Obanana.Corporation
/
auth_oidc
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

up

This commit is contained in:
mark H 2025-01-13 18:00:03 +08:00
commit c2d68ee68c
38 changed files with 4168 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

247
README.rst Normal file
View File

@ -0,0 +1,247 @@
=============================
Authentication OpenID Connect
=============================
..
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! This file is generated by oca-gen-addon-readme !!
!! changes will be overwritten. !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! source digest: sha256:cd754fc72d2039d02ab1b8aec98af43fb9543c9a70f2150ab6e482954e4e83d6
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
:target: https://odoo-community.org/page/development-status
:alt: Beta
.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
:target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
:alt: License: AGPL-3
.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
:target: https://github.com/OCA/server-auth/tree/18.0/auth_oidc
:alt: OCA/server-auth
.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
:target: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_oidc
:alt: Translate me on Weblate
.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
:target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=18.0
:alt: Try me on Runboat
|badge1| |badge2| |badge3| |badge4| |badge5|
This module allows users to login through an OpenID Connect provider
using the authorization code flow or implicit flow.
Note the implicit flow is not recommended because it exposes access
tokens to the browser and in http logs.
**Table of contents**
.. contents::
:local:
Installation
============
This module depends on the
`python-jose <https://pypi.org/project/python-jose/>`__ library, not to
be confused with ``jose`` which is also available on PyPI.
Configuration
=============
Setup for Microsoft Azure
-------------------------
Example configuration with OpenID Connect authorization code flow.
1. configure a new web application in Azure with OpenID and code flow
(see the `provider
documentation <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider>`__))
2. in this application the redirect url must be be "<url of your
server>/auth_oauth/signin" and of course this URL should be reachable
from Azure
3. create a new authentication provider in Odoo with the following
parameters (see the `portal
documentation <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings>`__
for more information):
|image|
|image1|
Single tenant provider limits the access to user of your tenant, while
Multitenants allow access for all AzureAD users, so user of foreign
companies can use their AzureAD login without an guest account.
- Provider Name: Azure AD Single Tenant
- Client ID: Application (client) id
- Client Secret: Client secret
- Allowed: yes
or
- Provider Name: Azure AD Multitenant
- Client ID: Application (client) id
- Client Secret: Client secret
- Allowed: yes
- replace {tenant_id} in urls with your Azure tenant id
|image2|
Setup for Keycloak
------------------
Example configuration with OpenID Connect authorization code flow.
In Keycloak:
1. configure a new Client
2. make sure Authorization Code Flow is Enabled.
3. configure the client Access Type as "confidential" and take note of
the client secret in the Credentials tab
4. configure the redirect url to be "<url of your
server>/auth_oauth/signin"
In Odoo, create a new Oauth Provider with the following parameters:
- Provider name: Keycloak (or any name you like that identify your
keycloak provider)
- Auth Flow: OpenID Connect (authorization code flow)
- Client ID: the same Client ID you entered when configuring the client
in Keycloak
- Client Secret: found in keycloak on the client Credentials tab
- Allowed: yes
- Body: the link text to appear on the login page, such as Login with
Keycloak
- Scope: openid email
- Authentication URL: The "authorization_endpoint" URL found in the
OpenID Endpoint Configuration of your Keycloak realm
- Token URL: The "token_endpoint" URL found in the OpenID Endpoint
Configuration of your Keycloak realm
- JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
Configuration of your Keycloak realm
.. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
.. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
.. |image2| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png
Usage
=====
On the login page, click on the authentication provider you configured.
Known issues / Roadmap
======================
- When going to the login screen, check for a existing token and do a
direct login without the clicking on the SSO link
- When doing a logout an extra option to also logout at the SSO
provider.
Changelog
=========
18.0.1.0.0 2024-10-09
---------------------
- Odoo 18 migration
17.0.1.0.0 2024-03-20
---------------------
- Odoo 17 migration
16.0.1.1.0 2024-02-28
---------------------
- Forward port OpenID Connect fixes from 15.0 to 16.0
16.0.1.0.2 2023-11-16
---------------------
- Readme link updates
16.0.1.0.1 2023-10-09
---------------------
- Add AzureAD code flow provider
16.0.1.0.0 2023-01-27
---------------------
- Odoo 16 migration
15.0.1.0.0 2023-01-06
---------------------
- Odoo 15 migration
14.0.1.0.0 2021-12-10
---------------------
- Odoo 14 migration
13.0.1.0.0 2020-04-10
---------------------
- Odoo 13 migration, add authorization code flow.
10.0.1.0.0 2018-10-05
---------------------
- Initial implementation
Bug Tracker
===========
Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
In case of trouble, please check there if your issue has already been reported.
If you spotted it first, help us to smash it by providing a detailed and welcomed
`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
Do not contact contributors directly about support or help with technical issues.
Credits
=======
Authors
-------
* ICTSTUDIO
* André Schenkels
* ACSONE SA/NV
Contributors
------------
- Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
- Stéphane Bidoul <stephane.bidoul@acsone.eu>
- David Jaen <david.jaen.revert@gmail.com>
- Andreas Perhab <andreas.perhab@wt-io-it.at>
Maintainers
-----------
This module is maintained by the OCA.
.. image:: https://odoo-community.org/logo.png
:alt: Odoo Community Association
:target: https://odoo-community.org
OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.
.. |maintainer-sbidoul| image:: https://github.com/sbidoul.png?size=40px
:target: https://github.com/sbidoul
:alt: sbidoul
Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
|maintainer-sbidoul|
This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/18.0/auth_oidc>`_ project on GitHub.
You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

5
__init__.py Normal file
View File

@ -0,0 +1,5 @@
# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
from . import controllers
from . import models

21
__manifest__.py Normal file
View File

@ -0,0 +1,21 @@
# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
{
"name": "Authentication OpenID Connect",
"version": "18.0.1.0.0",
"license": "AGPL-3",
"author": (
"ICTSTUDIO, André Schenkels, "
"ACSONE SA/NV, "
"Odoo Community Association (OCA)"
),
"maintainers": ["sbidoul"],
"website": "https://github.com/OCA/server-auth",
"summary": "Allow users to login through OpenID Connect Provider",
"external_dependencies": {"python": ["python-jose"]},
"depends": ["auth_oauth"],
"data": ["views/auth_oauth_provider.xml", "data/auth_oauth_data.xml"],
"demo": ["demo/local_keycloak.xml"],
}

BIN
__pycache__/__init__.cpython-312.pyc Normal file
View File

Binary file not shown.

4
controllers/__init__.py Normal file
View File

@ -0,0 +1,4 @@
# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
from . import main

BIN
controllers/__pycache__/__init__.cpython-312.pyc Normal file
View File

Binary file not shown.

BIN
controllers/__pycache__/main.cpython-312.pyc Normal file
View File

Binary file not shown.

50
controllers/main.py Normal file
View File

@ -0,0 +1,50 @@
# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
import base64
import hashlib
import logging
import secrets
from werkzeug.urls import url_decode, url_encode
from odoo.addons.auth_oauth.controllers.main import OAuthLogin
_logger = logging.getLogger(__name__)
class OpenIDLogin(OAuthLogin):
def list_providers(self):
providers = super().list_providers()
for provider in providers:
flow = provider.get("flow")
if flow in ("id_token", "id_token_code"):
params = url_decode(provider["auth_link"].split("?")[-1])
# nonce
params["nonce"] = secrets.token_urlsafe()
# response_type
if flow == "id_token":
# https://openid.net/specs/openid-connect-core-1_0.html
# #ImplicitAuthRequest
params["response_type"] = "id_token token"
elif flow == "id_token_code":
# https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
params["response_type"] = "code"
# PKCE (https://tools.ietf.org/html/rfc7636)
code_verifier = provider["code_verifier"]
code_challenge = base64.urlsafe_b64encode(
hashlib.sha256(code_verifier.encode("ascii")).digest()
).rstrip(b"=")
params["code_challenge"] = code_challenge
params["code_challenge_method"] = "S256"
# scope
if provider.get("scope"):
if "openid" not in provider["scope"].split():
_logger.error("openid connect scope must contain 'openid'")
params["scope"] = provider["scope"]
# auth link that the user will click
provider["auth_link"] = "{}?{}".format(
provider["auth_endpoint"], url_encode(params)
)
return providers

39
data/auth_oauth_data.xml Normal file
View File

@ -0,0 +1,39 @@
<?xml version="1.0" encoding="utf-8" ?>
<odoo noupdate="1">
<record id="provider_azuread_multi" model="auth.oauth.provider">
<field name="name">Azure AD Multitenant</field>
<field name="flow">id_token_code</field>
<field name="enabled">False</field>
<field name="token_map">upn:user_id upn:email</field>
<field
name="auth_endpoint"
>https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize</field>
<field name="scope">profile openid</field>
<field
name="token_endpoint"
>https://login.microsoftonline.com/organizations/oauth2/v2.0/token</field>
<field
name="jwks_uri"
>https://login.microsoftonline.com/organizations/discovery/v2.0/keys</field>
<field name="css_class">fa fa-fw fa-windows</field>
<field name="body">Log in with Microsoft</field>
</record>
<record id="provider_azuread_single" model="auth.oauth.provider">
<field name="name">Azure AD Single Tenant</field>
<field name="flow">id_token_code</field>
<field name="enabled">False</field>
<field name="token_map">upn:user_id upn:email</field>
<field
name="auth_endpoint"
>https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize</field>
<field name="scope">profile openid</field>
<field
name="token_endpoint"
>https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token</field>
<field
name="jwks_uri"
>https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys</field>
<field name="css_class">fa fa-fw fa-windows</field>
<field name="body">Log in with Microsoft</field>
</record>
</odoo>

20
demo/local_keycloak.xml Normal file
View File

@ -0,0 +1,20 @@
<odoo>
<record id="local_keycloak" model="auth.oauth.provider">
<field name="name">keycloak:8080 on localhost</field>
<field name="flow">id_token_code</field>
<field name="client_id">auth_oidc-test</field>
<field name="token_map">preferred_username:user_id</field>
<field name="body">keycloak:8080 on localhost</field>
<field name="enabled" eval="True" />
<field name="scope">openid email</field>
<field
name="auth_endpoint"
>http://localhost:8080/auth/realms/master/protocol/openid-connect/auth</field>
<field
name="token_endpoint"
>http://localhost:8080/auth/realms/master/protocol/openid-connect/token</field>
<field
name="jwks_uri"
>http://localhost:8080/auth/realms/master/protocol/openid-connect/certs</field>
</record>
</odoo>

119
i18n/auth_oidc.pot Normal file
View File

@ -0,0 +1,119 @@
# Translation of Odoo Server.
# This file contains the translation of the following modules:
# * auth_oidc
#
msgid ""
msgstr ""
"Project-Id-Version: Odoo Server 18.0\n"
"Report-Msgid-Bugs-To: \n"
"Last-Translator: \n"
"Language-Team: \n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: \n"
"Plural-Forms: \n"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
msgid "Auth Flow"
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
msgid "Client Secret"
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
msgid "Code Verifier"
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
msgid "JWKS URL"
msgstr ""
#. module: auth_oidc
#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
msgid "Log in with Microsoft"
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
msgid "OAuth2"
msgstr ""
#. module: auth_oidc
#: model:ir.model,name:auth_oidc.model_auth_oauth_provider
msgid "OAuth2 provider"
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
msgid "OpenID Connect (authorization code flow)"
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
msgid "OpenID Connect (implicit flow, not recommended)"
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
msgid "Required for OpenID Connect authorization code flow."
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
msgid "Required for OpenID Connect."
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
msgid ""
"Some Oauth providers don't map keys in their responses exactly as required."
" It is important to ensure user_id and email at least are mapped. For "
"OpenID Connect user_id is the sub key in the standard."
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
msgid "Token Map"
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
msgid "Token URL"
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
msgid "Used for PKCE."
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
msgid ""
"Used in OpenID Connect authorization code flow for confidential clients."
msgstr ""
#. module: auth_oidc
#: model:ir.model,name:auth_oidc.model_res_users
msgid "User"
msgstr ""
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
msgid "UserInfo URL"
msgstr ""
#. module: auth_oidc
#: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
msgid "e.g from:to upn:email sub:user_id"
msgstr ""
#. module: auth_oidc
#: model:auth.oauth.provider,body:auth_oidc.local_keycloak
msgid "keycloak:8080 on localhost"
msgstr ""

128
i18n/es.po Normal file
View File

@ -0,0 +1,128 @@
# Translation of Odoo Server.
# This file contains the translation of the following modules:
# * auth_oidc
#
msgid ""
msgstr ""
"Project-Id-Version: Odoo Server 16.0\n"
"Report-Msgid-Bugs-To: \n"
"PO-Revision-Date: 2023-10-15 19:36+0000\n"
"Last-Translator: Ivorra78 <informatica@totmaterial.es>\n"
"Language-Team: none\n"
"Language: es\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: \n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
"X-Generator: Weblate 4.17\n"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
msgid "Auth Flow"
msgstr "Flujo de autenticación"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
msgid "Client Secret"
msgstr "Secreto del cliente"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
msgid "Code Verifier"
msgstr "Verificador del código"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
msgid "JWKS URL"
msgstr "URL JWKS"
#. module: auth_oidc
#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
msgid "Log in with Microsoft"
msgstr "Iniciar sesión con Microsoft"
#. module: auth_oidc
#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
msgid "OAuth2"
msgstr "OAuth2"
#. module: auth_oidc
#: model:ir.model,name:auth_oidc.model_auth_oauth_provider
msgid "OAuth2 provider"
msgstr "Proveedor OAuth2"
#. module: auth_oidc
#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
msgid "OpenID Connect (authorization code flow)"
msgstr "OpenID Connect (flujo de código de autorización)"
#. module: auth_oidc
#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
msgid "OpenID Connect (implicit flow, not recommended)"
msgstr "OpenID Connect (flujo implícito, no recomendado)"
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
msgid "Required for OpenID Connect authorization code flow."
msgstr "Necesario para el flujo de código de autorización de OpenID Connect."
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
msgid "Required for OpenID Connect."
msgstr "Requerido para OpenID Connect."
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
msgid ""
"Some Oauth providers don't map keys in their responses exactly as required. "
"It is important to ensure user_id and email at least are mapped. For OpenID "
"Connect user_id is the sub key in the standard."
msgstr ""
"Algunos proveedores de Oauth no mapean las claves en sus respuestas "
"exactamente como se requiere. Es importante asegurarse de que al menos "
"user_id y email están mapeados. Para OpenID Connect user_id es la subclave "
"en el estándar."
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
msgid "Token Map"
msgstr "Mapa de Símbolos"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
msgid "Token URL"
msgstr "URL de la ficha"
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
msgid "Used for PKCE."
msgstr "Utilizado para PKCE."
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
msgid ""
"Used in OpenID Connect authorization code flow for confidential clients."
msgstr ""
"Se utiliza en el flujo de código de autorización de OpenID Connect para "
"clientes confidenciales."
#. module: auth_oidc
#: model:ir.model,name:auth_oidc.model_res_users
msgid "User"
msgstr "Usuario"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
msgid "UserInfo URL"
msgstr "URL de información del usuario"
#. module: auth_oidc
#: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
msgid "e.g from:to upn:email sub:user_id"
msgstr "p.ej. from:to upn:email sub:user_id"
#. module: auth_oidc
#: model:auth.oauth.provider,body:auth_oidc.local_keycloak
msgid "keycloak:8080 on localhost"
msgstr "keycloak:8080 en el servidor local"

127
i18n/it.po Normal file
View File

@ -0,0 +1,127 @@
# Translation of Odoo Server.
# This file contains the translation of the following modules:
# * auth_oidc
#
msgid ""
msgstr ""
"Project-Id-Version: Odoo Server 16.0\n"
"Report-Msgid-Bugs-To: \n"
"PO-Revision-Date: 2024-01-05 10:34+0000\n"
"Last-Translator: mymage <stefano.consolaro@mymage.it>\n"
"Language-Team: none\n"
"Language: it\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: \n"
"Plural-Forms: nplurals=2; plural=n != 1;\n"
"X-Generator: Weblate 4.17\n"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
msgid "Auth Flow"
msgstr "Flusso atorizzazione"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
msgid "Client Secret"
msgstr "Chiave segreta client"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
msgid "Code Verifier"
msgstr "Verificatore codice"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
msgid "JWKS URL"
msgstr "URL JWKS"
#. module: auth_oidc
#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
msgid "Log in with Microsoft"
msgstr "Accedi con Mcrosoft"
#. module: auth_oidc
#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
msgid "OAuth2"
msgstr "OAuth2"
#. module: auth_oidc
#: model:ir.model,name:auth_oidc.model_auth_oauth_provider
msgid "OAuth2 provider"
msgstr "Provider OAuth2"
#. module: auth_oidc
#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
msgid "OpenID Connect (authorization code flow)"
msgstr "OpenID Connect (flusso codice autorizzazione)"
#. module: auth_oidc
#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
msgid "OpenID Connect (implicit flow, not recommended)"
msgstr "OpenID Connect (flusso implicito, non raccomandato)"
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
msgid "Required for OpenID Connect authorization code flow."
msgstr "Richiesto per flusso codice atorizzazione OpenID Connect."
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
msgid "Required for OpenID Connect."
msgstr "Richiesto per OpenID Connect."
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
msgid ""
"Some Oauth providers don't map keys in their responses exactly as required. "
"It is important to ensure user_id and email at least are mapped. For OpenID "
"Connect user_id is the sub key in the standard."
msgstr ""
"Alcuni Provider Oauth non mappano le chiavi nelle loro risposte esattamente "
"come richiesto. È importante assicurare che almeno user_id ed e-mail siano "
"mappati. Per OpenID Connect user_id è la sotto-chiave nello standard."
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
msgid "Token Map"
msgstr "Mappa token"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
msgid "Token URL"
msgstr "URL token"
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
msgid "Used for PKCE."
msgstr "Utilizzato per PKCE."
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
msgid ""
"Used in OpenID Connect authorization code flow for confidential clients."
msgstr ""
"Utilizzato nel flusso codice autorizzazione OpenID Connect per client "
"riservati."
#. module: auth_oidc
#: model:ir.model,name:auth_oidc.model_res_users
msgid "User"
msgstr "Utente"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
msgid "UserInfo URL"
msgstr "URL info utente"
#. module: auth_oidc
#: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
msgid "e.g from:to upn:email sub:user_id"
msgstr "es. from:to upn:email sub:user_id"
#. module: auth_oidc
#: model:auth.oauth.provider,body:auth_oidc.local_keycloak
msgid "keycloak:8080 on localhost"
msgstr "keycloak:8080 su localhost"

124
i18n/zh_CN.po Normal file
View File

@ -0,0 +1,124 @@
# Translation of Odoo Server.
# This file contains the translation of the following modules:
# * auth_oidc
#
msgid ""
msgstr ""
"Project-Id-Version: Odoo Server 17.0\n"
"Report-Msgid-Bugs-To: \n"
"PO-Revision-Date: 2024-07-03 10:47+0000\n"
"Last-Translator: xtanuiha <feihu.zhang@live.com>\n"
"Language-Team: none\n"
"Language: zh_CN\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: \n"
"Plural-Forms: nplurals=1; plural=0;\n"
"X-Generator: Weblate 4.17\n"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
msgid "Auth Flow"
msgstr "认证流程"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
msgid "Client Secret"
msgstr "客户端密钥"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
msgid "Code Verifier"
msgstr "代码验证器"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
msgid "JWKS URL"
msgstr "JWKS 网址"
#. module: auth_oidc
#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
msgid "Log in with Microsoft"
msgstr "使用 Microsoft 登录"
#. module: auth_oidc
#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
msgid "OAuth2"
msgstr "OAuth2"
#. module: auth_oidc
#: model:ir.model,name:auth_oidc.model_auth_oauth_provider
msgid "OAuth2 provider"
msgstr "OAuth2 提供者"
#. module: auth_oidc
#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
msgid "OpenID Connect (authorization code flow)"
msgstr "OpenID Connect授权码流程"
#. module: auth_oidc
#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
msgid "OpenID Connect (implicit flow, not recommended)"
msgstr "OpenID Connect隐式流程不推荐"
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
msgid "Required for OpenID Connect authorization code flow."
msgstr "OpenID Connect 授权码流程所需。"
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
msgid "Required for OpenID Connect."
msgstr "OpenID Connect 所需。"
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
msgid ""
"Some Oauth providers don't map keys in their responses exactly as required. "
"It is important to ensure user_id and email at least are mapped. For OpenID "
"Connect user_id is the sub key in the standard."
msgstr ""
"一些 OAuth 提供者在其响应中并没有完全按照要求映射键。至少需要确保 user_id 和 "
"email 被映射。对于 OpenID Connectuser_id 是标准中的 sub 键。"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
msgid "Token Map"
msgstr "令牌映射"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
msgid "Token URL"
msgstr "令牌网址"
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
msgid "Used for PKCE."
msgstr "用于 PKCE。"
#. module: auth_oidc
#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
msgid ""
"Used in OpenID Connect authorization code flow for confidential clients."
msgstr "在 OpenID Connect 授权码流程中用于保密客户端。"
#. module: auth_oidc
#: model:ir.model,name:auth_oidc.model_res_users
msgid "User"
msgstr "用户"
#. module: auth_oidc
#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
msgid "UserInfo URL"
msgstr "用户信息网址"
#. module: auth_oidc
#: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
msgid "e.g from:to upn:email sub:user_id"
msgstr "例如 from:to upn:email sub:user_id"
#. module: auth_oidc
#: model:auth.oauth.provider,body:auth_oidc.local_keycloak
msgid "keycloak:8080 on localhost"
msgstr "localhost 上的 keycloak:8080"

5
models/__init__.py Normal file
View File

@ -0,0 +1,5 @@
# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
from . import auth_oauth_provider
from . import res_users

BIN
models/__pycache__/__init__.cpython-312.pyc Normal file
View File

Binary file not shown.

BIN
models/__pycache__/auth_oauth_provider.cpython-312.pyc Normal file
View File

Binary file not shown.

BIN
models/__pycache__/res_users.cpython-312.pyc Normal file
View File

Binary file not shown.

106
models/auth_oauth_provider.py Normal file
View File

@ -0,0 +1,106 @@
# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
import logging
import secrets
import requests
from odoo import fields, models, tools
try:
from jose import jwt
from jose.exceptions import JWSError, JWTError
except ImportError:
logging.getLogger(__name__).debug("jose library not installed")
class AuthOauthProvider(models.Model):
_inherit = "auth.oauth.provider"
flow = fields.Selection(
[
("access_token", "OAuth2"),
("id_token_code", "OpenID Connect (authorization code flow)"),
("id_token", "OpenID Connect (implicit flow, not recommended)"),
],
string="Auth Flow",
required=True,
default="access_token",
)
token_map = fields.Char(
help="Some Oauth providers don't map keys in their responses "
"exactly as required. It is important to ensure user_id and "
"email at least are mapped. For OpenID Connect user_id is "
"the sub key in the standard."
)
client_secret = fields.Char(
help="Used in OpenID Connect authorization code flow for confidential clients.",
)
code_verifier = fields.Char(
default=lambda self: secrets.token_urlsafe(32), help="Used for PKCE."
)
validation_endpoint = fields.Char(required=False)
token_endpoint = fields.Char(
string="Token URL", help="Required for OpenID Connect authorization code flow."
)
jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
@tools.ormcache("self.jwks_uri", "kid")
def _get_keys(self, kid):
r = requests.get(self.jwks_uri, timeout=10)
r.raise_for_status()
response = r.json()
# the keys returned here should follow
# JWS Notes on Key Selection
# https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-signature#appendix-D
return [
key
for key in response["keys"]
if kid is None or key.get("kid", None) == kid
]
def _map_token_values(self, res):
if self.token_map:
for pair in self.token_map.split(" "):
from_key, to_key = (k.strip() for k in pair.split(":", 1))
if to_key not in res:
res[to_key] = res.get(from_key, "")
return res
def _parse_id_token(self, id_token, access_token):
self.ensure_one()
res = {}
header = jwt.get_unverified_header(id_token)
res.update(self._decode_id_token(access_token, id_token, header.get("kid")))
res.update(self._map_token_values(res))
return res
def _decode_id_token(self, access_token, id_token, kid):
keys = self._get_keys(kid)
if len(keys) > 1 and kid is None:
# https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.10.1
# If there are multiple keys in the referenced JWK Set document, a kid
# value MUST be provided in the JOSE Header.
raise JWTError(
"OpenID Connect requires kid to be set if there is more"
" than one key in the JWKS"
)
error = None
# we accept multiple keys with the same kid in case a key gets rotated.
for key in keys:
try:
values = jwt.decode(
id_token,
key,
algorithms=["RS256"],
audience=self.client_id,
access_token=access_token,
)
return values
except (JWTError, JWSError) as e:
error = e
if error:
raise error
return {}

82
models/res_users.py Normal file
View File

@ -0,0 +1,82 @@
# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
import logging
import requests
from odoo import api, models
from odoo.exceptions import AccessDenied
from odoo.http import request
_logger = logging.getLogger(__name__)
class ResUsers(models.Model):
_inherit = "res.users"
def _auth_oauth_get_tokens_implicit_flow(self, oauth_provider, params):
# https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse
return params.get("access_token"), params.get("id_token")
def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
# https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
code = params.get("code")
# https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
auth = None
if oauth_provider.client_secret:
auth = (oauth_provider.client_id, oauth_provider.client_secret)
response = requests.post(
oauth_provider.token_endpoint,
data=dict(
client_id=oauth_provider.client_id,
grant_type="authorization_code",
code=code,
code_verifier=oauth_provider.code_verifier, # PKCE
redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
),
auth=auth,
timeout=10,
)
response.raise_for_status()
response_json = response.json()
# https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
return response_json.get("access_token"), response_json.get("id_token")
@api.model
def auth_oauth(self, provider, params):
oauth_provider = self.env["auth.oauth.provider"].browse(provider)
if oauth_provider.flow == "id_token":
access_token, id_token = self._auth_oauth_get_tokens_implicit_flow(
oauth_provider, params
)
elif oauth_provider.flow == "id_token_code":
access_token, id_token = self._auth_oauth_get_tokens_auth_code_flow(
oauth_provider, params
)
else:
return super().auth_oauth(provider, params)
if not access_token:
_logger.error("No access_token in response.")
raise AccessDenied()
if not id_token:
_logger.error("No id_token in response.")
raise AccessDenied()
validation = oauth_provider._parse_id_token(id_token, access_token)
# required check
if "sub" in validation and "user_id" not in validation:
# set user_id for auth_oauth, user_id is not an OpenID Connect standard
# claim:
# https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
validation["user_id"] = validation["sub"]
elif not validation.get("user_id"):
_logger.error("user_id claim not found in id_token (after mapping).")
raise AccessDenied()
# retrieve and sign in user
params["access_token"] = access_token
login = self._auth_oauth_signin(provider, validation, params)
if not login:
raise AccessDenied()
# return user credentials
return (self.env.cr.dbname, login, access_token)

3
pyproject.toml Normal file
View File

@ -0,0 +1,3 @@
[build-system]
requires = ["whool"]
build-backend = "whool.buildapi"

72
readme/CONFIGURE.md Normal file
View File

@ -0,0 +1,72 @@
## Setup for Microsoft Azure
Example configuration with OpenID Connect authorization code flow.
1. configure a new web application in Azure with OpenID and code flow (see
the [provider
documentation](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)))
2. in this application the redirect url must be be "\<url of your
server\>/auth_oauth/signin" and of course this URL should be reachable
from Azure
3. create a new authentication provider in Odoo with the following
parameters (see the [portal
documentation](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings)
for more information):
![image](../static/description/oauth-microsoft_azure-api_permissions.png)
![image](../static/description/oauth-microsoft_azure-optional_claims.png)
Single tenant provider limits the access to user of your tenant, while
Multitenants allow access for all AzureAD users, so user of foreign
companies can use their AzureAD login without an guest account.
- Provider Name: Azure AD Single Tenant
- Client ID: Application (client) id
- Client Secret: Client secret
- Allowed: yes
or
- Provider Name: Azure AD Multitenant
- Client ID: Application (client) id
- Client Secret: Client secret
- Allowed: yes
- replace {tenant_id} in urls with your Azure tenant id
![image](../static/description/odoo-azure_ad_multitenant.png)
## Setup for Keycloak
Example configuration with OpenID Connect authorization code flow.
In Keycloak:
1. configure a new Client
2. make sure Authorization Code Flow is
Enabled.
3. configure the client Access Type as "confidential" and take
note of the client secret in the Credentials tab
4. configure the
redirect url to be "\<url of your server\>/auth_oauth/signin"
In Odoo, create a new Oauth Provider with the following parameters:
- Provider name: Keycloak (or any name you like that identify your
keycloak provider)
- Auth Flow: OpenID Connect (authorization code flow)
- Client ID: the same Client ID you entered when configuring the client
in Keycloak
- Client Secret: found in keycloak on the client Credentials tab
- Allowed: yes
- Body: the link text to appear on the login page, such as Login with
Keycloak
- Scope: openid email
- Authentication URL: The "authorization_endpoint" URL found in the
OpenID Endpoint Configuration of your Keycloak realm
- Token URL: The "token_endpoint" URL found in the OpenID Endpoint
Configuration of your Keycloak realm
- JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
Configuration of your Keycloak realm

4
readme/CONTRIBUTORS.md Normal file
View File

@ -0,0 +1,4 @@
- Alexandre Fayolle \<<alexandre.fayolle@camptocamp.com>\>
- Stéphane Bidoul \<<stephane.bidoul@acsone.eu>\>
- David Jaen \<<david.jaen.revert@gmail.com>\>
- Andreas Perhab \<<andreas.perhab@wt-io-it.at>\>

5
readme/DESCRIPTION.md Normal file
View File

@ -0,0 +1,5 @@
This module allows users to login through an OpenID Connect provider
using the authorization code flow or implicit flow.
Note the implicit flow is not recommended because it exposes access
tokens to the browser and in http logs.

39
readme/HISTORY.md Normal file
View File

@ -0,0 +1,39 @@
## 18.0.1.0.0 2024-10-09
- Odoo 18 migration
## 17.0.1.0.0 2024-03-20
- Odoo 17 migration
## 16.0.1.1.0 2024-02-28
- Forward port OpenID Connect fixes from 15.0 to 16.0
## 16.0.1.0.2 2023-11-16
- Readme link updates
## 16.0.1.0.1 2023-10-09
- Add AzureAD code flow provider
## 16.0.1.0.0 2023-01-27
- Odoo 16 migration
## 15.0.1.0.0 2023-01-06
- Odoo 15 migration
## 14.0.1.0.0 2021-12-10
- Odoo 14 migration
## 13.0.1.0.0 2020-04-10
- Odoo 13 migration, add authorization code flow.
## 10.0.1.0.0 2018-10-05
- Initial implementation

3
readme/INSTALL.md Normal file
View File

@ -0,0 +1,3 @@
This module depends on the
[python-jose](https://pypi.org/project/python-jose/) library, not to be
confused with `jose` which is also available on PyPI.

4
readme/ROADMAP.md Normal file
View File

@ -0,0 +1,4 @@
- When going to the login screen, check for a existing token and do a
direct login without the clicking on the SSO link
- When doing a logout an extra option to also logout at the SSO
provider.

1
readme/USAGE.md Normal file
View File

@ -0,0 +1 @@
On the login page, click on the authentication provider you configured.

BIN
static/description/icon.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.7 KiB

607
static/description/index.html Normal file
View File

@ -0,0 +1,607 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
<title>Authentication OpenID Connect</title>
<style type="text/css">
/*
:Author: David Goodger (goodger@python.org)
:Id: $Id: html4css1.css 9511 2024-01-13 09:50:07Z milde $
:Copyright: This stylesheet has been placed in the public domain.
Default cascading style sheet for the HTML output of Docutils.
Despite the name, some widely supported CSS2 features are used.
See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
customize this style sheet.
*/
/* used to remove borders from tables and images */
.borderless, table.borderless td, table.borderless th {
border: 0 }
table.borderless td, table.borderless th {
/* Override padding for "table.docutils td" with "! important".
The right padding separates the table cells. */
padding: 0 0.5em 0 0 ! important }
.first {
/* Override more specific margin styles with "! important". */
margin-top: 0 ! important }
.last, .with-subtitle {
margin-bottom: 0 ! important }
.hidden {
display: none }
.subscript {
vertical-align: sub;
font-size: smaller }
.superscript {
vertical-align: super;
font-size: smaller }
a.toc-backref {
text-decoration: none ;
color: black }
blockquote.epigraph {
margin: 2em 5em ; }
dl.docutils dd {
margin-bottom: 0.5em }
object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
overflow: hidden;
}
/* Uncomment (and remove this text!) to get bold-faced definition list terms
dl.docutils dt {
font-weight: bold }
*/
div.abstract {
margin: 2em 5em }
div.abstract p.topic-title {
font-weight: bold ;
text-align: center }
div.admonition, div.attention, div.caution, div.danger, div.error,
div.hint, div.important, div.note, div.tip, div.warning {
margin: 2em ;
border: medium outset ;
padding: 1em }
div.admonition p.admonition-title, div.hint p.admonition-title,
div.important p.admonition-title, div.note p.admonition-title,
div.tip p.admonition-title {
font-weight: bold ;
font-family: sans-serif }
div.attention p.admonition-title, div.caution p.admonition-title,
div.danger p.admonition-title, div.error p.admonition-title,
div.warning p.admonition-title, .code .error {
color: red ;
font-weight: bold ;
font-family: sans-serif }
/* Uncomment (and remove this text!) to get reduced vertical space in
compound paragraphs.
div.compound .compound-first, div.compound .compound-middle {
margin-bottom: 0.5em }
div.compound .compound-last, div.compound .compound-middle {
margin-top: 0.5em }
*/
div.dedication {
margin: 2em 5em ;
text-align: center ;
font-style: italic }
div.dedication p.topic-title {
font-weight: bold ;
font-style: normal }
div.figure {
margin-left: 2em ;
margin-right: 2em }
div.footer, div.header {
clear: both;
font-size: smaller }
div.line-block {
display: block ;
margin-top: 1em ;
margin-bottom: 1em }
div.line-block div.line-block {
margin-top: 0 ;
margin-bottom: 0 ;
margin-left: 1.5em }
div.sidebar {
margin: 0 0 0.5em 1em ;
border: medium outset ;
padding: 1em ;
background-color: #ffffee ;
width: 40% ;
float: right ;
clear: right }
div.sidebar p.rubric {
font-family: sans-serif ;
font-size: medium }
div.system-messages {
margin: 5em }
div.system-messages h1 {
color: red }
div.system-message {
border: medium outset ;
padding: 1em }
div.system-message p.system-message-title {
color: red ;
font-weight: bold }
div.topic {
margin: 2em }
h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
margin-top: 0.4em }
h1.title {
text-align: center }
h2.subtitle {
text-align: center }
hr.docutils {
width: 75% }
img.align-left, .figure.align-left, object.align-left, table.align-left {
clear: left ;
float: left ;
margin-right: 1em }
img.align-right, .figure.align-right, object.align-right, table.align-right {
clear: right ;
float: right ;
margin-left: 1em }
img.align-center, .figure.align-center, object.align-center {
display: block;
margin-left: auto;
margin-right: auto;
}
table.align-center {
margin-left: auto;
margin-right: auto;
}
.align-left {
text-align: left }
.align-center {
clear: both ;
text-align: center }
.align-right {
text-align: right }
/* reset inner alignment in figures */
div.align-right {
text-align: inherit }
/* div.align-center * { */
/* text-align: left } */
.align-top {
vertical-align: top }
.align-middle {
vertical-align: middle }
.align-bottom {
vertical-align: bottom }
ol.simple, ul.simple {
margin-bottom: 1em }
ol.arabic {
list-style: decimal }
ol.loweralpha {
list-style: lower-alpha }
ol.upperalpha {
list-style: upper-alpha }
ol.lowerroman {
list-style: lower-roman }
ol.upperroman {
list-style: upper-roman }
p.attribution {
text-align: right ;
margin-left: 50% }
p.caption {
font-style: italic }
p.credits {
font-style: italic ;
font-size: smaller }
p.label {
white-space: nowrap }
p.rubric {
font-weight: bold ;
font-size: larger ;
color: maroon ;
text-align: center }
p.sidebar-title {
font-family: sans-serif ;
font-weight: bold ;
font-size: larger }
p.sidebar-subtitle {
font-family: sans-serif ;
font-weight: bold }
p.topic-title {
font-weight: bold }
pre.address {
margin-bottom: 0 ;
margin-top: 0 ;
font: inherit }
pre.literal-block, pre.doctest-block, pre.math, pre.code {
margin-left: 2em ;
margin-right: 2em }
pre.code .ln { color: gray; } /* line numbers */
pre.code, code { background-color: #eeeeee }
pre.code .comment, code .comment { color: #5C6576 }
pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
pre.code .literal.string, code .literal.string { color: #0C5404 }
pre.code .name.builtin, code .name.builtin { color: #352B84 }
pre.code .deleted, code .deleted { background-color: #DEB0A1}
pre.code .inserted, code .inserted { background-color: #A3D289}
span.classifier {
font-family: sans-serif ;
font-style: oblique }
span.classifier-delimiter {
font-family: sans-serif ;
font-weight: bold }
span.interpreted {
font-family: sans-serif }
span.option {
white-space: nowrap }
span.pre {
white-space: pre }
span.problematic, pre.problematic {
color: red }
span.section-subtitle {
/* font-size relative to parent (h1..h6 element) */
font-size: 80% }
table.citation {
border-left: solid 1px gray;
margin-left: 1px }
table.docinfo {
margin: 2em 4em }
table.docutils {
margin-top: 0.5em ;
margin-bottom: 0.5em }
table.footnote {
border-left: solid 1px black;
margin-left: 1px }
table.docutils td, table.docutils th,
table.docinfo td, table.docinfo th {
padding-left: 0.5em ;
padding-right: 0.5em ;
vertical-align: top }
table.docutils th.field-name, table.docinfo th.docinfo-name {
font-weight: bold ;
text-align: left ;
white-space: nowrap ;
padding-left: 0 }
/* "booktabs" style (no vertical lines) */
table.docutils.booktabs {
border: 0px;
border-top: 2px solid;
border-bottom: 2px solid;
border-collapse: collapse;
}
table.docutils.booktabs * {
border: 0px;
}
table.docutils.booktabs th {
border-bottom: thin solid;
text-align: left;
}
h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
font-size: 100% }
ul.auto-toc {
list-style-type: none }
</style>
</head>
<body>
<div class="document" id="authentication-openid-connect">
<h1 class="title">Authentication OpenID Connect</h1>
<!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! This file is generated by oca-gen-addon-readme !!
!! changes will be overwritten. !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! source digest: sha256:cd754fc72d2039d02ab1b8aec98af43fb9543c9a70f2150ab6e482954e4e83d6
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/18.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=18.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
<p>This module allows users to login through an OpenID Connect provider
using the authorization code flow or implicit flow.</p>
<p>Note the implicit flow is not recommended because it exposes access
tokens to the browser and in http logs.</p>
<p><strong>Table of contents</strong></p>
<div class="contents local topic" id="contents">
<ul class="simple">
<li><a class="reference internal" href="#installation" id="toc-entry-1">Installation</a></li>
<li><a class="reference internal" href="#configuration" id="toc-entry-2">Configuration</a><ul>
<li><a class="reference internal" href="#setup-for-microsoft-azure" id="toc-entry-3">Setup for Microsoft Azure</a></li>
<li><a class="reference internal" href="#setup-for-keycloak" id="toc-entry-4">Setup for Keycloak</a></li>
</ul>
</li>
<li><a class="reference internal" href="#usage" id="toc-entry-5">Usage</a></li>
<li><a class="reference internal" href="#known-issues-roadmap" id="toc-entry-6">Known issues / Roadmap</a></li>
<li><a class="reference internal" href="#changelog" id="toc-entry-7">Changelog</a><ul>
<li><a class="reference internal" href="#section-1" id="toc-entry-8">18.0.1.0.0 2024-10-09</a></li>
<li><a class="reference internal" href="#section-2" id="toc-entry-9">17.0.1.0.0 2024-03-20</a></li>
<li><a class="reference internal" href="#section-3" id="toc-entry-10">16.0.1.1.0 2024-02-28</a></li>
<li><a class="reference internal" href="#section-4" id="toc-entry-11">16.0.1.0.2 2023-11-16</a></li>
<li><a class="reference internal" href="#section-5" id="toc-entry-12">16.0.1.0.1 2023-10-09</a></li>
<li><a class="reference internal" href="#section-6" id="toc-entry-13">16.0.1.0.0 2023-01-27</a></li>
<li><a class="reference internal" href="#section-7" id="toc-entry-14">15.0.1.0.0 2023-01-06</a></li>
<li><a class="reference internal" href="#section-8" id="toc-entry-15">14.0.1.0.0 2021-12-10</a></li>
<li><a class="reference internal" href="#section-9" id="toc-entry-16">13.0.1.0.0 2020-04-10</a></li>
<li><a class="reference internal" href="#section-10" id="toc-entry-17">10.0.1.0.0 2018-10-05</a></li>
</ul>
</li>
<li><a class="reference internal" href="#bug-tracker" id="toc-entry-18">Bug Tracker</a></li>
<li><a class="reference internal" href="#credits" id="toc-entry-19">Credits</a><ul>
<li><a class="reference internal" href="#authors" id="toc-entry-20">Authors</a></li>
<li><a class="reference internal" href="#contributors" id="toc-entry-21">Contributors</a></li>
<li><a class="reference internal" href="#maintainers" id="toc-entry-22">Maintainers</a></li>
</ul>
</li>
</ul>
</div>
<div class="section" id="installation">
<h1><a class="toc-backref" href="#toc-entry-1">Installation</a></h1>
<p>This module depends on the
<a class="reference external" href="https://pypi.org/project/python-jose/">python-jose</a> library, not to
be confused with <tt class="docutils literal">jose</tt> which is also available on PyPI.</p>
</div>
<div class="section" id="configuration">
<h1><a class="toc-backref" href="#toc-entry-2">Configuration</a></h1>
<div class="section" id="setup-for-microsoft-azure">
<h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2>
<p>Example configuration with OpenID Connect authorization code flow.</p>
<ol class="arabic simple">
<li>configure a new web application in Azure with OpenID and code flow
(see the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider">provider
documentation</a>))</li>
<li>in this application the redirect url must be be “&lt;url of your
server&gt;/auth_oauth/signin” and of course this URL should be reachable
from Azure</li>
<li>create a new authentication provider in Odoo with the following
parameters (see the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings">portal
documentation</a>
for more information):</li>
</ol>
<p><img alt="image" src="https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png" /></p>
<p><img alt="image1" src="https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png" /></p>
<p>Single tenant provider limits the access to user of your tenant, while
Multitenants allow access for all AzureAD users, so user of foreign
companies can use their AzureAD login without an guest account.</p>
<ul class="simple">
<li>Provider Name: Azure AD Single Tenant</li>
<li>Client ID: Application (client) id</li>
<li>Client Secret: Client secret</li>
<li>Allowed: yes</li>
</ul>
<p>or</p>
<ul class="simple">
<li>Provider Name: Azure AD Multitenant</li>
<li>Client ID: Application (client) id</li>
<li>Client Secret: Client secret</li>
<li>Allowed: yes</li>
<li>replace {tenant_id} in urls with your Azure tenant id</li>
</ul>
<p><img alt="image2" src="https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png" /></p>
</div>
<div class="section" id="setup-for-keycloak">
<h2><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h2>
<p>Example configuration with OpenID Connect authorization code flow.</p>
<p>In Keycloak:</p>
<ol class="arabic simple">
<li>configure a new Client</li>
<li>make sure Authorization Code Flow is Enabled.</li>
<li>configure the client Access Type as “confidential” and take note of
the client secret in the Credentials tab</li>
<li>configure the redirect url to be “&lt;url of your
server&gt;/auth_oauth/signin”</li>
</ol>
<p>In Odoo, create a new Oauth Provider with the following parameters:</p>
<ul class="simple">
<li>Provider name: Keycloak (or any name you like that identify your
keycloak provider)</li>
<li>Auth Flow: OpenID Connect (authorization code flow)</li>
<li>Client ID: the same Client ID you entered when configuring the client
in Keycloak</li>
<li>Client Secret: found in keycloak on the client Credentials tab</li>
<li>Allowed: yes</li>
<li>Body: the link text to appear on the login page, such as Login with
Keycloak</li>
<li>Scope: openid email</li>
<li>Authentication URL: The “authorization_endpoint” URL found in the
OpenID Endpoint Configuration of your Keycloak realm</li>
<li>Token URL: The “token_endpoint” URL found in the OpenID Endpoint
Configuration of your Keycloak realm</li>
<li>JWKS URL: The “jwks_uri” URL found in the OpenID Endpoint
Configuration of your Keycloak realm</li>
</ul>
</div>
</div>
<div class="section" id="usage">
<h1><a class="toc-backref" href="#toc-entry-5">Usage</a></h1>
<p>On the login page, click on the authentication provider you configured.</p>
</div>
<div class="section" id="known-issues-roadmap">
<h1><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h1>
<ul class="simple">
<li>When going to the login screen, check for a existing token and do a
direct login without the clicking on the SSO link</li>
<li>When doing a logout an extra option to also logout at the SSO
provider.</li>
</ul>
</div>
<div class="section" id="changelog">
<h1><a class="toc-backref" href="#toc-entry-7">Changelog</a></h1>
<div class="section" id="section-1">
<h2><a class="toc-backref" href="#toc-entry-8">18.0.1.0.0 2024-10-09</a></h2>
<ul class="simple">
<li>Odoo 18 migration</li>
</ul>
</div>
<div class="section" id="section-2">
<h2><a class="toc-backref" href="#toc-entry-9">17.0.1.0.0 2024-03-20</a></h2>
<ul class="simple">
<li>Odoo 17 migration</li>
</ul>
</div>
<div class="section" id="section-3">
<h2><a class="toc-backref" href="#toc-entry-10">16.0.1.1.0 2024-02-28</a></h2>
<ul class="simple">
<li>Forward port OpenID Connect fixes from 15.0 to 16.0</li>
</ul>
</div>
<div class="section" id="section-4">
<h2><a class="toc-backref" href="#toc-entry-11">16.0.1.0.2 2023-11-16</a></h2>
<ul class="simple">
<li>Readme link updates</li>
</ul>
</div>
<div class="section" id="section-5">
<h2><a class="toc-backref" href="#toc-entry-12">16.0.1.0.1 2023-10-09</a></h2>
<ul class="simple">
<li>Add AzureAD code flow provider</li>
</ul>
</div>
<div class="section" id="section-6">
<h2><a class="toc-backref" href="#toc-entry-13">16.0.1.0.0 2023-01-27</a></h2>
<ul class="simple">
<li>Odoo 16 migration</li>
</ul>
</div>
<div class="section" id="section-7">
<h2><a class="toc-backref" href="#toc-entry-14">15.0.1.0.0 2023-01-06</a></h2>
<ul class="simple">
<li>Odoo 15 migration</li>
</ul>
</div>
<div class="section" id="section-8">
<h2><a class="toc-backref" href="#toc-entry-15">14.0.1.0.0 2021-12-10</a></h2>
<ul class="simple">
<li>Odoo 14 migration</li>
</ul>
</div>
<div class="section" id="section-9">
<h2><a class="toc-backref" href="#toc-entry-16">13.0.1.0.0 2020-04-10</a></h2>
<ul class="simple">
<li>Odoo 13 migration, add authorization code flow.</li>
</ul>
</div>
<div class="section" id="section-10">
<h2><a class="toc-backref" href="#toc-entry-17">10.0.1.0.0 2018-10-05</a></h2>
<ul class="simple">
<li>Initial implementation</li>
</ul>
</div>
</div>
<div class="section" id="bug-tracker">
<h1><a class="toc-backref" href="#toc-entry-18">Bug Tracker</a></h1>
<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
In case of trouble, please check there if your issue has already been reported.
If you spotted it first, help us to smash it by providing a detailed and welcomed
<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
<p>Do not contact contributors directly about support or help with technical issues.</p>
</div>
<div class="section" id="credits">
<h1><a class="toc-backref" href="#toc-entry-19">Credits</a></h1>
<div class="section" id="authors">
<h2><a class="toc-backref" href="#toc-entry-20">Authors</a></h2>
<ul class="simple">
<li>ICTSTUDIO</li>
<li>André Schenkels</li>
<li>ACSONE SA/NV</li>
</ul>
</div>
<div class="section" id="contributors">
<h2><a class="toc-backref" href="#toc-entry-21">Contributors</a></h2>
<ul class="simple">
<li>Alexandre Fayolle &lt;<a class="reference external" href="mailto:alexandre.fayolle&#64;camptocamp.com">alexandre.fayolle&#64;camptocamp.com</a>&gt;</li>
<li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
<li>David Jaen &lt;<a class="reference external" href="mailto:david.jaen.revert&#64;gmail.com">david.jaen.revert&#64;gmail.com</a>&gt;</li>
<li>Andreas Perhab &lt;<a class="reference external" href="mailto:andreas.perhab&#64;wt-io-it.at">andreas.perhab&#64;wt-io-it.at</a>&gt;</li>
</ul>
</div>
<div class="section" id="maintainers">
<h2><a class="toc-backref" href="#toc-entry-22">Maintainers</a></h2>
<p>This module is maintained by the OCA.</p>
<a class="reference external image-reference" href="https://odoo-community.org">
<img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" />
</a>
<p>OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.</p>
<p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
<p><a class="reference external image-reference" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/18.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
<p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
</div>
</div>
</div>
</body>
</html>

BIN
static/description/oauth-microsoft_azure-api_permissions.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB

BIN
static/description/oauth-microsoft_azure-optional_claims.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 43 KiB

BIN
static/description/odoo-azure_ad_multitenant.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

1
tests/__init__.py Normal file
View File

@ -0,0 +1 @@
from . import test_auth_oidc_auth_code

1997
tests/keycloak/keycloak-config.json Normal file
View File

File diff suppressed because it is too large Load Diff

10
tests/keycloak/keycloak.sh Normal file
View File

@ -0,0 +1,10 @@
#!/bin/sh
set -x
$(which docker || which podman) run --rm \
-v $(dirname $0)/keycloak-config.json:/tmp/keycloak-config.json \
-p 8080:8080 \
quay.io/keycloak/keycloak:12.0.4 \
-Dkeycloak.migration.action=import \
-Dkeycloak.migration.provider=singleFile \
-Dkeycloak.migration.file=/tmp/keycloak-config.json \
-Dkeycloak.migration.strategy=OVERWRITE_EXISTING

321
tests/test_auth_oidc_auth_code.py Normal file
View File

@ -0,0 +1,321 @@
# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
import contextlib
import json
import logging
from urllib.parse import parse_qs, urlparse
import responses
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from jose import jwt
from jose.exceptions import JWTError
from jose.utils import long_to_base64
import odoo
from odoo.exceptions import AccessDenied
from odoo.tests import common
from odoo.addons.website.tools import MockRequest as _MockRequest
from ..controllers.main import OpenIDLogin
BASE_URL = f"http://localhost:{odoo.tools.config['http_port']}"
@contextlib.contextmanager
def MockRequest(env):
with _MockRequest(env) as request:
request.httprequest.url_root = BASE_URL + "/"
request.params = {}
yield request
class TestAuthOIDCAuthorizationCodeFlow(common.HttpCase):
@classmethod
def setUpClass(cls):
super().setUpClass()
(
cls.rsa_key_pem,
cls.rsa_key_public_pem,
cls.rsa_key_public_jwk,
) = cls._generate_key()
_, cls.second_key_public_pem, _ = cls._generate_key()
@staticmethod
def _generate_key():
rsa_key = rsa.generate_private_key(
public_exponent=65537,
key_size=4096,
)
rsa_key_pem = rsa_key.private_bytes(
serialization.Encoding.PEM,
serialization.PrivateFormat.TraditionalOpenSSL,
serialization.NoEncryption(),
).decode("utf8")
rsa_key_public = rsa_key.public_key()
rsa_key_public_pem = rsa_key_public.public_bytes(
serialization.Encoding.PEM,
serialization.PublicFormat.SubjectPublicKeyInfo,
).decode("utf8")
jwk = {
# https://datatracker.ietf.org/doc/html/rfc7518#section-6.1
"kty": "RSA",
"use": "sig",
"n": long_to_base64(rsa_key_public.public_numbers().n).decode("utf-8"),
"e": long_to_base64(rsa_key_public.public_numbers().e).decode("utf-8"),
}
return rsa_key_pem, rsa_key_public_pem, jwk
def setUp(self):
super().setUp()
# search our test provider and bind the demo user to it
self.provider_rec = self.env["auth.oauth.provider"].search(
[("client_id", "=", "auth_oidc-test")]
)
self.assertEqual(len(self.provider_rec), 1)
def test_auth_link(self):
"""Test that the authentication link is correct."""
# disable existing providers except our test provider
self.env["auth.oauth.provider"].search(
[("client_id", "!=", "auth_oidc-test")]
).write(dict(enabled=False))
with MockRequest(self.env):
providers = OpenIDLogin().list_providers()
self.assertEqual(len(providers), 1)
auth_link = providers[0]["auth_link"]
assert auth_link.startswith(self.provider_rec.auth_endpoint)
params = parse_qs(urlparse(auth_link).query)
self.assertEqual(params["response_type"], ["code"])
self.assertEqual(params["client_id"], [self.provider_rec.client_id])
self.assertEqual(params["scope"], ["openid email"])
self.assertTrue(params["code_challenge"])
self.assertEqual(params["code_challenge_method"], ["S256"])
self.assertTrue(params["nonce"])
self.assertTrue(params["state"])
self.assertEqual(params["redirect_uri"], [BASE_URL + "/auth_oauth/signin"])
def _prepare_login_test_user(self):
user = self.env.ref("base.user_demo")
user.write({"oauth_provider_id": self.provider_rec.id, "oauth_uid": user.login})
return user
def _prepare_login_test_responses(
self, access_token="42", id_token_body=None, id_token_headers=None, keys=None
):
if id_token_body is None:
id_token_body = {}
if id_token_headers is None:
id_token_headers = {"kid": "the_key_id"}
responses.add(
responses.POST,
"http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
json={
"access_token": access_token,
"id_token": jwt.encode(
id_token_body,
self.rsa_key_pem,
algorithm="RS256",
headers=id_token_headers,
),
},
)
if keys is None:
if "kid" in id_token_headers:
keys = [{"kid": "the_key_id", "keys": [self.rsa_key_public_pem]}]
else:
keys = [{"keys": [self.rsa_key_public_pem]}]
responses.add(
responses.GET,
"http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
json={"keys": keys},
)
@responses.activate
def test_login(self):
"""Test that login works"""
user = self._prepare_login_test_user()
self._prepare_login_test_responses(id_token_body={"user_id": user.login})
params = {"state": json.dumps({})}
with MockRequest(self.env):
db, login, token = self.env["res.users"].auth_oauth(
self.provider_rec.id,
params,
)
self.assertEqual(token, "42")
self.assertEqual(login, user.login)
@responses.activate
def test_login_without_kid(self):
"""Test that login works when ID Token has no kid in header"""
user = self._prepare_login_test_user()
self._prepare_login_test_responses(
id_token_body={"user_id": user.login},
id_token_headers={},
access_token=chr(42),
)
params = {"state": json.dumps({})}
with MockRequest(self.env):
db, login, token = self.env["res.users"].auth_oauth(
self.provider_rec.id,
params,
)
self.assertEqual(token, "*")
self.assertEqual(login, user.login)
@responses.activate
def test_login_with_sub_claim(self):
"""Test that login works when ID Token contains only standard claims"""
self.provider_rec.token_map = False
user = self._prepare_login_test_user()
self._prepare_login_test_responses(
id_token_body={"sub": user.login}, access_token="1764"
)
params = {"state": json.dumps({})}
with MockRequest(self.env):
db, login, token = self.env["res.users"].auth_oauth(
self.provider_rec.id,
params,
)
self.assertEqual(token, "1764")
self.assertEqual(login, user.login)
@responses.activate
def test_login_without_kid_multiple_keys_in_jwks(self):
"""
Test that login fails if no kid is provided in ID Token and JWKS has multiple
keys
"""
user = self._prepare_login_test_user()
self._prepare_login_test_responses(
id_token_body={"user_id": user.login},
id_token_headers={},
access_token="6*7",
keys=[
{"kid": "other_key_id", "keys": [self.second_key_public_pem]},
{"kid": "the_key_id", "keys": [self.rsa_key_public_pem]},
],
)
with self.assertRaises(
JWTError,
msg="OpenID Connect requires kid to be set if there is"
" more than one key in the JWKS",
):
with MockRequest(self.env):
self.env["res.users"].auth_oauth(
self.provider_rec.id,
{"state": json.dumps({})},
)
@responses.activate
def test_login_without_matching_key(self):
"""Test that login fails if no matching key can be found"""
user = self._prepare_login_test_user()
self._prepare_login_test_responses(
id_token_body={"user_id": user.login},
id_token_headers={},
access_token="168/4",
keys=[{"kid": "other_key_id", "keys": [self.second_key_public_pem]}],
)
with self.assertRaises(JWTError):
with MockRequest(self.env):
self.env["res.users"].auth_oauth(
self.provider_rec.id,
{"state": json.dumps({})},
)
@responses.activate
def test_login_without_any_key(self):
"""Test that login fails if no key is provided by JWKS"""
user = self._prepare_login_test_user()
self._prepare_login_test_responses(
id_token_body={"user_id": user.login},
id_token_headers={},
access_token="168/4",
keys=[],
)
with (
self.assertRaises(AccessDenied),
MockRequest(self.env),
self.assertLogs(level=logging.ERROR) as logs,
):
self.env["res.users"].auth_oauth(
self.provider_rec.id,
{"state": json.dumps({})},
)
self.assertEqual(len(logs.records), 1)
self.assertEqual(logs.records[0].levelno, logging.ERROR)
self.assertEqual(
"ERROR:odoo.addons.auth_oidc.models.res_users:user_id claim not found in"
" id_token (after mapping).",
logs.output[0],
)
@responses.activate
def test_login_with_multiple_keys_in_jwks(self):
"""Test that login works with multiple keys present in jwks"""
user = self._prepare_login_test_user()
self._prepare_login_test_responses(
id_token_body={"user_id": user.login},
access_token="2*3*7",
keys=[
{"kid": "other_key_id", "keys": [self.second_key_public_pem]},
{"kid": "the_key_id", "keys": [self.rsa_key_public_pem]},
],
)
with MockRequest(self.env):
db, login, token = self.env["res.users"].auth_oauth(
self.provider_rec.id,
{"state": json.dumps({})},
)
self.assertEqual(token, "2*3*7")
self.assertEqual(login, user.login)
@responses.activate
def test_login_with_multiple_keys_in_jwks_same_kid(self):
"""Test that login works with multiple keys with the same kid present in jwks"""
user = self._prepare_login_test_user()
self._prepare_login_test_responses(
id_token_body={"user_id": user.login},
access_token="84/2",
keys=[
{"kid": "the_key_id", "keys": [self.second_key_public_pem]},
{"kid": "the_key_id", "keys": [self.rsa_key_public_pem]},
],
)
with MockRequest(self.env):
db, login, token = self.env["res.users"].auth_oauth(
self.provider_rec.id,
{"state": json.dumps({})},
)
self.assertEqual(token, "84/2")
self.assertEqual(login, user.login)
@responses.activate
def test_login_with_jwk_format(self):
"""Test that login works with proper jwks format"""
user = self._prepare_login_test_user()
self.rsa_key_public_jwk["kid"] = "the_key_id"
self._prepare_login_test_responses(
id_token_body={"user_id": user.login},
keys=[self.rsa_key_public_jwk],
access_token="122/3",
)
with MockRequest(self.env):
db, login, token = self.env["res.users"].auth_oauth(
self.provider_rec.id,
{"state": json.dumps({})},
)
self.assertEqual(token, "122/3")
self.assertEqual(login, user.login)

24
views/auth_oauth_provider.xml Normal file
View File

@ -0,0 +1,24 @@
<?xml version="1.0" ?>
<odoo>
<record model="ir.ui.view" id="view_oidc_provider_form">
<field name="name">auth.oidc.provider.form</field>
<field name="model">auth.oauth.provider</field>
<field name="inherit_id" ref="auth_oauth.view_oauth_provider_form" />
<field name="arch" type="xml">
<field name="name" position="after">
<field name="flow" />
<field
name="token_map"
placeholder="e.g from:to upn:email sub:user_id"
/>
</field>
<field name="client_id" position="after">
<field name="client_secret" />
</field>
<field name="validation_endpoint" position="after">
<field name="token_endpoint" />
<field name="jwks_uri" />
</field>
</field>
</record>
</odoo>