Janik von Rotz


Odoo OAuth authentication with Keycloak

Introduction

OAuth is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service. It works by delegating user authentication to the service that hosts the user account, and authorizing third-party applications to access the user account.

In our scenario Keycloak acts as the OAuth service and Odoo as the application that delegates the user authentication. In this guide you will learn how to configure Odoo and Keycloak to handle an implicit OAuth flow.

The flow we want to achieve is the following. The user accesses Odoo and then decides to authenticate with Keycloak. He gets forwarded to the Keycloak login page and authorizes the Odoo application to access his account information. He then gets redirected back to the application. Trust is established by only allowing selected applications as redirect targets. If you want to know more about OAuth authentication, head down to the Source chapter.

We assume that the following services are up and running:
Keycloak Auth Server: login.example.com
Odoo Application: odoo.example.com

Let’s get started!

Setup Keycloak client

Open the Keycloak management console, select your realm, navigate to Configure > Clients and create a new client.

For Client ID use odoo, for Client Protocol openid-connect and as Root URL enter ${authBaseUrl}. Click save.

In the client edit view make the following settings.

Access type: confidential

Odoo OAuth will pass a secret to initiate the login protocol.

Implicit Flow Enabled: On

Odoo OAuth requires the implicit flow.

Valid Redirect URIs:

Allow redirection to the Odoo login page.

Base URL: /realms/example.com/account/

Leave the Admin URL and Web Origins empty.

Save the settings and open the Mappers tab. Click on Add Builtin, select the email entry and add it. Open the email mapper and set Token Claim Name to user_id.

This ensures that the token carries the email address under the user_id claim, which is the value Odoo uses to identify the user.
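To check a client against the settings above without clicking through the console, the client can be exported as JSON and reviewed. The following script is an added example and not part of this post or of the Odoo module; the field names are those of Keycloak's client representation (publicClient, implicitFlowEnabled, redirectUris, webOrigins, protocolMappers). The sample client embedded in it is constructed, and its redirect URI is an assumption: the post leaves the exact value to the reader, and Odoo's OAuth callback path is /auth_oauth/signin.

```python
"""Review a Keycloak client representation (as exported from the admin
console or the REST API) against the client settings this post asks for.
Added example, not code from the post or from the Odoo module."""
import json

# Constructed sample: the client as configured in the post. The redirect
# URI is an assumption (the post leaves the exact value to the reader);
# Odoo's OAuth callback path is /auth_oauth/signin.
SAMPLE_CLIENT_JSON = """
{
  "clientId": "odoo",
  "protocol": "openid-connect",
  "rootUrl": "${authBaseUrl}",
  "baseUrl": "/realms/example.com/account/",
  "publicClient": false,
  "implicitFlowEnabled": true,
  "redirectUris": ["https://odoo.example.com/auth_oauth/signin"],
  "webOrigins": [],
  "protocolMappers": [
    {
      "name": "email",
      "protocolMapper": "oidc-usermodel-property-mapper",
      "config": {
        "user.attribute": "email",
        "claim.name": "user_id",
        "userinfo.token.claim": "true",
        "access.token.claim": "true",
        "id.token.claim": "true"
      }
    }
  ]
}
"""

EXPECTED_REDIRECT = "https://odoo.example.com/auth_oauth/signin"  # assumption


def review_client(client: dict, expected_redirect: str = EXPECTED_REDIRECT) -> list:
    """Return a list of findings; an empty list means the client matches the post."""
    findings = []
    if client.get("clientId") != "odoo":
        findings.append("clientId should be 'odoo'")
    if client.get("protocol") != "openid-connect":
        findings.append("protocol should be openid-connect")
    # Access type 'confidential' in the console is publicClient=false in the export
    if client.get("publicClient", True):
        findings.append("access type must be confidential (publicClient=false)")
    if not client.get("implicitFlowEnabled", False):
        findings.append("implicit flow must be enabled")
    redirects = client.get("redirectUris", [])
    if not redirects:
        findings.append("no valid redirect URI configured")
    for uri in redirects:
        # Trust rests on the redirect list: a wildcard widens it beyond the Odoo login page
        if "*" in uri:
            findings.append(f"wildcard redirect URI {uri!r} allows redirection beyond the Odoo login page")
        elif uri != expected_redirect:
            findings.append(f"unexpected redirect URI {uri!r}")
    if client.get("webOrigins"):
        findings.append("webOrigins should be left empty")
    if client.get("adminUrl"):
        findings.append("adminUrl should be left empty")
    # The email mapper must publish the address under the claim name user_id
    mappers = [m for m in client.get("protocolMappers", [])
               if m.get("config", {}).get("user.attribute") == "email"]
    if not any(m["config"].get("claim.name") == "user_id"
               and m["config"].get("userinfo.token.claim") == "true" for m in mappers):
        findings.append("email mapper with Token Claim Name user_id missing from userinfo")
    return findings


def review_client_json(text: str) -> list:
    """Convenience wrapper for a raw JSON export."""
    return review_client(json.loads(text))


if __name__ == "__main__":
    for line in review_client_json(SAMPLE_CLIENT_JSON) or ["client matches the post"]:
        print(line)
```

Run it against the JSON of an exported client; every deviation from the settings in this chapter is printed as one line.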

Update OAuth module

In order to authenticate with Keycloak the Odoo OAuth module requires some changes. I have created an Odoo module that applies the necessary changes.

Download the module zip from https://github.com/Mint-System/Odoo-App-Auth-OAuth-Keycloak and install the module.

This module makes the following changes:

The new methods support the bearer access token format and therefore make the authentication with Keycloak possible.

Add Keycloak provider in Odoo

Open the Odoo dashboard and navigate to Settings > General Settings > Integrations. If necessary enable OAuth Authentication and then click on OAuth Providers. Create a new provider with the following settings:

Provider Name: Login Example
Client ID: odoo
Allowed: [ x ]
Keycloak: [ x ]
Body: Login Example
Authentication URL: https://login.example.com/auth/realms/example.com/protocol/openid-connect/auth
Scope: profile
Validation URL: https://login.example.com/auth/realms/example.com/protocol/openid-connect/userinfo
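The following script walks through the implicit flow that the provider settings above describe, from Odoo's side: it builds the authorization request for the Authentication URL, reads the access token out of the fragment Keycloak sends back, presents it to the Validation URL as a bearer token (the format the module from the previous chapter adds) and picks up the user_id claim produced by the email mapper. It is an added example, not code from the post or from the Odoo OAuth modules. The callback path /auth_oauth/signin, the use of a state parameter and the userinfo response are assumptions or constructed data; the Keycloak endpoint is replaced by an in-process stand-in so the script runs offline.

```python
"""Implicit OAuth flow between Odoo and Keycloak as configured in the post,
seen from the relying party. Added example, not code from the post or from
the Odoo OAuth modules."""
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_URL = "https://login.example.com/auth/realms/example.com/protocol/openid-connect/auth"
VALIDATION_URL = "https://login.example.com/auth/realms/example.com/protocol/openid-connect/userinfo"
CLIENT_ID = "odoo"
SCOPE = "profile"
REDIRECT_URI = "https://odoo.example.com/auth_oauth/signin"  # assumption: Odoo's callback path


def build_authorization_url(state: str) -> str:
    """Step 1: the 'Login Example' button sends the browser to Keycloak.
    response_type=token selects the implicit flow: the access token comes
    back in the URL fragment instead of through a code exchange."""
    params = {
        "response_type": "token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": SCOPE,
        "state": state,  # assumption: a random value bound to this login attempt
    }
    return f"{AUTH_URL}?{urlencode(params)}"


def parse_redirect(redirect_url: str, expected_state: str) -> str:
    """Step 2: Keycloak redirects back to the Valid Redirect URI; the token
    lives in the fragment. The state must match the one issued in step 1,
    otherwise this redirect does not answer the request we started."""
    fragment = urlparse(redirect_url).fragment
    params = {k: v[0] for k, v in parse_qs(fragment).items()}
    if params.get("state") != expected_state:
        raise ValueError("state mismatch")
    if params.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return params["access_token"]


def validate_token(access_token: str, http_get) -> dict:
    """Step 3: call the Validation URL with the token in the Authorization
    header (the bearer format the patched module understands). A valid
    response must carry the user_id claim set up by the email mapper."""
    status, body = http_get(VALIDATION_URL, {"Authorization": f"Bearer {access_token}"})
    if status != 200:
        raise ValueError(f"userinfo rejected token: HTTP {status}")
    claims = json.loads(body)
    if "user_id" not in claims:
        raise ValueError("userinfo has no user_id claim; check the email mapper")
    return claims


# Constructed stand-in for Keycloak's userinfo endpoint so the example runs
# offline. It accepts exactly one token value and rejects everything else.
KNOWN_TOKEN = "constructed-access-token"


def fake_keycloak_get(url, headers):
    if headers.get("Authorization") != f"Bearer {KNOWN_TOKEN}":
        return 401, '{"error":"invalid_token"}'
    return 200, json.dumps({"sub": "1234", "user_id": "alice@example.com", "name": "Alice"})


def run_flow(token_from_keycloak: str = KNOWN_TOKEN, http_get=fake_keycloak_get) -> str:
    """Run steps 1 to 3 and return the identity Odoo would look the user up by."""
    state = secrets.token_urlsafe(16)
    build_authorization_url(state)  # the browser follows this URL in real life
    # Constructed callback, shaped like Keycloak's implicit-flow redirect
    callback = f"{REDIRECT_URI}#access_token={token_from_keycloak}&token_type=bearer&state={state}"
    token = parse_redirect(callback, state)
    return validate_token(token, http_get)["user_id"]


if __name__ == "__main__":
    print(run_flow())
```

Replace fake_keycloak_get with a real HTTP client to exercise the same three steps against login.example.com; a missing user_id in the userinfo response points at the mapper configuration, an HTTP 401 at the token itself.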

Update portal user template

By default Odoo creates a portal user for users that sign in via OAuth. We want Odoo to create an internal user instead.

Enable the developer mode and navigate to Settings > General Settings > Users > Customer Account > Default Access Rights. Edit the template and select for User types: Internal User. Save the portal user template.

Test the login

In Keycloak ensure that a user has been added to the realm. If necessary create one with password credentials.

Log out of Odoo. You should now see a button labelled Login Example. Click on it and wait to be forwarded to Keycloak. Log in and wait to be redirected back. If everything has been configured properly you are now logged in and see the Odoo activity page.

Source

Odoo Help - Keycloak Authentication on v12
DigitalOcean Tutorials - An Introduction to OAuth 2

Edits

2021-03-08: Set value for scope parameter when configuring the Odoo OAuth provider.

Categories: Identity and Access Management
Tags: keycloak , odoo , oauth , authentication