Myceliandre
/
galicea-odoo-addons-ecosystem
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
6 Branches
0 Tags
609 KiB
Tree: 5f7f206e57
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5f7f206e57'
${ noResults }
galicea-odoo-addons-ecosystem/galicea_openid_connect/static/description/index.html

139 lines
6.8 KiB
Raw Normal View History

[openid_connect]
6 years ago
[openid_connect] Warning
6 years ago
[openid_connect]
6 years ago
  1. <section class="oe_container">
  2. <div class="oe_row oe_spaced">
  3. <div class="oe_span12">
  4. <h2 class="oe_slogan">Galicea OpenID Connect Provider</h2>
  5. <h3 class="oe_slogan">
  6. OpenID Connect Provider for Odoo &amp; OAuth2 resource server
  7. </h3>
  8. <p>
  9. This add-on allows Odoo to become an OpenID Connect Identity Provider (or just OAuth2 authorization server). The supported use-case is to allow several company-owned applications (possibly other Odoo instances) to reuse identities provided by Odoo, by becoming its OpenID Connect Clients. <i>There is no technical reason not to allow third-party clients, but keep in mind that as is, there is no support for custom scopes (other than <tt>openid</tt>) and no permission is required from the user to share their identity with the client.</i></p>
  11. <p>The add-on also provides OAuth2 token validation for use in custom API endpoints. This allows the clients to securely fetch data from Odoo.</p>
  13. <h2>Prerequisites</h2>
  14. <pre>
  15. pip install -r galicea_openid_connect/requirements.txt
  16. </pre>
  17. <h2>Client configuration</h2>
  18. <p>
  19. Simply go to <tt>OpenID Connect Provider</tt> menu to register a new client. Make sure that the <tt>Redirect URI</tt> exactly matches <tt>redirect_uri</tt> parameter your client is going to send. Copy generated <tt>Client ID</tt> and <tt>Client secret</tt> to configure your client.
  20. </p>
  21. <p>
  22. You can use <a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect Discovery</a> to set up your client. The discovery document URL will be located at <tt>&lt;odoo-base-url&gt;/.well-known/openid-configuration</tt> and it looks like this: <pre>
  23. {
  24. "authorization_endpoint": "&lt;odoo-base-url&gt;/oauth/authorize",
  25. "grant_types_supported": [
  26. "authorization_code",
  27. "implicit"
  28. ],
  29. "id_token_signing_alg_values_supported": [
  30. "RS256"
  31. ],
  32. "issuer": "&lt;odoo-base-url&gt;/",
  33. "jwks_uri": "&lt;odoo-base-url&gt;/oauth/jwks",
  34. "response_types_supported": [
  35. "code",
  36. "token",
  37. "id_token token",
  38. "id_token"
  39. ],
  40. "scopes_supported": [
  41. "openid"
  42. ],
  43. "subject_types_supported": [
  44. "public"
  45. ],
  46. "token_endpoint": "&lt;odoo-base-url&gt;/oauth/token",
  47. "token_endpoint_auth_methods_supported": [
  48. "client_secret_post"
  49. ],
  50. "userinfo_endpoint": "&lt;odoo-base-url&gt;/oauth/userinfo"
  51. }
  52. </pre>
  54. <h3>Configuring other Odoo instance/DB to be the client</h3>
  55. <p>Let's say that you want to allow users registered in your <tt>master.odoo.com</tt> Odoo instance to be able to log into <tt>client.odoo.com</tt> instance, without having to create a separate account.</p>
  57. <p>To do that, simply install this module on <tt>master.odoo.com</tt> and add the client, using <tt>/auth_oauth/signin</tt> as a redirect_uri:</p>
  58. <img class="oe_picture oe_screenshot" src="images/master_screenshot.png" />
  60. <p>Now, in <tt>client.odoo.com</tt>:
  61. <ul>
  62. <li>install the <tt>auth_oauth</tt> add-on,</li>
  63. <li>enable developer mode,</li>
  64. <li>make sure that <tt>Allow external users to sign up</tt> option is enabled in <tt>General settings</tt></li>
  65. <li>add the following OAuth Provider data in the settings:</li>
  66. <img class="oe_picture oe_screenshot" src="images/client_screenshot.png" />
  67. </p>
  68. Now, the users of <tt>client.odoo.com</tt> will be able to login using new <tt>Login with Master</tt> link.
  69. <img class="oe_picture oe_screenshot" src="images/login_screenshot.png" />
  70. In case they are already logged into <tt>master.odoo.com</tt>, all they need to do is to click it. Otherwise, they will be redirected to <tt>master.odoo.com</tt> to provide their credentials.
  72. <div class="alert alert-danger" role="alert">
  73. <b>Warning!</b> The user of <tt>master.odoo.com</tt> will not be able to log into <tt>client.odoo.com</tt> if there already is a regular account with the same e-mail address in <tt>client.odoo.com</tt>. In that case you will see this message:
  74. <img class="oe_picture oe_screenshot" src="images/error_screenshot.png" />
  75. </div>
  78. <h2>Creating JSON APIs with OAuth2 authorization</h2>
  79. <p>Along with the ID token, it's possible for the OpenID Connect Client to request access token, that can be used to authorize access to a custom JSON API.</p>
  80. <p>You can create such API in a way that is similar to creating regular Odoo controllers:</p>
  81. <pre>
  82. # -*- coding: utf-8 -*-
  84. from odoo import http
  85. from odoo.addons.galicea_openid_connect.api import resource
  87. class ExternalAPI(http.Controller):
  88. @resource('/oauth/userinfo', method='GET')
  89. def userinfo(self, req, **query):
  90. user = req.env.user
  91. return {
  92. 'sub': str(user.id),
  93. 'name': user.name,
  94. 'email': user.email
  95. }
  96. </pre>
  97. (note that this particular endpoint is bundled into <tt>galicea_openid_connect</tt> add-on). The client can then call this endpoint with either a header that looks like <tt>Authorization: Bearer &lt;token&gt;</tt> or <tt>&amp;access_token=&lt;token&gt;</tt> query parameter.
  98. <pre>
  99. $ curl --header 'Authorization: Bearer 9Dkv2W...gzpz' '&lt;odoo-base-url&gt;/oauth/userinfo'
  101. {"email": false, "sub": "1", "name": "Administrator"}
  102. </pre>
  104. <h3>API authorized with client credentials tokens</h3>
  105. It's also possible to create APIs for server-to-server requests from the Client.
  106. <pre>
  107. # -*- coding: utf-8 -*-
  109. from odoo import http
  110. from odoo.addons.galicea_openid_connect.api import resource
  112. class ExternalAPI(http.Controller):
  113. @resource('/oauth/clientinfo', method='GET'<b>, auth='client'</b>)
  114. def clientinfo(self, req, **query):
  115. client = req.env['galicea_openid_connect.client'].browse(req.context['client_id'])
  116. return {
  117. 'name': client.name
  118. }
  119. </pre>
  120. (note that this particular endpoint is bundled into <tt>galicea_openid_connect</tt> add-on as well). In order to receive the access token, the client needs to call the <tt>/oauth/token</tt> endpoint with <tt>&amp;grant_type=client_credentials</tt> parameter:
  121. <pre>
  122. $ curl -X POST '&lt;odoo-base-url&gt;/oauth/token?grant_type=client_credentials&client_id=dr...ds&client_secret=DL...gO'
  124. {"access_token": "WWy74uJIIRA4bonJHdVUeY3N8Jn2vuMecIfQntLf5FvCj3C3nNJY9tRER0qcoHRw", "token_type": "bearer"}
  125. </pre>
  126. Such token can then be used to access the resource:
  127. <pre>
  128. $ curl --header 'Authorization: Bearer WWy...coHRw' '&lt;odoo-base-url&gt;/oauth/clientinfo'
  130. {"name": "Test Client"}
  131. </pre>
  132. <h2>Additional notes</h2>
  133. <ul>
  134. <li>In order to support OpenID Connect features related to authentication time, this also adds time of the user log-in to Odoo session.</li>
  135. <li>For each client, a special kind of public user ("system user") is created to be impersonated during the server-server API requests.</li>
  136. </ul>
  137. </div>
  138. </div>
  139. </section>