Mastering Hybrid Authentication in Odoo 18.0 or 19.0


 Bridging the gap between strict OpenID Connect and standard OAuth2.

Modern enterprise environments often require a mix of strict OpenID Connect (OIDC) providers like Keycloak or AWS Cognito, alongside standard OAuth2 providers like GitHub. While the OCA auth_oidc module is the gold standard for OIDC, it traditionally struggles with OAuth2 providers that do not issue an id_token.

In our latest contribution to the OCA Server-Auth repository, we've introduced a "Hybrid" approach to solve this.

The Technical Challenge: The Missing id_token

When authenticating via GitHub, the server returns an access_token but no id_token. Standard OIDC modules expect both and will fail with an AccessDenied error if the latter is missing.

Our improvement allows the auth_oidc module to detect when an id_token is absent and gracefully fall back to the standard Odoo UserInfo validation.

The Implementation in OCA server-auth (PR #917)

The logic ensures that if you are using the Authorization Code Flow (id_token_code), Odoo will:

  1. Perform the secure server-to-server POST to exchange the code for a token.
  2. If an id_token exists (Keycloak/Cognito), it performs full signature verification.
  3. If only an access_token exists (GitHub), it leverages Odoo's core super() logic to fetch user details from the UserInfo API.
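
The decision in steps 2 and 3, as a standalone Python sketch added here for illustration; it is not the code from PR #917. Assumptions: `resolve_identity`, `verify_id_token` and the `AccessDenied` stand-in are hypothetical names, an HS256 shared-key check replaces the provider-key signature verification, `fetch_userinfo` is a callable standing in for the UserInfo request, and denying the login when a present id_token fails to verify is this sketch's choice.

```python
import base64, hashlib, hmac, json

class AccessDenied(Exception):
    """Stand-in for odoo.exceptions.AccessDenied so the sketch runs outside Odoo."""

GITHUB_MAP = {"user_id": "id", "login": "login", "name": "name"}  # Token Map from the post

def _b64d(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def verify_id_token(id_token, key):
    """HS256 check: a stdlib stand-in for the provider-key signature verification."""
    try:
        head, body, sig = id_token.split(".")
        if json.loads(_b64d(head)).get("alg") != "HS256":
            raise ValueError("unexpected alg")  # rejects alg=none and algorithm swaps
        want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, _b64d(sig)):
            raise ValueError("bad signature")
        claims = json.loads(_b64d(body))
        if not isinstance(claims, dict):
            raise ValueError("claims are not a JSON object")
        return claims
    except (ValueError, TypeError, AttributeError) as exc:
        raise AccessDenied("id_token rejected") from exc

def resolve_identity(token_response, key, fetch_userinfo, token_map):
    """Apply the hybrid rule to a token endpoint response and map the claims."""
    id_token = token_response.get("id_token")
    access_token = token_response.get("access_token")
    if id_token:
        # A present id_token must verify. Falling back to UserInfo here would
        # let a bad token be ignored, so a failure denies the login outright.
        claims = verify_id_token(id_token, key)
    elif access_token:
        # OAuth2-only provider (the GitHub case): identity comes from UserInfo.
        claims = fetch_userinfo(access_token)
    else:
        raise AccessDenied("no id_token or access_token in token response")
    mapped = {dst: claims.get(src) for dst, src in token_map.items()}
    if mapped.get("user_id") is None:
        raise AccessDenied("no user identifier in claims")
    mapped["user_id"] = str(mapped["user_id"])  # GitHub's id is numeric
    return mapped

def demo():
    # Constructed GitHub-style data; fetch_userinfo is a local function, no network.
    userinfo = lambda token: {"id": 4242, "login": "octo-dev", "name": "Octo Dev"}
    return resolve_identity({"access_token": "constructed-token"}, b"", userinfo, GITHUB_MAP)
```
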

Step-by-Step GitHub Integration

1. GitHub OAuth App

  • Callback URL: https://your-odoo.com
  • Scope: read:user user:email

2. Odoo System Parameters

GitHub requires the token in the header. Set this in Settings > Technical > System Parameters:

  • Key: auth_oauth.authorization_header
  • Value: 1

3. The Odoo Provider Config

  • Auth Flow: id_token_code (Authorization Code Flow)
  • Token Map: {"user_id": "id", "login": "login", "name": "name"}


KOBROS-TECH LTD (info@kobros-tech.com)
