[IMP] Misc: Oauth Azure
closes odoo/documentation#5041
closes odoo/documentation#5248

Signed-off-by: Zachary Straub (zst) <zst@odoo.com>
Co-authored-by: Zachary Straub <zst@odoo.com>
This commit is contained in:
parent
8237a079ec
commit
66b2a3d50e
@ -2,9 +2,183 @@
Microsoft Azure sign-in authentication
======================================

Due to specific requirements in Azure's OAuth implementation, Microsoft Azure OAuth identification
is NOT compatible with Odoo at the moment.
The Microsoft Azure OAuth sign-in authentication is a useful function that allows Odoo users to sign
in to their database with their Microsoft Azure account.

This is particularly helpful if the organization uses Azure Workspace, and wants employees within
the organization to connect to Odoo using their Microsoft Accounts.

.. warning::
Databases hosted on Odoo.com should not use OAuth login for the owner or administrator of the
database as it would unlink the database from their Odoo.com account. If OAuth is set up for that
user, the database will no longer be able to be duplicated, renamed, or otherwise managed from
the Odoo.com portal.


.. seealso::
- :doc:`../../productivity/calendar/outlook`
- :doc:`/administration/maintain/azure_oauth`

Configuration
=============

Integrating the Microsoft sign-in function requires configuration on Microsoft and Odoo.

Odoo System Parameter
---------------------

First activate the :ref:`developer mode <developer-mode>`, and then go to :menuselection:`Settings
--> Technical --> System Parameters`.

Click :guilabel:`Create` and on the new/blank form that appears, add the following system parameter
`auth_oauth.authorization_header` to the :guilabel:`Key` field, and set the :guilabel:`Value` to
`1`. Then click :guilabel:`Save` to finish.

Microsoft Azure dashboard
-------------------------

Create a new application
~~~~~~~~~~~~~~~~~~~~~~~~

Now that the system parameters in Odoo have been set up, it's time to create a corresponding
application inside of Microsoft Azure. To get started creating the new application, go to
`Microsoft's Azure Portal <https://portal.azure.com/>`_. Log in with the :guilabel:`Microsoft
Outlook Office 365` account if there is one, otherwise, log in with a personal :guilabel:`Microsoft
account`.

.. important::
A user with administrative access to the *Azure Settings* must connect and perform the following
configuration steps below.

Next, navigate to the section labeled :guilabel:`Manage Azure Active Directory`. The location of
this link is usually in the center of the page.

Now, click on the :guilabel:`Add (+)` icon, located in the top menu, and then select :guilabel:`App
registration` from the drop-down menu. On the :guilabel:`Register an application` screen, rename the
:guilabel:`Name` field to `Odoo Login OAuth` or a similarly recognizable title. Under the
:guilabel:`Supported account types` section select the option for :guilabel:`Accounts in this
organizational directory only (Default Directory only - Single tenant)`.

Under the :guilabel:`Redirect URL` section, select :guilabel:`Web` as the platform, and then input
`https://<odoo base url>/auth_oauth/signin` in the :guilabel:`URL` field. The Odoo base :abbr:`URL
(Uniform Resource Locator)` is the canonical domain at which your Odoo instance can be reached (e.g.
*mydatabase.odoo.com* if you are hosted on Odoo.com) in the :guilabel:`URL` field. Then, click
:guilabel:`Register`, and the application is created.

Authentication
~~~~~~~~~~~~~~

Edit the new app's authentication by clicking on the :guilabel:`Authentication` menu item in the
left menu after being redirected to the application's settings from the previous step.

Next, the type of *tokens* needed for the OAuth authentication will be chosen. These are not
currency tokens but rather authentication tokens that are passed between Microsoft and Odoo.
Therefore, there is no cost for these tokens; they are used merely for authentication purposes
between two :abbr:`APIs (application programming interfaces)`. Select the tokens that should be
issued by the authorization endpoint by scrolling down the screen and check the boxes labeled:
:guilabel:`Access tokens (used for implicit flows)` and :guilabel:`ID tokens (used for implicit and
hybrid flows)`.

.. image:: azure/authentication-tokens.png
:align: center
:alt: Authentication settings and endpoint tokens.

Click :guilabel:`Save` to ensure these settings are saved.

Gather credentials
~~~~~~~~~~~~~~~~~~

With the application created and authenticated in the Microsoft Azure console, credentials will be
gathered next. To do so, click on the :guilabel:`Overview` menu item in the left-hand column. Select
and copy the :guilabel:`Application (client) ID` in the window that appears. Paste this credential
to a clipboard / notepad, as this credential will be used in the Odoo configuration later.

After finishing this step, click on :guilabel:`Endpoints` on the top menu and click the *copy icon*
next to :guilabel:`OAuth 2.0 authorization endpoint (v2)` field. Paste this value in the clipboard /
notepad.

The value should equal `https://login.microsoftonline.com/<directory_id>/oauth2/v2.0/authorize`.
Replace the `<directory_id>` with the :guilabel:`Directory (tenant) ID` under the
:guilabel:`Essentials` section of the *Overview* page if it is not already present in the :abbr:`URL
(uniform resource locator)`.

.. example::
Should the :guilabel:`Directory (tenant) ID` be equal to `6729e9df-afbb-4522-a876-f1408d416396`
then the new value of the :guilabel:`OAuth 2.0 authorization endpoint (v2)` :abbr:`URL (Uniform
Resource Locator)` should be:
`https://login.microsoftonline.com/6729e9df-afbb-4522-a876-f1408d416396/oauth2/v2.0/authorize`.

.. image:: azure/overview-azure-app.png
:align: center
:alt: Application ID and OAuth 2.0 authorization endpoint (v2) credentials.

Odoo setup
----------

Finally, the last step in the Microsoft Azure OAuth configuration is to configure some settings in
Odoo. Navigate to :menuselection:`Settings --> Integrations --> OAuth Authentication` and check the
box to activate the OAuth login feature. Click :guilabel:`Save` to ensure the progress is saved.
Then, sign in to the database once the login screen loads.

Once again, navigate to :menuselection:`Settings --> Integrations --> OAuth Authentication` and
click on :guilabel:`OAuth Providers`. Now, select :guilabel:`New` in the upper-left corner and name
the provider `Azure`.

Paste the :guilabel:`Application (client) ID` from the previous section into the :guilabel:`Client
ID` field. After completing this, paste the new :guilabel:`OAuth 2.0 authorization endpoint (v2)`
value into the :guilabel:`Authorization URL` field.

For the :guilabel:`UserInfo URL` field, paste the following :abbr:`URL (Uniform Resource Locator)`:
`https://graph.microsoft.com/oidc/userinfo`

In the :guilabel:`Scope` field, paste the following value: `openid profile email`. Next, the Windows
logo can be used as the CSS class on the login screen by entering the following value: `fa fa-fw
fa-windows`, in the :guilabel:`CSS class` field.

Check the box next to the :guilabel:`Allowed` field to enable the OAuth provider. Finally, add
`Microsoft Azure` to the :guilabel:`Login button label` field. This text will appear next to the
Windows logo on the login page.

.. image:: azure/odoo-provider-settings.png
:align: center
:alt: Odoo provider setup in the Settings application.

:guilabel:`Save` the changes to complete the OAuth authentication setup in Odoo.

User experience flows
---------------------

For a user to log in to Odoo using Microsoft Azure, the user must be on the :menuselection:`Odoo
password reset page`. This is the only way that Odoo is able to link the Microsoft Azure account and
allow the user to log in.

.. note::
Existing users must :ref:`reset their password <users/reset-password>` to access the
:menuselection:`Odoo password reset page`. New Odoo users must click the new user invitation link
that was sent via email, then click on :guilabel:`Microsoft Azure`. Users should not set a new
password.

To sign in to Odoo for the first time using the Microsoft Azure OAuth provider, navigate to the
:menuselection:`Odoo password reset page` (using the new user invitation link). A password reset
page should appear. Then, click on the option labeled :guilabel:`Microsoft Azure`. The page will
redirect to the Microsoft login page.

.. image:: azure/odoo-login.png
:align: center
:alt: Microsoft Outlook login page.

Enter the :guilabel:`Microsoft Email Address` and click :guilabel:`Next`. Follow the process to sign
in to the account. Should :abbr:`2FA (Two Factor Authentication)` be turned on, then an extra step
may be required.

.. image:: azure/login-next.png
:align: center
:alt: Enter Microsoft login credentials.

Finally, after logging in to the account, the page will redirect to a permissions page where the
user will be prompted to :guilabel:`Accept` the conditions that the Odoo application will access
their Microsoft information.

.. image:: azure/accept-access.png
:align: center
:alt: Accept Microsoft conditions for permission access to your account information.
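Review bot: the opening paragraph of this file still states that Microsoft Azure OAuth identification "is NOT compatible with Odoo at the moment", which contradicts the full setup guide that follows it; the rendered view does not show whether those two lines are removed or kept as context, so please confirm they are gone from the new version, otherwise the page opens by telling readers the procedure cannot work. Two smaller points in the same hunk: in "Create a new application", the sentence defining the Odoo base URL ends with a second "in the :guilabel:`URL` field" that duplicates the preceding sentence and should be cut; and in "Authentication", the aside that these "are not currency tokens" and that "there is no cost for these tokens" does not belong in a setup guide, where the reader would be better served by one sentence stating which of the two tokens being enabled (:guilabel:`Access tokens (used for implicit flows)` or :guilabel:`ID tokens (used for implicit and hybrid flows)`) Odoo actually consumes, and how that relates to the `auth_oauth.authorization_header` system parameter set at the top of the page, which is currently introduced without any explanation of what it changes. Finally, "Gather credentials" writes :abbr:`URL (uniform resource locator)` in lowercase while every other occurrence on the page capitalizes "Uniform Resource Locator".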
BIN
content/applications/general/auth/azure/accept-access.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 30 KiB |
Binary file not shown.
After Width: | Height: | Size: 25 KiB |
BIN
content/applications/general/auth/azure/login-next.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 12 KiB |
BIN
content/applications/general/auth/azure/odoo-login.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 27 KiB |
Binary file not shown.
After Width: | Height: | Size: 19 KiB |
BIN
content/applications/general/auth/azure/overview-azure-app.png
Normal file
Binary file not shown.
After Width: | Height: | Size: 28 KiB |
@ -8,6 +8,12 @@ database with their Google account.
This is particularly helpful if the organization uses Google Workspace, and wants employees within
the organization to connect to Odoo using their Google Accounts.

.. warning::
Databases hosted on Odoo.com should not use Oauth login for the owner or administrator of the
database as it would unlink the database from their Odoo.com account. If Oauth is set up for that
user, the database will no longer be able to be duplicated, renamed or otherwise managed from
the Odoo.com portal.

.. seealso::
- :doc:`/applications/productivity/calendar/google`
- :doc:`/administration/maintain/google_oauth`
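Review bot: the warning block added here spells the term "Oauth" twice ("should not use Oauth login", "If Oauth is set up") whereas the otherwise identical warning in the new Azure page spells it "OAuth", which is also the spelling used in the rest of both files; use "OAuth" here, and while at it align "duplicated, renamed or otherwise managed" with the Azure wording ("duplicated, renamed, or otherwise managed") so the two copies of this warning read the same.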