up

2025-01-13 18:00:03 +08:00 · 2025-01-13 18:00:03 +08:00 · c2d68ee68c
commit c2d68ee68c
38 changed files with 4168 additions and 0 deletions
--- a/README.rst
+++ b/README.rst
@ -0,0 +1,247 @@
 =============================
 Authentication OpenID Connect
 =============================
 .. 
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   !! This file is generated by oca-gen-addon-readme !!
   !! changes will be overwritten.                   !!
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   !! source digest: sha256:cd754fc72d2039d02ab1b8aec98af43fb9543c9a70f2150ab6e482954e4e83d6
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
    :target: https://odoo-community.org/page/development-status
    :alt: Beta
 .. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
    :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
    :target: https://github.com/OCA/server-auth/tree/18.0/auth_oidc
    :alt: OCA/server-auth
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
    :target: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_oidc
    :alt: Translate me on Weblate
 .. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=18.0
    :alt: Try me on Runboat
 |badge1| |badge2| |badge3| |badge4| |badge5|
 This module allows users to login through an OpenID Connect provider
 using the authorization code flow or implicit flow.
 Note the implicit flow is not recommended because it exposes access
 tokens to the browser and in http logs.
 **Table of contents**
 .. contents::
   :local:
 Installation
 ============
 This module depends on the
 `python-jose <https://pypi.org/project/python-jose/>`__ library, not to
 be confused with ``jose`` which is also available on PyPI.
 Configuration
 =============
 Setup for Microsoft Azure
 -------------------------
 Example configuration with OpenID Connect authorization code flow.
 1. configure a new web application in Azure with OpenID and code flow
   (see the `provider
   documentation <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider>`__))
 2. in this application the redirect url must be be "<url of your
   server>/auth_oauth/signin" and of course this URL should be reachable
   from Azure
 3. create a new authentication provider in Odoo with the following
   parameters (see the `portal
   documentation <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings>`__
   for more information):
 |image|
 |image1|
 Single tenant provider limits the access to user of your tenant, while
 Multitenants allow access for all AzureAD users, so user of foreign
 companies can use their AzureAD login without an guest account.
 -  Provider Name: Azure AD Single Tenant
 -  Client ID: Application (client) id
 -  Client Secret: Client secret
 -  Allowed: yes
 or
 -  Provider Name: Azure AD Multitenant
 -  Client ID: Application (client) id
 -  Client Secret: Client secret
 -  Allowed: yes
 -  replace {tenant_id} in urls with your Azure tenant id
 |image2|
 Setup for Keycloak
 ------------------
 Example configuration with OpenID Connect authorization code flow.
 In Keycloak:
 1. configure a new Client
 2. make sure Authorization Code Flow is Enabled.
 3. configure the client Access Type as "confidential" and take note of
   the client secret in the Credentials tab
 4. configure the redirect url to be "<url of your
   server>/auth_oauth/signin"
 In Odoo, create a new Oauth Provider with the following parameters:
 -  Provider name: Keycloak (or any name you like that identify your
   keycloak provider)
 -  Auth Flow: OpenID Connect (authorization code flow)
 -  Client ID: the same Client ID you entered when configuring the client
   in Keycloak
 -  Client Secret: found in keycloak on the client Credentials tab
 -  Allowed: yes
 -  Body: the link text to appear on the login page, such as Login with
   Keycloak
 -  Scope: openid email
 -  Authentication URL: The "authorization_endpoint" URL found in the
   OpenID Endpoint Configuration of your Keycloak realm
 -  Token URL: The "token_endpoint" URL found in the OpenID Endpoint
   Configuration of your Keycloak realm
 -  JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
   Configuration of your Keycloak realm
 .. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
 .. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
 .. |image2| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png
 Usage
 =====
 On the login page, click on the authentication provider you configured.
 Known issues / Roadmap
 ======================
 -  When going to the login screen, check for a existing token and do a
   direct login without the clicking on the SSO link
 -  When doing a logout an extra option to also logout at the SSO
   provider.
 Changelog
 =========
 18.0.1.0.0 2024-10-09
 ---------------------
 -  Odoo 18 migration
 17.0.1.0.0 2024-03-20
 ---------------------
 -  Odoo 17 migration
 16.0.1.1.0 2024-02-28
 ---------------------
 -  Forward port OpenID Connect fixes from 15.0 to 16.0
 16.0.1.0.2 2023-11-16
 ---------------------
 -  Readme link updates
 16.0.1.0.1 2023-10-09
 ---------------------
 -  Add AzureAD code flow provider
 16.0.1.0.0 2023-01-27
 ---------------------
 -  Odoo 16 migration
 15.0.1.0.0 2023-01-06
 ---------------------
 -  Odoo 15 migration
 14.0.1.0.0 2021-12-10
 ---------------------
 -  Odoo 14 migration
 13.0.1.0.0 2020-04-10
 ---------------------
 -  Odoo 13 migration, add authorization code flow.
 10.0.1.0.0 2018-10-05
 ---------------------
 -  Initial implementation
 Bug Tracker
 ===========
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
 `feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 Do not contact contributors directly about support or help with technical issues.
 Credits
 =======
 Authors
 -------
 * ICTSTUDIO
 * André Schenkels
 * ACSONE SA/NV
 Contributors
 ------------
 -  Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
 -  Stéphane Bidoul <stephane.bidoul@acsone.eu>
 -  David Jaen <david.jaen.revert@gmail.com>
 -  Andreas Perhab <andreas.perhab@wt-io-it.at>
 Maintainers
 -----------
 This module is maintained by the OCA.
 .. image:: https://odoo-community.org/logo.png
   :alt: Odoo Community Association
   :target: https://odoo-community.org
 OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.
 .. |maintainer-sbidoul| image:: https://github.com/sbidoul.png?size=40px
    :target: https://github.com/sbidoul
    :alt: sbidoul
 Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
 |maintainer-sbidoul| 
 This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/18.0/auth_oidc>`_ project on GitHub.
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
--- a/init.py
+++ b/init.py
@ -0,0 +1,5 @@
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 from . import controllers
 from . import models
--- a/manifest.py
+++ b/manifest.py
@ -0,0 +1,21 @@
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # Copyright 2021 ACSONE SA/NV <https://acsone.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 {
    "name": "Authentication OpenID Connect",
    "version": "18.0.1.0.0",
    "license": "AGPL-3",
    "author": (
        "ICTSTUDIO, André Schenkels, "
        "ACSONE SA/NV, "
        "Odoo Community Association (OCA)"
    ),
    "maintainers": ["sbidoul"],
    "website": "https://github.com/OCA/server-auth",
    "summary": "Allow users to login through OpenID Connect Provider",
    "external_dependencies": {"python": ["python-jose"]},
    "depends": ["auth_oauth"],
    "data": ["views/auth_oauth_provider.xml", "data/auth_oauth_data.xml"],
    "demo": ["demo/local_keycloak.xml"],
 }
--- a/pycache/init.cpython-312.pyc
+++ b/pycache/init.cpython-312.pyc
--- a/controllers/init.py
+++ b/controllers/init.py
@ -0,0 +1,4 @@
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 from . import main
--- a/controllers/pycache/init.cpython-312.pyc
+++ b/controllers/pycache/init.cpython-312.pyc
--- a/controllers/pycache/main.cpython-312.pyc
+++ b/controllers/pycache/main.cpython-312.pyc
--- a/controllers/main.py
+++ b/controllers/main.py
@ -0,0 +1,50 @@
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # Copyright 2021 ACSONE SA/NV <https://acsone.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 import base64
 import hashlib
 import logging
 import secrets
 from werkzeug.urls import url_decode, url_encode
 from odoo.addons.auth_oauth.controllers.main import OAuthLogin
 _logger = logging.getLogger(__name__)
 class OpenIDLogin(OAuthLogin):
    def list_providers(self):
        providers = super().list_providers()
        for provider in providers:
            flow = provider.get("flow")
            if flow in ("id_token", "id_token_code"):
                params = url_decode(provider["auth_link"].split("?")[-1])
                # nonce
                params["nonce"] = secrets.token_urlsafe()
                # response_type
                if flow == "id_token":
                    # https://openid.net/specs/openid-connect-core-1_0.html
                    # #ImplicitAuthRequest
                    params["response_type"] = "id_token token"
                elif flow == "id_token_code":
                    # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
                    params["response_type"] = "code"
                # PKCE (https://tools.ietf.org/html/rfc7636)
                code_verifier = provider["code_verifier"]
                code_challenge = base64.urlsafe_b64encode(
                    hashlib.sha256(code_verifier.encode("ascii")).digest()
                ).rstrip(b"=")
                params["code_challenge"] = code_challenge
                params["code_challenge_method"] = "S256"
                # scope
                if provider.get("scope"):
                    if "openid" not in provider["scope"].split():
                        _logger.error("openid connect scope must contain 'openid'")
                    params["scope"] = provider["scope"]
                # auth link that the user will click
                provider["auth_link"] = "{}?{}".format(
                    provider["auth_endpoint"], url_encode(params)
                )
        return providers
--- a/data/auth_oauth_data.xml
+++ b/data/auth_oauth_data.xml
@ -0,0 +1,39 @@
 <?xml version="1.0" encoding="utf-8" ?>
 <odoo noupdate="1">
    <record id="provider_azuread_multi" model="auth.oauth.provider">
        <field name="name">Azure AD Multitenant</field>
        <field name="flow">id_token_code</field>
        <field name="enabled">False</field>
        <field name="token_map">upn:user_id upn:email</field>
        <field
            name="auth_endpoint"
        >https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize</field>
        <field name="scope">profile openid</field>
        <field
            name="token_endpoint"
        >https://login.microsoftonline.com/organizations/oauth2/v2.0/token</field>
        <field
            name="jwks_uri"
        >https://login.microsoftonline.com/organizations/discovery/v2.0/keys</field>
        <field name="css_class">fa fa-fw fa-windows</field>
        <field name="body">Log in with Microsoft</field>
    </record>
    <record id="provider_azuread_single" model="auth.oauth.provider">
        <field name="name">Azure AD Single Tenant</field>
        <field name="flow">id_token_code</field>
        <field name="enabled">False</field>
        <field name="token_map">upn:user_id upn:email</field>
        <field
            name="auth_endpoint"
        >https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize</field>
        <field name="scope">profile openid</field>
        <field
            name="token_endpoint"
        >https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token</field>
        <field
            name="jwks_uri"
        >https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys</field>
        <field name="css_class">fa fa-fw fa-windows</field>
        <field name="body">Log in with Microsoft</field>
    </record>
 </odoo>
--- a/demo/local_keycloak.xml
+++ b/demo/local_keycloak.xml
@ -0,0 +1,20 @@
 <odoo>
    <record id="local_keycloak" model="auth.oauth.provider">
        <field name="name">keycloak:8080 on localhost</field>
        <field name="flow">id_token_code</field>
        <field name="client_id">auth_oidc-test</field>
        <field name="token_map">preferred_username:user_id</field>
        <field name="body">keycloak:8080 on localhost</field>
        <field name="enabled" eval="True" />
        <field name="scope">openid email</field>
        <field
            name="auth_endpoint"
        >http://localhost:8080/auth/realms/master/protocol/openid-connect/auth</field>
        <field
            name="token_endpoint"
        >http://localhost:8080/auth/realms/master/protocol/openid-connect/token</field>
        <field
            name="jwks_uri"
        >http://localhost:8080/auth/realms/master/protocol/openid-connect/certs</field>
    </record>
 </odoo>
--- a/i18n/auth_oidc.pot
+++ b/i18n/auth_oidc.pot
@ -0,0 +1,119 @@
 # Translation of Odoo Server.
 # This file contains the translation of the following modules:
 # 	* auth_oidc
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: Odoo Server 18.0\n"
 "Report-Msgid-Bugs-To: \n"
 "Last-Translator: \n"
 "Language-Team: \n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: \n"
 "Plural-Forms: \n"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
 msgid "Auth Flow"
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
 msgid "Client Secret"
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
 msgid "Code Verifier"
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
 msgid "JWKS URL"
 msgstr ""
 #. module: auth_oidc
 #: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
 #: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
 msgid "Log in with Microsoft"
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
 msgid "OAuth2"
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model,name:auth_oidc.model_auth_oauth_provider
 msgid "OAuth2 provider"
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
 msgid "OpenID Connect (authorization code flow)"
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
 msgid "OpenID Connect (implicit flow, not recommended)"
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
 msgid "Required for OpenID Connect authorization code flow."
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
 msgid "Required for OpenID Connect."
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
 msgid ""
 "Some Oauth providers don't map keys in their responses exactly as required."
 "  It is important to ensure user_id and email at least are mapped. For "
 "OpenID Connect user_id is the sub key in the standard."
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
 msgid "Token Map"
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
 msgid "Token URL"
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
 msgid "Used for PKCE."
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
 msgid ""
 "Used in OpenID Connect authorization code flow for confidential clients."
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model,name:auth_oidc.model_res_users
 msgid "User"
 msgstr ""
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
 msgid "UserInfo URL"
 msgstr ""
 #. module: auth_oidc
 #: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
 msgid "e.g from:to upn:email sub:user_id"
 msgstr ""
 #. module: auth_oidc
 #: model:auth.oauth.provider,body:auth_oidc.local_keycloak
 msgid "keycloak:8080 on localhost"
 msgstr ""
--- a/i18n/es.po
+++ b/i18n/es.po
@ -0,0 +1,128 @@
 # Translation of Odoo Server.
 # This file contains the translation of the following modules:
 # 	* auth_oidc
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: Odoo Server 16.0\n"
 "Report-Msgid-Bugs-To: \n"
 "PO-Revision-Date: 2023-10-15 19:36+0000\n"
 "Last-Translator: Ivorra78 <informatica@totmaterial.es>\n"
 "Language-Team: none\n"
 "Language: es\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: \n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
 "X-Generator: Weblate 4.17\n"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
 msgid "Auth Flow"
 msgstr "Flujo de autenticación"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
 msgid "Client Secret"
 msgstr "Secreto del cliente"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
 msgid "Code Verifier"
 msgstr "Verificador del código"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
 msgid "JWKS URL"
 msgstr "URL JWKS"
 #. module: auth_oidc
 #: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
 #: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
 msgid "Log in with Microsoft"
 msgstr "Iniciar sesión con Microsoft"
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
 msgid "OAuth2"
 msgstr "OAuth2"
 #. module: auth_oidc
 #: model:ir.model,name:auth_oidc.model_auth_oauth_provider
 msgid "OAuth2 provider"
 msgstr "Proveedor OAuth2"
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
 msgid "OpenID Connect (authorization code flow)"
 msgstr "OpenID Connect (flujo de código de autorización)"
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
 msgid "OpenID Connect (implicit flow, not recommended)"
 msgstr "OpenID Connect (flujo implícito, no recomendado)"
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
 msgid "Required for OpenID Connect authorization code flow."
 msgstr "Necesario para el flujo de código de autorización de OpenID Connect."
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
 msgid "Required for OpenID Connect."
 msgstr "Requerido para OpenID Connect."
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
 msgid ""
 "Some Oauth providers don't map keys in their responses exactly as required.  "
 "It is important to ensure user_id and email at least are mapped. For OpenID "
 "Connect user_id is the sub key in the standard."
 msgstr ""
 "Algunos proveedores de Oauth no mapean las claves en sus respuestas "
 "exactamente como se requiere.  Es importante asegurarse de que al menos "
 "user_id y email están mapeados. Para OpenID Connect user_id es la subclave "
 "en el estándar."
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
 msgid "Token Map"
 msgstr "Mapa de Símbolos"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
 msgid "Token URL"
 msgstr "URL de la ficha"
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
 msgid "Used for PKCE."
 msgstr "Utilizado para PKCE."
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
 msgid ""
 "Used in OpenID Connect authorization code flow for confidential clients."
 msgstr ""
 "Se utiliza en el flujo de código de autorización de OpenID Connect para "
 "clientes confidenciales."
 #. module: auth_oidc
 #: model:ir.model,name:auth_oidc.model_res_users
 msgid "User"
 msgstr "Usuario"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
 msgid "UserInfo URL"
 msgstr "URL de información del usuario"
 #. module: auth_oidc
 #: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
 msgid "e.g from:to upn:email sub:user_id"
 msgstr "p.ej. from:to upn:email sub:user_id"
 #. module: auth_oidc
 #: model:auth.oauth.provider,body:auth_oidc.local_keycloak
 msgid "keycloak:8080 on localhost"
 msgstr "keycloak:8080 en el servidor local"
--- a/i18n/it.po
+++ b/i18n/it.po
@ -0,0 +1,127 @@
 # Translation of Odoo Server.
 # This file contains the translation of the following modules:
 # 	* auth_oidc
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: Odoo Server 16.0\n"
 "Report-Msgid-Bugs-To: \n"
 "PO-Revision-Date: 2024-01-05 10:34+0000\n"
 "Last-Translator: mymage <stefano.consolaro@mymage.it>\n"
 "Language-Team: none\n"
 "Language: it\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: \n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
 "X-Generator: Weblate 4.17\n"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
 msgid "Auth Flow"
 msgstr "Flusso atorizzazione"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
 msgid "Client Secret"
 msgstr "Chiave segreta client"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
 msgid "Code Verifier"
 msgstr "Verificatore codice"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
 msgid "JWKS URL"
 msgstr "URL JWKS"
 #. module: auth_oidc
 #: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
 #: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
 msgid "Log in with Microsoft"
 msgstr "Accedi con Mcrosoft"
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
 msgid "OAuth2"
 msgstr "OAuth2"
 #. module: auth_oidc
 #: model:ir.model,name:auth_oidc.model_auth_oauth_provider
 msgid "OAuth2 provider"
 msgstr "Provider OAuth2"
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
 msgid "OpenID Connect (authorization code flow)"
 msgstr "OpenID Connect (flusso codice autorizzazione)"
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
 msgid "OpenID Connect (implicit flow, not recommended)"
 msgstr "OpenID Connect (flusso implicito, non raccomandato)"
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
 msgid "Required for OpenID Connect authorization code flow."
 msgstr "Richiesto per flusso codice atorizzazione OpenID Connect."
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
 msgid "Required for OpenID Connect."
 msgstr "Richiesto per OpenID Connect."
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
 msgid ""
 "Some Oauth providers don't map keys in their responses exactly as required.  "
 "It is important to ensure user_id and email at least are mapped. For OpenID "
 "Connect user_id is the sub key in the standard."
 msgstr ""
 "Alcuni Provider Oauth non mappano le chiavi nelle loro risposte esattamente "
 "come richiesto.   È importante assicurare che almeno user_id ed e-mail siano "
 "mappati. Per OpenID Connect user_id è la sotto-chiave nello standard."
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
 msgid "Token Map"
 msgstr "Mappa token"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
 msgid "Token URL"
 msgstr "URL token"
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
 msgid "Used for PKCE."
 msgstr "Utilizzato per PKCE."
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
 msgid ""
 "Used in OpenID Connect authorization code flow for confidential clients."
 msgstr ""
 "Utilizzato nel flusso codice autorizzazione OpenID Connect per client "
 "riservati."
 #. module: auth_oidc
 #: model:ir.model,name:auth_oidc.model_res_users
 msgid "User"
 msgstr "Utente"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
 msgid "UserInfo URL"
 msgstr "URL info utente"
 #. module: auth_oidc
 #: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
 msgid "e.g from:to upn:email sub:user_id"
 msgstr "es. from:to upn:email sub:user_id"
 #. module: auth_oidc
 #: model:auth.oauth.provider,body:auth_oidc.local_keycloak
 msgid "keycloak:8080 on localhost"
 msgstr "keycloak:8080 su localhost"
--- a/i18n/zh_CN.po
+++ b/i18n/zh_CN.po
@ -0,0 +1,124 @@
 # Translation of Odoo Server.
 # This file contains the translation of the following modules:
 # 	* auth_oidc
 #
 msgid ""
 msgstr ""
 "Project-Id-Version: Odoo Server 17.0\n"
 "Report-Msgid-Bugs-To: \n"
 "PO-Revision-Date: 2024-07-03 10:47+0000\n"
 "Last-Translator: xtanuiha <feihu.zhang@live.com>\n"
 "Language-Team: none\n"
 "Language: zh_CN\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: \n"
 "Plural-Forms: nplurals=1; plural=0;\n"
 "X-Generator: Weblate 4.17\n"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
 msgid "Auth Flow"
 msgstr "认证流程"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
 msgid "Client Secret"
 msgstr "客户端密钥"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
 msgid "Code Verifier"
 msgstr "代码验证器"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
 msgid "JWKS URL"
 msgstr "JWKS 网址"
 #. module: auth_oidc
 #: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
 #: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
 msgid "Log in with Microsoft"
 msgstr "使用 Microsoft 登录"
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
 msgid "OAuth2"
 msgstr "OAuth2"
 #. module: auth_oidc
 #: model:ir.model,name:auth_oidc.model_auth_oauth_provider
 msgid "OAuth2 provider"
 msgstr "OAuth2 提供者"
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
 msgid "OpenID Connect (authorization code flow)"
 msgstr "OpenID Connect（授权码流程）"
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
 msgid "OpenID Connect (implicit flow, not recommended)"
 msgstr "OpenID Connect（隐式流程，不推荐）"
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
 msgid "Required for OpenID Connect authorization code flow."
 msgstr "OpenID Connect 授权码流程所需。"
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
 msgid "Required for OpenID Connect."
 msgstr "OpenID Connect 所需。"
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
 msgid ""
 "Some Oauth providers don't map keys in their responses exactly as required.  "
 "It is important to ensure user_id and email at least are mapped. For OpenID "
 "Connect user_id is the sub key in the standard."
 msgstr ""
 "一些 OAuth 提供者在其响应中并没有完全按照要求映射键。至少需要确保 user_id 和 "
 "email 被映射。对于 OpenID Connect，user_id 是标准中的 sub 键。"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
 msgid "Token Map"
 msgstr "令牌映射"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
 msgid "Token URL"
 msgstr "令牌网址"
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
 msgid "Used for PKCE."
 msgstr "用于 PKCE。"
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
 msgid ""
 "Used in OpenID Connect authorization code flow for confidential clients."
 msgstr "在 OpenID Connect 授权码流程中用于保密客户端。"
 #. module: auth_oidc
 #: model:ir.model,name:auth_oidc.model_res_users
 msgid "User"
 msgstr "用户"
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
 msgid "UserInfo URL"
 msgstr "用户信息网址"
 #. module: auth_oidc
 #: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
 msgid "e.g from:to upn:email sub:user_id"
 msgstr "例如 from:to upn:email sub:user_id"
 #. module: auth_oidc
 #: model:auth.oauth.provider,body:auth_oidc.local_keycloak
 msgid "keycloak:8080 on localhost"
 msgstr "localhost 上的 keycloak:8080"
--- a/models/init.py
+++ b/models/init.py
@ -0,0 +1,5 @@
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 from . import auth_oauth_provider
 from . import res_users
--- a/models/pycache/init.cpython-312.pyc
+++ b/models/pycache/init.cpython-312.pyc
--- a/models/pycache/auth_oauth_provider.cpython-312.pyc
+++ b/models/pycache/auth_oauth_provider.cpython-312.pyc
--- a/models/pycache/res_users.cpython-312.pyc
+++ b/models/pycache/res_users.cpython-312.pyc
--- a/models/auth_oauth_provider.py
+++ b/models/auth_oauth_provider.py
@ -0,0 +1,106 @@
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # Copyright 2021 ACSONE SA/NV <https://acsone.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 import logging
 import secrets
 import requests
 from odoo import fields, models, tools
 try:
    from jose import jwt
    from jose.exceptions import JWSError, JWTError
 except ImportError:
    logging.getLogger(__name__).debug("jose library not installed")
 class AuthOauthProvider(models.Model):
    _inherit = "auth.oauth.provider"
    flow = fields.Selection(
        [
            ("access_token", "OAuth2"),
            ("id_token_code", "OpenID Connect (authorization code flow)"),
            ("id_token", "OpenID Connect (implicit flow, not recommended)"),
        ],
        string="Auth Flow",
        required=True,
        default="access_token",
    )
    token_map = fields.Char(
        help="Some Oauth providers don't map keys in their responses "
        "exactly as required.  It is important to ensure user_id and "
        "email at least are mapped. For OpenID Connect user_id is "
        "the sub key in the standard."
    )
    client_secret = fields.Char(
        help="Used in OpenID Connect authorization code flow for confidential clients.",
    )
    code_verifier = fields.Char(
        default=lambda self: secrets.token_urlsafe(32), help="Used for PKCE."
    )
    validation_endpoint = fields.Char(required=False)
    token_endpoint = fields.Char(
        string="Token URL", help="Required for OpenID Connect authorization code flow."
    )
    jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
    @tools.ormcache("self.jwks_uri", "kid")
    def _get_keys(self, kid):
        r = requests.get(self.jwks_uri, timeout=10)
        r.raise_for_status()
        response = r.json()
        # the keys returned here should follow
        # JWS Notes on Key Selection
        # https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-signature#appendix-D
        return [
            key
            for key in response["keys"]
            if kid is None or key.get("kid", None) == kid
        ]
    def _map_token_values(self, res):
        if self.token_map:
            for pair in self.token_map.split(" "):
                from_key, to_key = (k.strip() for k in pair.split(":", 1))
                if to_key not in res:
                    res[to_key] = res.get(from_key, "")
        return res
    def _parse_id_token(self, id_token, access_token):
        self.ensure_one()
        res = {}
        header = jwt.get_unverified_header(id_token)
        res.update(self._decode_id_token(access_token, id_token, header.get("kid")))
        res.update(self._map_token_values(res))
        return res
    def _decode_id_token(self, access_token, id_token, kid):
        keys = self._get_keys(kid)
        if len(keys) > 1 and kid is None:
            # https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.10.1
            # If there are multiple keys in the referenced JWK Set document, a kid
            # value MUST be provided in the JOSE Header.
            raise JWTError(
                "OpenID Connect requires kid to be set if there is more"
                " than one key in the JWKS"
            )
        error = None
        # we accept multiple keys with the same kid in case a key gets rotated.
        for key in keys:
            try:
                values = jwt.decode(
                    id_token,
                    key,
                    algorithms=["RS256"],
                    audience=self.client_id,
                    access_token=access_token,
                )
                return values
            except (JWTError, JWSError) as e:
                error = e
        if error:
            raise error
        return {}
--- a/models/res_users.py
+++ b/models/res_users.py
@ -0,0 +1,82 @@
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # Copyright 2021 ACSONE SA/NV <https://acsone.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 import logging
 import requests
 from odoo import api, models
 from odoo.exceptions import AccessDenied
 from odoo.http import request
 _logger = logging.getLogger(__name__)
 class ResUsers(models.Model):
    _inherit = "res.users"
    def _auth_oauth_get_tokens_implicit_flow(self, oauth_provider, params):
        # https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse
        return params.get("access_token"), params.get("id_token")
    def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
        # https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
        code = params.get("code")
        # https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
        auth = None
        if oauth_provider.client_secret:
            auth = (oauth_provider.client_id, oauth_provider.client_secret)
        response = requests.post(
            oauth_provider.token_endpoint,
            data=dict(
                client_id=oauth_provider.client_id,
                grant_type="authorization_code",
                code=code,
                code_verifier=oauth_provider.code_verifier,  # PKCE
                redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
            ),
            auth=auth,
            timeout=10,
        )
        response.raise_for_status()
        response_json = response.json()
        # https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
        return response_json.get("access_token"), response_json.get("id_token")
    @api.model
    def auth_oauth(self, provider, params):
        oauth_provider = self.env["auth.oauth.provider"].browse(provider)
        if oauth_provider.flow == "id_token":
            access_token, id_token = self._auth_oauth_get_tokens_implicit_flow(
                oauth_provider, params
            )
        elif oauth_provider.flow == "id_token_code":
            access_token, id_token = self._auth_oauth_get_tokens_auth_code_flow(
                oauth_provider, params
            )
        else:
            return super().auth_oauth(provider, params)
        if not access_token:
            _logger.error("No access_token in response.")
            raise AccessDenied()
        if not id_token:
            _logger.error("No id_token in response.")
            raise AccessDenied()
        validation = oauth_provider._parse_id_token(id_token, access_token)
        # required check
        if "sub" in validation and "user_id" not in validation:
            # set user_id for auth_oauth, user_id is not an OpenID Connect standard
            # claim:
            # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
            validation["user_id"] = validation["sub"]
        elif not validation.get("user_id"):
            _logger.error("user_id claim not found in id_token (after mapping).")
            raise AccessDenied()
        # retrieve and sign in user
        params["access_token"] = access_token
        login = self._auth_oauth_signin(provider, validation, params)
        if not login:
            raise AccessDenied()
        # return user credentials
        return (self.env.cr.dbname, login, access_token)
--- a/pyproject.toml
+++ b/pyproject.toml
@ -0,0 +1,3 @@
 [build-system]
 requires = ["whool"]
 build-backend = "whool.buildapi"
--- a/readme/CONFIGURE.md
+++ b/readme/CONFIGURE.md
@ -0,0 +1,72 @@
 ## Setup for Microsoft Azure
 Example configuration with OpenID Connect authorization code flow.
 1. configure a new web application in Azure with OpenID and code flow (see
 the [provider
 documentation](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)))
 2. in this application the redirect url must be be "\<url of your
 server\>/auth_oauth/signin" and of course this URL should be reachable
 from Azure
 3. create a new authentication provider in Odoo with the following
 parameters (see the [portal
 documentation](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings)
 for more information):
 ![image](../static/description/oauth-microsoft_azure-api_permissions.png)
 ![image](../static/description/oauth-microsoft_azure-optional_claims.png)
 Single tenant provider limits the access to user of your tenant, while
 Multitenants allow access for all AzureAD users, so user of foreign
 companies can use their AzureAD login without an guest account.
 - Provider Name: Azure AD Single Tenant
 - Client ID: Application (client) id
 - Client Secret: Client secret
 - Allowed: yes
 or
 - Provider Name: Azure AD Multitenant
 - Client ID: Application (client) id
 - Client Secret: Client secret
 - Allowed: yes
 - replace {tenant_id} in urls with your Azure tenant id
 ![image](../static/description/odoo-azure_ad_multitenant.png)
 ## Setup for Keycloak
 Example configuration with OpenID Connect authorization code flow.
 In Keycloak:
 1. configure a new Client
 2. make sure Authorization Code Flow is
 Enabled.
 3. configure the client Access Type as "confidential" and take
 note of the client secret in the Credentials tab
 4. configure the
 redirect url to be "\<url of your server\>/auth_oauth/signin"
 In Odoo, create a new Oauth Provider with the following parameters:
 - Provider name: Keycloak (or any name you like that identify your
  keycloak provider)
 - Auth Flow: OpenID Connect (authorization code flow)
 - Client ID: the same Client ID you entered when configuring the client
  in Keycloak
 - Client Secret: found in keycloak on the client Credentials tab
 - Allowed: yes
 - Body: the link text to appear on the login page, such as Login with
  Keycloak
 - Scope: openid email
 - Authentication URL: The "authorization_endpoint" URL found in the
  OpenID Endpoint Configuration of your Keycloak realm
 - Token URL: The "token_endpoint" URL found in the OpenID Endpoint
  Configuration of your Keycloak realm
 - JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
  Configuration of your Keycloak realm
--- a/readme/CONTRIBUTORS.md
+++ b/readme/CONTRIBUTORS.md
@ -0,0 +1,4 @@
 - Alexandre Fayolle \<<alexandre.fayolle@camptocamp.com>\>
 - Stéphane Bidoul \<<stephane.bidoul@acsone.eu>\>
 - David Jaen \<<david.jaen.revert@gmail.com>\>
 - Andreas Perhab \<<andreas.perhab@wt-io-it.at>\>
--- a/readme/DESCRIPTION.md
+++ b/readme/DESCRIPTION.md
@ -0,0 +1,5 @@
 This module allows users to login through an OpenID Connect provider
 using the authorization code flow or implicit flow.
 Note the implicit flow is not recommended because it exposes access
 tokens to the browser and in http logs.
--- a/readme/HISTORY.md
+++ b/readme/HISTORY.md
@ -0,0 +1,39 @@
 ## 18.0.1.0.0 2024-10-09
 - Odoo 18 migration
 ## 17.0.1.0.0 2024-03-20
 - Odoo 17 migration
 ## 16.0.1.1.0 2024-02-28
 - Forward port OpenID Connect fixes from 15.0 to 16.0
 ## 16.0.1.0.2 2023-11-16
 - Readme link updates
 ## 16.0.1.0.1 2023-10-09
 - Add AzureAD code flow provider
 ## 16.0.1.0.0 2023-01-27
 - Odoo 16 migration
 ## 15.0.1.0.0 2023-01-06
 - Odoo 15 migration
 ## 14.0.1.0.0 2021-12-10
 - Odoo 14 migration
 ## 13.0.1.0.0 2020-04-10
 - Odoo 13 migration, add authorization code flow.
 ## 10.0.1.0.0 2018-10-05
 - Initial implementation
--- a/readme/INSTALL.md
+++ b/readme/INSTALL.md
@ -0,0 +1,3 @@
 This module depends on the
 [python-jose](https://pypi.org/project/python-jose/) library, not to be
 confused with `jose` which is also available on PyPI.
--- a/readme/ROADMAP.md
+++ b/readme/ROADMAP.md
@ -0,0 +1,4 @@
 - When going to the login screen, check for a existing token and do a
  direct login without the clicking on the SSO link
 - When doing a logout an extra option to also logout at the SSO
  provider.
--- a/readme/USAGE.md
+++ b/readme/USAGE.md
@ -0,0 +1 @@
 On the login page, click on the authentication provider you configured.
--- a/static/description/icon.png
+++ b/static/description/icon.png
--- a/static/description/index.html
+++ b/static/description/index.html
@ -0,0 +1,607 @@
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
 <title>Authentication OpenID Connect</title>
 <style type="text/css">
 /*
 :Author: David Goodger (goodger@python.org)
 :Id: $Id: html4css1.css 9511 2024-01-13 09:50:07Z milde $
 :Copyright: This stylesheet has been placed in the public domain.
 Default cascading style sheet for the HTML output of Docutils.
 Despite the name, some widely supported CSS2 features are used.
 See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
 customize this style sheet.
 */
 /* used to remove borders from tables and images */
 .borderless, table.borderless td, table.borderless th {
  border: 0 }
 table.borderless td, table.borderless th {
  /* Override padding for "table.docutils td" with "! important".
     The right padding separates the table cells. */
  padding: 0 0.5em 0 0 ! important }
 .first {
  /* Override more specific margin styles with "! important". */
  margin-top: 0 ! important }
 .last, .with-subtitle {
  margin-bottom: 0 ! important }
 .hidden {
  display: none }
 .subscript {
  vertical-align: sub;
  font-size: smaller }
 .superscript {
  vertical-align: super;
  font-size: smaller }
 a.toc-backref {
  text-decoration: none ;
  color: black }
 blockquote.epigraph {
  margin: 2em 5em ; }
 dl.docutils dd {
  margin-bottom: 0.5em }
 object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
  overflow: hidden;
 }
 /* Uncomment (and remove this text!) to get bold-faced definition list terms
 dl.docutils dt {
  font-weight: bold }
 */
 div.abstract {
  margin: 2em 5em }
 div.abstract p.topic-title {
  font-weight: bold ;
  text-align: center }
 div.admonition, div.attention, div.caution, div.danger, div.error,
 div.hint, div.important, div.note, div.tip, div.warning {
  margin: 2em ;
  border: medium outset ;
  padding: 1em }
 div.admonition p.admonition-title, div.hint p.admonition-title,
 div.important p.admonition-title, div.note p.admonition-title,
 div.tip p.admonition-title {
  font-weight: bold ;
  font-family: sans-serif }
 div.attention p.admonition-title, div.caution p.admonition-title,
 div.danger p.admonition-title, div.error p.admonition-title,
 div.warning p.admonition-title, .code .error {
  color: red ;
  font-weight: bold ;
  font-family: sans-serif }
 /* Uncomment (and remove this text!) to get reduced vertical space in
   compound paragraphs.
 div.compound .compound-first, div.compound .compound-middle {
  margin-bottom: 0.5em }
 div.compound .compound-last, div.compound .compound-middle {
  margin-top: 0.5em }
 */
 div.dedication {
  margin: 2em 5em ;
  text-align: center ;
  font-style: italic }
 div.dedication p.topic-title {
  font-weight: bold ;
  font-style: normal }
 div.figure {
  margin-left: 2em ;
  margin-right: 2em }
 div.footer, div.header {
  clear: both;
  font-size: smaller }
 div.line-block {
  display: block ;
  margin-top: 1em ;
  margin-bottom: 1em }
 div.line-block div.line-block {
  margin-top: 0 ;
  margin-bottom: 0 ;
  margin-left: 1.5em }
 div.sidebar {
  margin: 0 0 0.5em 1em ;
  border: medium outset ;
  padding: 1em ;
  background-color: #ffffee ;
  width: 40% ;
  float: right ;
  clear: right }
 div.sidebar p.rubric {
  font-family: sans-serif ;
  font-size: medium }
 div.system-messages {
  margin: 5em }
 div.system-messages h1 {
  color: red }
 div.system-message {
  border: medium outset ;
  padding: 1em }
 div.system-message p.system-message-title {
  color: red ;
  font-weight: bold }
 div.topic {
  margin: 2em }
 h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
 h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
  margin-top: 0.4em }
 h1.title {
  text-align: center }
 h2.subtitle {
  text-align: center }
 hr.docutils {
  width: 75% }
 img.align-left, .figure.align-left, object.align-left, table.align-left {
  clear: left ;
  float: left ;
  margin-right: 1em }
 img.align-right, .figure.align-right, object.align-right, table.align-right {
  clear: right ;
  float: right ;
  margin-left: 1em }
 img.align-center, .figure.align-center, object.align-center {
  display: block;
  margin-left: auto;
  margin-right: auto;
 }
 table.align-center {
  margin-left: auto;
  margin-right: auto;
 }
 .align-left {
  text-align: left }
 .align-center {
  clear: both ;
  text-align: center }
 .align-right {
  text-align: right }
 /* reset inner alignment in figures */
 div.align-right {
  text-align: inherit }
 /* div.align-center * { */
 /*   text-align: left } */
 .align-top    {
  vertical-align: top }
 .align-middle {
  vertical-align: middle }
 .align-bottom {
  vertical-align: bottom }
 ol.simple, ul.simple {
  margin-bottom: 1em }
 ol.arabic {
  list-style: decimal }
 ol.loweralpha {
  list-style: lower-alpha }
 ol.upperalpha {
  list-style: upper-alpha }
 ol.lowerroman {
  list-style: lower-roman }
 ol.upperroman {
  list-style: upper-roman }
 p.attribution {
  text-align: right ;
  margin-left: 50% }
 p.caption {
  font-style: italic }
 p.credits {
  font-style: italic ;
  font-size: smaller }
 p.label {
  white-space: nowrap }
 p.rubric {
  font-weight: bold ;
  font-size: larger ;
  color: maroon ;
  text-align: center }
 p.sidebar-title {
  font-family: sans-serif ;
  font-weight: bold ;
  font-size: larger }
 p.sidebar-subtitle {
  font-family: sans-serif ;
  font-weight: bold }
 p.topic-title {
  font-weight: bold }
 pre.address {
  margin-bottom: 0 ;
  margin-top: 0 ;
  font: inherit }
 pre.literal-block, pre.doctest-block, pre.math, pre.code {
  margin-left: 2em ;
  margin-right: 2em }
 pre.code .ln { color: gray; } /* line numbers */
 pre.code, code { background-color: #eeeeee }
 pre.code .comment, code .comment { color: #5C6576 }
 pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
 pre.code .literal.string, code .literal.string { color: #0C5404 }
 pre.code .name.builtin, code .name.builtin { color: #352B84 }
 pre.code .deleted, code .deleted { background-color: #DEB0A1}
 pre.code .inserted, code .inserted { background-color: #A3D289}
 span.classifier {
  font-family: sans-serif ;
  font-style: oblique }
 span.classifier-delimiter {
  font-family: sans-serif ;
  font-weight: bold }
 span.interpreted {
  font-family: sans-serif }
 span.option {
  white-space: nowrap }
 span.pre {
  white-space: pre }
 span.problematic, pre.problematic {
  color: red }
 span.section-subtitle {
  /* font-size relative to parent (h1..h6 element) */
  font-size: 80% }
 table.citation {
  border-left: solid 1px gray;
  margin-left: 1px }
 table.docinfo {
  margin: 2em 4em }
 table.docutils {
  margin-top: 0.5em ;
  margin-bottom: 0.5em }
 table.footnote {
  border-left: solid 1px black;
  margin-left: 1px }
 table.docutils td, table.docutils th,
 table.docinfo td, table.docinfo th {
  padding-left: 0.5em ;
  padding-right: 0.5em ;
  vertical-align: top }
 table.docutils th.field-name, table.docinfo th.docinfo-name {
  font-weight: bold ;
  text-align: left ;
  white-space: nowrap ;
  padding-left: 0 }
 /* "booktabs" style (no vertical lines) */
 table.docutils.booktabs {
  border: 0px;
  border-top: 2px solid;
  border-bottom: 2px solid;
  border-collapse: collapse;
 }
 table.docutils.booktabs * {
  border: 0px;
 }
 table.docutils.booktabs th {
  border-bottom: thin solid;
  text-align: left;
 }
 h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
 h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
  font-size: 100% }
 ul.auto-toc {
  list-style-type: none }
 </style>
 </head>
 <body>
 <div class="document" id="authentication-openid-connect">
 <h1 class="title">Authentication OpenID Connect</h1>
 <!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! source digest: sha256:cd754fc72d2039d02ab1b8aec98af43fb9543c9a70f2150ab6e482954e4e83d6
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/18.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=18.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows users to login through an OpenID Connect provider
 using the authorization code flow or implicit flow.</p>
 <p>Note the implicit flow is not recommended because it exposes access
 tokens to the browser and in http logs.</p>
 <p><strong>Table of contents</strong></p>
 <div class="contents local topic" id="contents">
 <ul class="simple">
 <li><a class="reference internal" href="#installation" id="toc-entry-1">Installation</a></li>
 <li><a class="reference internal" href="#configuration" id="toc-entry-2">Configuration</a><ul>
 <li><a class="reference internal" href="#setup-for-microsoft-azure" id="toc-entry-3">Setup for Microsoft Azure</a></li>
 <li><a class="reference internal" href="#setup-for-keycloak" id="toc-entry-4">Setup for Keycloak</a></li>
 </ul>
 </li>
 <li><a class="reference internal" href="#usage" id="toc-entry-5">Usage</a></li>
 <li><a class="reference internal" href="#known-issues-roadmap" id="toc-entry-6">Known issues / Roadmap</a></li>
 <li><a class="reference internal" href="#changelog" id="toc-entry-7">Changelog</a><ul>
 <li><a class="reference internal" href="#section-1" id="toc-entry-8">18.0.1.0.0 2024-10-09</a></li>
 <li><a class="reference internal" href="#section-2" id="toc-entry-9">17.0.1.0.0 2024-03-20</a></li>
 <li><a class="reference internal" href="#section-3" id="toc-entry-10">16.0.1.1.0 2024-02-28</a></li>
 <li><a class="reference internal" href="#section-4" id="toc-entry-11">16.0.1.0.2 2023-11-16</a></li>
 <li><a class="reference internal" href="#section-5" id="toc-entry-12">16.0.1.0.1 2023-10-09</a></li>
 <li><a class="reference internal" href="#section-6" id="toc-entry-13">16.0.1.0.0 2023-01-27</a></li>
 <li><a class="reference internal" href="#section-7" id="toc-entry-14">15.0.1.0.0 2023-01-06</a></li>
 <li><a class="reference internal" href="#section-8" id="toc-entry-15">14.0.1.0.0 2021-12-10</a></li>
 <li><a class="reference internal" href="#section-9" id="toc-entry-16">13.0.1.0.0 2020-04-10</a></li>
 <li><a class="reference internal" href="#section-10" id="toc-entry-17">10.0.1.0.0 2018-10-05</a></li>
 </ul>
 </li>
 <li><a class="reference internal" href="#bug-tracker" id="toc-entry-18">Bug Tracker</a></li>
 <li><a class="reference internal" href="#credits" id="toc-entry-19">Credits</a><ul>
 <li><a class="reference internal" href="#authors" id="toc-entry-20">Authors</a></li>
 <li><a class="reference internal" href="#contributors" id="toc-entry-21">Contributors</a></li>
 <li><a class="reference internal" href="#maintainers" id="toc-entry-22">Maintainers</a></li>
 </ul>
 </li>
 </ul>
 </div>
 <div class="section" id="installation">
 <h1><a class="toc-backref" href="#toc-entry-1">Installation</a></h1>
 <p>This module depends on the
 <a class="reference external" href="https://pypi.org/project/python-jose/">python-jose</a> library, not to
 be confused with <tt class="docutils literal">jose</tt> which is also available on PyPI.</p>
 </div>
 <div class="section" id="configuration">
 <h1><a class="toc-backref" href="#toc-entry-2">Configuration</a></h1>
 <div class="section" id="setup-for-microsoft-azure">
 <h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2>
 <p>Example configuration with OpenID Connect authorization code flow.</p>
 <ol class="arabic simple">
 <li>configure a new web application in Azure with OpenID and code flow
 (see the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider">provider
 documentation</a>))</li>
 <li>in this application the redirect url must be be “&lt;url of your
 server&gt;/auth_oauth/signin” and of course this URL should be reachable
 from Azure</li>
 <li>create a new authentication provider in Odoo with the following
 parameters (see the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings">portal
 documentation</a>
 for more information):</li>
 </ol>
 <p><img alt="image" src="https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png" /></p>
 <p><img alt="image1" src="https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png" /></p>
 <p>Single tenant provider limits the access to user of your tenant, while
 Multitenants allow access for all AzureAD users, so user of foreign
 companies can use their AzureAD login without an guest account.</p>
 <ul class="simple">
 <li>Provider Name: Azure AD Single Tenant</li>
 <li>Client ID: Application (client) id</li>
 <li>Client Secret: Client secret</li>
 <li>Allowed: yes</li>
 </ul>
 <p>or</p>
 <ul class="simple">
 <li>Provider Name: Azure AD Multitenant</li>
 <li>Client ID: Application (client) id</li>
 <li>Client Secret: Client secret</li>
 <li>Allowed: yes</li>
 <li>replace {tenant_id} in urls with your Azure tenant id</li>
 </ul>
 <p><img alt="image2" src="https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png" /></p>
 </div>
 <div class="section" id="setup-for-keycloak">
 <h2><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h2>
 <p>Example configuration with OpenID Connect authorization code flow.</p>
 <p>In Keycloak:</p>
 <ol class="arabic simple">
 <li>configure a new Client</li>
 <li>make sure Authorization Code Flow is Enabled.</li>
 <li>configure the client Access Type as “confidential” and take note of
 the client secret in the Credentials tab</li>
 <li>configure the redirect url to be “&lt;url of your
 server&gt;/auth_oauth/signin”</li>
 </ol>
 <p>In Odoo, create a new Oauth Provider with the following parameters:</p>
 <ul class="simple">
 <li>Provider name: Keycloak (or any name you like that identify your
 keycloak provider)</li>
 <li>Auth Flow: OpenID Connect (authorization code flow)</li>
 <li>Client ID: the same Client ID you entered when configuring the client
 in Keycloak</li>
 <li>Client Secret: found in keycloak on the client Credentials tab</li>
 <li>Allowed: yes</li>
 <li>Body: the link text to appear on the login page, such as Login with
 Keycloak</li>
 <li>Scope: openid email</li>
 <li>Authentication URL: The “authorization_endpoint” URL found in the
 OpenID Endpoint Configuration of your Keycloak realm</li>
 <li>Token URL: The “token_endpoint” URL found in the OpenID Endpoint
 Configuration of your Keycloak realm</li>
 <li>JWKS URL: The “jwks_uri” URL found in the OpenID Endpoint
 Configuration of your Keycloak realm</li>
 </ul>
 </div>
 </div>
 <div class="section" id="usage">
 <h1><a class="toc-backref" href="#toc-entry-5">Usage</a></h1>
 <p>On the login page, click on the authentication provider you configured.</p>
 </div>
 <div class="section" id="known-issues-roadmap">
 <h1><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h1>
 <ul class="simple">
 <li>When going to the login screen, check for a existing token and do a
 direct login without the clicking on the SSO link</li>
 <li>When doing a logout an extra option to also logout at the SSO
 provider.</li>
 </ul>
 </div>
 <div class="section" id="changelog">
 <h1><a class="toc-backref" href="#toc-entry-7">Changelog</a></h1>
 <div class="section" id="section-1">
 <h2><a class="toc-backref" href="#toc-entry-8">18.0.1.0.0 2024-10-09</a></h2>
 <ul class="simple">
 <li>Odoo 18 migration</li>
 </ul>
 </div>
 <div class="section" id="section-2">
 <h2><a class="toc-backref" href="#toc-entry-9">17.0.1.0.0 2024-03-20</a></h2>
 <ul class="simple">
 <li>Odoo 17 migration</li>
 </ul>
 </div>
 <div class="section" id="section-3">
 <h2><a class="toc-backref" href="#toc-entry-10">16.0.1.1.0 2024-02-28</a></h2>
 <ul class="simple">
 <li>Forward port OpenID Connect fixes from 15.0 to 16.0</li>
 </ul>
 </div>
 <div class="section" id="section-4">
 <h2><a class="toc-backref" href="#toc-entry-11">16.0.1.0.2 2023-11-16</a></h2>
 <ul class="simple">
 <li>Readme link updates</li>
 </ul>
 </div>
 <div class="section" id="section-5">
 <h2><a class="toc-backref" href="#toc-entry-12">16.0.1.0.1 2023-10-09</a></h2>
 <ul class="simple">
 <li>Add AzureAD code flow provider</li>
 </ul>
 </div>
 <div class="section" id="section-6">
 <h2><a class="toc-backref" href="#toc-entry-13">16.0.1.0.0 2023-01-27</a></h2>
 <ul class="simple">
 <li>Odoo 16 migration</li>
 </ul>
 </div>
 <div class="section" id="section-7">
 <h2><a class="toc-backref" href="#toc-entry-14">15.0.1.0.0 2023-01-06</a></h2>
 <ul class="simple">
 <li>Odoo 15 migration</li>
 </ul>
 </div>
 <div class="section" id="section-8">
 <h2><a class="toc-backref" href="#toc-entry-15">14.0.1.0.0 2021-12-10</a></h2>
 <ul class="simple">
 <li>Odoo 14 migration</li>
 </ul>
 </div>
 <div class="section" id="section-9">
 <h2><a class="toc-backref" href="#toc-entry-16">13.0.1.0.0 2020-04-10</a></h2>
 <ul class="simple">
 <li>Odoo 13 migration, add authorization code flow.</li>
 </ul>
 </div>
 <div class="section" id="section-10">
 <h2><a class="toc-backref" href="#toc-entry-17">10.0.1.0.0 2018-10-05</a></h2>
 <ul class="simple">
 <li>Initial implementation</li>
 </ul>
 </div>
 </div>
 <div class="section" id="bug-tracker">
 <h1><a class="toc-backref" href="#toc-entry-18">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
 <a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
 <h1><a class="toc-backref" href="#toc-entry-19">Credits</a></h1>
 <div class="section" id="authors">
 <h2><a class="toc-backref" href="#toc-entry-20">Authors</a></h2>
 <ul class="simple">
 <li>ICTSTUDIO</li>
 <li>André Schenkels</li>
 <li>ACSONE SA/NV</li>
 </ul>
 </div>
 <div class="section" id="contributors">
 <h2><a class="toc-backref" href="#toc-entry-21">Contributors</a></h2>
 <ul class="simple">
 <li>Alexandre Fayolle &lt;<a class="reference external" href="mailto:alexandre.fayolle&#64;camptocamp.com">alexandre.fayolle&#64;camptocamp.com</a>&gt;</li>
 <li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
 <li>David Jaen &lt;<a class="reference external" href="mailto:david.jaen.revert&#64;gmail.com">david.jaen.revert&#64;gmail.com</a>&gt;</li>
 <li>Andreas Perhab &lt;<a class="reference external" href="mailto:andreas.perhab&#64;wt-io-it.at">andreas.perhab&#64;wt-io-it.at</a>&gt;</li>
 </ul>
 </div>
 <div class="section" id="maintainers">
 <h2><a class="toc-backref" href="#toc-entry-22">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
 <a class="reference external image-reference" href="https://odoo-community.org">
 <img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" />
 </a>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.</p>
 <p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
 <p><a class="reference external image-reference" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
 <p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/18.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
 <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
 </div>
 </div>
 </div>
 </body>
 </html>
--- a/static/description/oauth-microsoft_azure-api_permissions.png
+++ b/static/description/oauth-microsoft_azure-api_permissions.png
--- a/static/description/oauth-microsoft_azure-optional_claims.png
+++ b/static/description/oauth-microsoft_azure-optional_claims.png
--- a/static/description/odoo-azure_ad_multitenant.png
+++ b/static/description/odoo-azure_ad_multitenant.png
--- a/tests/init.py
+++ b/tests/init.py
@ -0,0 +1 @@
 from . import test_auth_oidc_auth_code
--- a/tests/keycloak/keycloak-config.json
+++ b/tests/keycloak/keycloak-config.json
--- a/tests/keycloak/keycloak.sh
+++ b/tests/keycloak/keycloak.sh
@ -0,0 +1,10 @@
 #!/bin/sh
 set -x
 $(which docker || which podman) run --rm \
  -v $(dirname $0)/keycloak-config.json:/tmp/keycloak-config.json \
  -p 8080:8080 \
  quay.io/keycloak/keycloak:12.0.4 \
  -Dkeycloak.migration.action=import \
  -Dkeycloak.migration.provider=singleFile \
  -Dkeycloak.migration.file=/tmp/keycloak-config.json \
  -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
--- a/tests/test_auth_oidc_auth_code.py
+++ b/tests/test_auth_oidc_auth_code.py
@ -0,0 +1,321 @@
 # Copyright 2021 ACSONE SA/NV <https://acsone.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 import contextlib
 import json
 import logging
 from urllib.parse import parse_qs, urlparse
 import responses
 from cryptography.hazmat.primitives import serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
 from jose import jwt
 from jose.exceptions import JWTError
 from jose.utils import long_to_base64
 import odoo
 from odoo.exceptions import AccessDenied
 from odoo.tests import common
 from odoo.addons.website.tools import MockRequest as _MockRequest
 from ..controllers.main import OpenIDLogin
 BASE_URL = f"http://localhost:{odoo.tools.config['http_port']}"
@contextlib.contextmanager
 def MockRequest(env):
    with _MockRequest(env) as request:
        request.httprequest.url_root = BASE_URL + "/"
        request.params = {}
        yield request
 class TestAuthOIDCAuthorizationCodeFlow(common.HttpCase):
    @classmethod
    def setUpClass(cls):
        super().setUpClass()
        (
            cls.rsa_key_pem,
            cls.rsa_key_public_pem,
            cls.rsa_key_public_jwk,
        ) = cls._generate_key()
        _, cls.second_key_public_pem, _ = cls._generate_key()
    @staticmethod
    def _generate_key():
        rsa_key = rsa.generate_private_key(
            public_exponent=65537,
            key_size=4096,
        )
        rsa_key_pem = rsa_key.private_bytes(
            serialization.Encoding.PEM,
            serialization.PrivateFormat.TraditionalOpenSSL,
            serialization.NoEncryption(),
        ).decode("utf8")
        rsa_key_public = rsa_key.public_key()
        rsa_key_public_pem = rsa_key_public.public_bytes(
            serialization.Encoding.PEM,
            serialization.PublicFormat.SubjectPublicKeyInfo,
        ).decode("utf8")
        jwk = {
            # https://datatracker.ietf.org/doc/html/rfc7518#section-6.1
            "kty": "RSA",
            "use": "sig",
            "n": long_to_base64(rsa_key_public.public_numbers().n).decode("utf-8"),
            "e": long_to_base64(rsa_key_public.public_numbers().e).decode("utf-8"),
        }
        return rsa_key_pem, rsa_key_public_pem, jwk
    def setUp(self):
        super().setUp()
        # search our test provider and bind the demo user to it
        self.provider_rec = self.env["auth.oauth.provider"].search(
            [("client_id", "=", "auth_oidc-test")]
        )
        self.assertEqual(len(self.provider_rec), 1)
    def test_auth_link(self):
        """Test that the authentication link is correct."""
        # disable existing providers except our test provider
        self.env["auth.oauth.provider"].search(
            [("client_id", "!=", "auth_oidc-test")]
        ).write(dict(enabled=False))
        with MockRequest(self.env):
            providers = OpenIDLogin().list_providers()
            self.assertEqual(len(providers), 1)
            auth_link = providers[0]["auth_link"]
            assert auth_link.startswith(self.provider_rec.auth_endpoint)
            params = parse_qs(urlparse(auth_link).query)
            self.assertEqual(params["response_type"], ["code"])
            self.assertEqual(params["client_id"], [self.provider_rec.client_id])
            self.assertEqual(params["scope"], ["openid email"])
            self.assertTrue(params["code_challenge"])
            self.assertEqual(params["code_challenge_method"], ["S256"])
            self.assertTrue(params["nonce"])
            self.assertTrue(params["state"])
            self.assertEqual(params["redirect_uri"], [BASE_URL + "/auth_oauth/signin"])
    def _prepare_login_test_user(self):
        user = self.env.ref("base.user_demo")
        user.write({"oauth_provider_id": self.provider_rec.id, "oauth_uid": user.login})
        return user
    def _prepare_login_test_responses(
        self, access_token="42", id_token_body=None, id_token_headers=None, keys=None
    ):
        if id_token_body is None:
            id_token_body = {}
        if id_token_headers is None:
            id_token_headers = {"kid": "the_key_id"}
        responses.add(
            responses.POST,
            "http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
            json={
                "access_token": access_token,
                "id_token": jwt.encode(
                    id_token_body,
                    self.rsa_key_pem,
                    algorithm="RS256",
                    headers=id_token_headers,
                ),
            },
        )
        if keys is None:
            if "kid" in id_token_headers:
                keys = [{"kid": "the_key_id", "keys": [self.rsa_key_public_pem]}]
            else:
                keys = [{"keys": [self.rsa_key_public_pem]}]
        responses.add(
            responses.GET,
            "http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
            json={"keys": keys},
        )
    @responses.activate
    def test_login(self):
        """Test that login works"""
        user = self._prepare_login_test_user()
        self._prepare_login_test_responses(id_token_body={"user_id": user.login})
        params = {"state": json.dumps({})}
        with MockRequest(self.env):
            db, login, token = self.env["res.users"].auth_oauth(
                self.provider_rec.id,
                params,
            )
        self.assertEqual(token, "42")
        self.assertEqual(login, user.login)
    @responses.activate
    def test_login_without_kid(self):
        """Test that login works when ID Token has no kid in header"""
        user = self._prepare_login_test_user()
        self._prepare_login_test_responses(
            id_token_body={"user_id": user.login},
            id_token_headers={},
            access_token=chr(42),
        )
        params = {"state": json.dumps({})}
        with MockRequest(self.env):
            db, login, token = self.env["res.users"].auth_oauth(
                self.provider_rec.id,
                params,
            )
        self.assertEqual(token, "*")
        self.assertEqual(login, user.login)
    @responses.activate
    def test_login_with_sub_claim(self):
        """Test that login works when ID Token contains only standard claims"""
        self.provider_rec.token_map = False
        user = self._prepare_login_test_user()
        self._prepare_login_test_responses(
            id_token_body={"sub": user.login}, access_token="1764"
        )
        params = {"state": json.dumps({})}
        with MockRequest(self.env):
            db, login, token = self.env["res.users"].auth_oauth(
                self.provider_rec.id,
                params,
            )
        self.assertEqual(token, "1764")
        self.assertEqual(login, user.login)
    @responses.activate
    def test_login_without_kid_multiple_keys_in_jwks(self):
        """
        Test that login fails if no kid is provided in ID Token and JWKS has multiple
        keys
        """
        user = self._prepare_login_test_user()
        self._prepare_login_test_responses(
            id_token_body={"user_id": user.login},
            id_token_headers={},
            access_token="6*7",
            keys=[
                {"kid": "other_key_id", "keys": [self.second_key_public_pem]},
                {"kid": "the_key_id", "keys": [self.rsa_key_public_pem]},
            ],
        )
        with self.assertRaises(
            JWTError,
            msg="OpenID Connect requires kid to be set if there is"
            " more than one key in the JWKS",
        ):
            with MockRequest(self.env):
                self.env["res.users"].auth_oauth(
                    self.provider_rec.id,
                    {"state": json.dumps({})},
                )
    @responses.activate
    def test_login_without_matching_key(self):
        """Test that login fails if no matching key can be found"""
        user = self._prepare_login_test_user()
        self._prepare_login_test_responses(
            id_token_body={"user_id": user.login},
            id_token_headers={},
            access_token="168/4",
            keys=[{"kid": "other_key_id", "keys": [self.second_key_public_pem]}],
        )
        with self.assertRaises(JWTError):
            with MockRequest(self.env):
                self.env["res.users"].auth_oauth(
                    self.provider_rec.id,
                    {"state": json.dumps({})},
                )
    @responses.activate
    def test_login_without_any_key(self):
        """Test that login fails if no key is provided by JWKS"""
        user = self._prepare_login_test_user()
        self._prepare_login_test_responses(
            id_token_body={"user_id": user.login},
            id_token_headers={},
            access_token="168/4",
            keys=[],
        )
        with (
            self.assertRaises(AccessDenied),
            MockRequest(self.env),
            self.assertLogs(level=logging.ERROR) as logs,
        ):
            self.env["res.users"].auth_oauth(
                self.provider_rec.id,
                {"state": json.dumps({})},
            )
        self.assertEqual(len(logs.records), 1)
        self.assertEqual(logs.records[0].levelno, logging.ERROR)
        self.assertEqual(
            "ERROR:odoo.addons.auth_oidc.models.res_users:user_id claim not found in"
            " id_token (after mapping).",
            logs.output[0],
        )
    @responses.activate
    def test_login_with_multiple_keys_in_jwks(self):
        """Test that login works with multiple keys present in jwks"""
        user = self._prepare_login_test_user()
        self._prepare_login_test_responses(
            id_token_body={"user_id": user.login},
            access_token="2*3*7",
            keys=[
                {"kid": "other_key_id", "keys": [self.second_key_public_pem]},
                {"kid": "the_key_id", "keys": [self.rsa_key_public_pem]},
            ],
        )
        with MockRequest(self.env):
            db, login, token = self.env["res.users"].auth_oauth(
                self.provider_rec.id,
                {"state": json.dumps({})},
            )
        self.assertEqual(token, "2*3*7")
        self.assertEqual(login, user.login)
    @responses.activate
    def test_login_with_multiple_keys_in_jwks_same_kid(self):
        """Test that login works with multiple keys with the same kid present in jwks"""
        user = self._prepare_login_test_user()
        self._prepare_login_test_responses(
            id_token_body={"user_id": user.login},
            access_token="84/2",
            keys=[
                {"kid": "the_key_id", "keys": [self.second_key_public_pem]},
                {"kid": "the_key_id", "keys": [self.rsa_key_public_pem]},
            ],
        )
        with MockRequest(self.env):
            db, login, token = self.env["res.users"].auth_oauth(
                self.provider_rec.id,
                {"state": json.dumps({})},
            )
        self.assertEqual(token, "84/2")
        self.assertEqual(login, user.login)
    @responses.activate
    def test_login_with_jwk_format(self):
        """Test that login works with proper jwks format"""
        user = self._prepare_login_test_user()
        self.rsa_key_public_jwk["kid"] = "the_key_id"
        self._prepare_login_test_responses(
            id_token_body={"user_id": user.login},
            keys=[self.rsa_key_public_jwk],
            access_token="122/3",
        )
        with MockRequest(self.env):
            db, login, token = self.env["res.users"].auth_oauth(
                self.provider_rec.id,
                {"state": json.dumps({})},
            )
        self.assertEqual(token, "122/3")
        self.assertEqual(login, user.login)
--- a/views/auth_oauth_provider.xml
+++ b/views/auth_oauth_provider.xml
@ -0,0 +1,24 @@
 <?xml version="1.0" ?>
 <odoo>
    <record model="ir.ui.view" id="view_oidc_provider_form">
        <field name="name">auth.oidc.provider.form</field>
        <field name="model">auth.oauth.provider</field>
        <field name="inherit_id" ref="auth_oauth.view_oauth_provider_form" />
        <field name="arch" type="xml">
            <field name="name" position="after">
                <field name="flow" />
                <field
                    name="token_map"
                    placeholder="e.g from:to upn:email sub:user_id"
                />
            </field>
            <field name="client_id" position="after">
                <field name="client_secret" />
            </field>
            <field name="validation_endpoint" position="after">
                <field name="token_endpoint" />
                <field name="jwks_uri" />
            </field>
        </field>
    </record>
 </odoo>
		`@ -0,0 +1 @@`
							`On the login page, click on the authentication provider you configured.`