fix-legacy-user-id = true
  • start gerrit
  • login
  • confirm that the current external id is github-oauth:4711
  • go to identities page: #/settings/web-identities
  • select old identity 4711
  • click delete
  • log out
  • log in
  • confirm, that still the user id is 1000000
  • confirm, that only one single external id exists: github-oauth:4711 for user: 1000000

@davido
Owner

davido commented Jan 4, 2018

On second thought, I have an idea, what probably went wrong on your side. Can it be, that you:

  • upgraded plugin version
  • you logged in once with GitHub provider
  • stopped gerrit
  • only then enabled fix-legacy-user-id = true option
  • started gerrit
  • log in with error

This is the only explanation that I have, how you could end up with different user ids. The reason is, that if you don't specify fix-legacy-user-id = true and try to log in with latest plugin version, new form of external-id is specified (github-oauth:4711), but no identity linking machinery takes place, and, consequently, a new vanilla user with new external id is created.

There is no automagical way to recover from here. What you would need to do:

  • remove that new user
  • remove the new external id
  • upgrade plugin
  • add fix-legacy-user-id = true
  • start gerrit
  • log in

This should just work.

@ernestoalejo
Author

It sounds like a reasonable cause; I will update the plugin and try with a clean user to see if everything is OK. If it doesn't I will debug further to provide a reproducible list of steps.

@ernestoalejo
Author

Confirmed. It has been a timing issue because some people (including me testing) logged in before the setting was active. I will remove the new users from the tables manually.

Thank you very much for your help.
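
An added example, not part of the original thread or the plugin's code: a migration-status check over ACCOUNT_EXTERNAL_IDS that flags the split state discussed in this thread (a legacy id and its github-oauth: counterpart on different accounts) and legacy ids that have not been linked yet. It assumes only the GitHub provider wrote unprefixed ids; the sample rows and function names are constructed, and SQLite stands in for the Gerrit database.

```python
import sqlite3

PREFIX = "github-oauth:"  # prefix the newer plugin version puts on external ids

# Constructed sample rows (ACCOUNT_ID, EXTERNAL_ID), shaped like the thread's table.
SAMPLE_ROWS = [
    (1000000, "961001"),               # legacy id ...
    (1000000, "username:alice"),
    (1000259, "github-oauth:961001"),  # ... whose prefixed id landed on a new account
    (1000001, "961002"),
    (1000001, "github-oauth:961002"),  # both forms on one account: linked
    (1000002, "961003"),               # user has not logged in since the upgrade
    (1000003, "github-oauth:961004"),  # post-upgrade user, no legacy id
]

# Legacy ids are the ones without any "scheme:" prefix (assumption: GitHub only).
# '||' is string concatenation here; on MySQL use CONCAT(?, legacy.EXTERNAL_ID).
QUERY = """
SELECT legacy.EXTERNAL_ID, legacy.ACCOUNT_ID, prefixed.ACCOUNT_ID
FROM ACCOUNT_EXTERNAL_IDS AS legacy
LEFT JOIN ACCOUNT_EXTERNAL_IDS AS prefixed
  ON prefixed.EXTERNAL_ID = ? || legacy.EXTERNAL_ID
WHERE legacy.EXTERNAL_ID NOT LIKE '%:%'
ORDER BY legacy.ACCOUNT_ID
"""

def classify(conn):
    """Group every legacy external id by its migration state."""
    report = {"linked": [], "pending": [], "split": []}
    for ext_id, legacy_acct, new_acct in conn.execute(QUERY, (PREFIX,)):
        if new_acct is None:
            report["pending"].append((ext_id, legacy_acct))
        elif new_acct == legacy_acct:
            report["linked"].append((ext_id, legacy_acct))
        else:  # same GitHub identity, two Gerrit accounts
            report["split"].append((ext_id, legacy_acct, new_acct))
    return report

def build_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ACCOUNT_EXTERNAL_IDS (ACCOUNT_ID INTEGER, "
                 "EMAIL_ADDRESS TEXT, PASSWORD TEXT, EXTERNAL_ID TEXT)")
    conn.executemany("INSERT INTO ACCOUNT_EXTERNAL_IDS (ACCOUNT_ID, EXTERNAL_ID) "
                     "VALUES (?, ?)", SAMPLE_ROWS)
    return conn

if __name__ == "__main__":
    for state, rows in classify(build_sample_db()).items():
        print(state, rows)
```

An empty "pending" list is the signal that every legacy user has logged in once, and an empty "split" list that no duplicate accounts need manual cleanup, before fix-legacy-user-id is removed.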
