Community mailing list archives

community@mail.odoo.com

Azure AD authentication Advice auth_oauth.

by Graeme Gellatly - 08/05/2016 18:27:28
Hi all,

My context here is v7, but should apply to all versions.  We use Office 365 which is backed by the free version of AzureAD.  It supports multiple oauth2 authentication flows, but not the one in the auth_oauth module (it does but it's quite a lot stricter so the implementation doesn't work and it's overkill).

However with some relatively minor hacking of the auth_oauth module it works, however now I want to turn that into a module which extends auth_oauth.

The ORM side is not too difficult, just a few extra fields and function overrides; however, the problems start with the web side.

The query string sent in auth_oauth is different.  It requires different key value pairs, for example a nonce is required, and the token type is 'id_token'.  It is very much an openid_connect workflow (not like auth_openid which really should be deprecated).

Is there any way to inherit a javascript function and override it in another module?  The idea would be to take the hard coded query string and have it constructed from an oauth_auth flow type stored on the model.

Similarly in main.py, it queries the response, sets some fields and calls res_user.auth_oauth.  The Odoo module does very little in the way of preventing hacks and replay attacks.  Doesn't verify signatures, audience, expiries etc or send randomised state information for validation.  Is there any way to neatly inherit and override functions in main.py?  The strange thing is that I copied the original and called it auth_auth2 in my hacking.  It isn't installed, but that file gets called rather than my copy.

My alternative is to simply copy the oauth module and make edits, changing endpoints etc, but when I tried it didn't work so any advice on the steps to do this would be appreciated.

Or else any other alternatives.

Any resulting module will be published.
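
The checks the post lists (randomised state, a nonce, audience, expiry, replay prevention) shown in Python, as an added example that is not part of the original post or of the auth_oauth module. The function names, the session keys and the dict-based session are assumptions, and `claims` is assumed to come from a JWT library that has already verified the id_token signature against the provider's published keys.

```python
import hmac
import secrets
import time
from urllib.parse import urlencode


def begin_login(session, auth_endpoint, client_id, redirect_uri):
    """Build the authorization URL and remember state and nonce server-side."""
    session["oidc_state"] = secrets.token_urlsafe(32)
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    query = urlencode({
        "response_type": "id_token",   # token type named in the post
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": session["oidc_state"],
        "nonce": session["oidc_nonce"],
    })
    return auth_endpoint + "?" + query


def _same(a, b):
    """Constant-time comparison of two values as UTF-8 strings."""
    return hmac.compare_digest(str(a).encode(), str(b).encode())


def finish_login(session, returned_state, claims, client_id, now=None, leeway=60):
    """Check state plus the claims of an id_token whose signature has ALREADY
    been verified. Returns the subject claim or raises ValueError."""
    # pop() makes both values single-use, so a replayed response is rejected.
    state = session.pop("oidc_state", None)
    nonce = session.pop("oidc_nonce", None)
    if state is None or nonce is None:
        raise ValueError("no login in progress")
    if not _same(returned_state, state):
        raise ValueError("state mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp + leeway <= now:
        raise ValueError("token expired")
    if not _same(claims.get("nonce"), nonce):
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims["sub"]
```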