gerrit-oauth-provider exist in the wild, but I don't know LDAP implications and whether it makes sense to investigate with Differential being the long-term goal...

I thought about differential. However my impression is that a total migration will still take some time. In the meanwhile, maybe we can benefit from it. Thanks.

I'm not sure it's worth the work, we don't really need non-technical users in gerrit do we?

I'd say that we don't due to the nature of gerrit. I recognize that it's mainly because of lazyness that I'm asking for this, so I don't have to type so many times a password to log in to Wikimedia, to Phabricator, to Gerrit and Wikitech. If most of the active gerrit regulars won't find it useful, I'm willing to drop the request. I'm however sorry not to have found a more appropriate place to discuss and propose this.

@bd808 has plans for eventually merging LDAP with SUL, I think.

In T147864#2706550, @Tgr wrote:

@bd808 has plans for eventually merging LDAP with SUL, I think.

There isn't a full plan with a timeline yet, but yes I'm starting work towards associating LDAP and normal Wikimedia unified accounts. When we get this fully done then it may be possible to find a way use Wikimedia OAUTH with gerrit.

I doint think this will work, I believe gerrit only supports one login system at a time unlike mediawiki which can support a lot. But I'm guessing here.

It's not a very good standard though (e.g. the registration experience we provide is pretty bad) and probably probably contributes to our dwindling volunteer numbers. Plus having passwords is always an annoyance and a slight security risk (no keylogger can steal an OAuth login button). There would be merit in using a more sensible login method IMO. Of course, it would depend on having some way to assign LDAP groups to external accounts (hence, wikitech SUL migration probably).

Could probably use mod_authnz_fcgi with something like mediawiki/oauthclient? Anyway this is blocked on having some connection between LDAP and SUL (so T148048: Store Wikimedia unified account name (SUL) in LDAP directory I guess?).

Would suck to have to install PHP just for that but I get your point: can do it indirectly via authnz_fcgi or similar.

I think authnz_fcgi allows the CGI script to be hosted remotely so it could be centralized (and then use something like mod_session to remember the user).

Also see T48146

Sorry for the off-topic. Maybe we should move towards using 2FA for gerrit instead, and require it for people with +2 access on mediawiki as well as those on ldap/{wmf,ops}, operations/puppet, Gerrit Administrators, Gerrit Managers, and other sensitive places/groups. @Paladox Does Gerrit support 2FA?

Gerrit dosent support 2fa as far as I know.

In T147864#4924028, @MarcoAurelio wrote:

Does Gerrit support 2FA?

Currently the two-factor protection for Wikimedia developer accounts must be handled by the Wikitech MediaWiki deployment. The Time-based One Time Password (TOTP) second factor we use must always be checked with access to state information about other attempts to use the token. This is a protection against replay attacks: Alice provides TOTP token to Service A, Mallory intercepts TOTP token in transit between Alice and Service A, Mallory provides TOTP token + credentials for Alice to Service B before the token expires. We protect against this by recording (user, TOTP token) pairs and checking to ensure that the same TOTP token has not been used previously. The best way to start enforcing 2FA protection across multiple applications using Wikimedia developer accounts (LDAP) would be to implement a true single sign-on (SSO) service like Kerberos or SAML. See also T179463: Create a single application to provision and manage developer (LDAP) accounts.