private void authenticateAndRedirect(HttpServletRequest req, HttpServletResponse rsp)
      throws IOException {
    AuthRequest areq = new AuthRequest(user.getExternalId());
    AuthResult arsp;
    try {
      String claimedIdentifier = user.getClaimedIdentity();
      if (!Strings.isNullOrEmpty(claimedIdentifier)) {
        if (!authenticateWithIdentityClaimedDuringHandshake(areq, rsp, claimedIdentifier)) {
          return;
        }
      } else if (linkMode) {
        if (!authenticateWithLinkedIdentity(areq, rsp)) {
          return;
        }
      }
      areq.setUserName(user.getUserName());
      areq.setEmailAddress(user.getEmailAddress());
      areq.setDisplayName(user.getDisplayName());
      arsp = accountManager.authenticate(areq);
    } catch (AccountException e) {
      log.error("Unable to authenticate user \"" + user + "\"", e);
      rsp.sendError(HttpServletResponse.SC_FORBIDDEN);
      return;
    }

    webSession.get().login(arsp, true);
    String suffix = redirectToken.substring(OAuthWebFilter.GERRIT_LOGIN.length() + 1);
    StringBuilder rdr = new StringBuilder(urlProvider.get(req));
    rdr.append(Url.decode(suffix));
    rsp.sendRedirect(rdr.toString());
  }
 private boolean authenticateWithIdentityClaimedDuringHandshake(
     AuthRequest req, HttpServletResponse rsp, String claimedIdentifier)
     throws AccountException, IOException {
   Account.Id claimedId = accountManager.lookup(claimedIdentifier);
   Account.Id actualId = accountManager.lookup(user.getExternalId());
   if (claimedId != null && actualId != null) {
     if (claimedId.equals(actualId)) {
       // Both link to the same account, that's what we expected.
       log.debug("OAuth2: claimed identity equals current id");
     } else {
       // This is (for now) a fatal error. There are two records
       // for what might be the same user.
       //
       log.error(
           "OAuth accounts disagree over user identity:\n"
               + "  Claimed ID: "
               + claimedId
               + " is "
               + claimedIdentifier
               + "\n"
               + "  Delgate ID: "
               + actualId
               + " is "
               + user.getExternalId());
       rsp.sendError(HttpServletResponse.SC_FORBIDDEN);
       return false;
     }
   } else if (claimedId != null && actualId == null) {
     // Claimed account already exists: link to it.
     //
     log.info("OAuth2: linking claimed identity to {}", claimedId.toString());
     try {
       accountManager.link(claimedId, req);
     } catch (OrmException e) {
       log.error(
           "Cannot link: "
               + user.getExternalId()
               + " to user identity:\n"
               + "  Claimed ID: "
               + claimedId
               + " is "
               + claimedIdentifier);
       rsp.sendError(HttpServletResponse.SC_FORBIDDEN);
       return false;
     }
   }
   return true;
 }
 private boolean authenticateWithLinkedIdentity(AuthRequest areq, HttpServletResponse rsp)
     throws AccountException, IOException {
   try {
     accountManager.link(identifiedUser.get().getAccountId(), areq);
   } catch (OrmException e) {
     log.error(
         "Cannot link: "
             + user.getExternalId()
             + " to user identity: "
             + identifiedUser.get().getAccountId());
     rsp.sendError(HttpServletResponse.SC_FORBIDDEN);
     return false;
   } finally {
     linkMode = false;
   }
   return true;
 }