Reputation: 5682
I am trying to set up Gerrit with OpenID as access control. I need my google apps account to be used as openID. I have tried a couple of ways to achieve this but so far not successful. This is what my gerrit config looks like:
[auth]
type = OPENID
allowedOpenID = 'https://www.google.com/accounts/o8/site-xrds?hd=mysite.com'
For the above configuration, I am getting a Provider is not allowed error while trying to login.
It works fine with normal google account, but not with the google apps account. I have already read many posts in stackoverflow and gerrit developer sites, but nothing has worked for me. Any help is appreciated.
EDIT:
The problem was using single quotes ' around the url. However, now there is a new issue: once I sign in and come back to my site it says:
The page you requested was not found, or you do not have permission to view this page
The URL redirected mysite.com/#SignInFailure,SIGN_IN,Provider+not+allowed. Any idea?
Upvotes: 3
Views: 4360
Reputation: 20339
After some searching and reading the documentation I came across this commit. I tried it in Gerrit 2.7-rc1 and it worked.
Your gerrit config should contain the following:
[auth]
type = OPENID
trustedOpenID = https://www.google.com/accounts/o8/id?id=
openIdDomain = @mysite.com
This permits me to log in with any OpenID-enabled email address in the domain mysite.com and prohibits others. Note that the '@' has to be there; it doesn't work without it. ;-)
Additionally if you only want to allow Google as an OpenID provider you may want to set the following to skip the selection of OpenID providers:
[auth]
type = OPENID_SSO
openIdDomain = @mysite.com
openIdSsoUrl = https://www.google.com/accounts/o8/id
Documentation for Gerrit 2.6 also contains this information.
Upvotes: 1
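A small pre-deployment check for the two pitfalls reported in this thread (single quotes around provider URLs, and an openIdDomain value without the '@' form the answer reports as required), as an added example that is not part of the original posts or of Gerrit. The sample configs are constructed, the function names are hypothetical, and `provider_allowed` is an assumed simplified model of the provider match (a value starting with `^` is a regex, anything else a prefix):

```python
import re

# Constructed inputs modelled on the two [auth] blocks quoted in this thread.
QUOTED_CFG = """[auth]
  type = OPENID
  allowedOpenID = 'https://www.google.com/accounts/o8/site-xrds?hd=mysite.com'
  openIdDomain = mysite.com
"""
FIXED_CFG = """[auth]
  type = OPENID
  trustedOpenID = https://www.google.com/accounts/o8/id?id=
  openIdDomain = @mysite.com
"""
URL_KEYS = {"allowedopenid", "trustedopenid", "openidssourl"}

def auth_entries(text):
    """Return (key, value) pairs of the [auth] section; keys lower-cased."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        header = re.fullmatch(r"\[\s*([\w.-]+)\s*\]", line)
        if header:
            section = header.group(1).lower()
        elif section == "auth" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)   # URL values may contain '='
            entries.append((key.strip().lower(), value.strip()))
    return entries

def lint_auth(text):
    """Flag the two pitfalls reported in this thread."""
    findings = []
    for key, value in auth_entries(text):
        if key in URL_KEYS and (value.startswith("'") or value.endswith("'")):
            findings.append(f"{key}: single quotes are kept as part of the value")
        if key == "openiddomain" and not value.startswith("@"):
            findings.append(f"{key}: expected '@domain' form, got {value!r}")
    return findings

def provider_allowed(patterns, identity):
    """Assumed model of the match: '^...' is a regex, anything else a prefix."""
    return any(re.fullmatch(p, identity) if p.startswith("^")
               else identity.startswith(p) for p in patterns)

if __name__ == "__main__":
    for name, cfg in (("quoted", QUOTED_CFG), ("fixed", FIXED_CFG)):
        print(name, lint_auth(cfg) or "ok")
```

Under that model the quoted value can never match a real provider URL, because the stored pattern begins with a literal `'`.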