OpenID Connect Authentication

Module name

g2p_auth_oidc

Module title

Technology base

Odoo

Functionality

The functionality of OpenID Connect (OIDC) Authentication module is

It allows users log in to Odoo using external OIDC authentication providers.
It inherits from the Odoo OAuth2 Authentication module and adds support for OIDC flows and additional features described here.
It is a general-purpose Odoo module, not tied to any other G2P modules.

Alternatives

OCA (Odoo Community Association) offers an OIDC Authentication module that provides functionality similar to this but doesn't contain all of the features described here. This module is not related to the OCA module. This module is also NOT compatible (not supposed to be used together) with the OCA module.

Features

Feature Descripton

Feature	Descripton
OIDC Flows	Supports Auth Code flow and Implicit flow
Tokenisation	Supports Access token and ID token validation
Client Authentication	Supports client_secret_post, client_secret_basic, private_key_jwt. If using private_key_jwt, allows overriding Audience claim in client Assertion JWT, otherwise defaults to Token Endpoint. (Helps during testing and development)
Userinfo Responses	Userinfo response content-types supported: "application/json" "application/jwt" - TODO perform signature validation Supports mapping of Userinfo Response to fields of Odoo `res.user` (same as `res.partner`) table.
Signup Handling	The mechanism involved in handling the users who logged in through the auth provider is not already present in Odoo.- Modes of Signup configurable: Always allow signups through this auth provider. Follow the system default signup settings. (This usually involves enabling signup at the system level and configuring a template for new users to be created. Part of auth_signup Odoo base module. TODO: Update docs.) Do not allow signups through this auth provider at all. If user signups are always allowed for an auth provider, allow configuring default groups to be assigned to the new user.
Group Synchronisation	Sync groups from the Authentication Provider with groups of the Odoo user. Supports groups sync on: every login only when user groups are reset never Matches Odoo user groups with the same name as the group from the auth provider.
User Data Update	Supports update of Odoo user data with auth provider Userinfo, on login, when reset is requested.
An Icon on Login Page	Allows provision for showing an Icon for the auth provider on the login page.
Additional Parameters	Supports passing additional parameters to Authorize Endpoint. Allows to configure additional parameters as JSON.

OIDC Flows

Supports Auth Code flow and Implicit flow

Tokenisation

Supports Access token and ID token validation

Client Authentication

Supports client_secret_post, client_secret_basic, private_key_jwt.
If using private_key_jwt, allows overriding Audience claim in client Assertion JWT, otherwise defaults to Token Endpoint. (Helps during testing and development)

Userinfo Responses

Userinfo response content-types supported:
- "application/json"
- "application/jwt" - TODO perform signature validation
Supports mapping of Userinfo Response to fields of Odoo res.user (same as res.partner) table.

Signup Handling

The mechanism involved in handling the users who logged in through the auth provider is not already present in Odoo.-

Modes of Signup configurable:
- Always allow signups through this auth provider.
- Follow the system default signup settings. (This usually involves enabling signup at the system level and configuring a template for new users to be created. Part of auth_signup Odoo base module. TODO: Update docs.)
- Do not allow signups through this auth provider at all.
If user signups are always allowed for an auth provider, allow configuring default groups to be assigned to the new user.

Group Synchronisation

Sync groups from the Authentication Provider with groups of the Odoo user.

Supports groups sync on:
- every login
- only when user groups are reset
- never
Matches Odoo user groups with the same name as the group from the auth provider.

User Data Update

Supports update of Odoo user data with auth provider Userinfo, on login, when reset is requested.

An Icon on Login Page

Allows provision for showing an Icon for the auth provider on the login page.

Additional Parameters

Supports passing additional parameters to Authorize Endpoint. Allows to configure additional parameters as JSON.

Guides

To learn more on Configure Keycloak Auth Provider for User Login, click here.

Configuration

OAuth Provider Field Reference (OAuth Providers can be viewed in Settings -> General Settings):

The following list includes configuration fields from the base auth_oauth Odoo module.

Field name Field Title Description Default Value

Field name	Field Title	Description	Default Value
name	Provider name	Internal name given to Identify the auth provider
flow	Auth Flow	Authentication Flow to be used.	oauth2
token_map	Token Map	Map of Userinfo fields to Odoo user fields.	`sub:user_id name:name email:email phone_number:phone birthdate:birthdate gender:gender address:address picture:picture groups:groups`
enabled	Allowed	Whether or not to show on login page
body	Login button label	Text to be shown on the button on login page
image_icon_url	Image Icon Url	Url of the image to be displayed on the login page
css_class	CSS class	CSS Class to be assigned to Image Icon on login page	`fa fa-fw fa-sign-in text-primary`
auth_endpoint	Authorization URL
token_endpoint	Token Endpoint
validation_endpoint	Userinfo URL
jwks_uri	JWKS URL
jwt_assertion_aud	Client Assertion JWT Aud Claim	Ovewrite aud claim in Client assertion JWT. Leave blank to default to Token Endpoint.
client_id	Client ID
client_authentication_method	Client Authentication Method	Supported Methods: client_secret_post client_secret_basic private_key_jwt none	client_secret_post
client_secret	Client Secret	Used when client_authentication_method is client_secret_post/client_secret_basic.
client_private_key	Client Private Key	Supported File types: PEM file JWKS Json file Used when client_authentication_method is private_key_jwt
scope	Scope	OAuth2 Scope	`openid profile email`
extra_authorize_params	Extra Authorize Params	To be given as JSON
verify_at_hash	Verify AT Hash	Whether or not to verify Access Token hash during ID Token validation	true
date_format	Date Format	Format to be used for parsing dates in Userinfo Response (Like birthdate)
allow_signup	Allow Signup	Supported Values: Allows user signup (yes) Denies user signup (no) Use System settings for signup (system_default)	Allows user signup (yes)
signup_default_groups	Signup Default Groups	List of Groups to be assigned to newly created user (when allow_signup == yes)
sync_user_groups	Sync User Groups	Supported Values: On every login (on_login) When user groups are reset (on_reset) Never (never)	When user groups are reset (on_reset)
company_id	Company	Company to which the auth provider belongs to. This will also be used during user creation while signup.

name

Provider name

Internal name given to Identify the auth provider

flow

Auth Flow

Authentication Flow to be used.

oauth2

token_map

Token Map

Map of Userinfo fields to Odoo user fields.

sub:user_id name:name email:email phone_number:phone birthdate:birthdate gender:gender address:address picture:picture groups:groups

enabled

Allowed

Whether or not to show on login page

body

Text to be shown on the button on login page

image_icon_url

Image Icon Url

Url of the image to be displayed on the login page

css_class

CSS class

CSS Class to be assigned to Image Icon on login page

fa fa-fw fa-sign-in text-primary

auth_endpoint

Authorization URL

token_endpoint

Token Endpoint

validation_endpoint

Userinfo URL

jwks_uri

JWKS URL

jwt_assertion_aud

Client Assertion JWT Aud Claim

Ovewrite aud claim in Client assertion JWT. Leave blank to default to Token Endpoint.

client_id

Client ID

client_authentication_method

Client Authentication Method

Supported Methods:

client_secret_post
client_secret_basic
private_key_jwt
none

client_secret_post

client_secret

Client Secret

Used when client_authentication_method is client_secret_post/client_secret_basic.

client_private_key

Client Private Key

Supported File types:

PEM file
JWKS Json file

Used when client_authentication_method is private_key_jwt

scope

Scope

OAuth2 Scope

openid profile email

extra_authorize_params

Extra Authorize Params

To be given as JSON

verify_at_hash

Verify AT Hash

Whether or not to verify Access Token hash during ID Token validation

true

date_format

Date Format

Format to be used for parsing dates in Userinfo Response (Like birthdate)

allow_signup

Allow Signup

Supported Values:

Allows user signup (yes)
Denies user signup (no)
Use System settings for signup (system_default)

Allows user signup (yes)

signup_default_groups

Signup Default Groups

List of Groups to be assigned to newly created user (when allow_signup == yes)

sync_user_groups

Sync User Groups

Supported Values:

On every login (on_login)
When user groups are reset (on_reset)
Never (never)

When user groups are reset (on_reset)

company_id

Company

Company to which the auth provider belongs to. This will also be used during user creation while signup.

Source code

https://github.com/OpenG2P/openg2p-odoo-commons/tree/17.0-develop/g2p_auth_oidc

PreviousG2P Service Provider Beneficiary Management NextG2P Auth: OIDC - Reg ID

Last updated 17 days ago