Skip to content

Commit

Permalink
Merge pull request #7 from lalithkota/17.0
Browse files Browse the repository at this point in the history 
Migrated Auth oidc module from OpenG2P 15.0
  • Loading branch information
@shibu-narayanan
shibu-narayanan authored Mar 26, 2024
2 parents 1980ff8 + 29f5705 commit 5ae5c8d
Show file tree
Hide file tree
Showing 27 changed files with 3,872 additions and 0 deletions.
211 changes: 211 additions & 0 deletions auth_oidc/README.rst
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,211 @@
=============================
Authentication OpenID Connect
=============================

..
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! This file is generated by oca-gen-addon-readme !!
!! changes will be overwritten. !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!! source digest: sha256:acfe8d0c9dcffed52abbc2939ddc8e459aab07c68ba3cdb300196c4c367555ea
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
:target: https://odoo-community.org/page/development-status
:alt: Beta
.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
:target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
:alt: License: AGPL-3
.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
:target: https://github.com/OCA/server-auth/tree/17.0/auth_oidc
:alt: OCA/server-auth
.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
:target: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oidc
:alt: Translate me on Weblate
.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
:target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=17.0
:alt: Try me on Runboat

|badge1| |badge2| |badge3| |badge4| |badge5|

This module allows users to login through an OpenID Connect provider
using the authorization code flow or implicit flow.

Note the implicit flow is not recommended because it exposes access
tokens to the browser and in http logs.

**Table of contents**

.. contents::
:local:

Installation
============

This module depends on the
`python-jose <https://pypi.org/project/python-jose/>`__ library, not to
be confused with ``jose`` which is also available on PyPI.

Configuration
=============

Setup for Microsoft Azure
-------------------------

Example configuration with OpenID Connect implicit flow. This
configuration is not recommended because it exposes the access token to
the client, and in logs.

1. configure a new web application in Azure with OpenID and implicit
flow (see the `provider
documentation <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider>`__))
2. in this application the redirect url must be be "<url of your
server>/auth_oauth/signin" and of course this URL should be reachable
from Azure
3. create a new authentication provider in Odoo with the following
parameters (see the `portal
documentation <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings>`__
for more information):

- Provider Name: Azure
- Auth Flow: OpenID Connect
- Client ID: use the value of the OAuth2 autorization endoing (v2) from
the Azure Endpoints list
- Body: Azure SSO
- Authentication URL: use the value of "OAuth2 autorization endpoint
(v2)" from the Azure endpoints list
- Scope: openid email
- Validation URL: use the value of "OAuth2 token endpoint (v2)" from
the Azure endpoints list
- Allowed: yes

Setup for Keycloak
------------------

Example configuration with OpenID Connect authorization code flow.

In Keycloak:

1. configure a new Client
2. make sure Authorization Code Flow is Enabled.
3. configure the client Access Type as "confidential" and take note of
the client secret in the Credentials tab
4. configure the redirect url to be "<url of your
server>/auth_oauth/signin"

In Odoo, create a new Oauth Provider with the following parameters:

- Provider name: Keycloak (or any name you like that identify your
keycloak provider)
- Auth Flow: OpenID Connect (authorization code flow)
- Client ID: the same Client ID you entered when configuring the client
in Keycloak
- Client Secret: found in keycloak on the client Credentials tab
- Allowed: yes
- Body: the link text to appear on the login page, such as Login with
Keycloak
- Scope: openid email
- Authentication URL: The "authorization_endpoint" URL found in the
OpenID Endpoint Configuration of your Keycloak realm
- Token URL: The "token_endpoint" URL found in the OpenID Endpoint
Configuration of your Keycloak realm
- JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
Configuration of your Keycloak realm

Usage
=====

On the login page, click on the authentication provider you configured.

Known issues / Roadmap
======================

- When going to the login screen, check for a existing token and do a
direct login without the clicking on the SSO link
- When doing a logout an extra option to also logout at the SSO
provider.

Changelog
=========

15.0.1.1.0 2023-11-22
---------------------

- Forward port OpenID Connect fixes from 14.0 to 15.0

15.0.1.0.1 2023-02-12
---------------------

- Readme warnings

15.0.1.0.0 2023-01-06
---------------------

- Odoo 15 migration

14.0.1.0.0 2021-12-10
---------------------

- Odoo 14 migration

13.0.1.0.0 2020-04-10
---------------------

- Odoo 13 migration, add authorization code flow.

10.0.1.0.0 2018-10-05
---------------------

- Initial implementation

Bug Tracker
===========

Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
In case of trouble, please check there if your issue has already been reported.
If you spotted it first, help us to smash it by providing a detailed and welcomed
`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.

Do not contact contributors directly about support or help with technical issues.

Credits
=======

Authors
-------

* ICTSTUDIO
* André Schenkels
* ACSONE SA/NV

Contributors
------------

- Alexandre Fayolle <[email protected]>
- Stéphane Bidoul <[email protected]>
- Andreas Perhab <[email protected]>

Maintainers
-----------

This module is maintained by the OCA.

.. image:: https://odoo-community.org/logo.png
:alt: Odoo Community Association
:target: https://odoo-community.org

OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.

.. |maintainer-sbidoul| image:: https://github.com/sbidoul.png?size=40px
:target: https://github.com/sbidoul
:alt: sbidoul

Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:

|maintainer-sbidoul|

This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/17.0/auth_oidc>`_ project on GitHub.

You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
5 changes: 5 additions & 0 deletions auth_oidc/__init__.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,5 @@
# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)

from . import controllers
from . import models
21 changes: 21 additions & 0 deletions auth_oidc/__manifest__.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)

{
"name": "Authentication OpenID Connect",
"version": "17.0.1.1.0",
"license": "AGPL-3",
"author": (
"ICTSTUDIO, André Schenkels, "
"ACSONE SA/NV, "
"Odoo Community Association (OCA)"
),
"maintainers": ["sbidoul"],
"website": "https://github.com/OCA/server-auth",
"summary": "Allow users to login through OpenID Connect Provider",
"external_dependencies": {"python": ["python-jose"]},
"depends": ["auth_oauth"],
"data": ["views/auth_oauth_provider.xml"],
"demo": ["demo/local_keycloak.xml"],
}
4 changes: 4 additions & 0 deletions auth_oidc/controllers/__init__.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)

from . import main
80 changes: 80 additions & 0 deletions auth_oidc/controllers/main.py
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,80 @@
# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)

import base64
import hashlib
import json
import logging
import secrets

from werkzeug.urls import url_decode, url_encode

from odoo.http import request

from odoo.addons.auth_oauth.controllers.main import OAuthLogin

_logger = logging.getLogger(__name__)


class OpenIDLogin(OAuthLogin):
def list_providers_oauth(self, domain=None):
if not domain:
domain = [("enabled", "=", True)]
try:
providers = request.env["auth.oauth.provider"].sudo().search_read(domain)
except Exception:
providers = []
for provider in providers:
return_url = request.httprequest.url_root + "auth_oauth/signin"
state = self.get_state(provider)
params = dict(
response_type="token",
client_id=provider["client_id"],
redirect_uri=return_url,
scope=provider["scope"],
state=json.dumps(state),
# nonce=base64.urlsafe_b64encode(os.urandom(16)),
)
provider["auth_link"] = f"{provider['auth_endpoint']}?{url_encode(params)}"
return providers

def list_providers(self, domain=None):
providers = self.list_providers_oauth(domain)
for provider in providers:
flow = provider.get("flow")
if flow in ("id_token", "id_token_code"):
params = url_decode(provider["auth_link"].split("?")[-1])
# nonce
params["nonce"] = secrets.token_urlsafe()
# response_type
if flow == "id_token":
# https://openid.net/specs/openid-connect-core-1_0.html
# #ImplicitAuthRequest
params["response_type"] = "id_token token"
elif flow == "id_token_code":
# https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
params["response_type"] = "code"
# PKCE (https://tools.ietf.org/html/rfc7636)
code_verifier = provider["code_verifier"]
code_challenge = base64.urlsafe_b64encode(
hashlib.sha256(code_verifier.encode("ascii")).digest()
).rstrip(b"=")
params["code_challenge"] = code_challenge
params["code_challenge_method"] = "S256"
# scope
if provider.get("scope"):
if "openid" not in provider["scope"].split():
_logger.error("openid connect scope must contain 'openid'")
params["scope"] = provider["scope"]

# extra authorize parameters
extra_auth_params = provider.get("extra_authorize_params", "{}")
if extra_auth_params:
params.update(json.loads(extra_auth_params))

# auth link that the user will click
provider["auth_link"] = "{}?{}".format(
provider["auth_endpoint"], url_encode(params)
)
return providers
20 changes: 20 additions & 0 deletions auth_oidc/demo/local_keycloak.xml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,20 @@
<odoo>
<record id="local_keycloak" model="auth.oauth.provider">
<field name="name">keycloak:8080 on localhost</field>
<field name="flow">id_token_code</field>
<field name="client_id">auth_oidc-test</field>
<field name="token_map">preferred_username:user_id</field>
<field name="body">keycloak:8080 on localhost</field>
<field name="enabled" eval="True" />
<field name="scope">openid email</field>
<field
name="auth_endpoint"
>http://localhost:8080/auth/realms/master/protocol/openid-connect/auth</field>
<field
name="token_endpoint"
>http://localhost:8080/auth/realms/master/protocol/openid-connect/token</field>
<field
name="jwks_uri"
>http://localhost:8080/auth/realms/master/protocol/openid-connect/certs</field>
</record>
</odoo>
Loading

0 comments on commit 5ae5c8d

Please sign in to comment.