diff --git a/content/applications/general/auth/azure.rst b/content/applications/general/auth/azure.rst index 82d1470d2..a89306a01 100644 --- a/content/applications/general/auth/azure.rst +++ b/content/applications/general/auth/azure.rst @@ -2,9 +2,183 @@ Microsoft Azure sign-in authentication ====================================== -Due to specific requirements in Azure's OAuth implementation, Microsoft Azure OAuth identification -is NOT compatible with Odoo at the moment. +The Microsoft Azure OAuth sign-in authentication is a useful function that allows Odoo users to sign +in to their database with their Microsoft Azure account. + +This is particularly helpful if the organization uses Azure Workspace, and wants employees within +the organization to connect to Odoo using their Microsoft Accounts. + +.. warning:: + Databases hosted on Odoo.com should not use OAuth login for the owner or administrator of the + database as it would unlink the database from their Odoo.com account. If OAuth is set up for that + user, the database will no longer be able to be duplicated, renamed, or otherwise managed from + the Odoo.com portal. + .. seealso:: - :doc:`../../productivity/calendar/outlook` - :doc:`/administration/maintain/azure_oauth` + +Configuration +============= + +Integrating the Microsoft sign-in function requires configuration on Microsoft and Odoo. + +Odoo System Parameter +--------------------- + +First activate the :ref:`developer mode `, and then go to :menuselection:`Settings +--> Technical --> System Parameters`. + +Click :guilabel:`Create` and on the new/blank form that appears, add the following system parameter +`auth_oauth.authorization_header` to the :guilabel:`Key` field, and set the :guilabel:`Value` to +`1`. Then click :guilabel:`Save` to finish. + +Microsoft Azure dashboard +------------------------- + +Create a new application +~~~~~~~~~~~~~~~~~~~~~~~~ + +Now that the system parameters in Odoo have been set up, it's time to create a corresponding +application inside of Microsoft Azure. To get started creating the new application, go to +`Microsoft's Azure Portal `_. Log in with the :guilabel:`Microsoft +Outlook Office 365` account if there is one, otherwise, log in with a personal :guilabel:`Microsoft +account`. + +.. important:: + A user with administrative access to the *Azure Settings* must connect and perform the following + configuration steps below. + +Next, navigate to the section labeled :guilabel:`Manage Azure Active Directory`. The location of +this link is usually in the center of the page. + +Now, click on the :guilabel:`Add (+)` icon, located in the top menu, and then select :guilabel:`App +registration` from the drop-down menu. On the :guilabel:`Register an application` screen, rename the +:guilabel:`Name` field to `Odoo Login OAuth` or a similarly recognizable title. Under the +:guilabel:`Supported account types` section select the option for :guilabel:`Accounts in this +organizational directory only (Default Directory only - Single tenant)`. + +Under the :guilabel:`Redirect URL` section, select :guilabel:`Web` as the platform, and then input +`https:///auth_oauth/signin` in the :guilabel:`URL` field. The Odoo base :abbr:`URL +(Uniform Resource Locator)` is the canonical domain at which your Odoo instance can be reached (e.g. +*mydatabase.odoo.com* if you are hosted on Odoo.com) in the :guilabel:`URL` field. Then, click +:guilabel:`Register`, and the application is created. + +Authentication +~~~~~~~~~~~~~~ + +Edit the new app's authentication by clicking on the :guilabel:`Authentication` menu item in the +left menu after being redirected to the application's settings from the previous step. + +Next, the type of *tokens* needed for the OAuth authentication will be chosen. These are not +currency tokens but rather authentication tokens that are passed between Microsoft and Odoo. +Therefore, there is no cost for these tokens; they are used merely for authentication purposes +between two :abbr:`APIs (application programming interfaces)`. Select the tokens that should be +issued by the authorization endpoint by scrolling down the screen and check the boxes labeled: +:guilabel:`Access tokens (used for implicit flows)` and :guilabel:`ID tokens (used for implicit and +hybrid flows)`. + +.. image:: azure/authentication-tokens.png + :align: center + :alt: Authentication settings and endpoint tokens. + +Click :guilabel:`Save` to ensure these settings are saved. + +Gather credentials +~~~~~~~~~~~~~~~~~~ + +With the application created and authenticated in the Microsoft Azure console, credentials will be +gathered next. To do so, click on the :guilabel:`Overview` menu item in the left-hand column. Select +and copy the :guilabel:`Application (client) ID` in the window that appears. Paste this credential +to a clipboard / notepad, as this credential will be used in the Odoo configuration later. + +After finishing this step, click on :guilabel:`Endpoints` on the top menu and click the *copy icon* +next to :guilabel:`OAuth 2.0 authorization endpoint (v2)` field. Paste this value in the clipboard / +notepad. + +The value should equal `https://login.microsoftonline.com//oauth2/v2.0/authorize`. +Replace the `` with the :guilabel:`Directory (tenant) ID` under the +:guilabel:`Essentials` section of the *Overview* page if it is not already present in the :abbr:`URL +(uniform resource locator)`. + +.. example:: + Should the :guilabel:`Directory (tenant) ID` be equal to `6729e9df-afbb-4522-a876-f1408d416396` + then the new value of the :guilabel:`OAuth 2.0 authorization endpoint (v2)` :abbr:`URL (Uniform + Resource Locator)` should be: + `https://login.microsoftonline.com/6729e9df-afbb-4522-a876-f1408d416396/oauth2/v2.0/authorize`. + +.. image:: azure/overview-azure-app.png + :align: center + :alt: Application ID and OAuth 2.0 authorization endpoint (v2) credentials. + +Odoo setup +---------- + +Finally, the last step in the Microsoft Azure OAuth configuration is to configure some settings in +Odoo. Navigate to :menuselection:`Settings --> Integrations --> OAuth Authentication` and check the +box to activate the OAuth login feature. Click :guilabel:`Save` to ensure the progress is saved. +Then, sign in to the database once the login screen loads. + +Once again, navigate to :menuselection:`Settings --> Integrations --> OAuth Authentication` and +click on :guilabel:`OAuth Providers`. Now, select :guilabel:`New` in the upper-left corner and name +the provider `Azure`. + +Paste the :guilabel:`Application (client) ID` from the previous section into the :guilabel:`Client +ID` field. After completing this, paste the new :guilabel:`OAuth 2.0 authorization endpoint (v2)` +value into the :guilabel:`Authorization URL` field. + +For the :guilabel:`UserInfo URL` field, paste the following :abbr:`URL (Uniform Resource Locator)`: +`https://graph.microsoft.com/oidc/userinfo` + +In the :guilabel:`Scope` field, paste the following value: `openid profile email`. Next, the Windows +logo can be used as the CSS class on the login screen by entering the following value: `fa fa-fw +fa-windows`, in the :guilabel:`CSS class` field. + +Check the box next to the :guilabel:`Allowed` field to enable the OAuth provider. Finally, add +`Microsoft Azure` to the :guilabel:`Login button label` field. This text will appear next to the +Windows logo on the login page. + +.. image:: azure/odoo-provider-settings.png + :align: center + :alt: Odoo provider setup in the Settings application. + +:guilabel:`Save` the changes to complete the OAuth authentication setup in Odoo. + +User experience flows +--------------------- + +For a user to log in to Odoo using Microsoft Azure, the user must be on the :menuselection:`Odoo +password reset page`. This is the only way that Odoo is able to link the Microsoft Azure account and +allow the user to log in. + +.. note:: + Existing users must :ref:`reset their password ` to access the + :menuselection:`Odoo password reset page`. New Odoo users must click the new user invitation link + that was sent via email, then click on :guilabel:`Microsoft Azure`. Users should not set a new + password. + +To sign in to Odoo for the first time using the Microsoft Azure OAuth provider, navigate to the +:menuselection:`Odoo password reset page` (using the new user invitation link). A password reset +page should appear. Then, click on the option labeled :guilabel:`Microsoft Azure`. The page will +redirect to the Microsoft login page. + +.. image:: azure/odoo-login.png + :align: center + :alt: Microsoft Outlook login page. + +Enter the :guilabel:`Microsoft Email Address` and click :guilabel:`Next`. Follow the process to sign +in to the account. Should :abbr:`2FA (Two Factor Authentication)` be turned on, then an extra step +may be required. + +.. image:: azure/login-next.png + :align: center + :alt: Enter Microsoft login credentials. + +Finally, after logging in to the account, the page will redirect to a permissions page where the +user will be prompted to :guilabel:`Accept` the conditions that the Odoo application will access +their Microsoft information. + +.. image:: azure/accept-access.png + :align: center + :alt: Accept Microsoft conditions for permission access to your account information. diff --git a/content/applications/general/auth/azure/accept-access.png b/content/applications/general/auth/azure/accept-access.png new file mode 100644 index 000000000..2b25035e1 Binary files /dev/null and b/content/applications/general/auth/azure/accept-access.png differ diff --git a/content/applications/general/auth/azure/authentication-tokens.png b/content/applications/general/auth/azure/authentication-tokens.png new file mode 100644 index 000000000..f12bd2e7c Binary files /dev/null and b/content/applications/general/auth/azure/authentication-tokens.png differ diff --git a/content/applications/general/auth/azure/login-next.png b/content/applications/general/auth/azure/login-next.png new file mode 100644 index 000000000..190791d12 Binary files /dev/null and b/content/applications/general/auth/azure/login-next.png differ diff --git a/content/applications/general/auth/azure/odoo-login.png b/content/applications/general/auth/azure/odoo-login.png new file mode 100644 index 000000000..fe4f73d37 Binary files /dev/null and b/content/applications/general/auth/azure/odoo-login.png differ diff --git a/content/applications/general/auth/azure/odoo-provider-settings.png b/content/applications/general/auth/azure/odoo-provider-settings.png new file mode 100644 index 000000000..e095758f2 Binary files /dev/null and b/content/applications/general/auth/azure/odoo-provider-settings.png differ diff --git a/content/applications/general/auth/azure/overview-azure-app.png b/content/applications/general/auth/azure/overview-azure-app.png new file mode 100644 index 000000000..eb121a024 Binary files /dev/null and b/content/applications/general/auth/azure/overview-azure-app.png differ diff --git a/content/applications/general/auth/google.rst b/content/applications/general/auth/google.rst index 406d84c5b..4b8373c3f 100644 --- a/content/applications/general/auth/google.rst +++ b/content/applications/general/auth/google.rst @@ -8,6 +8,12 @@ database with their Google account. This is particularly helpful if the organization uses Google Workspace, and wants employees within the organization to connect to Odoo using their Google Accounts. +.. warning:: + Databases hosted on Odoo.com should not use Oauth login for the owner or administrator of the + database as it would unlink the database from their Odoo.com account. If Oauth is set up for that + user, the database will no longer be able to be duplicated, renamed or otherwise managed from + the Odoo.com portal. + .. seealso:: - :doc:`/applications/productivity/calendar/google` - :doc:`/administration/maintain/google_oauth`