Gerrit and Keycloak integration using OIDC

I spent several days trying to make Gerrit work with Keycloak using OIDC (OpenID Connect). At the company I’m working at we’re using Gerrit for our code repositories. I had never tried or heard of Gerrit before, so it is actually pretty interesting to learn that something like Gerrit exists. The user interface is simple and I actually started to enjoy using it. It is not that I use the UI that much, because I interact with Gerrit using ‘git’ in the terminal. Authentication was done previously with LDAP. As you know, LDAP is not that awesome when you have multiple cloud-based applications. We decided to use our Keycloak installation because we use it with various other services that are connected to it over either SAML or OIDC. Keycloak has the awesome benefit that it supports both authentication mechanisms. So I will describe the things that I found out by trying to integrate Gerrit, the Gerrit OAuth plugin and Keycloak.

I found this plugin: gerrit-oauth-provider for Gerrit. It supports Keycloak using OAuth. I installed the plugin in the mentioned directory under plugins/ in Gerrit and configured it according to the guide. However, clicking on sign-in at the top right corner in Gerrit led me to the Keycloak installation that I had set up and configured, but it just said ‘Page not found’. So what was the solution?

The problem was the URL that was used to direct the connection from Gerrit to Keycloak. The deprecated WildFly distribution of Keycloak used the URL https://keycloak-endpoint/auth/realms, whereas the new Quarkus distribution uses https://keycloak-endpoint/realms/. The difference is the /auth/. So I fixed the URL in the Keycloak API in the plugin, used Bazel to build the package, installed the new plugin and then it worked totally fine. You can find my implementation in a forked repository I created, gerrit-oauth-provider. I have not made a compiled build yet, but you can do it yourself by typing the following (you need to have Bazel installed):

$ bazel build oauth

You take the output .jar file and put it in your plugins folder in Gerrit, restart it and then it’ll work if you have configured it correctly.
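
To check which of the two URL layouts described above your Keycloak actually serves before rebuilding the plugin, you can probe the realm's OIDC discovery document under both paths. This is an added example, not part of the plugin or of my fork; the host and realm in the usage line are placeholders, and the function names fetch and keycloak_realm_base are made up here.

```shell
#!/bin/sh
# Added example: find out whether a Keycloak server exposes a realm under
# /realms/<realm> (Quarkus layout) or /auth/realms/<realm> (legacy WildFly).
# Assumption: curl is installed; host and realm names are placeholders.

# Fetch a URL; fails (non-zero exit) on connection errors and on HTTP 4xx/5xx,
# which is what a "Page not found" response from the wrong path produces.
fetch() {
    curl -fsS --max-time 10 "$1" 2>/dev/null
}

# Print the realm base URL that serves an OIDC discovery document.
# Usage: keycloak_realm_base https://keycloak-endpoint myrealm
keycloak_realm_base() {
    root=${1%/}     # drop a trailing slash so paths join cleanly
    realm=$2
    for prefix in "" "/auth"; do
        base="$root$prefix/realms/$realm"
        doc=$(fetch "$base/.well-known/openid-configuration") || continue
        # A real discovery document always carries an "issuer" field;
        # this guards against a proxy answering 200 with an error page.
        case "$doc" in
            *'"issuer"'*)
                printf '%s\n' "$base"
                return 0
                ;;
        esac
    done
    echo "no OIDC discovery document under /realms or /auth/realms" >&2
    return 1
}
```

If the printed base URL has no /auth in it, the stock plugin URL with /auth/ will end in ‘Page not found’, as described above.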