[IMP] Misc: Oauth Azure

closes odoo/documentation#5041

closes odoo/documentation#5248

Signed-off-by: Zachary Straub (zst) <zst@odoo.com>
Co-authored-by: Zachary Straub <zst@odoo.com>
tiku-odoo 2023-07-06 17:54:47 +00:00 committed by Zachary Straub (ZST)
parent 8237a079ec
commit 66b2a3d50e
8 changed files with 182 additions and 2 deletions

View File

@ -2,9 +2,183 @@
Microsoft Azure sign-in authentication
======================================
Due to specific requirements in Azure's OAuth implementation, Microsoft Azure OAuth identification
is NOT compatible with Odoo at the moment.
The Microsoft Azure OAuth sign-in authentication is a useful function that allows Odoo users to sign
in to their database with their Microsoft Azure account.
This is particularly helpful if the organization uses Azure Workspace, and wants employees within
the organization to connect to Odoo using their Microsoft Accounts.
.. warning::
Databases hosted on Odoo.com should not use OAuth login for the owner or administrator of the
database as it would unlink the database from their Odoo.com account. If OAuth is set up for that
user, the database will no longer be able to be duplicated, renamed, or otherwise managed from
the Odoo.com portal.
.. seealso::
- :doc:`../../productivity/calendar/outlook`
- :doc:`/administration/maintain/azure_oauth`
Configuration
=============
Integrating the Microsoft sign-in function requires configuration on Microsoft and Odoo.
Odoo System Parameter
---------------------
First activate the :ref:`developer mode <developer-mode>`, and then go to :menuselection:`Settings
--> Technical --> System Parameters`.
Click :guilabel:`Create` and on the new/blank form that appears, add the following system parameter
`auth_oauth.authorization_header` to the :guilabel:`Key` field, and set the :guilabel:`Value` to
`1`. Then click :guilabel:`Save` to finish.
Microsoft Azure dashboard
-------------------------
Create a new application
~~~~~~~~~~~~~~~~~~~~~~~~
Now that the system parameters in Odoo have been set up, it's time to create a corresponding
application inside of Microsoft Azure. To get started creating the new application, go to
`Microsoft's Azure Portal <https://portal.azure.com/>`_. Log in with the :guilabel:`Microsoft
Outlook Office 365` account if there is one, otherwise, log in with a personal :guilabel:`Microsoft
account`.
.. important::
A user with administrative access to the *Azure Settings* must connect and perform the following
configuration steps below.
Next, navigate to the section labeled :guilabel:`Manage Azure Active Directory`. The location of
this link is usually in the center of the page.
Now, click on the :guilabel:`Add (+)` icon, located in the top menu, and then select :guilabel:`App
registration` from the drop-down menu. On the :guilabel:`Register an application` screen, rename the
:guilabel:`Name` field to `Odoo Login OAuth` or a similarly recognizable title. Under the
:guilabel:`Supported account types` section select the option for :guilabel:`Accounts in this
organizational directory only (Default Directory only - Single tenant)`.
Under the :guilabel:`Redirect URL` section, select :guilabel:`Web` as the platform, and then input
`https://<odoo base url>/auth_oauth/signin` in the :guilabel:`URL` field. The Odoo base :abbr:`URL
(Uniform Resource Locator)` is the canonical domain at which your Odoo instance can be reached (e.g.
*mydatabase.odoo.com* if you are hosted on Odoo.com) in the :guilabel:`URL` field. Then, click
:guilabel:`Register`, and the application is created.
Authentication
~~~~~~~~~~~~~~
Edit the new app's authentication by clicking on the :guilabel:`Authentication` menu item in the
left menu after being redirected to the application's settings from the previous step.
Next, the type of *tokens* needed for the OAuth authentication will be chosen. These are not
currency tokens but rather authentication tokens that are passed between Microsoft and Odoo.
Therefore, there is no cost for these tokens; they are used merely for authentication purposes
between two :abbr:`APIs (application programming interfaces)`. Select the tokens that should be
issued by the authorization endpoint by scrolling down the screen and check the boxes labeled:
:guilabel:`Access tokens (used for implicit flows)` and :guilabel:`ID tokens (used for implicit and
hybrid flows)`.
.. image:: azure/authentication-tokens.png
:align: center
:alt: Authentication settings and endpoint tokens.
Click :guilabel:`Save` to ensure these settings are saved.
Gather credentials
~~~~~~~~~~~~~~~~~~
With the application created and authenticated in the Microsoft Azure console, credentials will be
gathered next. To do so, click on the :guilabel:`Overview` menu item in the left-hand column. Select
and copy the :guilabel:`Application (client) ID` in the window that appears. Paste this credential
to a clipboard / notepad, as this credential will be used in the Odoo configuration later.
After finishing this step, click on :guilabel:`Endpoints` on the top menu and click the *copy icon*
next to :guilabel:`OAuth 2.0 authorization endpoint (v2)` field. Paste this value in the clipboard /
notepad.
The value should equal `https://login.microsoftonline.com/<directory_id>/oauth2/v2.0/authorize`.
Replace the `<directory_id>` with the :guilabel:`Directory (tenant) ID` under the
:guilabel:`Essentials` section of the *Overview* page if it is not already present in the :abbr:`URL
(uniform resource locator)`.
.. example::
Should the :guilabel:`Directory (tenant) ID` be equal to `6729e9df-afbb-4522-a876-f1408d416396`
then the new value of the :guilabel:`OAuth 2.0 authorization endpoint (v2)` :abbr:`URL (Uniform
Resource Locator)` should be:
`https://login.microsoftonline.com/6729e9df-afbb-4522-a876-f1408d416396/oauth2/v2.0/authorize`.
.. image:: azure/overview-azure-app.png
:align: center
:alt: Application ID and OAuth 2.0 authorization endpoint (v2) credentials.
Odoo setup
----------
Finally, the last step in the Microsoft Azure OAuth configuration is to configure some settings in
Odoo. Navigate to :menuselection:`Settings --> Integrations --> OAuth Authentication` and check the
box to activate the OAuth login feature. Click :guilabel:`Save` to ensure the progress is saved.
Then, sign in to the database once the login screen loads.
Once again, navigate to :menuselection:`Settings --> Integrations --> OAuth Authentication` and
click on :guilabel:`OAuth Providers`. Now, select :guilabel:`New` in the upper-left corner and name
the provider `Azure`.
Paste the :guilabel:`Application (client) ID` from the previous section into the :guilabel:`Client
ID` field. After completing this, paste the new :guilabel:`OAuth 2.0 authorization endpoint (v2)`
value into the :guilabel:`Authorization URL` field.
For the :guilabel:`UserInfo URL` field, paste the following :abbr:`URL (Uniform Resource Locator)`:
`https://graph.microsoft.com/oidc/userinfo`
In the :guilabel:`Scope` field, paste the following value: `openid profile email`. Next, the Windows
logo can be used as the CSS class on the login screen by entering the following value: `fa fa-fw
fa-windows`, in the :guilabel:`CSS class` field.
Check the box next to the :guilabel:`Allowed` field to enable the OAuth provider. Finally, add
`Microsoft Azure` to the :guilabel:`Login button label` field. This text will appear next to the
Windows logo on the login page.
.. image:: azure/odoo-provider-settings.png
:align: center
:alt: Odoo provider setup in the Settings application.
:guilabel:`Save` the changes to complete the OAuth authentication setup in Odoo.
User experience flows
---------------------
For a user to log in to Odoo using Microsoft Azure, the user must be on the :menuselection:`Odoo
password reset page`. This is the only way that Odoo is able to link the Microsoft Azure account and
allow the user to log in.
.. note::
Existing users must :ref:`reset their password <users/reset-password>` to access the
:menuselection:`Odoo password reset page`. New Odoo users must click the new user invitation link
that was sent via email, then click on :guilabel:`Microsoft Azure`. Users should not set a new
password.
To sign in to Odoo for the first time using the Microsoft Azure OAuth provider, navigate to the
:menuselection:`Odoo password reset page` (using the new user invitation link). A password reset
page should appear. Then, click on the option labeled :guilabel:`Microsoft Azure`. The page will
redirect to the Microsoft login page.
.. image:: azure/odoo-login.png
:align: center
:alt: Microsoft Outlook login page.
Enter the :guilabel:`Microsoft Email Address` and click :guilabel:`Next`. Follow the process to sign
in to the account. Should :abbr:`2FA (Two Factor Authentication)` be turned on, then an extra step
may be required.
.. image:: azure/login-next.png
:align: center
:alt: Enter Microsoft login credentials.
Finally, after logging in to the account, the page will redirect to a permissions page where the
user will be prompted to :guilabel:`Accept` the conditions that the Odoo application will access
their Microsoft information.
.. image:: azure/accept-access.png
:align: center
:alt: Accept Microsoft conditions for permission access to your account information.
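Review bot: the Authentication step tells the reader to tick both `Access tokens (used for implicit flows)` and `ID tokens (used for implicit and hybrid flows)` without saying which of the two Odoo actually consumes or why implicit-flow issuance is needed; since the implicit grant returns tokens in the redirect URL fragment and is discouraged in current OAuth 2.0 security guidance, the text should state which token Odoo reads and stress that the only registered Redirect URL stays the single `https://<odoo base url>/auth_oauth/signin` entry given above. The System Parameter step has the same gap: `auth_oauth.authorization_header` is set to `1` with no explanation of its effect (the key name suggests it makes Odoo send the token in an Authorization header when it calls the `UserInfo URL`), and one sentence saying so would let an administrator understand what they are enabling. Minor: the Redirect URL paragraph says "in the :guilabel:`URL` field" twice in one sentence, and the leading "is NOT compatible with Odoo at the moment" sentence at the top of the hunk contradicts the rest of the page unless it is one of the removed lines.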


View File

@ -8,6 +8,12 @@ database with their Google account.
This is particularly helpful if the organization uses Google Workspace, and wants employees within
the organization to connect to Odoo using their Google Accounts.
.. warning::
Databases hosted on Odoo.com should not use Oauth login for the owner or administrator of the
database as it would unlink the database from their Odoo.com account. If Oauth is set up for that
user, the database will no longer be able to be duplicated, renamed or otherwise managed from
the Odoo.com portal.
.. seealso::
- :doc:`/applications/productivity/calendar/google`
- :doc:`/administration/maintain/google_oauth`
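Review bot: the warning block added here spells the term `Oauth` (three times) while the Azure page added in the same commit writes `OAuth`, and it drops the comma before "or otherwise managed" that the Azure version keeps; make the two warning blocks word-for-word identical, or move the shared text into one `.. include::` fragment so the Google and Azure pages cannot drift apart again.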