This step-by-step guide helps you securely integrate Gerrit Code Review (http://gerrit:8080) with Keycloak (https://keycloak.maksonlee.com) using OAuth 2.0 / OpenID Connect.
Summary

| Component | Value |
|---|---|
| Gerrit Version | 3.11.2 |
| Keycloak Realm | maksonlee.com |
| Keycloak Client ID | gerrit |
| Gerrit Base URL | http://gerrit:8080 |
| Admin Email | admin@example.com |
| Gerrit Admin ID | 1000000 |
| Plugin Name | gerrit-oauth-provider-keycloak-oauth |
| Plugin Source | GerritForge CI |
- Create Keycloak Client

  In the Keycloak Admin Console:

  - Go to Clients → Create
  - Fill in:

    ```
    Client ID   : gerrit
    Client Type : OpenID Connect
    Root URL    : http://gerrit:8080
    ```

  - Click Save, then edit the settings:

    ```
    Valid Redirect URIs          : http://gerrit:8080/oauth
    Web Origins                  : http://gerrit:8080
    Client Authentication        : On
    Standard Flow Enabled        : Yes
    Direct Access Grants Enabled : Yes
    ```

  - Go to the Credentials tab and copy the Client Secret. It is only ever written to secure.config (step 4), never to gerrit.config.
- Create Keycloak User

  - Go to Users → Add User and fill in:

    ```
    Username : admin
    Email    : admin@example.com
    ```

  - Then:
    - Go to Credentials → Set a password (disable Temporary)
    - Go to Details → enable the user and set Email Verified = ON
- Download the OAuth Plugin for Gerrit

  ```shell
  sudo su - gerrit
  cd /srv/gerrit/plugins
  wget https://gerrit-ci.gerritforge.com/job/plugin-oauth-bazel-master-stable-3.11/lastSuccessfulBuild/artifact/bazel-bin/plugins/oauth/oauth.jar
  exit
  ```
- Configure Gerrit (via gerrit init)

  Run the setup wizard:

  ```shell
  sudo service gerrit stop
  sudo su - gerrit
  cd /srv/gerrit
  java -jar bin/gerrit.war init -d .
  ```

  You'll see:

  ```
  Use Keycloak OAuth provider for Gerrit login ? [y/N]? Y
  Application client id        : gerrit
  Application client secret    : <paste from Keycloak>
                confirm password : <paste again>
  Keycloak Root URL            : https://keycloak.maksonlee.com
  Keycloak Realm               : maksonlee.com
  ```
  After that, make sure you have the following:

  - /srv/gerrit/etc/gerrit.config

    ```ini
    [gerrit]
        basePath = git
        canonicalWebUrl = http://gerrit:8080/
    [auth]
        type = OAUTH
        userNameCaseInsensitive = true
        gitBasicAuthPolicy = HTTP
    [oauth]
        provider = keycloak-oauth
    [plugin "gerrit-oauth-provider-keycloak-oauth"]
        client-id = gerrit
        root-url = https://keycloak.maksonlee.com
        realm = maksonlee.com
        use-preferred-username = true
    ```

  - /srv/gerrit/etc/secure.config (holds the client secret, so it must be readable only by the account Gerrit runs as)

    ```ini
    [plugin "gerrit-oauth-provider-keycloak-oauth"]
        client-secret = <your-client-secret>
    ```
- Link Keycloak Identity to Gerrit Admin

  - Clone and check out external-ids

    ```shell
    git clone /srv/gerrit/git/All-Users.git all-users-wt
    cd all-users-wt
    git fetch origin refs/meta/external-ids:refs/remotes/origin/external-ids
    git checkout -b meta-external-ids origin/external-ids
    ```

  - Add a Keycloak externalId for admin

    Each external ID is stored as a note whose file name is the SHA-1 of its key, here `keycloak-oauth:admin`:

    ```shell
    echo -n 'keycloak-oauth:admin' | sha1sum
    # Output: 82acdd010fbac8a15bd6210dc89c96162cc579a7
    vi 82acdd010fbac8a15bd6210dc89c96162cc579a7
    ```

    Paste:

    ```ini
    [externalId "keycloak-oauth:admin"]
        accountId = 1000000
        email = admin@example.com
    ```

  - Commit and Push

    ```shell
    git add .
    git commit -m "Add external IDs for initial admin user"
    git push origin meta-external-ids:refs/meta/external-ids
    exit
    ```
- Restart Gerrit

  ```shell
  sudo service gerrit restart
  ```
- Test OAuth Login

  - Visit http://gerrit:8080
  - Click Sign In
  - You are redirected to Keycloak (https://keycloak.maksonlee.com). Log in with:
    - Username: admin
    - Password: your configured password
  - You are returned to Gerrit, logged in as admin (accountId: 1000000)