Merge pull request #513 from OCA/18.0

Syncing from upstream OCA/server-auth (18.0)

README.md

@@ -24,6 +24,7 @@ addon | version | maintainers | summary
 [auth_api_key](auth_api_key/) | 18.0.1.0.0 |  | Authenticate http requests from an API key
 [auth_api_key_group](auth_api_key_group/) | 18.0.1.0.0 | [![simahawk](https://github.com/simahawk.png?size=30px)](https://github.com/simahawk) | Allow grouping API keys together. Grouping per se does nothing. This feature is supposed to be used by other modules to limit access to services or records based on groups of keys.
 [auth_api_key_server_env](auth_api_key_server_env/) | 18.0.1.0.0 |  | Configure api keys via server env. This can be very useful to avoid mixing your keys between your various environments when restoring databases. All you have to do is to add a new section to your configuration file according to the following convention:
+[auth_oidc](auth_oidc/) | 18.0.1.0.0 | [![sbidoul](https://github.com/sbidoul.png?size=30px)](https://github.com/sbidoul) | Allow users to login through OpenID Connect Provider
 [base_user_empty_password](base_user_empty_password/) | 18.0.1.0.0 | [![grindtildeath](https://github.com/grindtildeath.png?size=30px)](https://github.com/grindtildeath) | Allows to empty password of users
 
 [//]: # (end addons)

auth_oidc/README.rst

@@ -0,0 +1,247 @@
+=============================
+Authentication OpenID Connect
+=============================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:cd754fc72d2039d02ab1b8aec98af43fb9543c9a70f2150ab6e482954e4e83d6
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/18.0/auth_oidc
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_oidc
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=18.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module allows users to login through an OpenID Connect provider
+using the authorization code flow or implicit flow.
+
+Note the implicit flow is not recommended because it exposes access
+tokens to the browser and in http logs.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Installation
+============
+
+This module depends on the
+`python-jose <https://pypi.org/project/python-jose/>`__ library, not to
+be confused with ``jose`` which is also available on PyPI.
+
+Configuration
+=============
+
+Setup for Microsoft Azure
+-------------------------
+
+Example configuration with OpenID Connect authorization code flow.
+
+1. configure a new web application in Azure with OpenID and code flow
+   (see the `provider
+   documentation <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider>`__))
+
+2. in this application the redirect url must be be "<url of your
+   server>/auth_oauth/signin" and of course this URL should be reachable
+   from Azure
+
+3. create a new authentication provider in Odoo with the following
+   parameters (see the `portal
+   documentation <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings>`__
+   for more information):
+
+|image|
+
+|image1|
+
+Single tenant provider limits the access to user of your tenant, while
+Multitenants allow access for all AzureAD users, so user of foreign
+companies can use their AzureAD login without an guest account.
+
+-  Provider Name: Azure AD Single Tenant
+-  Client ID: Application (client) id
+-  Client Secret: Client secret
+-  Allowed: yes
+
+or
+
+-  Provider Name: Azure AD Multitenant
+-  Client ID: Application (client) id
+-  Client Secret: Client secret
+-  Allowed: yes
+-  replace {tenant_id} in urls with your Azure tenant id
+
+|image2|
+
+Setup for Keycloak
+------------------
+
+Example configuration with OpenID Connect authorization code flow.
+
+In Keycloak:
+
+1. configure a new Client
+2. make sure Authorization Code Flow is Enabled.
+3. configure the client Access Type as "confidential" and take note of
+   the client secret in the Credentials tab
+4. configure the redirect url to be "<url of your
+   server>/auth_oauth/signin"
+
+In Odoo, create a new Oauth Provider with the following parameters:
+
+-  Provider name: Keycloak (or any name you like that identify your
+   keycloak provider)
+-  Auth Flow: OpenID Connect (authorization code flow)
+-  Client ID: the same Client ID you entered when configuring the client
+   in Keycloak
+-  Client Secret: found in keycloak on the client Credentials tab
+-  Allowed: yes
+-  Body: the link text to appear on the login page, such as Login with
+   Keycloak
+-  Scope: openid email
+-  Authentication URL: The "authorization_endpoint" URL found in the
+   OpenID Endpoint Configuration of your Keycloak realm
+-  Token URL: The "token_endpoint" URL found in the OpenID Endpoint
+   Configuration of your Keycloak realm
+-  JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
+   Configuration of your Keycloak realm
+
+.. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
+.. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
+.. |image2| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png
+
+Usage
+=====
+
+On the login page, click on the authentication provider you configured.
+
+Known issues / Roadmap
+======================
+
+-  When going to the login screen, check for a existing token and do a
+   direct login without the clicking on the SSO link
+-  When doing a logout an extra option to also logout at the SSO
+   provider.
+
+Changelog
+=========
+
+18.0.1.0.0 2024-10-09
+---------------------
+
+-  Odoo 18 migration
+
+17.0.1.0.0 2024-03-20
+---------------------
+
+-  Odoo 17 migration
+
+16.0.1.1.0 2024-02-28
+---------------------
+
+-  Forward port OpenID Connect fixes from 15.0 to 16.0
+
+16.0.1.0.2 2023-11-16
+---------------------
+
+-  Readme link updates
+
+16.0.1.0.1 2023-10-09
+---------------------
+
+-  Add AzureAD code flow provider
+
+16.0.1.0.0 2023-01-27
+---------------------
+
+-  Odoo 16 migration
+
+15.0.1.0.0 2023-01-06
+---------------------
+
+-  Odoo 15 migration
+
+14.0.1.0.0 2021-12-10
+---------------------
+
+-  Odoo 14 migration
+
+13.0.1.0.0 2020-04-10
+---------------------
+
+-  Odoo 13 migration, add authorization code flow.
+
+10.0.1.0.0 2018-10-05
+---------------------
+
+-  Initial implementation
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* ICTSTUDIO
+* André Schenkels
+* ACSONE SA/NV
+
+Contributors
+------------
+
+-  Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
+-  Stéphane Bidoul <stephane.bidoul@acsone.eu>
+-  David Jaen <david.jaen.revert@gmail.com>
+-  Andreas Perhab <andreas.perhab@wt-io-it.at>
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+.. |maintainer-sbidoul| image:: https://github.com/sbidoul.png?size=40px
+    :target: https://github.com/sbidoul
+    :alt: sbidoul
+
+Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-sbidoul| 
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/18.0/auth_oidc>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

auth_oidc/__init__.py

@@ -0,0 +1,5 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import controllers
+from . import models

auth_oidc/__manifest__.py

@@ -0,0 +1,21 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+{
+    "name": "Authentication OpenID Connect",
+    "version": "18.0.1.0.0",
+    "license": "AGPL-3",
+    "author": (
+        "ICTSTUDIO, André Schenkels, "
+        "ACSONE SA/NV, "
+        "Odoo Community Association (OCA)"
+    ),
+    "maintainers": ["sbidoul"],
+    "website": "https://github.com/OCA/server-auth",
+    "summary": "Allow users to login through OpenID Connect Provider",
+    "external_dependencies": {"python": ["python-jose"]},
+    "depends": ["auth_oauth"],
+    "data": ["views/auth_oauth_provider.xml", "data/auth_oauth_data.xml"],
+    "demo": ["demo/local_keycloak.xml"],
+}

auth_oidc/controllers/__init__.py

@@ -0,0 +1,4 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import main

auth_oidc/controllers/main.py

@@ -0,0 +1,50 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import base64
+import hashlib
+import logging
+import secrets
+
+from werkzeug.urls import url_decode, url_encode
+
+from odoo.addons.auth_oauth.controllers.main import OAuthLogin
+
+_logger = logging.getLogger(__name__)
+
+
+class OpenIDLogin(OAuthLogin):
+    def list_providers(self):
+        providers = super().list_providers()
+        for provider in providers:
+            flow = provider.get("flow")
+            if flow in ("id_token", "id_token_code"):
+                params = url_decode(provider["auth_link"].split("?")[-1])
+                # nonce
+                params["nonce"] = secrets.token_urlsafe()
+                # response_type
+                if flow == "id_token":
+                    # https://openid.net/specs/openid-connect-core-1_0.html
+                    # #ImplicitAuthRequest
+                    params["response_type"] = "id_token token"
+                elif flow == "id_token_code":
+                    # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+                    params["response_type"] = "code"
+                # PKCE (https://tools.ietf.org/html/rfc7636)
+                code_verifier = provider["code_verifier"]
+                code_challenge = base64.urlsafe_b64encode(
+                    hashlib.sha256(code_verifier.encode("ascii")).digest()
+                ).rstrip(b"=")
+                params["code_challenge"] = code_challenge
+                params["code_challenge_method"] = "S256"
+                # scope
+                if provider.get("scope"):
+                    if "openid" not in provider["scope"].split():
+                        _logger.error("openid connect scope must contain 'openid'")
+                    params["scope"] = provider["scope"]
+                # auth link that the user will click
+                provider["auth_link"] = "{}?{}".format(
+                    provider["auth_endpoint"], url_encode(params)
+                )
+        return providers

auth_oidc/data/auth_oauth_data.xml

@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<odoo noupdate="1">
+    <record id="provider_azuread_multi" model="auth.oauth.provider">
+        <field name="name">Azure AD Multitenant</field>
+        <field name="flow">id_token_code</field>
+        <field name="enabled">False</field>
+        <field name="token_map">upn:user_id upn:email</field>
+        <field
+            name="auth_endpoint"
+        >https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize</field>
+        <field name="scope">profile openid</field>
+        <field
+            name="token_endpoint"
+        >https://login.microsoftonline.com/organizations/oauth2/v2.0/token</field>
+        <field
+            name="jwks_uri"
+        >https://login.microsoftonline.com/organizations/discovery/v2.0/keys</field>
+        <field name="css_class">fa fa-fw fa-windows</field>
+        <field name="body">Log in with Microsoft</field>
+    </record>
+    <record id="provider_azuread_single" model="auth.oauth.provider">
+        <field name="name">Azure AD Single Tenant</field>
+        <field name="flow">id_token_code</field>
+        <field name="enabled">False</field>
+        <field name="token_map">upn:user_id upn:email</field>
+        <field
+            name="auth_endpoint"
+        >https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize</field>
+        <field name="scope">profile openid</field>
+        <field
+            name="token_endpoint"
+        >https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token</field>
+        <field
+            name="jwks_uri"
+        >https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys</field>
+        <field name="css_class">fa fa-fw fa-windows</field>
+        <field name="body">Log in with Microsoft</field>
+    </record>
+</odoo>