Infra announce: Authenticating against gerrit using TDF's Single Sign-On system

Guilhem Moulin guilhem at
Sun Sep 15 11:28:56 UTC 2019

Dear developers,

Please visit (use your Single
Sign-On credentials to authenticate — if you don't have an account there
then please create one) and check whether you have “Gerrit” in the
“Linked profiles” section.  If not, then add the preferred email address
of your gerrit account [0] to the form above; a confirmation token will
then be delivered to that address, and “Gerrit” should appear in the
“Linked profiles” section after confirmation.

About 68% of the gerrit accounts that uploaded a patch set in the past 30
days are known to the Single Sign-On system.  These accounts can use TDF's
new OAuth2 IdP at i.e., authenticate
through The Document Foundation's Single Sign-On system.

Unfortunately, due to the way the OAuth2 plugin works, if you try a new IdP
that is not linked to your existing gerrit account, then a *brand new*
account is created.  (This is no different than for other providers like
GitHub or Google.)  If that happens, then please *do not* start using the
new account, instead ask us to merge them ASAP at hostmaster at
(or on IRC at #tdf-infra).  While merging a fresh account is painless, the
logic is more brittle (there is risk of breaking referential integrity) if
they're both actively used, so again please poke us ASAP.

In the not too distant future, TDF's OAuth2 IdP will become the *only* way
to authenticate against our gerrit instance: authenticating using other
OAuth2 or OpenID providers will no longer be possible.  We're unable to
give a precise ETA right now, as we need a higher ratio of patch set
authors in SSO, but that will definitely be *in 2019*.  Later this week
we'll individually poke all recent patch set authors that are still
unknown to our Single Sign-On system.  Once we deprecate other OAuth2
and OpenID providers, gerrit accounts that are still missing from SSO will
be effectively *locked out* until an infra team member manually ties them
to the relevant LDAP DIT entry.

FWIW finalizing the migration to TDF's OAuth2 IdP is a prerequisite for
upgrading gerrit to more recent versions (with shiny new Web UI, ed25519
SSH key support, CodeMirror editor plugin, and more [1]).

Guilhem, for The Document Foundation's infra team.

[0] The one shown at .