The username is used as the external ID on Gerrit: https://gerrit.googlesource.com/plugins/oauth/+/refs/heads/master/src/main/java/com/googlesource/gerrit/plugins/oauth/KeycloakOAuthService.java#125
This is fundamentally broken: users must be able to freely change their usernames without breaking OAuth (I will not go into why usernames must be changeable, but let's assume it is a given).
In fact, this is correctly implemented for the GitHub provider: an immutable machine-readable ID is used for the external ID in Gerrit, as should be the case: https://gerrit.googlesource.com/plugins/oauth/+/refs/heads/master/src/main/java/com/googlesource/gerrit/plugins/oauth/GitHubOAuthService.java#121
It appears that this can be fixed by using "sub" from the ID token instead of the username for the external ID, and using the same "fix legacy IDs" approach as is implemented on the GitHub plugin as well.
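The fix proposed above, as an added example that is not part of this issue or of the oauth plugin's code: a toy account store keyed by external ID, where login resolves the account by a `sub`-based ID first and consults the legacy username-keyed ID only to migrate it once. The scheme names `oauth-username` and `oauth-sub`, the `preferred_username` claim as the legacy key, and the store API are assumptions for the sketch; Gerrit's real external-ID schemes and the plugin's classes differ.

```python
from dataclasses import dataclass, field

# Assumed external-ID schemes for this sketch; Gerrit's real scheme names differ.
LEGACY_SCHEME = "oauth-username"  # keyed on the mutable username (the reported bug)
STABLE_SCHEME = "oauth-sub"       # keyed on the immutable "sub" claim (the fix)

@dataclass
class Account:
    account_id: int
    external_ids: set = field(default_factory=set)

class AccountStore:
    """Toy account store keyed by external ID (constructed for this example)."""
    def __init__(self):
        self._by_external_id = {}
        self._next_id = 1000

    def create(self, external_id):
        acct = Account(self._next_id, {external_id})
        self._next_id += 1
        self._by_external_id[external_id] = acct
        return acct

    def lookup(self, external_id):
        return self._by_external_id.get(external_id)

    def link(self, acct, external_id):
        acct.external_ids.add(external_id)
        self._by_external_id[external_id] = acct

    def unlink(self, acct, external_id):
        acct.external_ids.discard(external_id)
        self._by_external_id.pop(external_id, None)

def resolve_account(store, claims):
    """Map a verified ID token's claims to an account, migrating legacy IDs once.
    Caller must have checked the token's signature, issuer, audience and expiry."""
    stable_id = f"{STABLE_SCHEME}:{claims['sub']}"
    acct = store.lookup(stable_id)
    if acct is not None:
        return acct  # already on the immutable key; the username is irrelevant
    # Not found by sub: either a first login or an account created before the fix.
    legacy_id = f"{LEGACY_SCHEME}:{claims['preferred_username']}"
    acct = store.lookup(legacy_id)
    if acct is None:
        return store.create(stable_id)
    # "Fix legacy IDs": re-key the account on sub and drop the username key, so a
    # later rename (or another user adopting the old name) no longer resolves to it.
    store.link(acct, stable_id)
    store.unlink(acct, legacy_id)
    return acct
```

Accounts that never log in after the change stay keyed on their username until their owner does, so the migration is only complete once every legacy ID has been visited.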