From f83c58860676610987779540858588624b1d44f1 Mon Sep 17 00:00:00 2001 From: wluyima Date: Mon, 10 Jun 2024 13:12:04 +0300 Subject: [PATCH 1/5] [IMP] auth_oidc: add end_session_endpoint field to AuthOauthProvider import Session from sessions file overwrite logout super to allow non local redirect Original commit: 9b6f5eed7932bfcabfe5ac4887119f8f94a10939 * Added a mechanism to logout the user from the auth provider * Skip IDP logout if user has no IDP account * Fixed IDP redirect url to include base URL and logout URL to provider form * Skip IDP logout of no logout URL is configured for the provider * Fixed logout for user with no IDP account * Added support for params in logout URL and encoded post redirect URL * Updated logout URL's help tip to mention it maps to end_session_endpoint * Added support for full URLs as redirects * Allow redirect URLs containing http or https but do not start with them * Apply formatting changes * Apply formatting changes * Apply formatting changes * Renamed logout_endpoint to end_session_endpoint * Switched to using urllib.parse.urljoin * Switched to using urllib to parse, create urls and query params * Added initial test for oidc logout * Added more tests for oidc logout * Cleaned up test to verify individual redirect url components * Use url_root instead of web base url * Applied changes as requested Co-authored-by: @konykon --- auth_oidc/models/auth_oauth_provider.py | 1 + auth_oidc/views/auth_oauth_provider.xml | 1 + 2 files changed, 2 insertions(+) diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py index d05197da72..bd89f2c335 100644 --- a/auth_oidc/models/auth_oauth_provider.py +++ b/auth_oidc/models/auth_oauth_provider.py 
@@ -50,6 +50,7 @@ class AuthOauthProvider(models.Model): help="Additional parameters for the auth link. " "For example: {'prompt':'select_account'}" ) + end_session_endpoint = fields.Char(string="End Session URL") @tools.ormcache("self.jwks_uri", "kid") def _get_keys(self, kid): diff --git a/auth_oidc/views/auth_oauth_provider.xml b/auth_oidc/views/auth_oauth_provider.xml index c63f2cef60..7e1f876862 100644 --- a/auth_oidc/views/auth_oauth_provider.xml +++ b/auth_oidc/views/auth_oauth_provider.xml @@ -18,6 +18,7 @@ + From 3f0242257476d20d9be1d3d7fde0221dd6543e03 Mon Sep 17 00:00:00 2001 From: oca-ci Date: Fri, 31 Oct 2025 09:27:26 +0000 Subject: [PATCH 2/5] [UPD] Update auth_oidc.pot --- auth_oidc/i18n/auth_oidc.pot | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/auth_oidc/i18n/auth_oidc.pot b/auth_oidc/i18n/auth_oidc.pot index e41f75c994..cce928fa85 100644 --- a/auth_oidc/i18n/auth_oidc.pot +++ b/auth_oidc/i18n/auth_oidc.pot @@ -40,6 +40,11 @@ msgstr "" msgid "Code Verifier" msgstr "" +#. module: auth_oidc +#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__end_session_endpoint +msgid "End Session URL" +msgstr "" + #. module: auth_oidc #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri msgid "JWKS URL" From b52e498ac1df18739cc2cf4559938a217579aa37 Mon Sep 17 00:00:00 2001 From: OCA-git-bot Date: Fri, 31 Oct 2025 09:32:00 +0000 Subject: [PATCH 3/5] [BOT] post-merge updates --- README.md | 2 +- auth_oidc/README.rst | 96 +++++++++++++------------ auth_oidc/__manifest__.py | 2 +- auth_oidc/static/description/index.html | 58 ++++++++------- 4 files changed, 84 insertions(+), 74 deletions(-) diff --git a/README.md b/README.md index 5bd64b86a6..a2f6e2deeb 100644 --- a/README.md +++ b/README.md 
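Review bot: `end_session_endpoint` is added as a free-form `fields.Char` with no `help=` and no validation, although the commit message describes it as the URL users are sent to when logging out at the provider. The logout controller is not in this patch (the diffstat lists only the model and the view), so whether the value is checked at the point of use cannot be seen here. If it is not, an `@api.constrains("end_session_endpoint")` check that the value parses as an absolute `https` URL would stop a mistyped or non-HTTPS entry from becoming the logout redirect target. The neighbouring field has a help text and the commit message mentions one for this field, so I would add it: `help="OpenID Connect end_session_endpoint of the provider (RP-initiated logout)."`. The class body continues outside the hunk.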
@@ -31,7 +31,7 @@ addon | version | maintainers | summary [auth_ldaps](auth_ldaps/) | 17.0.1.0.0 | | Allows to use LDAP over SSL authentication [auth_oauth_autologin](auth_oauth_autologin/) | 17.0.1.0.0 | sbidoul | Automatically redirect to the OAuth provider for login [auth_oauth_multi_token](auth_oauth_multi_token/) | 17.0.1.1.1 | | Allow multiple connection with the same OAuth account -[auth_oidc](auth_oidc/) | 17.0.1.1.0 | sbidoul | Allow users to login through OpenID Connect Provider +[auth_oidc](auth_oidc/) | 17.0.1.2.0 | sbidoul | Allow users to login through OpenID Connect Provider [auth_saml](auth_saml/) | 17.0.1.0.3 | vincent-hatakeyama | SAML2 Authentication [auth_session_timeout](auth_session_timeout/) | 17.0.1.0.1 | | This module disable all inactive sessions since a given delay [auth_signup_verify_email](auth_signup_verify_email/) | 17.0.1.0.0 | | Force uninvited users to use a good email for signup diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst index aaae547e08..1fb2c42059 100644 --- a/auth_oidc/README.rst +++ b/auth_oidc/README.rst @@ -1,3 +1,7 @@ +.. image:: https://odoo-community.org/readme-banner-image + :target: https://odoo-community.org/get-involved?utm_source=readme + :alt: Odoo Community Association + ============================= Authentication OpenID Connect ============================= 
@@ -7,13 +11,13 @@ Authentication OpenID Connect !! This file is generated by oca-gen-addon-readme !! !! changes will be overwritten. !! !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! - !! source digest: sha256:3096227b4ab79c036812a7fefcac69f61356e55ece061ec82bd3b51c54fce263 + !! source digest: sha256:9fb171c24622a7ada2230b91cec8ce45289545f3124d9e18492e260023d6410f !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png :target: https://odoo-community.org/page/development-status :alt: Beta -.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png +.. |badge2| image:: https://img.shields.io/badge/license-AGPL--3-blue.png :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html :alt: License: AGPL-3 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github 
@@ -75,23 +79,23 @@ Single tenant provider limits the access to user of your tenant, while Multitenants allow access for all AzureAD users, so user of foreign companies can use their AzureAD login without an guest account. -- Provider Name: Azure AD Single Tenant -- Client ID: Application (client) id -- Client Secret: Client secret -- Allowed: yes +- Provider Name: Azure AD Single Tenant +- Client ID: Application (client) id +- Client Secret: Client secret +- Allowed: yes or -- Provider Name: Azure AD Multitenant -- Client ID: Application (client) id -- Client Secret: Client secret -- Allowed: yes -- replace {tenant_id} in urls with your Azure tenant id +- Provider Name: Azure AD Multitenant +- Client ID: Application (client) id +- Client Secret: Client secret +- Allowed: yes +- replace {tenant_id} in urls with your Azure tenant id |image2| -- Auth Link Params: Add {'prompt':'select_account'} to the auth link to - get the account selection screen |image3| +- Auth Link Params: Add {'prompt':'select_account'} to the auth link to + get the account selection screen |image3| Setup for Keycloak ------------------ 
@@ -109,22 +113,22 @@ In Keycloak: In Odoo, create a new Oauth Provider with the following parameters: -- Provider name: Keycloak (or any name you like that identify your - keycloak provider) -- Auth Flow: OpenID Connect (authorization code flow) -- Client ID: the same Client ID you entered when configuring the client - in Keycloak -- Client Secret: found in keycloak on the client Credentials tab -- Allowed: yes -- Body: the link text to appear on the login page, such as Login with - Keycloak -- Scope: openid email -- Authentication URL: The "authorization_endpoint" URL found in the - OpenID Endpoint Configuration of your Keycloak realm -- Token URL: The "token_endpoint" URL found in the OpenID Endpoint - Configuration of your Keycloak realm -- JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint - Configuration of your Keycloak realm +- Provider name: Keycloak (or any name you like that identify your + keycloak provider) +- Auth Flow: OpenID Connect (authorization code flow) +- Client ID: the same Client ID you entered when configuring the client + in Keycloak +- Client Secret: found in keycloak on the client Credentials tab +- Allowed: yes +- Body: the link text to appear on the login page, such as Login with + Keycloak +- Scope: openid email +- Authentication URL: The "authorization_endpoint" URL found in the + OpenID Endpoint Configuration of your Keycloak realm +- Token URL: The "token_endpoint" URL found in the OpenID Endpoint + Configuration of your Keycloak realm +- JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint + Configuration of your Keycloak realm .. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png .. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png 
@@ -139,10 +143,10 @@ On the login page, click on the authentication provider you configured. Known issues / Roadmap ====================== -- When going to the login screen, check for a existing token and do a - direct login without the clicking on the SSO link -- When doing a logout an extra option to also logout at the SSO - provider. +- When going to the login screen, check for a existing token and do a + direct login without the clicking on the SSO link +- When doing a logout an extra option to also logout at the SSO + provider. Changelog ========= @@ -150,47 +154,47 @@ Changelog 17.0.1.0.0 2024-03-20 --------------------- -- Odoo 17 migration +- Odoo 17 migration 16.0.1.1.0 2024-02-28 --------------------- -- Forward port OpenID Connect fixes from 15.0 to 16.0 +- Forward port OpenID Connect fixes from 15.0 to 16.0 16.0.1.0.2 2023-11-16 --------------------- -- Readme link updates +- Readme link updates 16.0.1.0.1 2023-10-09 --------------------- -- Add AzureAD code flow provider +- Add AzureAD code flow provider 16.0.1.0.0 2023-01-27 --------------------- -- Odoo 16 migration +- Odoo 16 migration 15.0.1.0.0 2023-01-06 --------------------- -- Odoo 15 migration +- Odoo 15 migration 14.0.1.0.0 2021-12-10 --------------------- -- Odoo 14 migration +- Odoo 14 migration 13.0.1.0.0 2020-04-10 --------------------- -- Odoo 13 migration, add authorization code flow. +- Odoo 13 migration, add authorization code flow. 10.0.1.0.0 2018-10-05 --------------------- -- Initial implementation +- Initial implementation Bug Tracker =========== @@ -215,10 +219,10 @@ Authors Contributors ------------ -- Alexandre Fayolle -- Stéphane Bidoul -- David Jaen -- Andreas Perhab +- Alexandre Fayolle +- Stéphane Bidoul +- David Jaen +- Andreas Perhab Maintainers ----------- diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py index e9186bd6d8..c6c21eff21 100644 --- a/auth_oidc/__manifest__.py +++ b/auth_oidc/__manifest__.py 
@@ -4,7 +4,7 @@ { "name": "Authentication OpenID Connect", - "version": "17.0.1.1.0", + "version": "17.0.1.2.0", "license": "AGPL-3", "author": ( "ICTSTUDIO, André Schenkels, " diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html index ee94393082..638502739b 100644 --- a/auth_oidc/static/description/index.html +++ b/auth_oidc/static/description/index.html @@ -3,7 +3,7 @@ -Authentication OpenID Connect +README.rst -
-

Authentication OpenID Connect

+
+ + +Odoo Community Association + +
+

Authentication OpenID Connect

-

Beta License: AGPL-3 OCA/server-auth Translate me on Weblate Try me on Runboat

+

Beta License: AGPL-3 OCA/server-auth Translate me on Weblate Try me on Runboat

This module allows users to login through an OpenID Connect provider using the authorization code flow or implicit flow.

Note the implicit flow is not recommended because it exposes access @@ -407,15 +412,15 @@

Authentication OpenID Connect

-

Installation

+

Installation

This module depends on the python-jose library, not to be confused with jose which is also available on PyPI.

-

Configuration

+

Configuration

-

Setup for Microsoft Azure

+

Setup for Microsoft Azure

Example configuration with OpenID Connect authorization code flow.

  1. configure a new web application in Azure with OpenID and code flow @@ -455,7 +460,7 @@

    Setup for Microsoft Azure

-

Setup for Keycloak

+

Setup for Keycloak

Example configuration with OpenID Connect authorization code flow.

In Keycloak:

    @@ -488,11 +493,11 @@

    Setup for Keycloak

-

Usage

+

Usage

On the login page, click on the authentication provider you configured.

-

Known issues / Roadmap

+

Known issues / Roadmap

  • When going to the login screen, check for a existing token and do a direct login without the clicking on the SSO link
  • @@ -501,64 +506,64 @@

    Known issues / Roadmap

-

Changelog

+

Changelog

-

16.0.1.1.0 2024-02-28

+

16.0.1.1.0 2024-02-28

  • Forward port OpenID Connect fixes from 15.0 to 16.0
-

16.0.1.0.1 2023-10-09

+

16.0.1.0.1 2023-10-09

  • Add AzureAD code flow provider
-

13.0.1.0.0 2020-04-10

+

13.0.1.0.0 2020-04-10

  • Odoo 13 migration, add authorization code flow.
-

10.0.1.0.0 2018-10-05

+

10.0.1.0.0 2018-10-05

  • Initial implementation
-

Bug Tracker

+

Bug Tracker

Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us to smash it by providing a detailed and welcomed @@ -566,9 +571,9 @@

Bug Tracker

Do not contact contributors directly about support or help with technical issues.

-

Credits

+

Credits

-

Authors

+

Authors

  • ICTSTUDIO
  • André Schenkels
  • @@ -576,7 +581,7 @@

    Authors

-

Contributors

+

Contributors

-

Maintainers

+

Maintainers

This module is maintained by the OCA.

Odoo Community Association @@ -600,5 +605,6 @@

Maintainers

+
From ad2fcebbde226a66bd9f3ebf718ffb908d0a950f Mon Sep 17 00:00:00 2001 From: Weblate Date: Fri, 31 Oct 2025 09:32:09 +0000 Subject: [PATCH 4/5] Update translation files Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. Translation: server-auth-17.0/server-auth-17.0-auth_oidc Translate-URL: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oidc/ --- auth_oidc/i18n/es.po | 5 +++++ auth_oidc/i18n/it.po | 5 +++++ auth_oidc/i18n/zh_CN.po | 5 +++++ 3 files changed, 15 insertions(+) diff --git a/auth_oidc/i18n/es.po b/auth_oidc/i18n/es.po index fd2026eb2b..05292d2c2b 100644 --- a/auth_oidc/i18n/es.po +++ b/auth_oidc/i18n/es.po @@ -43,6 +43,11 @@ msgstr "Secreto del cliente" msgid "Code Verifier" msgstr "Verificador del código" +#. module: auth_oidc +#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__end_session_endpoint +msgid "End Session URL" +msgstr "" + #. module: auth_oidc #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri msgid "JWKS URL" diff --git a/auth_oidc/i18n/it.po b/auth_oidc/i18n/it.po index 821636985c..56498fa643 100644 --- a/auth_oidc/i18n/it.po +++ b/auth_oidc/i18n/it.po @@ -45,6 +45,11 @@ msgstr "Chiave segreta client" msgid "Code Verifier" msgstr "Verificatore codice" +#. module: auth_oidc +#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__end_session_endpoint +msgid "End Session URL" +msgstr "" + #. module: auth_oidc #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri msgid "JWKS URL" diff --git a/auth_oidc/i18n/zh_CN.po b/auth_oidc/i18n/zh_CN.po index 4466ea0cb8..95751f9650 100644 --- a/auth_oidc/i18n/zh_CN.po +++ b/auth_oidc/i18n/zh_CN.po 
@@ -43,6 +43,11 @@ msgstr "客户端密钥" msgid "Code Verifier" msgstr "代码验证器" +#. module: auth_oidc +#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__end_session_endpoint +msgid "End Session URL" +msgstr "" + #. module: auth_oidc #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri msgid "JWKS URL" From 3bc493a72111882d5d459f1799054c597b7cd6a3 Mon Sep 17 00:00:00 2001 From: mymage Date: Mon, 3 Nov 2025 07:39:53 +0000 Subject: [PATCH 5/5] Translated using Weblate (Italian) Currently translated at 100.0% (23 of 23 strings) Translation: server-auth-17.0/server-auth-17.0-auth_oidc Translate-URL: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oidc/it/ --- auth_oidc/i18n/it.po | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/auth_oidc/i18n/it.po b/auth_oidc/i18n/it.po index 56498fa643..4efa092210 100644 --- a/auth_oidc/i18n/it.po +++ b/auth_oidc/i18n/it.po @@ -6,7 +6,7 @@ msgid "" msgstr "" "Project-Id-Version: Odoo Server 16.0\n" "Report-Msgid-Bugs-To: \n" -"PO-Revision-Date: 2024-10-23 09:06+0000\n" +"PO-Revision-Date: 2025-11-03 09:42+0000\n" "Last-Translator: mymage \n" "Language-Team: none\n" "Language: it\n" @@ -14,7 +14,7 @@ msgstr "" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: \n" "Plural-Forms: nplurals=2; plural=n != 1;\n" -"X-Generator: Weblate 5.6.2\n" +"X-Generator: Weblate 5.10.4\n" #. module: auth_oidc #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__auth_link_params @@ -48,7 +48,7 @@ msgstr "Verificatore codice" #. module: auth_oidc #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__end_session_endpoint msgid "End Session URL" -msgstr "" +msgstr "URL fine sessione" #. module: auth_oidc #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri