auth-odic displaying "access denied" when used with Authentic ODIC Provider

[23brewert]

Module

auth-odic

Describe the bug

After logging in with ODIC odoo displays "Access Denied" and prints an error in docker.

To Reproduce

Affected versions:v16

Steps to reproduce the behavior:

1. Install Plugin
2. Configure for Authentik ODIC
3. Try to Login

Expected behavior
To allow the user to login, and if a user does not exist to provision a new account based off the default access rights.

Error Output: [sensitive values changed]
2023-10-24 00:44:09,644 1 ERROR waspdb odoo.addons.auth_oauth.controllers.main: OAuth2: 'keys' Traceback (most recent call last): File "/usr/lib/python3/dist-packages/odoo/tools/cache.py", line 85, in lookup r = d[key] File "<decorator-gen-6>", line 2, in __getitem__ File "/usr/lib/python3/dist-packages/odoo/tools/func.py", line 87, in locked return func(inst, *args, **kwargs) File "/usr/lib/python3/dist-packages/odoo/tools/lru.py", line 34, in __getitem__ a = self.d[obj] KeyError: ('auth.oauth.provider', <function AuthOauthProvider._get_key at 0x7f4869cf3040>, 'https://sso.REDACTED.com/application/o/hr/jwks/', None) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/odoo/addons/auth_oauth/controllers/main.py", line 134, in signin db, login, key = env['res.users'].sudo().auth_oauth(provider, kw) File "/mnt/extra-addons/auth_oidc/models/res_users.py", line 66, in auth_oauth validation = oauth_provider._parse_id_token(id_token, access_token) File "/mnt/extra-addons/auth_oidc/models/auth_oauth_provider.py", line 74, in _parse_id_token self._get_key(header.get("kid")), File "<decorator-gen-188>", line 2, in _get_key File "/usr/lib/python3/dist-packages/odoo/tools/cache.py", line 90, in lookup value = d[key] = self.method(*args, **kwargs) File "/mnt/extra-addons/auth_oidc/models/auth_oauth_provider.py", line 54, in _get_key for key in response["keys"]: KeyError: 'keys' 2023-10-24 00:44:09,646 1 INFO waspdb werkzeug: 192.xxx.xx.x - - [24/Oct/2023 00:44:09] "GET /auth_oauth/signin?code=171dba0&state=%7B%22d%22%3A+%22waspdb%22%2C+%22p%22%3A+%22r%22%3A+%22https%253A%252F%252Fhr.REDACTED.com%252Fweb%22%7D HTTP/1.1" 303 - 3 0.004 0.165 2023-10-24 00:44:09,823 1 INFO waspdb werkzeug: 192.xxx.xxx.xxx- - [24/Oct/2023 00:44:09] "GET /web/login?oauth_error=2 HTTP/1.1" 200 - 11 0.008 0.038

Odoo Config:
[Yes the error still displays when I do put in the user endpoint but it should get its data from the JWT]

Authentik Config:

[manfred-warta]

Can confirm, same here with odoo v16 and authentik 2023.10.2

[CRogos]

Can you check if there is a keys and kid attribute in your jwks_uri result?

https://login.microsoftonline.com/organizations/discovery/v2.0/keys

[bbaumgartl]

I did get it to work with Odoo 17.0, the auth_oidc plugin from the 17.0 branch and Authentik 2024.2.2. It is important that a signing cert is selected in Authentik otherwise the JWKS response is empty. The other settings shown above seem fine.

One thing to note is that i had to manually map the user to the oauth id. What i couldn't get to work is the automatic user creation.

[Raimoncoral]

Hi, I'm also trying to setup Odoo 17.0 with authentik 2024.2.2, and when I tried to log in i get an error "Redirect URI error"

In authentik i have 3 URL configured:

• http://your.odoo/auth_oauth/signin/
• https://your.odoo/auth_oauth/signin/
• https://www.your.odoo/auth_oauth/signin/

Can someone help me with this?

Thanks

[github-actions]

There hasn't been any activity on this issue in the past 6 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days.
If you want this issue to never become stale, please ask a PSC member to apply the "no stale" label.