diff --git a/auth_oauth_ropc/README.rst b/auth_oauth_ropc/README.rst new file mode 100644 index 0000000000..63dab04b84 --- /dev/null +++ b/auth_oauth_ropc/README.rst 
@@ -0,0 +1,104 @@ +=============== +Auth OAuth ROPC +=============== + +.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + !! This file is generated by oca-gen-addon-readme !! + !! changes will be overwritten. !! + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! + +.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png + :target: https://odoo-community.org/page/development-status + :alt: Beta +.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png + :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html + :alt: License: AGPL-3 +.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github + :target: https://github.com/OCA/server-auth/tree/16.0/auth_oauth_ropc + :alt: OCA/server-auth +.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png + :target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_oauth_ropc + :alt: Translate me on Weblate +.. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png + :target: https://runbot.odoo-community.org/runbot/251/16.0 + :alt: Try me on Runbot + +|badge1| |badge2| |badge3| |badge4| |badge5| + +This module add the possibility to login with OAuth Resource Owner Password Credentials Grant + +https://datatracker.ietf.org/doc/html/rfc6749#section-4.3 + +In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable. + +This module is useful for the Odoo mobile application, which only supports user/password authentication. + + +**Table of contents** + +.. 
contents:: + :local: + +Configuration +============= + +The configuration of this module is based with Microsoft Azure ad OAuth provider + +https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc + +To configure this module, you need to: + +#. Go to Settings/Users/OAuth ROPC providers and create a new one + +.. figure:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oauth_ropc/static/description/configuration.png + :alt: provider description + :width: 600 px + +Usage +===== + +To use this module, you need to: + +#. Go on the login screen +#. Fill your Odoo user name (must be the same in OAuth provider) +#. Fill your OAuth password + +Bug Tracker +=========== + +Bugs are tracked on `GitHub Issues `_. +In case of trouble, please check there if your issue has already been reported. +If you spotted it first, help us smashing it by providing a detailed and welcomed +`feedback `_. + +Do not contact contributors directly about support or help with technical issues. + +Credits +======= + +Authors +~~~~~~~ + +* ACSONE SA/NV + +Contributors +~~~~~~~~~~~~ + +Adrien Peiffer + +Maintainers +~~~~~~~~~~~ + +This module is maintained by the OCA. + +.. image:: https://odoo-community.org/logo.png + :alt: Odoo Community Association + :target: https://odoo-community.org + +OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use. + +This module is part of the `OCA/server-auth `_ project on GitHub. + +You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute. diff --git a/auth_oauth_ropc/__init__.py b/auth_oauth_ropc/__init__.py new file mode 100644 index 0000000000..0650744f6b --- /dev/null +++ b/auth_oauth_ropc/__init__.py @@ -0,0 +1 @@ +from . import models diff --git a/auth_oauth_ropc/__manifest__.py b/auth_oauth_ropc/__manifest__.py new file mode 100644 index 0000000000..f055dc539f 
--- /dev/null +++ b/auth_oauth_ropc/__manifest__.py @@ -0,0 +1,17 @@ +# Copyright 2023 ACSONE SA/NV +# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl). + +{ + "name": "Auth OAuth ROPC", + "summary": """ + Allow to login with OAuth Resource Owner Password Credentials Grant""", + "version": "16.0.1.0.0", + "license": "AGPL-3", + "author": "ACSONE SA/NV,Odoo Community Association (OCA)", + "website": "https://github.com/OCA/server-auth", + "depends": ["base"], + "data": [ + "security/oauth_ropc_provider.xml", + "views/oauth_ropc_provider.xml", + ], +} diff --git a/auth_oauth_ropc/models/__init__.py b/auth_oauth_ropc/models/__init__.py new file mode 100644 index 0000000000..c136e1765e --- /dev/null +++ b/auth_oauth_ropc/models/__init__.py @@ -0,0 +1,2 @@ +from . import oauth_ropc_provider +from . import res_users diff --git a/auth_oauth_ropc/models/oauth_ropc_provider.py b/auth_oauth_ropc/models/oauth_ropc_provider.py new file mode 100644 index 0000000000..095c4abf3e --- /dev/null +++ b/auth_oauth_ropc/models/oauth_ropc_provider.py 
@@ -0,0 +1,44 @@ +# Copyright 2023 ACSONE SA/NV +# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl). + +import requests + +from odoo import _, api, fields, models +from odoo.exceptions import ValidationError + + +class OAuthRopcProvider(models.Model): + + _name = "oauth.ropc.provider" + _description = "OAuth ROPC Provider" + + name = fields.Char() + client_id = fields.Char(string="Client ID") + client_secret = fields.Char() + auth_endpoint = fields.Char(string="Authorization URL", required=True) + resource = fields.Char() + scope = fields.Char() + active = fields.Boolean(default=True) + + @api.constrains("active") + def _check_active(self): + records_to_check = self.filtered(lambda r: r.active) + for record in records_to_check: + if self.search([("id", "!=", record.id)]): + raise ValidationError(_("""You can define only one active provider""")) + + def _authenticate(self, login, password): + self.ensure_one() + data = { + "client_id": self.client_id, + "client_secret": self.client_secret, + "resource": self.resource, + "scope": self.scope, + "grant_type": "password", + "username": login, + "password": password, + } + r = requests.post(self.auth_endpoint, data=data, timeout=5) + if r.status_code == 200: + return True + return False diff --git a/auth_oauth_ropc/models/res_users.py b/auth_oauth_ropc/models/res_users.py new file mode 100644 index 0000000000..3bf8dff43d --- /dev/null +++ b/auth_oauth_ropc/models/res_users.py 
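Review bot: `_authenticate` accepts any HTTP 200 as a successful login without looking at the token response, and a failed connection to `auth_endpoint` (`requests.post` raising `requests.RequestException`) propagates out of the method instead of yielding a denied login; that exception then escapes the `except AccessDenied` block in `res_users._check_credentials` (models/res_users.py hunk) with its own type. I would check the body for an `access_token` and turn request errors into `False`, logging only the endpoint (never the posted credentials or the response body) via a module-level `_logger = logging.getLogger(__name__)` added with `import logging`. Since the user's cleartext password is posted to `auth_endpoint`, a constraint rejecting non-`https://` values (e.g. `@api.constrains("auth_endpoint")` with `if not rec.auth_endpoint.startswith("https://"): raise ValidationError(...)`) would also be worth adding. `client_secret` is a plain `Char` field; the access rules live in security/oauth_ropc_provider.xml, which is not readable in this diff, so confirm that field is restricted to administrators.
```python
    def _authenticate(self, login, password):
        self.ensure_one()
        # … unchanged: data dict …
        try:
            r = requests.post(self.auth_endpoint, data=data, timeout=5)
        except requests.RequestException:
            # Treat IdP/network failures as a failed login, not a server error.
            _logger.warning("OAuth ROPC request to %s failed", self.auth_endpoint, exc_info=True)
            return False
        if r.status_code != 200:
            return False
        try:
            # RFC 6749 §5.1: a successful token response carries access_token.
            return bool(r.json().get("access_token"))
        except ValueError:
            return False
```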
@@ -0,0 +1,23 @@ +# Copyright 2023 ACSONE SA/NV +# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl). + +from odoo import models +from odoo.exceptions import AccessDenied + + +class ResUsers(models.Model): + + _inherit = "res.users" + + def _check_credentials(self, password, env): + try: + return super(ResUsers, self)._check_credentials(password, env) + except AccessDenied: + passwd_allowed = ( + env["interactive"] or not self.env.user._rpc_api_keys_only() + ) + if passwd_allowed and self.env.user.active: + if ropc_provider := self.env["oauth.ropc.provider"].sudo().search([]): + if ropc_provider._authenticate(self.env.user.login, password): + return + raise diff --git a/auth_oauth_ropc/readme/CONFIGURE.rst b/auth_oauth_ropc/readme/CONFIGURE.rst new file mode 100644 index 0000000000..7ade86e028 --- /dev/null +++ b/auth_oauth_ropc/readme/CONFIGURE.rst @@ -0,0 +1,11 @@ +The configuration of this module is based with Microsoft Azure ad OAuth provider + +https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc + +To configure this module, you need to: + +#. Go to Settings/Users/OAuth ROPC providers and create a new one + +.. figure:: ../static/description/configuration.png + :alt: provider description + :width: 600 px diff --git a/auth_oauth_ropc/readme/CONTRIBUTORS.rst b/auth_oauth_ropc/readme/CONTRIBUTORS.rst new file mode 100644 index 0000000000..e2bc6777dc --- /dev/null +++ b/auth_oauth_ropc/readme/CONTRIBUTORS.rst @@ -0,0 +1 @@ +Adrien Peiffer diff --git a/auth_oauth_ropc/readme/DESCRIPTION.rst b/auth_oauth_ropc/readme/DESCRIPTION.rst new file mode 100644 index 0000000000..79a7b4ffb5 --- /dev/null +++ b/auth_oauth_ropc/readme/DESCRIPTION.rst 
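Review bot: The walrus lookup `self.env["oauth.ropc.provider"].sudo().search([])` can return more than one record if the single-active-provider constraint is ever bypassed (e.g. two records activated in separate transactions), and `_authenticate` then fails on `ensure_one()` with a `ValueError` rather than denying the login; `search([], limit=1)` pins the behaviour. Note also that this override forwards the typed password to the IdP on every failed local-password attempt for every active user, so a wrong password on the Odoo login screen counts against the user's lockout policy at the provider; a comment stating this, e.g. `# Fallback only after local auth fails: every such attempt is forwarded to the IdP`, would help operators, and restricting the fallback to users without a local password is worth considering. `_check_credentials` is fully contained in this hunk.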
@@ -0,0 +1,7 @@ +This module add the possibility to login with OAuth Resource Owner Password Credentials Grant + +https://datatracker.ietf.org/doc/html/rfc6749#section-4.3 + +In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable. + +This module is useful for the Odoo mobile application, which only supports user/password authentication. diff --git a/auth_oauth_ropc/readme/USAGE.rst b/auth_oauth_ropc/readme/USAGE.rst new file mode 100644 index 0000000000..2b8eb9cdaa --- /dev/null +++ b/auth_oauth_ropc/readme/USAGE.rst @@ -0,0 +1,5 @@ +To use this module, you need to: + +#. Go on the login screen +#. Fill your Odoo user name (must be the same in OAuth provider) +#. Fill your OAuth password diff --git a/auth_oauth_ropc/security/oauth_ropc_provider.xml b/auth_oauth_ropc/security/oauth_ropc_provider.xml new file mode 100644 index 0000000000..dfb9201231 --- /dev/null +++ b/auth_oauth_ropc/security/oauth_ropc_provider.xml @@ -0,0 +1,16 @@ + + + + + + oauth.ropc.provider access system + + + + + + + + + diff --git a/auth_oauth_ropc/static/description/configuration.png b/auth_oauth_ropc/static/description/configuration.png new file mode 100644 index 0000000000..370233cacd Binary files /dev/null and b/auth_oauth_ropc/static/description/configuration.png differ diff --git a/auth_oauth_ropc/static/description/icon.png b/auth_oauth_ropc/static/description/icon.png new file mode 100644 index 0000000000..3a0328b516 Binary files /dev/null and b/auth_oauth_ropc/static/description/icon.png differ diff --git a/auth_oauth_ropc/static/description/index.html b/auth_oauth_ropc/static/description/index.html new file mode 100644 index 0000000000..a100600ffa --- /dev/null +++ b/auth_oauth_ropc/static/description/index.html @@ -0,0 +1,443 @@ + + + + + + +Auth OAuth ROPC + + + +
+

Auth OAuth ROPC

+ + +

Beta License: AGPL-3 OCA/server-auth Translate me on Weblate Try me on Runbot

+

This module add the possibility to login with OAuth Resource Owner Password Credentials Grant

+

https://datatracker.ietf.org/doc/html/rfc6749#section-4.3

+

In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren’t viable.

+

This module is usefull for the Odoo mobile application, which only supports user/password authentication.

+

Table of contents

+ +
+

Configuration

+

The configuration of this module is based with Microsoft Azure ad OAuth provider

+

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

+

To configure this module, you need to:

+
    +
  1. Go to Settings/Users/OAuth ROPC providers and create a new one
  2. +
+
+provider description +
+
+
+

Usage

+

To use this module, you need to:

+
    +
  1. Go on the login screen
  2. +
  3. Fill your Odoo user name (must be the same in OAuth provider)
  4. +
  5. Fill your OAuth password
  6. +
+
+
+

Bug Tracker

+

Bugs are tracked on GitHub Issues. +In case of trouble, please check there if your issue has already been reported. +If you spotted it first, help us smashing it by providing a detailed and welcomed +feedback.

+

Do not contact contributors directly about support or help with technical issues.

+
+
+

Credits

+
+

Authors

+
    +
  • ACSONE SA/NV
  • +
+
+ +
+

Maintainers

+

This module is maintained by the OCA.

+Odoo Community Association +

OCA, or the Odoo Community Association, is a nonprofit organization whose +mission is to support the collaborative development of Odoo features and +promote its widespread use.

+

This module is part of the OCA/server-auth project on GitHub.

+

You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

+
+
+
+ + diff --git a/auth_oauth_ropc/views/oauth_ropc_provider.xml b/auth_oauth_ropc/views/oauth_ropc_provider.xml new file mode 100644 index 0000000000..ee69abb61b --- /dev/null +++ b/auth_oauth_ropc/views/oauth_ropc_provider.xml @@ -0,0 +1,53 @@ + + + + + + oauth.ropc.provider.form (in auth_oauth_ropc) + oauth.ropc.provider + +
+ + + + + + + + + + + +
+
+
+ + + + oauth.ropc.provider.tree (in auth_oauth_ropc) + oauth.ropc.provider + + + + + + + + + + oauth ROPC Providers + oauth.ropc.provider + tree,form + [] + {} + + + + oauth ROPC Providers + + + + + +
diff --git a/setup/auth_oauth_ropc/odoo/addons/auth_oauth_ropc b/setup/auth_oauth_ropc/odoo/addons/auth_oauth_ropc new file mode 120000 index 0000000000..d5d7c3d385 --- /dev/null +++ b/setup/auth_oauth_ropc/odoo/addons/auth_oauth_ropc @@ -0,0 +1 @@ +../../../../auth_oauth_ropc \ No newline at end of file diff --git a/setup/auth_oauth_ropc/setup.py b/setup/auth_oauth_ropc/setup.py new file mode 100644 index 0000000000..28c57bb640 --- /dev/null +++ b/setup/auth_oauth_ropc/setup.py @@ -0,0 +1,6 @@ +import setuptools + +setuptools.setup( + setup_requires=['setuptools-odoo'], + odoo_addon=True, +)