auth-oidc displaying "access denied" when used with Authentik OIDC Provider #565

Open
23brewert opened this issue Oct 24, 2023 · 5 comments
Labels
bug stale PR/Issue without recent activity, it'll be soon closed automatically.

Comments


23brewert commented Oct 24, 2023

Module

auth-oidc

Describe the bug

After logging in with OIDC, Odoo displays "Access Denied" and prints an error in Docker.

To Reproduce

Affected versions: v16

Steps to reproduce the behavior:

  1. Install Plugin
  2. Configure for Authentik OIDC
  3. Try to Login

Expected behavior
To allow the user to log in, and if a user does not exist, to provision a new account based off the default access rights.

Error Output: [sensitive values changed]
2023-10-24 00:44:09,644 1 ERROR waspdb odoo.addons.auth_oauth.controllers.main: OAuth2: 'keys'
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/odoo/tools/cache.py", line 85, in lookup
    r = d[key]
  File "<decorator-gen-6>", line 2, in __getitem__
  File "/usr/lib/python3/dist-packages/odoo/tools/func.py", line 87, in locked
    return func(inst, *args, **kwargs)
  File "/usr/lib/python3/dist-packages/odoo/tools/lru.py", line 34, in __getitem__
    a = self.d[obj]
KeyError: ('auth.oauth.provider', <function AuthOauthProvider._get_key at 0x7f4869cf3040>, 'https://sso.REDACTED.com/application/o/hr/jwks/', None)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/odoo/addons/auth_oauth/controllers/main.py", line 134, in signin
    db, login, key = env['res.users'].sudo().auth_oauth(provider, kw)
  File "/mnt/extra-addons/auth_oidc/models/res_users.py", line 66, in auth_oauth
    validation = oauth_provider._parse_id_token(id_token, access_token)
  File "/mnt/extra-addons/auth_oidc/models/auth_oauth_provider.py", line 74, in _parse_id_token
    self._get_key(header.get("kid")),
  File "<decorator-gen-188>", line 2, in _get_key
  File "/usr/lib/python3/dist-packages/odoo/tools/cache.py", line 90, in lookup
    value = d[key] = self.method(*args, **kwargs)
  File "/mnt/extra-addons/auth_oidc/models/auth_oauth_provider.py", line 54, in _get_key
    for key in response["keys"]:
KeyError: 'keys'
2023-10-24 00:44:09,646 1 INFO waspdb werkzeug: 192.xxx.xx.x - - [24/Oct/2023 00:44:09] "GET /auth_oauth/signin?code=171dba0&state=%7B%22d%22%3A+%22waspdb%22%2C+%22p%22%3A+%22r%22%3A+%22https%253A%252F%252Fhr.REDACTED.com%252Fweb%22%7D HTTP/1.1" 303 - 3 0.004 0.165
2023-10-24 00:44:09,823 1 INFO waspdb werkzeug: 192.xxx.xxx.xxx- - [24/Oct/2023 00:44:09] "GET /web/login?oauth_error=2 HTTP/1.1" 200 - 11 0.008 0.038

Odoo Config:
[Yes the error still displays when I do put in the user endpoint but it should get its data from the JWT]
authentik-conf-1

Authentik Config:
authentik-conf-2
authentik-conf-3

@23brewert 23brewert added the bug label Oct 24, 2023
@manfred-warta

Can confirm, same here with Odoo v16 and Authentik 2023.10.2

Contributor

CRogos commented Nov 14, 2023

Can you check if there is a keys and kid attribute in your jwks_uri result?

https://login.microsoftonline.com/organizations/discovery/v2.0/keys


bbaumgartl commented Apr 16, 2024

I did get it to work with Odoo 17.0, the auth_oidc plugin from the 17.0 branch and Authentik 2024.2.2. It is important that a signing cert is selected in Authentik, otherwise the JWKS response is empty. The other settings shown above seem fine.

One thing to note is that I had to manually map the user to the oauth id. What I couldn't get to work is the automatic user creation.
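
The check CRogos asks for and the empty-JWKS cause bbaumgartl describes can be tested offline. The following is an added example, not code from this issue or from the auth_oidc module; `JwksError`, `id_token_header` and `select_jwk` are hypothetical names and all sample data is constructed. It turns the bare `KeyError: 'keys'` from the traceback into an explicit diagnosis of the JWKS document.

```python
import base64
import json


class JwksError(ValueError):
    """The JWKS document cannot be used to verify an ID token."""


def id_token_header(id_token):
    """Decode the (unverified) JOSE header of a compact JWT to read alg/kid."""
    segment = id_token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def select_jwk(jwks, kid):
    """Return the signing key matching kid, or raise JwksError saying why not."""
    keys = jwks.get("keys") if isinstance(jwks, dict) else None
    if not isinstance(keys, list):
        raise JwksError("JWKS response has no 'keys' array; got %r" % (jwks,))
    # Keys marked for encryption ("use": "enc") must not verify signatures.
    signing = [k for k in keys if isinstance(k, dict) and k.get("use", "sig") == "sig"]
    if not signing:
        raise JwksError("JWKS has no signing key; is a signing cert selected on the provider?")
    if kid is None:
        if len(signing) == 1:
            return signing[0]
        raise JwksError("ID token has no 'kid' and JWKS offers %d keys" % len(signing))
    for key in signing:
        if key.get("kid") == kid:
            return key
    raise JwksError("no key with kid %r; available: %r" % (kid, [k.get("kid") for k in signing]))


# Constructed sample data (not taken from the issue).
def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_TOKEN = _b64({"alg": "RS256", "kid": "demo-key-1"}) + "." + _b64({"sub": "u1"}) + ".sig"
EMPTY_JWKS = {}  # a response without 'keys', the condition behind KeyError: 'keys'
GOOD_JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": "demo-key-1", "n": "AQAB", "e": "AQAB"}]}

if __name__ == "__main__":
    kid = id_token_header(SAMPLE_TOKEN).get("kid")
    print(select_jwk(GOOD_JWKS, kid)["kid"])
    try:
        select_jwk(EMPTY_JWKS, kid)
    except JwksError as exc:
        print("rejected:", exc)
```

To check a real provider, pass the parsed JSON body of its `jwks_uri` response as `jwks`.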

@Raimoncoral

Hi, I'm also trying to set up Odoo 17.0 with Authentik 2024.2.2, and when I tried to log in I get an error "Redirect URI error".

In Authentik I have 3 URLs configured:

Can someone help me with this?

Thanks


There hasn't been any activity on this issue in the past 6 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
If you want this issue to never become stale, please ask a PSC member to apply the "no stale" label.

@github-actions github-actions bot added the stale PR/Issue without recent activity, it'll be soon closed automatically. label Nov 24, 2024