I have been trying to get Oauth2 authentication against Azure AD working and I appear to be running into an error with the python scripts in ODOO's Outh2 Authentication module parsing the token returned from Azure AD.
For background, here is my current Oauth configuration in the ODOO Oauth2 Authentication Module:
Provider name: Azure AD
Client ID: <Azure AD Client ID>
Allowed: Checked
Body: Login with Azure AD
Authentication URL: https://login.microsoftonline.com/<Azure Tenant ID>/oauth2/authorize?resource=https%3A%2F%2Fgraph.microsoft.com&
Scope: mail
Validation URL: https://graph.microsoft.com/v1.0/me
Data URL: <Empty>
In Azure AD for my tenant I have created the following application:
Name: ODOO
Sign-on URL: http://<odoo hostname>:8069
Client ID <Azure generated GUID - used above in ODOO Oauth config>
Keys: <Empty>
App ID URI: http://odoo
Reply URL: http://<odoo hostname>:8068/auth_oauth/signin
Permissions to other apps: Windows Azure AD (sign in and read profile), Microsoft Graph (sign in and read profile)
Set "oauth2AllowImplicitFlow": true in the application manifest.
I have created a user in ODOO, with following info:
Name: <My name>
E-mail: <my email address>
OAuth Provider: Azure AD
OAuth ID: <Blank>
Employee Access Rights
When I browse to ODOO and select 'Login to Azure AD' I am directed to:
https://login.microsoftonline.com/<Azure Tenant ID>/oauth2/authorize?resource=https%3A%2F%2Fgraph.microsoft.com&?scope=mail&state={%22p%22%3A+4%2C+%22r%22%3A+%22http%253A%252F%252F<odoo hostname>%253A8069%252Fweb%22%2C+%22d%22%3A+%22<odoo database>%22}&redirect_uri=http%3A%2F%2F<odoo hostname>%3A8069%2Fauth_oauth%2Fsignin&response_type=token&client_id=<Azure AD Client ID>I login with my Azure AD credentials and am redirected back to ODOO, with the following URL that has the valid token attached (token is expired in example below):
http://<odoo hostname>:8069/auth_oauth/signin?access_token=eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEUk5ZUlEzZGhSU3JtLTRLLWFkcENKMlBGbGtieWtrOXdZYzV3T2pKWV8xY2F0dmFKWklaRGU1M2lvem5PaGZFVmNjSXEwSWRjZjljdGZqT3NGRFo5WHVBU082ZFN2cU9scG5SSnZTeHFYQ1NBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiYTNRTjBCWlM3czRuTi1CZHJqYkYwWV9MZE1NIiwia2lkIjoiYTNRTjBCWlM3czRuTi1CZHJqYkYwWV9MZE1NIn0.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC80MzRlOWQyYi1kOGQzLTRiZDktYmQyNy0wM2IyMGExNmQ4NjMvIiwiaWF0IjoxNDkwMDQ0MTg3LCJuYmYiOjE0OTAwNDQxODcsImV4cCI6MTQ5MDA0ODA4NywiYWNyIjoiMSIsImFpbyI6IkFRQUJBQUVBQUFEUk5ZUlEzZGhSU3JtLTRLLWFkcENKWlNNMnlCZHVJdks0aDR1bEk4WEVSZ0R1RmtaLTUzU0xuR3JLVkcyUmVnZmV1TF9iVEVWWE1XUm1LTEU0cHVYa0Z3Y2ZnNDlyeE1SWk5TYlNveGoydU5IeVpwTDJzVmFpaHYtcnFtSjFaaWtnQUEiLCJhbXIiOlsicnNhIiwid2lhIiwibWZhIl0sImFwcF9kaXNwbGF5bmFtZSI6InBjbC1wcmQtb2Rvby13ZWIiLCJhcHBpZCI6IjcwYTJkZWM4LTYzNTgtNDU4Yy05MzMxLWE4NDBlZjdlNTZjZiIsImFwcGlkYWNyIjoiMCIsImRldmljZWlkIjoiZGE4YTMwNTQtNjk2OC00YmI5LWE2NmMtMDczMjM3MTEwODU1IiwiZmFtaWx5X25hbWUiOiJQYWxtZXIiLCJnaXZlbl9uYW1lIjoiQ2hyaXMiLCJpbl9jb3JwIjoidHJ1ZSIsImlwYWRkciI6IjIwNC4xOTEuMTU5LjEwIiwibmFtZSI6IkNocmlzIFBhbG1lciIsIm9pZCI6IjQyNWFhY2UxLTMxMzAtNDYyNy05M2JiLWVlMzI2YzJhNmY2MSIsIm9ucHJlbV9zaWQiOiJTLTEtNS0yMS0xMDEwOTY2ODAwLTc3Nzg3MTcwNy0zOTUzMzk1MTUtMTI0NjIzIiwicGxhdGYiOiIzIiwicHVpZCI6IjEwMDNCRkZEODQ4REIxREYiLCJzY3AiOiJEaXJlY3RvcnkuUmVhZC5BbGwgVXNlci5SZWFkIiwic2lnbmluX3N0YXRlIjpbImlua25vd25udHdrIiwia21zaSJdLCJzdWIiOiJkQjlWME5QN2R3VUF0eVRPSUlKcnZNTU5CRy16UXUyYXdFbGs0aDhwdjVFIiwidGlkIjoiNDM0ZTlkMmItZDhkMy00YmQ5LWJkMjctMDNiMjBhMTZkODYzIiwidW5pcXVlX25hbWUiOiJjcnBhbG1lckBwY2wuY29tIiwidXBuIjoiY3JwYWxtZXJAcGNsLmNvbSIsInZlciI6IjEuMCJ9.gJ-5bow8_FaVhXu3-NkHE2gyI2ui49fPLdw-36PV50ifYk--QOTkxkP9Jj59Ty-_CLY4jFRUTHIFjmPKne2W8k1zgIlDGsNVBSw1mKj0YDeGIkBLUOCi9r5y0s7bUhJ1O_KNxK0b8bEcdwV-GsJpDTDD634TNGdDeqoCkq8I7XIzhAEiKb0fIaAF6hsmZEy7OR5EOLhNi1wNSTScF0UIvUHuPxV7lwvjYKqZ5_LufSfJe4gFSyVuyomYwzQiCIk6cj29nyWpok260tjRwSeU_fYtqdNM8pa8a82Lz88pw9RYZoMjwq2M-ueDGlwRHXj0v8QVDV1fu00DRocj-xECcw&token_type=Bearer&expires_in=3599&state=%7b%22p%22%3a+4%2c+%22r%22%3a+%22http%253A%252F%252F<odoo hostname>%253A8069%252Fweb%22%2c+%22d%22%3a+%22<odoo database>%22%7d&session_state=21ff1548-7947-4c98-8a42-5dc7ca575fea
I have used Postman and confirmed that the token's being returned from Azure AD are valid and allow me to login to Microsoft Graph. For example, executing a GET against https://graph.microsoft.com/v1.0/me with a header of 'Authorization:bearer <token returned>' successfully returns my user profile information as JSON:
{ "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"id": "<Azure GUID for my user",
"businessPhones": [ "<my office phone number>" ],
"displayName": "<my display name>",
"givenName": "<my first name>",
"jobTitle": "<my job stitle>",
"mail": "<my e-mail address>",
"mobilePhone": "<my cell number>",
"officeLocation": "<mu office location>",
"preferredLanguage": null,
"surname": "<my last name>",
"userPrincipalName": "<my email address>"
}
When I attempt to login however I am redirected to ODOO's generic 'Access Denied' error page (http://<odoo hostname>:8069/web/login?oauth_error=2). When I look at the odoo-server.log I see a 401 and what appears to be errors in the python script (I do not work on Linux so I apologize if this is an incorrect assumption):
2017-03-20 21:19:20,469 15416 ERROR <odoo database> odoo.addons.auth_oauth.controllers.main: OAuth2: HTTP Error 401: Unauthorized
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/odoo/addons/auth_oauth/controllers/main.py", line 139, in signin
credentials = env['res.users'].sudo().auth_oauth(provider, kw)
File "/usr/lib/python2.7/dist-packages/odoo/addons/auth_oauth/models/res_users.py", line 102, in auth_oauth
validation = self._auth_oauth_validate(provider, access_token)
File "/usr/lib/python2.7/dist-packages/odoo/addons/auth_oauth/models/res_users.py", line 40, in _auth_oauth_validate
validation = self._auth_oauth_rpc(oauth_provider.validation_endpoint, access_token)
File "/usr/lib/python2.7/dist-packages/odoo/addons/auth_oauth/models/res_users.py", line 32, in _auth_oauth_rpc
f = urllib2.urlopen(url) File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen return opener.open(url, data, timeout)
File "/usr/lib/python2.7/urllib2.py", line 435, in open
response = meth(req, response)
File "/usr/lib/python2.7/urllib2.py", line 548, in http_response
'http', request, response, code, msg, hdrs)
File "/usr/lib/python2.7/urllib2.py", line 473, in error
return self._call_chain(*args)
File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
result = func(*args)
File "/usr/lib/python2.7/urllib2.py", line 556, in http_error_default
raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 401: Unauthorized
2017-03-20 21:19:20,470 15416 INFO <odoo database> werkzeug: <my client IP> - - [20/Mar/2017 21:19:20] "GET /auth_oauth/signin?access_token=eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEUk5ZUlEzZGhSU3JtLTRLLWFkcENKSjZTaFEyaThZRnJ4MmZZUURqQlRFUkVMZGhWeDVNM3dQODZlb3RSSTY0QUdLYU0xbFVRWlZuazRMRVZ2a1dhZjlVZjNtTjJFVU9QZUFYSTJ0OFE4SUNBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiYTNRTjBCWlM3czRuTi1CZHJqYkYwWV9MZE1NIiwia2lkIjoiYTNRTjBCWlM3czRuTi1CZHJqYkYwWV9MZE1NIn0.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC80MzRlOWQyYi1kOGQzLTRiZDktYmQyNy0wM2IyMGExNmQ4NjMvIiwiaWF0IjoxNDkwMDQ0NDU5LCJuYmYiOjE0OTAwNDQ0NTksImV4cCI6MTQ5MDA0ODM1OSwiYWNyIjoiMSIsImFpbyI6IkFRQUJBQUVBQUFEUk5ZUlEzZGhSU3JtLTRLLWFkcENKT0ZfVWs3bmx6U3dpTWNfYndmTzJSb2pRVTNEcTRyMjNZakc3aVJ2bTZQdHRHdFY2VUlka3hmekZVc3FWWWxBaGlmSWtlQWM3dmxaWnpRazYtekpLWno4YjhicDdUREcyc01tdEJIZ21Ud0FnQUEiLCJhbXIiOlsicnNhIiwid2lhIiwibWZhIl0sImFwcF9kaXNwbGF5bmFtZSI6InBjbC1wcmQtb2Rvby13ZWIiLCJhcHBpZCI6IjcwYTJkZWM4LTYzNTgtNDU4Yy05MzMxLWE4NDBlZjdlNTZjZiIsImFwcGlkYWNyIjoiMCIsImRldmljZWlkIjoiZGE4YTMwNTQtNjk2OC00YmI5LWE2NmMtMDczMjM3MTEwODU1IiwiZmFtaWx5X25hbWUiOiJQYWxtZXIiLCJnaXZlbl9uYW1lIjoiQ2hyaXMiLCJpbl9jb3JwIjoidHJ1ZSIsImlwYWRkciI6IjIwNC4xOTEuMTU5LjEwIiwibmFtZSI6IkNocmlzIFBhbG1lciIsIm9pZCI6IjQyNWFhY2UxLTMxMzAtNDYyNy05M2JiLWVlMzI2YzJhNmY2MSIsIm9ucHJlbV9zaWQiOiJTLTEtNS0yMS0xMDEwOTY2ODAwLTc3Nzg3MTcwNy0zOTUzMzk1MTUtMTI0NjIzIiwicGxhdGYiOiIzIiwicHVpZCI6IjEwMDNCRkZEODQ4REIxREYiLCJzY3AiOiJEaXJlY3RvcnkuUmVhZC5BbGwgVXNlci5SZWFkIiwic2lnbmluX3N0YXRlIjpbImlua25vd25udHdrIiwia21zaSJdLCJzdWIiOiJkQjlWME5QN2R3VUF0eVRPSUlKcnZNTU5CRy16UXUyYXdFbGs0aDhwdjVFIiwidGlkIjoiNDM0ZTlkMmItZDhkMy00YmQ5LWJkMjctMDNiMjBhMTZkODYzIiwidW5pcXVlX25hbWUiOiJjcnBhbG1lckBwY2wuY29tIiwidXBuIjoiY3JwYWxtZXJAcGNsLmNvbSIsInZlciI6IjEuMCJ9.pkVgObHrBwe8GeYB2jZSib1_EyQcLh3pfWrJhsBEnk8kPTmY1znuOPjCMuqKuNoTRva4qgbCqVYAxv6F2ejLALhm2R4FREZo2fru3D9yrvEWEZxeKkhfGcYuCi5-AmelO5T7fmckdB3eoZEx8bGbFMEc9dAcRSOTk1e9aJCOCZXhY-LaoLVMBxskhRwOd6aK6p_Wo9aDxulwMiTtysSmi1RQMgrwNonjBn6_75tZX285tB_2UtX-H7S_vVLHIyvui46af3VYPJ_jdWMP8SiBW16dgqwyaQjNKeeanXsQvnR3eD58_beYKUOVK5dg9-AUBHxLAx7FazPrte0jXw4GQA&token_type=Bearer&expires_in=3599&state=%7b%22p%22%3a+4%2c+%22r%22%3a+%22http%253A%252F%252F<odoo hostname>%253A8069%252Fweb%22%2c+%22d%22%3a+%22<odoo database>%22%7d&session_state=21ff1548-7947-4c98-8a42-5dc7ca575fea HTTP/1.1" 303 -
2017-03-20 21:19:20,575 15416 INFO <odoo database> werkzeug: <my client IP> - - [20/Mar/2017 21:19:20] "GET /web/login?oauth_error=2 HTTP/1.1" 200 -
Not really sure what to do here and not sure how to further troubleshoot. I did want to ensure ODOO was attempting to connect to Graph as per my Validation URL in the ODOO Oauth Config so I did a tshark network capture, and I do see it attempting to connect:
63 7.792167375 10.0.0.4 -> 168.63.129.16 DNS 79 Standard query 0x3c7c A graph.microsoft.com
64 7.792175260 10.0.0.4 -> 168.63.129.16 DNS 79 Standard query 0x6dd5 AAAA graph.microsoft.com
65 7.794738016 168.63.129.16 -> 10.0.0.4 DNS 181 Standard query response 0x3c7c A graph.microsoft.com CNAME graphags.msods.nsatc.net A 65.52.240.164 A 168.62.105.91 A 157.56.28.135 A 157.56.28.58
66 7.794799227 168.63.129.16 -> 10.0.0.4 DNS 170 Standard query response 0x6dd5 AAAA graph.microsoft.com CNAME graphags.msods.nsatc.net SOA admin.nsatc.net
67 7.795111297 10.0.0.4 -> 65.52.240.164 TCP 74 54938 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=565910854 TSecr=0 WS=128
68 7.810547902 65.52.240.164 -> 10.0.0.4 TCP 74 443 → 54938 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1 TSval=49623082 TSecr=565910854
69 7.810571142 10.0.0.4 -> 65.52.240.164 TCP 66 54938 → 443 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=565910858 TSecr=49623082
70 7.810724480 10.0.0.4 -> 65.52.240.164 SSL 583 Client Hello
71 7.829187589 65.52.240.164 -> 10.0.0.4 TCP 1494 [TCP segment of a reassembled PDU]
72 7.829190079 65.52.240.164 -> 10.0.0.4 TCP 1494 [TCP segment of a reassembled PDU]
73 7.829190909 65.52.240.164 -> 10.0.0.4 TLSv1.2 884 Server Hello, Certificate, Server Key Exchange, Server Hello Done
74 7.829247036 10.0.0.4 -> 65.52.240.164 TCP 66 54938 → 443 [ACK] Seq=518 Ack=1429 Win=32128 Len=0 TSval=565910863 TSecr=49623084
75 7.829253054 10.0.0.4 -> 65.52.240.164 TCP 66 54938 → 443 [ACK] Seq=518 Ack=2857 Win=35072 Len=0 TSval=565910863 TSecr=49623084
76 7.829255232 10.0.0.4 -> 65.52.240.164 TCP 66 54938 → 443 [ACK] Seq=518 Ack=3675 Win=37888 Len=0 TSval=565910863 TSecr=49623084
77 7.831680212 10.0.0.4 -> 65.52.240.164 TLSv1.2 280 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
78 7.851560816 65.52.240.164 -> 10.0.0.4 TLSv1.2 173 Change Cipher Spec, Encrypted Handshake Message
79 7.851926627 10.0.0.4 -> 65.52.240.164 TLSv1.2 2263 Application Data
80 7.867082805 65.52.240.164 -> 10.0.0.4 TCP 66 443 → 54938 [ACK] Seq=3782 Ack=2929 Win=131328 Len=0 TSval=49623088 TSecr=565910868
81 7.871805364 65.52.240.164 -> 10.0.0.4 TLSv1.2 951 Application Data
So above we can see the ODOO server doing a DNS look up for graph.microsoft.com and then make a TLS/SSL connection to that IP address and exchange a small amount of data, so it is definitely trying to validate something.
Unfortunately I don't have the knowledge with Linux to man in the middle the connection through a Fiddler proxy or something equivalent to see what is being exchanged so I'm left trying to figure out if the Python messages in the odoo-server.log are errors in the parsing of the token and the validation request to Microsoft Graph is malformed or if the response is valid and that is being parsed incorrectly returns.
Is there a way to increase debug logging? Anyone have any suggestions on next steps to resolve? I feel so close to getting this working.
Hello,
I got a notice that you replied to my ODOO Oauth2 question but I don’t see any response. Did you have any suggestions?
Cheers,
Chris
From: Baiju KS [mailto:baijuks@hotmail.com]
Sent: Tuesday, March 21, 2017 11:27 AM
To: Chris Palmer <crpalmer@pcl.com>
Subject: ODOO 10.0 - Oauth2 with Azure AD and Graph - 401 Unauthorized and Python error parsing token
View Forum Post
A new question ODOO 10.0 - Oauth2 with Azure AD and Graph - 401 Unauthorized and Python error parsing token on Help has been posted. Click here to access the question :
See question
Sent by Odoo S.A. using Odoo.