Skip to Content
Вам необхідно зареєструватися, щоб взаємодіяти зі спільнотою.
All Posts Люди Значки
Мітки (View all)
odoo accounting v14 pos v15
Про цей форум
Це запитання позначене
python2.7oauth2azurewaadodoo10
3 Відповіді
14164 Переглядів
Аватар
Chris Palmer

I have been trying to get Oauth2 authentication against Azure AD working and I appear to be running into an error with the python scripts in ODOO's Outh2 Authentication module parsing the token returned from Azure AD.

For background, here is my current Oauth configuration in the ODOO Oauth2 Authentication Module:

  • Provider name:  Azure AD

  • Client ID:  <Azure AD Client ID>

  • Allowed:  Checked

  • Body:  Login with Azure AD

  • Authentication URL:  https://login.microsoftonline.com/<Azure Tenant ID>/oauth2/authorize?resource=https%3A%2F%2Fgraph.microsoft.com&

  • Scope:  mail

  • Validation URL:  https://graph.microsoft.com/v1.0/me

  • Data URL:  <Empty>

In Azure AD for my tenant I have created the following application:

  • Name:  ODOO

  • Sign-on URL:  http://<odoo hostname>:8069

  • Client ID <Azure generated GUID - used above in ODOO Oauth config>

  • Keys:  <Empty>

  • App ID URI:  http://odoo

  • Reply URL:  http://<odoo hostname>:8068/auth_oauth/signin

  • Permissions to other apps:  Windows Azure AD (sign in and read profile), Microsoft Graph (sign in and read profile)

  • Set "oauth2AllowImplicitFlow": true in the application manifest.

I have created a user in ODOO, with following info:

  • Name:  <My name>

  • E-mail: <my email address>

  • OAuth Provider:  Azure AD

  • OAuth ID:  <Blank>

  • Employee Access Rights

When I browse to ODOO and select 'Login to Azure AD' I am directed to:

https://login.microsoftonline.com/<Azure Tenant ID>/oauth2/authorize?resource=https%3A%2F%2Fgraph.microsoft.com&?scope=mail&state={%22p%22%3A+4%2C+%22r%22%3A+%22http%253A%252F%252F<odoo hostname>%253A8069%252Fweb%22%2C+%22d%22%3A+%22<odoo database>%22}&redirect_uri=http%3A%2F%2F<odoo hostname>%3A8069%2Fauth_oauth%2Fsignin&response_type=token&client_id=<Azure AD Client ID>

I login with my Azure AD credentials and am redirected back to ODOO, with the following URL that has the valid token attached (token is expired in example below):

http://<odoo hostname>:8069/auth_oauth/signin?access_token=eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEUk5ZUlEzZGhSU3JtLTRLLWFkcENKMlBGbGtieWtrOXdZYzV3T2pKWV8xY2F0dmFKWklaRGU1M2lvem5PaGZFVmNjSXEwSWRjZjljdGZqT3NGRFo5WHVBU082ZFN2cU9scG5SSnZTeHFYQ1NBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiYTNRTjBCWlM3czRuTi1CZHJqYkYwWV9MZE1NIiwia2lkIjoiYTNRTjBCWlM3czRuTi1CZHJqYkYwWV9MZE1NIn0.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC80MzRlOWQyYi1kOGQzLTRiZDktYmQyNy0wM2IyMGExNmQ4NjMvIiwiaWF0IjoxNDkwMDQ0MTg3LCJuYmYiOjE0OTAwNDQxODcsImV4cCI6MTQ5MDA0ODA4NywiYWNyIjoiMSIsImFpbyI6IkFRQUJBQUVBQUFEUk5ZUlEzZGhSU3JtLTRLLWFkcENKWlNNMnlCZHVJdks0aDR1bEk4WEVSZ0R1RmtaLTUzU0xuR3JLVkcyUmVnZmV1TF9iVEVWWE1XUm1LTEU0cHVYa0Z3Y2ZnNDlyeE1SWk5TYlNveGoydU5IeVpwTDJzVmFpaHYtcnFtSjFaaWtnQUEiLCJhbXIiOlsicnNhIiwid2lhIiwibWZhIl0sImFwcF9kaXNwbGF5bmFtZSI6InBjbC1wcmQtb2Rvby13ZWIiLCJhcHBpZCI6IjcwYTJkZWM4LTYzNTgtNDU4Yy05MzMxLWE4NDBlZjdlNTZjZiIsImFwcGlkYWNyIjoiMCIsImRldmljZWlkIjoiZGE4YTMwNTQtNjk2OC00YmI5LWE2NmMtMDczMjM3MTEwODU1IiwiZmFtaWx5X25hbWUiOiJQYWxtZXIiLCJnaXZlbl9uYW1lIjoiQ2hyaXMiLCJpbl9jb3JwIjoidHJ1ZSIsImlwYWRkciI6IjIwNC4xOTEuMTU5LjEwIiwibmFtZSI6IkNocmlzIFBhbG1lciIsIm9pZCI6IjQyNWFhY2UxLTMxMzAtNDYyNy05M2JiLWVlMzI2YzJhNmY2MSIsIm9ucHJlbV9zaWQiOiJTLTEtNS0yMS0xMDEwOTY2ODAwLTc3Nzg3MTcwNy0zOTUzMzk1MTUtMTI0NjIzIiwicGxhdGYiOiIzIiwicHVpZCI6IjEwMDNCRkZEODQ4REIxREYiLCJzY3AiOiJEaXJlY3RvcnkuUmVhZC5BbGwgVXNlci5SZWFkIiwic2lnbmluX3N0YXRlIjpbImlua25vd25udHdrIiwia21zaSJdLCJzdWIiOiJkQjlWME5QN2R3VUF0eVRPSUlKcnZNTU5CRy16UXUyYXdFbGs0aDhwdjVFIiwidGlkIjoiNDM0ZTlkMmItZDhkMy00YmQ5LWJkMjctMDNiMjBhMTZkODYzIiwidW5pcXVlX25hbWUiOiJjcnBhbG1lckBwY2wuY29tIiwidXBuIjoiY3JwYWxtZXJAcGNsLmNvbSIsInZlciI6IjEuMCJ9.gJ-5bow8_FaVhXu3-NkHE2gyI2ui49fPLdw-36PV50ifYk--QOTkxkP9Jj59Ty-_CLY4jFRUTHIFjmPKne2W8k1zgIlDGsNVBSw1mKj0YDeGIkBLUOCi9r5y0s7bUhJ1O_KNxK0b8bEcdwV-GsJpDTDD634TNGdDeqoCkq8I7XIzhAEiKb0fIaAF6hsmZEy7OR5EOLhNi1wNSTScF0UIvUHuPxV7lwvjYKqZ5_LufSfJe4gFSyVuyomYwzQiCIk6cj29nyWpok260tjRwSeU_fYtqdNM8pa8a82Lz88pw9RYZoMjwq2M-ueDGlwRHXj0v8QVDV1fu00DRocj-xECcw&token_type=Bearer&expires_in=3599&state=%7b%22p%22%3a+4%2c+%22r%22%3a+%22http%253A%252F%252F<odoo hostname>%253A8069%252Fweb%22%2c+%22d%22%3a+%22<odoo database>%22%7d&session_state=21ff1548-7947-4c98-8a42-5dc7ca575fea

I have used Postman and confirmed that the token's being returned from Azure AD are valid and allow me to login to Microsoft Graph.  For example, executing a GET against https://graph.microsoft.com/v1.0/me with a header of 'Authorization:bearer <token returned>' successfully returns my user profile information as JSON:

{  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
 "id": "<Azure GUID for my user",
 "businessPhones": [    "<my office phone number>"  ],
 "displayName": "<my display name>",
 "givenName": "<my first name>",
 "jobTitle": "<my job stitle>",
 "mail": "<my e-mail address>",
 "mobilePhone": "<my cell number>",
 "officeLocation": "<mu office location>",
 "preferredLanguage": null,
 "surname": "<my last name>",
 "userPrincipalName": "<my email address>"
}

When I attempt to login however I am redirected to ODOO's generic 'Access Denied' error page (http://<odoo hostname>:8069/web/login?oauth_error=2).  When I look at the odoo-server.log I see a 401 and what appears to be errors in the python script (I do not work on Linux so I apologize if this is an incorrect assumption):

2017-03-20 21:19:20,469 15416 ERROR <odoo database> odoo.addons.auth_oauth.controllers.main: OAuth2: HTTP Error 401: Unauthorized
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/odoo/addons/auth_oauth/controllers/main.py", line 139, in signin
   credentials = env['res.users'].sudo().auth_oauth(provider, kw)
 File "/usr/lib/python2.7/dist-packages/odoo/addons/auth_oauth/models/res_users.py", line 102, in auth_oauth
   validation = self._auth_oauth_validate(provider, access_token)
 File "/usr/lib/python2.7/dist-packages/odoo/addons/auth_oauth/models/res_users.py", line 40, in _auth_oauth_validate
   validation = self._auth_oauth_rpc(oauth_provider.validation_endpoint, access_token)
 File "/usr/lib/python2.7/dist-packages/odoo/addons/auth_oauth/models/res_users.py", line 32, in _auth_oauth_rpc
 f = urllib2.urlopen(url) File "/usr/lib/python2.7/urllib2.py", line 154, in urlopen   return opener.open(url, data, timeout)
 File "/usr/lib/python2.7/urllib2.py", line 435, in open
  response = meth(req, response)
 File "/usr/lib/python2.7/urllib2.py", line 548, in http_response
  'http', request, response, code, msg, hdrs)
 File "/usr/lib/python2.7/urllib2.py", line 473, in error
  return self._call_chain(*args)
 File "/usr/lib/python2.7/urllib2.py", line 407, in _call_chain
  result = func(*args)
 File "/usr/lib/python2.7/urllib2.py", line 556, in http_error_default
  raise HTTPError(req.get_full_url(), code, msg, hdrs, fp)
HTTPError: HTTP Error 401: Unauthorized
2017-03-20 21:19:20,470 15416 INFO <odoo database> werkzeug: <my client IP> - - [20/Mar/2017 21:19:20] "GET /auth_oauth/signin?access_token=eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFEUk5ZUlEzZGhSU3JtLTRLLWFkcENKSjZTaFEyaThZRnJ4MmZZUURqQlRFUkVMZGhWeDVNM3dQODZlb3RSSTY0QUdLYU0xbFVRWlZuazRMRVZ2a1dhZjlVZjNtTjJFVU9QZUFYSTJ0OFE4SUNBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiYTNRTjBCWlM3czRuTi1CZHJqYkYwWV9MZE1NIiwia2lkIjoiYTNRTjBCWlM3czRuTi1CZHJqYkYwWV9MZE1NIn0.eyJhdWQiOiJodHRwczovL2dyYXBoLm1pY3Jvc29mdC5jb20iLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC80MzRlOWQyYi1kOGQzLTRiZDktYmQyNy0wM2IyMGExNmQ4NjMvIiwiaWF0IjoxNDkwMDQ0NDU5LCJuYmYiOjE0OTAwNDQ0NTksImV4cCI6MTQ5MDA0ODM1OSwiYWNyIjoiMSIsImFpbyI6IkFRQUJBQUVBQUFEUk5ZUlEzZGhSU3JtLTRLLWFkcENKT0ZfVWs3bmx6U3dpTWNfYndmTzJSb2pRVTNEcTRyMjNZakc3aVJ2bTZQdHRHdFY2VUlka3hmekZVc3FWWWxBaGlmSWtlQWM3dmxaWnpRazYtekpLWno4YjhicDdUREcyc01tdEJIZ21Ud0FnQUEiLCJhbXIiOlsicnNhIiwid2lhIiwibWZhIl0sImFwcF9kaXNwbGF5bmFtZSI6InBjbC1wcmQtb2Rvby13ZWIiLCJhcHBpZCI6IjcwYTJkZWM4LTYzNTgtNDU4Yy05MzMxLWE4NDBlZjdlNTZjZiIsImFwcGlkYWNyIjoiMCIsImRldmljZWlkIjoiZGE4YTMwNTQtNjk2OC00YmI5LWE2NmMtMDczMjM3MTEwODU1IiwiZmFtaWx5X25hbWUiOiJQYWxtZXIiLCJnaXZlbl9uYW1lIjoiQ2hyaXMiLCJpbl9jb3JwIjoidHJ1ZSIsImlwYWRkciI6IjIwNC4xOTEuMTU5LjEwIiwibmFtZSI6IkNocmlzIFBhbG1lciIsIm9pZCI6IjQyNWFhY2UxLTMxMzAtNDYyNy05M2JiLWVlMzI2YzJhNmY2MSIsIm9ucHJlbV9zaWQiOiJTLTEtNS0yMS0xMDEwOTY2ODAwLTc3Nzg3MTcwNy0zOTUzMzk1MTUtMTI0NjIzIiwicGxhdGYiOiIzIiwicHVpZCI6IjEwMDNCRkZEODQ4REIxREYiLCJzY3AiOiJEaXJlY3RvcnkuUmVhZC5BbGwgVXNlci5SZWFkIiwic2lnbmluX3N0YXRlIjpbImlua25vd25udHdrIiwia21zaSJdLCJzdWIiOiJkQjlWME5QN2R3VUF0eVRPSUlKcnZNTU5CRy16UXUyYXdFbGs0aDhwdjVFIiwidGlkIjoiNDM0ZTlkMmItZDhkMy00YmQ5LWJkMjctMDNiMjBhMTZkODYzIiwidW5pcXVlX25hbWUiOiJjcnBhbG1lckBwY2wuY29tIiwidXBuIjoiY3JwYWxtZXJAcGNsLmNvbSIsInZlciI6IjEuMCJ9.pkVgObHrBwe8GeYB2jZSib1_EyQcLh3pfWrJhsBEnk8kPTmY1znuOPjCMuqKuNoTRva4qgbCqVYAxv6F2ejLALhm2R4FREZo2fru3D9yrvEWEZxeKkhfGcYuCi5-AmelO5T7fmckdB3eoZEx8bGbFMEc9dAcRSOTk1e9aJCOCZXhY-LaoLVMBxskhRwOd6aK6p_Wo9aDxulwMiTtysSmi1RQMgrwNonjBn6_75tZX285tB_2UtX-H7S_vVLHIyvui46af3VYPJ_jdWMP8SiBW16dgqwyaQjNKeeanXsQvnR3eD58_beYKUOVK5dg9-AUBHxLAx7FazPrte0jXw4GQA&token_type=Bearer&expires_in=3599&state=%7b%22p%22%3a+4%2c+%22r%22%3a+%22http%253A%252F%252F<odoo hostname>%253A8069%252Fweb%22%2c+%22d%22%3a+%22<odoo database>%22%7d&session_state=21ff1548-7947-4c98-8a42-5dc7ca575fea HTTP/1.1" 303 -
2017-03-20 21:19:20,575 15416 INFO <odoo database> werkzeug: <my client IP> - - [20/Mar/2017 21:19:20] "GET /web/login?oauth_error=2 HTTP/1.1" 200 -

Not really sure what to do here and not sure how to further troubleshoot. I did want to ensure ODOO was attempting to connect to Graph as per my Validation URL in the ODOO Oauth Config so I did a tshark network capture, and I do see it attempting to connect:

63 7.792167375     10.0.0.4 -> 168.63.129.16 DNS 79 Standard query 0x3c7c A graph.microsoft.com 
64 7.792175260     10.0.0.4 -> 168.63.129.16 DNS 79 Standard query 0x6dd5 AAAA graph.microsoft.com 
65 7.794738016 168.63.129.16 -> 10.0.0.4     DNS 181 Standard query response 0x3c7c A graph.microsoft.com CNAME graphags.msods.nsatc.net A 65.52.240.164 A 168.62.105.91 A 157.56.28.135 A 157.56.28.58 
66 7.794799227 168.63.129.16 -> 10.0.0.4     DNS 170 Standard query response 0x6dd5 AAAA graph.microsoft.com CNAME graphags.msods.nsatc.net SOA admin.nsatc.net 
67 7.795111297     10.0.0.4 -> 65.52.240.164 TCP 74 54938 → 443 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=565910854 TSecr=0 WS=128 
68 7.810547902 65.52.240.164 -> 10.0.0.4     TCP 74 443 → 54938 [SYN, ACK] Seq=0 Ack=1 Win=8192 Len=0 MSS=1440 WS=256 SACK_PERM=1 TSval=49623082 TSecr=565910854 
69 7.810571142     10.0.0.4 -> 65.52.240.164 TCP 66 54938 → 443 [ACK] Seq=1 Ack=1 Win=29312 Len=0 TSval=565910858 TSecr=49623082 
70 7.810724480     10.0.0.4 -> 65.52.240.164 SSL 583 Client Hello 
71 7.829187589 65.52.240.164 -> 10.0.0.4     TCP 1494 [TCP segment of a reassembled PDU] 
72 7.829190079 65.52.240.164 -> 10.0.0.4     TCP 1494 [TCP segment of a reassembled PDU] 
73 7.829190909 65.52.240.164 -> 10.0.0.4     TLSv1.2 884 Server Hello, Certificate, Server Key Exchange, Server Hello Done 
74 7.829247036     10.0.0.4 -> 65.52.240.164 TCP 66 54938 → 443 [ACK] Seq=518 Ack=1429 Win=32128 Len=0 TSval=565910863 TSecr=49623084 
75 7.829253054     10.0.0.4 -> 65.52.240.164 TCP 66 54938 → 443 [ACK] Seq=518 Ack=2857 Win=35072 Len=0 TSval=565910863 TSecr=49623084 
76 7.829255232     10.0.0.4 -> 65.52.240.164 TCP 66 54938 → 443 [ACK] Seq=518 Ack=3675 Win=37888 Len=0 TSval=565910863 TSecr=49623084 
77 7.831680212     10.0.0.4 -> 65.52.240.164 TLSv1.2 280 Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message 
78 7.851560816 65.52.240.164 -> 10.0.0.4     TLSv1.2 173 Change Cipher Spec, Encrypted Handshake Message 
79 7.851926627     10.0.0.4 -> 65.52.240.164 TLSv1.2 2263 Application Data 
80 7.867082805 65.52.240.164 -> 10.0.0.4     TCP 66 443 → 54938 [ACK] Seq=3782 Ack=2929 Win=131328 Len=0 TSval=49623088 TSecr=565910868 
81 7.871805364 65.52.240.164 -> 10.0.0.4     TLSv1.2 951 Application Data

So above we can see the ODOO server doing a DNS look up for graph.microsoft.com and then make a TLS/SSL connection to that IP address and exchange a small amount of data, so it is definitely trying to validate something

Unfortunately I don't have the knowledge with Linux to man in the middle the connection through a Fiddler proxy or something equivalent to see what is being exchanged so I'm left trying to figure out if the Python messages in the odoo-server.log are errors in the parsing of the token and the validation request to Microsoft Graph is malformed or if the response is valid and that is being parsed incorrectly returns. 

Is there a way to increase debug logging?  Anyone have any suggestions on next steps to resolve?  I feel so close to getting this working.


Аватар
Відмінити
OdooBot

Hello,

 

I got a notice that you replied to my ODOO Oauth2 question but I don’t see any response.  Did you have any suggestions?

 

Cheers,

Chris

 

From: Baiju KS [mailto:baijuks@hotmail.com]
Sent: Tuesday, March 21, 2017 11:27 AM
To: Chris Palmer <crpalmer@pcl.com>
Subject: ODOO 10.0 - Oauth2 with Azure AD and Graph - 401 Unauthorized and Python error parsing token

 

A new question ODOO 10.0 - Oauth2 with Azure AD and Graph - 401 Unauthorized and Python error parsing token on Help has been posted. Click here to access the question :

See question

 

 

Sent by Odoo S.A. using Odoo.

Аватар
Qiqo
Найкраща відповідь

Hi Chris, were you able to make it work? Hope you can share the solution to us, thanks so much.

Аватар
Відмінити
Аватар
Rik Vermeer
Найкраща відповідь

Hey Chris,


did you manage? I found that I could rewrite the Oauth2 module to implement the OpenID Connect flow.

This is a intermediate flow that returns an id_token so you don't have to call the /me endpoint. You can use the id_token to validate or signup. According to openid.net/developers/libraries/  this certified library should be used in python: https://github.com/rohe/pyoidc


The rewriting is not so difficult and I do believe that the pyoidc library does a better job validating the id_token than the odoo addon itself.


Kind regards,

Rik Vermeer

Аватар
Відмінити
Related Posts Відповіді Переглядів Дія
Enable OAUTH2 with Windows Azure Active Directory (WAAD) as a oauth2 provider
v7.0 oauth2 azure waad
Аватар
0
лип. 21
16133
How to return action window or wizard from def copy()or def write method in odoo 10.
python2.7 odoo10
Аватар
Аватар
2
лип. 25
1565
Show edit button on odoo 10 qweb html report.
python2.7 odoo10
Аватар
0
груд. 24
1797
How to hide field on tree in odoo 10 based on a condition. Вирішено
python2.7 odoo10
Аватар
Аватар
2
жовт. 24
2033
Remove html tags in a text field with html widget on an exported xml file in odoo 10.
python2.7 odoo10
Аватар
Аватар
1
серп. 24
3125