1. Mailing Lists
  2. Contributors
  3. Re: Azure AD authentication Advice auth_oauth.

Contributors mailing list archives

contributors@odoo-community.org

Browse archives

Re: Azure AD authentication Advice auth_oauth.

Avatar

Re: Azure AD authentication Advice auth_oauth.

by
Anybox, Pierre Verkest
- 02/01/2017 15:35:19
Sorry to come late on that!

Not sure what is the state of your work on onpenId connect?

At anybox we have 2 customers running with https://github.com/anybox/odoo-auth/tree/master/auth_oauth2 which works with following providers: google and django OIDC provider

regards,

2016-08-08 5:38 GMT+02:00 Graeme Gellatly <gdgellatly@gmail.com>:
Turns out I was using the OpenID Connect authorization flow.  Rather than mangle with oauth2, or try and fix auth_openid, I just created completely separately as I'm sure others will want OpenID connect.  Will clean up the code shortly and publish.  It's been done to work with Microsoft Azure AD, so will be interested in feedback from using other providers.

On Sat, Aug 6, 2016 at 10:27 AM, Graeme Gellatly <gdgellatly@gmail.com> wrote:
Hi all,

My context here is v7, but should apply to all versions.  We use Office 365 which is backed by the free version of AzureAD.  It supports multiple oauth2 authentication flows, but not the one in the auth_oauth module (it does but its quite a lot stricter so the implementation doesn't work and its overkill).

However with some relatively minor hacking of the auth_ouath module it works, however now I want to turn that into a module which extends auth_oauth.

The ORM side is not too difficult, just a few extra fields and function overrides however the problems start with the web side.

The query string sent in auth_oauth is different.  It requires different key value pairs, for example a nonce is required, and the token type is 'id_token'.  It is very much an openid_connect workflow (not like auth_openid which really should be deprecated).

Is there anyway to inherit a javascript function and override it in another module?  The idea would be to take the hard coded query string and have it constructed from an oauth_auth flow type stored on the model.

Similarly in main.py, it queries the response, sets some fields and call res_user.auth_oauth.  The Odoo module does very little in the way of preventing hacks and replay attacks.  Doesn't verify signatures, audience, expiries etc or send randomised state information for validation.  Is there anyway to neatly inherit and override functions in main.py?  The strange thing is that I copied the original and called it auth_auth2 in my hacking.  It isn't installed, but that file gets called rather than my copy.

My alternative is to simply copy the oauth module and make edits, changing endpoints etc, but when I tried it didn't work so any advice on the steps to do this would be appreciated.

Or else any other alternatives.

Any resulting module will be published.

_______________________________________________
Mailing-List: http://odoo-community.org/groups/contributors-15
Post to: mailto:contributors@odoo-community.org
Unsubscribe: http://odoo-community.org/groups?unsubscribe




--
Anybox
Pierre Verkest
06 51 35 50 50
Github: petrus-v - Twitter: petrusv84

Reference