authentik
How to configure a provider for Odoo?
Describe your question/ Create an OAuth provider for Odoo 14
Relevant infos Latest version of Authentik, on docker.
Context
After trying to connect to my Odoo instance using my Authentik provider, I get error=unsupported_response_type
The authorization server does not support obtaining an authorization code using this method
Could you perhaps provide us with a tutorial on how to integrate OAuth into Odoo using authentik?
I would assume that the devs would need error logs. Is there anything else in your authentik logs, and logs from Odoo?
I have the same issue, currently trying to find out how to get odoo working with authentik. Please update this issue if you find a way!
This is all the output I can find on my installation:
server_1 | {"event": "Invalid response type", "host": "authentik.mycompany.local", "level": "warning", "logger": "authentik.providers.oauth2.views.authorize", "pid": 24, "request_id": "3327a6c17cc048c9975b3cd5d89f617f", "timestamp": "2022-08-15T05:38:20.520072", "type": "token"}
server_1 | {"event": "The authorization server does not support obtaining an authorization code using this method", "host": "authentik.mycompany.local", "level": "warning", "logger": "authentik.providers.oauth2.views.authorize", "pid": 24, "redirect_uri": "http://odoo-staging.mycompany.local/auth_oauth/signin", "request_id": "3327a6c17cc048c9975b3cd5d89f617f", "timestamp": "2022-08-15T05:38:20.521435"}
server_1 | {"event": "/application/o/authorize/?response_type=token&client_id=0896b791387a97780ebb70e5246a0789a21dd73c&redirect_uri=http%3A%2F%2Fodoo-staging.mycompany.local%2Fauth_oauth%2Fsignin&scope=email+openid+profile&state=%7B%22d%22%3A+%22odoo%22%2C+%22p%22%3A+4%2C+%22r%22%3A+%22http%253A%252F%252Fodoo-staging.mycompany.local%252Fweb%22%7D", "host": "authentik.mycompany.local", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 24, "remote": "109.43.50.113", "request_id": "3327a6c17cc048c9975b3cd5d89f617f", "runtime": 15, "scheme": "https", "status": 302, "timestamp": "2022-08-15T05:38:20.524649", "user": "", "user_agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36"}
server_1 | {"event": "/application/o/userinfo/", "host": "authentik.mycompany.local", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 24, "remote": "172.31.100.9", "request_id": "5543e896b4b94fe79f7c9b6ae6934a60", "runtime": 11, "scheme": "https", "status": 401, "timestamp": "2022-08-15T05:38:20.673570", "user": "", "user_agent": "python-requests/2.25.1"}
server_1 | {"event": "Unauthorized: /application/o/userinfo/", "level": "warning", "logger": "django.request", "timestamp": 1660541900.6746342}
server_1 | {"event": "/-/health/ready/", "host": "localhost:9000", "level": "info", "logger": "authentik.asgi", "method": "HEAD", "pid": 24, "remote": "127.0.0.1", "request_id": "f1efe1bca79346b2b0ddb9985bcb6e77", "runtime": 12, "scheme": "http", "status": 204, "timestamp": "2022-08-15T05:38:22.468779", "user": "", "user_agent": "goauthentik.io lifecycle Healthcheck"}
server_1 | {"event": "/-/health/live/", "host": "localhost:8000", "level": "info", "logger": "authentik.asgi", "method": "GET", "pid": 23, "remote": "127.0.0.1", "request_id": "0b346eea0d954008a1787b66c3da94de", "runtime": 11, "scheme": "http", "status": 204, "timestamp": "2022-08-15T05:38:30.061987", "user": "", "user_agent": "goauthentik.io/proxy/healthcheck"}
Odoo Logs:
web_1 | 2022-08-15 05:33:55,665 1 ERROR odoo odoo.addons.auth_oauth.controllers.main: OAuth2: invalid_request
web_1 | Traceback (most recent call last):
web_1 | File "/usr/lib/python3/dist-packages/odoo/addons/auth_oauth/controllers/main.py", line 134, in signin
web_1 | credentials = env['res.users'].sudo().auth_oauth(provider, kw)
web_1 | File "/usr/lib/python3/dist-packages/odoo/addons/auth_oauth/models/res_users.py", line 124, in auth_oauth
web_1 | validation = self._auth_oauth_validate(provider, access_token)
web_1 | File "/usr/lib/python3/dist-packages/odoo/addons/auth_oauth/models/res_users.py", line 49, in _auth_oauth_validate
web_1 | raise Exception(validation['error'])
web_1 | Exception: invalid_request
web_1 | 2022-08-15 05:33:55,668 1 INFO odoo werkzeug: 172.31.100.6 - - [15/Aug/2022 05:33:55] "GET /auth_oauth/signin?error=unsupported_response_type&error_description=The%20authorization%20server%20does%20not%20support%20obtaining%20an%20authorization%20code%20using%20this%20method&state=%7B%22d%22:%20%22odoo%22,%20%22p%22:%204,%20%22r%22:%20%22http%3A%2F%2Fodoo-staging.mycompany.local%2Fweb%22%7D HTTP/1.1" 303 - 2 0.001 0.049
I'm not sure if it's on odoo or goauthentik. My personal guess is more the odoo implementation is crappy, as it's my only app so far without a password field.
I just found out why!
The issue is because Odoo 14 supports the response type token, when Authentik has different response type names.
See the screenshots below.
Odoo configuration
Authentik configuration
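Added example (not part of the thread, and not authentik or Odoo code): a small Python triage script that correlates authentik's JSON log lines by request_id and flags authorize requests like the one diagnosed above, where response_type=token is sent and rejected. The sample lines are constructed in the shape of the logs posted earlier; the host names, client ID and request IDs are placeholders.

```python
import json
from urllib.parse import parse_qs, urlsplit

AUTHZ_LOGGER = "authentik.providers.oauth2.views.authorize"  # logger name as seen in the thread
# Constructed sample input in the shape of the posted logs (placeholder hosts and IDs).
SAMPLE = r'''
server_1 | {"event": "Invalid response type", "level": "warning", "logger": "authentik.providers.oauth2.views.authorize", "request_id": "req-a", "type": "token"}
server_1 | {"event": "/application/o/authorize/?response_type=token&client_id=example-client&redirect_uri=http%3A%2F%2Fodoo.example.test%2Fauth_oauth%2Fsignin&scope=email+openid+profile", "logger": "authentik.asgi", "method": "GET", "request_id": "req-a", "status": 302}
server_1 | {"event": "/application/o/authorize/?response_type=code&client_id=example-client&redirect_uri=https%3A%2F%2Fodoo.example.test%2Fauth_oauth%2Fsignin&scope=openid", "logger": "authentik.asgi", "method": "GET", "request_id": "req-b", "status": 302}
server_1 | {"event": "/-/health/live/", "logger": "authentik.asgi", "method": "GET", "request_id": "req-c", "status": 204}
'''

def parse_lines(text):
    """Yield JSON records, skipping the compose prefix and unparsable lines."""
    for line in text.splitlines():
        start = line.find("{")
        if start == -1:
            continue
        try:
            yield json.loads(line[start:])
        except json.JSONDecodeError:
            continue

def triage(text):
    """Return (request_id, response_type, issues) for suspicious authorize requests."""
    requests, rejected = {}, set()
    for rec in parse_lines(text):
        rid, event = rec.get("request_id"), str(rec.get("event", ""))
        if rec.get("logger") == AUTHZ_LOGGER and event == "Invalid response type":
            rejected.add(rid)
        elif event.startswith("/application/o/authorize/"):
            query = parse_qs(urlsplit(event).query)
            redirect = query.get("redirect_uri", [""])[0]
            requests[rid] = (query.get("response_type", [""])[0], urlsplit(redirect).scheme)
    findings = []
    for rid, (rtype, scheme) in requests.items():
        issues = []
        if rid in rejected:
            issues.append("provider rejected the response_type")
        if "token" in rtype.split():
            issues.append("access token requested in the browser redirect (implicit flow)")
        if scheme != "https":
            issues.append("redirect_uri is not https")
        if issues:
            findings.append((rid, rtype, issues))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Pipe the output of `docker-compose logs server` into `triage()` to see which client requests still use the implicit flow after switching Odoo to an authorization code flow module.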
The Odoo OAuth code was written something like 8 years ago and uses practices that were deemed OK then, but have since been considered insecure. I assume that's why Authentik doesn't seem to support it. I've been banging my head against this very same problem the past couple of days and happened on this thread while madly googling for a solution. Here's how I got it to work (in each section I will only mention the non-obvious fields):
In Authentik:
- Client Type: Confidential
- Redirect URI: http://your.odoo/auth_oauth/signin/
- Signing Key: authentik Self-signed certificate (RSA)
--edited to add: The Redirect URI is where I have the most problems. I've had to include several URIs in this field, for example:
http://your.odoo/auth_oauth/signin/
https://your.odoo/auth_oauth/signin/
https://www.your.odoo/auth_oauth/signin/
-- end edit
Please note the redirect URI is http NOT https, but depending on your setup maybe you can get away with https, and you need to specify a signing key or it won't work.
In Odoo:
- Install the auth_oidc module from the OCA repo server-auth
- In Settings enable OAuth and configure a provider
Create a new OAuth provider:
- Auth Flow: OpenID Connect (authorization code flow)
- Token Map: email:user_id
Fill in all the rest by plugging in values from your Authentik provider:
- Client ID
- Client Secret
- Authorization URL
- UserInfo URL
- Token URL
- JWKS URL
For every user you want to enable OAuth, open the OAuth tab on the user record:
- OAuth provider: set to the provider you created above
- OAuth User id: the email the user will be using to log in
If it's a pre-existing user you may have to send a reset password email to get this to work.
As a last step: pray to the deity of your choice, maybe go to a sunday service or two, promise to sacrifice your first-born child and...
try not to rip your hair out or throw your computer out the window when it doesn't work anyway.
Wow, thanks a lot for that detailed reply, I'll try that right when I'm back to work
Back on this issue. I'll close it because the problem comes from Odoo (lol). I installed an OAuth module and ~I modified it~ an employee at my workplace modified it because Odoo doesn't support the default authentik response_type.
@Lanhild can you please provide a short description or even better your modified addon? I would love to get it working.
I don't have the module source with me, but it's the default OAuth module you can find in any instance module marketplace. I think the only difference with the original source code is that in the modified version I use, you can set the response_type in the form when you create a provider.
@Lanhild Where can I find this file? Can you give me the name of the file or the file path?
I try to run Odoo in a Docker container and every time I log in I still get 'Access Denied', and I get this when I look into the Network tab in the browser:
error: unsupported_response_type
error_description: The authorization server does not support obtaining an authorization code using this method