✅ Environment
- Odoo version: 19 (Enterprise / Community, same behavior)
- Deployment: Self-hosted via Docker
- Database: PostgreSQL 15 / 16
- OS: Ubuntu 24.04 LTS
- Python: 3.11
- Reverse proxy: Nginx
    location / {
        proxy_pass http://127.0.0.1:8069;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
🧪 Reproducible on a Brand-New Server (No Legacy Data)
- Fresh Ubuntu 24.04 VPS
- Installed using the official script:
    wget -O - https://nightly.odoo.com/odoo.sh | bash
- Only module enabled: auth_oauth
- Google OAuth configured from scratch with valid credentials
Results:
- http://localhost:8069 → ✅ Works perfectly
- https://mydomain.com (with Let's Encrypt & proxy) → 🔁 Infinite redirect loop
🧩 Symptoms
- Click “Login with Google”
- Google consent → success
- Redirects back to Odoo → infinite loop:
    /web/login → /auth_oauth/signin → /web/login?redirect=/web → ...
- Browser DevTools shows multiple 302 redirects
- Sometimes appears as:
  - “Invalid Credentials”
  - “CSRF cookie not set”
🔍 Odoo Log Extracts
    2025-10-28 14:xx:xx,xxx WARNING ? werkzeug: Invalid OAuth2 token
    2025-10-28 14:xx:xx,xxx INFO ? odoo.addons.auth_oauth.controllers.main: OAuth2 callback: code received
    2025-10-28 14:xx:xx,xxx ERROR ? odoo.addons.auth_oauth.controllers.main: Failed to fetch user info: 401 Unauthorized
⚙️ Google Cloud OAuth Config
- Authorized redirect URIs:
    https://mydomain.com/auth_oauth/signin
    http://localhost:8069/auth_oauth/signin
- APIs enabled: People API, OAuth consent screen: External (Published)
⚙️ Odoo Provider Settings
| Field | Value |
| --- | --- |
| Name | |
| Flow | OAuth 2.0 |
| Client ID | xxxxxxx.apps.googleusercontent.com |
| Scope | openid email profile |
| Authorization URL | https://accounts.google.com/o/oauth2/auth |
| Token URL | https://oauth2.googleapis.com/token |
| User Info URL | https://www.googleapis.com/oauth2/v3/userinfo |
🧪 Things Already Tried (All Failed)
- ✅ web.base.url = https://mydomain.com + web.base.url.freeze = True
- ✅ proxy_mode = True
- ✅ Cleared all auth_oauth.google* from ir.config_parameter
- ✅ Reinstalled auth_oauth
- ✅ Disabled Cloudflare proxy
- ✅ Created new domain + new Google project + new credentials
- ✅ Works perfectly on localhost (HTTP)
- ❌ Fails on HTTPS (any domain or Odoo.sh)
🧭 Key Findings
- http://localhost:8069 → 100% success
- https://... → 100% loop
- Postman manual flow can successfully exchange code → id_token + access_token
- _auth_oauth_signin() in auth_oauth/controllers/main.py line ~98 returns False
- Log shows 401 Unauthorized from userinfo endpoint
❓ Questions for the Community
- Did something change in Odoo 18+ regarding Google id_token validation? (sub vs user_id?)
- Is web.base.url still being overridden even when frozen?
- Are extra “Allowed Domains” or CORS settings now required for OAuth?
- Does anyone have a working Google OAuth config (2025-tested) for Odoo 19 under HTTPS?
💡 Additional Clues
- When enabling debug logging in auth_oauth, the callback works up to token exchange but fails when Odoo tries to fetch user info.
- Same issue occurs even on a minimal installation with only auth_oauth, no custom modules, no cache, no proxy cache.
- Appears identical across Odoo 18 nightly and 19 stable builds.
🧩 Hypothesis
It seems HTTPS reverse proxy environments fail to preserve proper protocol/host headers for Odoo’s OAuth state verification or Secure cookies, causing session mismatch → redirect loop.
But I’ve also seen 401 from userinfo endpoint even with valid access token — possibly due to missing Authorization: Bearer header.
🙏 Looking for
- Any confirmed working Odoo 19 Google OAuth setup under HTTPS
- Or a patch / commit referencing this regression in recent versions
Would appreciate if Odoo team or community could reproduce this cleanly on a fresh Docker setup — it’s 100% reproducible here.
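
A way to tell the two hypotheses above apart from a captured redirect chain, as an added example that is not part of the original post or of Odoo's code. The hop data is constructed, and the function name `diagnose` and the finding labels are illustrative assumptions; `session_id` is the name of Odoo's session cookie.

```python
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Constructed sample (not captured from a real server): one tuple per hop,
# (request URL, status, response headers), as read from the DevTools network tab.
SAMPLE_HOPS = [
    ("https://mydomain.com/auth_oauth/signin", 302,
     {"Location": "http://mydomain.com/web/login?redirect=/web",
      "Set-Cookie": "session_id=aaa111; Path=/; HttpOnly"}),
    ("http://mydomain.com/web/login?redirect=/web", 301,
     {"Location": "https://mydomain.com/web/login?redirect=/web"}),
    ("https://mydomain.com/web/login?redirect=/web", 302,
     {"Location": "/auth_oauth/signin",
      "Set-Cookie": "session_id=bbb222; Path=/; HttpOnly"}),
    ("https://mydomain.com/auth_oauth/signin", 302,
     {"Location": "http://mydomain.com/web/login?redirect=/web"}),
]

def diagnose(hops, cookie_name="session_id"):
    """Return sorted finding labels for a redirect chain (heuristics only)."""
    findings, seen, last_sid = set(), set(), None
    for url, status, headers in hops:
        req = urlsplit(url)
        # Same scheme/host/path requested twice: the browser is going in circles.
        key = (req.scheme, req.netloc, req.path)
        if key in seen:
            findings.add("loop")
        seen.add(key)
        # An https request answered with an http:// Location suggests the backend
        # built its URL without seeing the forwarded scheme.
        loc = headers.get("Location")
        if loc and 300 <= status < 400:
            if req.scheme == "https" and urlsplit(urljoin(url, loc)).scheme == "http":
                findings.add("scheme-downgrade")
        # A new session id mid-chain suggests the previous session (and any state
        # stored in it) was not carried over to this hop.
        jar = SimpleCookie(headers.get("Set-Cookie", ""))
        if cookie_name in jar:
            sid = jar[cookie_name].value
            if last_sid is not None and sid != last_sid:
                findings.add("session-reset")
            last_sid = sid
    return sorted(findings)

if __name__ == "__main__":
    print(diagnose(SAMPLE_HOPS))
```

A chain that reports only `loop`, with no scheme downgrade and a stable session id, points away from the proxy headers and toward the 401 from the userinfo call.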