OCA/server-auth

Issues with auth_oidc and odoo v15

looeee opened this issue · 9 comments

I have set up Keycloak oidc auth for Odoo v15 using this module. My keycloak is hosted at auth.myadminsite.com, odoo is at odoo.mybusiness.com.

I ran into two issues. The second at least can be resolved by better documentation.

First issue: Redirect URI being reported by Odoo as http instead of https.

First, I was getting an invalid_redirect_URI error in Keycloak. I had set the redirect URI in Keycloak as https://odoo.mybusiness.com/auth_oauth/signin

However, when I checked the logs, I could see that Odoo is sending over http://odoo.mybusiness.com/auth_oauth/signin. I think it's coming from this line:

https://github.com/OCA/server-auth/blob/14.0/auth_oidc/models/res_users.py#L37

To fix this, I had to edit the Keycloak Realm and set Require SSL to none, then change the redirect URI for the Odoo client to the http version. However, this is not ideal because I don't want to allow non-SSL logins.

Second issue: Need to create a mapping in Keycloak from email to user_id

Next, I was getting this error log:

odoo.addons.auth_oidc.models.res_users: user_id claim not found in id_token (after mapping). 

To resolve this I needed to create a Mapping in Keycloak from email -> user_id as described here.
Once that is done, I put the keycloak user email as the user_id in Odoo.

To Reproduce

I'm using the code from PR #393 since I'm on odoo 15. However, I don't think there are any relevant changes compared to V14.

@looeee I am trying to test this but stuck on the mapping email -> user_id. Can you reference some documentation on how to do so? At least that way I can test, implement and hopefully be one of the two approvals needed to kick in a merge. I'm running latest odoo 15 from git and latest Quarkus-based version of keycloak.

Here are my keycloak settings in Odoo

[screenshot: keycloak settings]

Then here's my user oauth setting

[screenshot: oauth user]

Here's the keycloak Odoo client

[screenshot: keycloak odoo client]

Next you need to select the Mappers tab and create the user_id to email mapping

[screenshot: odoo scope mapper]

And finally, the bit which I'm less happy about, I have to go to the Keycloak realm settings and set SSL required to "none", which affects all clients on the realm, not just odoo.

[screenshot: keycloak realm disable ssl]

Hi,

I've not tested on 15.0 so take what I say here with a grain of salt.

For your 1st problem (http/https) I suspect a configuration issue with your odoo (not keycloak). For instance, make sure to run odoo with --proxy-mode if running behind a proxy.

For the second problem, the mapping mechanism in auth_oidc is known to work: email:user_id in the "Token map" field. Also make sure that you request openid email in the scope field.

For instance, make sure to run odoo with --proxy-mode if running behind a proxy.

Hmm, that would make sense. I'm using docker, is there a way to set that in docker compose or odoo.conf?

proxy_mode = True in odoo.conf, yes.
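Both pitfalls discussed above, the redirect_uri scheme behind a TLS-terminating proxy and the missing user_id claim after the token map, as one added example. This is a simplified Python model of the behaviour the comments describe, not auth_oidc's own code; the claim values, hostnames and function names are constructed for illustration.

```python
# Constructed id_token claims, roughly what Keycloak issues for a realm
# user before any Odoo-side mapping (sample values, not real ones).
SAMPLE_ID_TOKEN_CLAIMS = {
    "sub": "00000000-0000-0000-0000-000000000001",
    "email": "alice@mybusiness.com",
    "preferred_username": "alice",
}


def apply_token_map(claims, token_map):
    """Copy claims under new names using the "Token map" format from the
    thread: space-separated from:to pairs, e.g. "email:user_id".
    Returns a new dict; the source claim is kept alongside the copy."""
    mapped = dict(claims)
    for pair in token_map.split():
        src, dst = pair.split(":", 1)
        if src in mapped:
            mapped[dst] = mapped[src]
    return mapped


def validate_user_id(claims, token_map):
    """Model the check behind the log line quoted in the issue: after the
    map is applied, a user_id claim must exist or the login is refused."""
    mapped = apply_token_map(claims, token_map)
    if "user_id" not in mapped:
        raise ValueError("user_id claim not found in id_token (after mapping)")
    return mapped["user_id"]


def redirect_uri(host, wsgi_scheme, forwarded_proto=None, proxy_mode=False):
    """Model how the redirect_uri sent to the token endpoint is derived from
    the request's url_root. Behind a proxy that terminates TLS the WSGI
    scheme is plain http; only with proxy_mode enabled does Odoo trust the
    proxy's X-Forwarded-Proto header, so the URI becomes https."""
    scheme = wsgi_scheme
    if proxy_mode and forwarded_proto:
        scheme = forwarded_proto
    return f"{scheme}://{host}/auth_oauth/signin"


if __name__ == "__main__":
    # Without proxy_mode Keycloak sees the http URI and rejects it.
    print(redirect_uri("odoo.mybusiness.com", "http", "https"))
    print(redirect_uri("odoo.mybusiness.com", "http", "https", proxy_mode=True))
    # Either a Keycloak mapper emitting user_id or the Odoo token map works.
    print(validate_user_id(SAMPLE_ID_TOKEN_CLAIMS, "email:user_id"))
```

Running it shows the http URI that triggers Keycloak's invalid_redirect_uri error next to the https one produced once proxy_mode is honoured, and the user_id value that results from the email:user_id map.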

I always get this error on the screen; I tried mapping using both methods detailed above.
[screenshot: Screenshot_20220831_102850]

server logs:
2022-08-31 08:55:12,838 2293 INFO eajglobal odoo.addons.auth_oauth.controllers.main: OAuth2: access denied, redirect to main page in case a valid session exists, without setting cookies
2022-08-31 08:55:12,842 2293 INFO eajglobal werkzeug: 185.6.153.43 - - [31/Aug/2022 08:55:12] "GET /auth_oauth/signin?state=%7B%22d%22%3A+%22eajglobal%22%2C+%22p%22%3A+4%2C+%22r%22%3A+%22https%253A%252F%252Fmy.eajglobal.com%252Fweb%22%7D&session_state=f78a204d-8248-4b3f-96a4-0b15db235302&code=9159ae0a-7688-4173-8112-4a6ca6de781c.f99a204d-8248-4b3f-96a4-0b15db2486431202.d21ea262-8b1b-4352-804c-20cb7eae50d8 HTTP/1.0" 303 - 43 0.060 3.720

Customer account is set to free signup and the example portal user is not archived.

@EAJGlobal I had the same error message.
In my case the user/account already existed in Odoo; after deleting it in Odoo and trying again, the Odoo account was created at first login.

There hasn't been any activity on this issue in the past 6 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
If you want this issue to never become stale, please ask a PSC member to apply the "no stale" label.