Gerrit and Keycloak integration using OIDC

I spent several days trying to make Gerrit work with Keycloak using OIDC (OpenID Connect). At the company I work for we use Gerrit for our code repositories. Gerrit is actually pretty interesting because its UI is really simple, and I’ve actually started to enjoy using it. Not that I use the UI that much: I mostly interact with Gerrit using ‘git’ in the terminal. Authentication was previously done with LDAP. As you know, LDAP is not that great when you have multiple cloud-based applications. We created a Keycloak instance and have connected various services to it over either SAML or OIDC. Keycloak has the great benefit that it supports both authentication mechanisms. So I will describe what I found out while integrating Gerrit, the Gerrit OAuth plugin and Keycloak.

I found this plugin: gerrit-oauth-provider for Gerrit. It supports Keycloak using OAuth. I installed the plugin in the plugins/ directory of Gerrit and configured it according to the guide. However, clicking on sign-in in the top right corner of Gerrit led me to the Keycloak installation that I had set up and configured, but it just said ‘Page not found’. So what was the solution?

The problem was the URL used to direct the connection from Gerrit to Keycloak. The deprecated Wildfly distribution of Keycloak used the URL https://keycloak-endpoint/auth/realms, whereas the new Quarkus distribution uses https://keycloak-endpoint/realms/ - the difference is the /auth/ prefix. So I fixed the URL in the Keycloak API in the plugin, used Bazel to build the package, installed the new plugin and then it worked totally fine. You can find my implementation in a forked repository I created: gerrit-oauth-provider. I have not published a compiled build yet, but you can build it yourself by typing (you need to have Bazel installed):

$ bazel build oauth

You take the output .jar file, put it in your plugins folder in Gerrit and restart it; it will then work, provided you have set up the Gerrit configuration correctly.
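Because the plugin hard-codes the realm URL prefix, it is worth checking which layout your Keycloak server actually uses before pointing Gerrit at it, rather than discovering it through a ‘Page not found’. The script below is an added example, not code from this post or from the gerrit-oauth-provider plugin. It builds the OIDC discovery URL for both the legacy /auth/realms/ (Wildfly) and the current /realms/ (Quarkus) layout, tries them in turn, and only accepts a layout when the returned document’s issuer matches the realm URL it was fetched from, so a catch-all page answering 200 for any path is not mistaken for Keycloak. The host keycloak.example.com, the realm name gerrit and the sample discovery documents are constructed for the example; the real fetcher at the bottom is what you would pass in against your own server.

```python
"""Probe which Keycloak URL layout a server uses before configuring Gerrit's OAuth plugin."""
import json
from typing import Callable, Optional

# Realm path prefixes of the two Keycloak distributions discussed above.
LAYOUTS = {
    "wildfly": "/auth/realms/{realm}",  # deprecated Wildfly distribution
    "quarkus": "/realms/{realm}",       # current Quarkus distribution
}
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def discovery_url(base: str, realm: str, layout: str) -> str:
    """Build the OIDC discovery URL for a realm under the given layout."""
    return base.rstrip("/") + LAYOUTS[layout].format(realm=realm) + DISCOVERY_SUFFIX


def detect_layout(base: str, realm: str,
                  fetch: Callable[[str], Optional[str]]) -> Optional[str]:
    """Return 'quarkus', 'wildfly' or None.

    fetch(url) must return the response body, or None when the server answers
    with an HTTP error (e.g. 404). The Quarkus path is tried first. A layout is
    accepted only if the body is JSON whose 'issuer' equals the realm URL the
    document was fetched from and which advertises an authorization endpoint.
    """
    for layout in ("quarkus", "wildfly"):
        url = discovery_url(base, realm, layout)
        body = fetch(url)
        if body is None:
            continue
        try:
            doc = json.loads(body)
        except ValueError:
            continue  # not a discovery document
        expected_issuer = url[: -len(DISCOVERY_SUFFIX)]
        if doc.get("issuer") == expected_issuer and "authorization_endpoint" in doc:
            return layout
    return None


# Constructed sample responses standing in for a Quarkus-distribution server (no network).
_SAMPLE_SERVER = {
    "https://keycloak.example.com/realms/gerrit" + DISCOVERY_SUFFIX: json.dumps({
        "issuer": "https://keycloak.example.com/realms/gerrit",
        "authorization_endpoint":
            "https://keycloak.example.com/realms/gerrit/protocol/openid-connect/auth",
        "token_endpoint":
            "https://keycloak.example.com/realms/gerrit/protocol/openid-connect/token",
    }),
}


def sample_fetch(url: str) -> Optional[str]:
    """Offline fetcher: anything not in the constructed sample is a 404."""
    return _SAMPLE_SERVER.get(url)


def http_fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """Real fetcher using only the standard library; HTTP errors become None."""
    import urllib.error
    import urllib.request
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("utf-8")
    except urllib.error.HTTPError:
        return None


if __name__ == "__main__":
    # Against the constructed sample this reports the Quarkus layout.
    print(detect_layout("https://keycloak.example.com", "gerrit", sample_fetch))
    # Against a real server: detect_layout("https://your-keycloak", "your-realm", http_fetch)
```

If the function returns ‘wildfly’ you can use the upstream plugin as-is; if it returns ‘quarkus’ you need the forked build described above (or an equivalent fix), and if it returns None the realm name or base URL is wrong before the plugin even enters the picture.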