# OpenID Connect Authentication ### Module name g2p\_auth\_oidc ### Module title OpenID Connect Authentication ### Technology base [Odoo](https://www.odoo.com/) ### Functionality The functionality of OpenID Connect (OIDC) Authentication module is * It allows users log in to Odoo using external [OIDC](https://openid.net/specs/openid-connect-core-1_0.html) authentication providers. * It inherits from the Odoo [OAuth2 Authentication](https://github.com/odoo/odoo/tree/17.0/addons/auth_oauth) module and adds support for OIDC flows and additional features described here. * It is a general-purpose Odoo module, not tied to any other G2P modules. ### Alternatives OCA (Odoo Community Association) offers an [OIDC Authentication](https://github.com/OCA/server-auth/tree/17.0/auth_oidc) module that provides functionality similar to this but doesn't contain all of the features described here. This module is not related to the OCA module. This module is also NOT compatible (not supposed to be used together) with the OCA module. ### Features
FeatureDescripton
OIDC FlowsSupports Auth Code flow and Implicit flow
TokenisationSupports Access token and ID token validation
Client Authentication
  • Supports client_secret_post, client_secret_basic, private_key_jwt.
  • If using private_key_jwt, allows overriding Audience claim in client Assertion JWT, otherwise defaults to Token Endpoint. (Helps during testing and development)
Userinfo Responses

  • Userinfo response content-types supported:

    • "application/json"
    • "application/jwt" - TODO perform signature validation
  • Supports mapping of Userinfo Response to fields of Odoo res.user (same as res.partner) table.
Signup Handling

The mechanism involved in handling the users who logged in through the auth provider is not already present in Odoo.-

  • Modes of Signup configurable:

    • Always allow signups through this auth provider.
    • Follow the system default signup settings. (This usually involves enabling signup at the system level and configuring a template for new users to be created. Part of auth_signup Odoo base module. TODO: Update docs.)
    • Do not allow signups through this auth provider at all.
  • If user signups are always allowed for an auth provider, allow configuring default groups to be assigned to the new user.
Group Synchronisation

Sync groups from the Authentication Provider with groups of the Odoo user.

  • Supports groups sync on:

    • every login
    • only when user groups are reset
    • never
  • Matches Odoo user groups with the same name as the group from the auth provider.
User Data UpdateSupports update of Odoo user data with auth provider Userinfo, on login, when reset is requested.
An Icon on Login PageAllows provision for showing an Icon for the auth provider on the login page.
Additional ParametersSupports passing additional parameters to Authorize Endpoint. Allows to configure additional parameters as JSON.
### Guides To learn more on ***Configure Keycloak Auth Provider for User Login***, click [here](https://docs.openg2p.org/pbms/functionality/administration/role-based-access-control/user-guides/configure-keycloak-authentication-provider-for-user-login). ### Configuration OAuth Provider Field Reference (OAuth Providers can be viewed in Settings -> General Settings): The following list includes configuration fields from the base [auth\_oauth](https://github.com/odoo/odoo/tree/17.0/addons/auth_oauth) Odoo module.
Field nameField TitleDescriptionDefault Value
nameProvider nameInternal name given to Identify the auth provider
flowAuth FlowAuthentication Flow to be used.oauth2
token_mapToken MapMap of Userinfo fields to Odoo user fields.
sub:user_id name:name email:email phone_number:phone birthdate:birthdate gender:gender address:address picture:picture groups:groups
enabledAllowedWhether or not to show on login page
bodyLogin button labelText to be shown on the button on login page
image_icon_urlImage Icon UrlUrl of the image to be displayed on the login page
css_classCSS classCSS Class to be assigned to Image Icon on login page
fa fa-fw fa-sign-in text-primary
auth_endpointAuthorization URL
token_endpointToken Endpoint
validation_endpointUserinfo URL
jwks_uriJWKS URL
jwt_assertion_audClient Assertion JWT Aud ClaimOvewrite aud claim in Client assertion JWT. Leave blank to default to Token Endpoint.
client_idClient ID
client_authentication_methodClient Authentication Method

Supported Methods:

  • client_secret_post
  • client_secret_basic
  • private_key_jwt
  • none
client_secret_post
client_secretClient SecretUsed when client_authentication_method is client_secret_post/client_secret_basic.
client_private_keyClient Private Key

Supported File types:

  • PEM file
  • JWKS Json file

Used when client_authentication_method is private_key_jwt

scopeScopeOAuth2 Scope
openid profile email
extra_authorize_paramsExtra Authorize ParamsTo be given as JSON
verify_at_hashVerify AT HashWhether or not to verify Access Token hash during ID Token validationtrue
date_formatDate FormatFormat to be used for parsing dates in Userinfo Response (Like birthdate)
allow_signupAllow Signup

Supported Values:

  • Allows user signup (yes)
  • Denies user signup (no)
  • Use System settings for signup (system_default)
Allows user signup (yes)
signup_default_groupsSignup Default GroupsList of Groups to be assigned to newly created user (when allow_signup == yes)
sync_user_groupsSync User Groups

Supported Values:

  • On every login (on_login)
  • When user groups are reset (on_reset)
  • Never (never)
When user groups are reset (on_reset)
company_idCompanyCompany to which the auth provider belongs to. This will also be used during user creation while signup.
### Source code --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.openg2p.org/1.3/pbms/developer-zone/odoo-modules/openid-connect-authentication.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.