[Notice] Big Gerrit login change

If you are a Gerrit user (https://review.haiku-os.org), we are beginning to migrate accounts over to a dedicated Haiku identity provider.

This will improve our ability to conduct single-sign-on workflows throughout our applications, allow users to access our services without a Github account, and help us better combat spammers.

Here’s the condensed list of steps I need from you:

If you have an email defined in Gerrit (300+ users)

  1. Go to https://sso.haiku-os.org and click “Forgot Password?”
  2. Reset your password
  3. Profit. You can authenticate to Gerrit now with this Identity

If you do NOT have an email defined in Gerrit: (~180 users)

  1. Try the above. Who knows, it might work.
  2. If it doesn’t, follow “Path B” in the guide below.

I’ve put together a detailed guide with screenshots:

If you need “Path B”, be sure to complete this as soon as possible. If we eventually ever unplug from direct Github authentication, you’ll lose your connection to Gerrit.


As someone who likes to use one account to authenticate another, I also seem to be able to log in to https://sso.haiku-os.org by linking it to my existing GitHub account. That way, the page would require me to re-verify my email address instead of setting up a new password (a new random piece of text that I would have to manage).

Hopefully Haiku SSO can be used to log in to all haiku-os.org sites in the near future, including the bug tracker and Pootle.


That’s the goal. Trac, Discourse, Pootle, Translation Tools, Haikudepot? I’ve gotten a lot of feedback over the years about people not wanting github accounts to login to Haiku as the sole option.

This might (might) help us control spam on things like Trac too.

Here’s my notes on the various services:

  • Trac - Difficult, unmaintained oidc2 plugin
  • Discourse - Difficult, lots of users, and no option for multiple auth providers.
  • Pootle - Moderate. Easy base of users… unclear if oidc2 or saml supported :expressionless:
  • Translation tools - Moderate. I think it’s our codebase? We’ll need to develop workflows
  • Haikudepot - easy for me… @apl does all the work :grin:

All reasons I went with Gerrit first :slight_smile:. For all the sysadmin drama on it, it supported oidc2 the best.

Keycloak supports Webauthn too… which is really cool “passwordless OTP login” cough


Both Path A and Path B do not work. I have an email address but not receiving emails when I try reset. Using GitHub tells me that I have an account already linked. No access.
Are bugs being reported for this in Trac?

Yeah, path B was only valid for a month or two. It only worked when we were in “authentication limbo”

If you open a trac ticket or email contact at haiku-os.org we can take a look on manual intervention.

Well, in case HaikuDepot Server I have a doubt about SSO solution as my ticket about nick name issue closed last time with not complete resolution.
Now we can register longer nick names and however the registration page does not mention a “little constraint” : do not use CAPITAL letters in your nickname !
So then I had gave up to register a user here as finally I still could not register the exact same user name here that I could use everywhere.
Now I was tried to register “KitsunePrefecture” on HaikuDepot Server but still fails - [Create] still remains grey - so not activated as a button - after all fields filled out … this way still not possible to have the same account name as on other services.

Sounds like a ticket at Trac would be more useful than posting in an only slightly related thread.

Hello @KitsunePrefecture ; for issues with Haiku Depot Server (HDS), can you please lodge a ticket to correct this problem here.

The pattern for nicknames in HDS is ^[a-z0-9]{4,32}$ so you are correct that you will not be able to use upper-case letters.

HDS is not currently integrated with the new Haiku identity system and it will take a number of complex steps over a period of time to achieve this. It is likely that the primary identifier will be on the email but I am unsure at this stage.

I am aware that email is currently optional in HDS and this is something that will need to be worked through.

Dear @apl ,

Thanks, understand that . I just simply wait till I can use the same nick on HDS.
I do not need basically the SSO actually.
I just thought it is LDAP-like where the account name should be the same on all servers.
Primarily, what’s important : works … I can download packages, so basically HDS works for me as well. I could use only extra stuff like rating if I could login as well - so at this time I’ll bear with it - as it is.

Thanks for your work,