Initial commit: OCA Server Auth packages (29 packages)

2026-04-18 10:12:01 +02:00 · 2025-08-29 15:43:06 +02:00 · 2025-08-29 15:43:06 +02:00 · 3ed80311c4
commit 3ed80311c4
1325 changed files with 127292 additions and 0 deletions
--- a/odoo-bringout-oca-server-auth-auth_oidc/auth_oidc/controllers/main.py
+++ b/odoo-bringout-oca-server-auth-auth_oidc/auth_oidc/controllers/main.py
@ -0,0 +1,57 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import base64
+import hashlib
+import logging
+import secrets
+from ast import literal_eval
+
+from werkzeug.urls import url_decode, url_encode
+
+from odoo.addons.auth_oauth.controllers.main import OAuthLogin
+
+_logger = logging.getLogger(__name__)
+
+
+class OpenIDLogin(OAuthLogin):
+    def list_providers(self):
+        providers = super(OpenIDLogin, self).list_providers()
+        for provider in providers:
+            flow = provider.get("flow")
+            if flow in ("id_token", "id_token_code"):
+                params = url_decode(provider["auth_link"].split("?")[-1])
+                # nonce
+                params["nonce"] = secrets.token_urlsafe()
+                # response_type
+                if flow == "id_token":
+                    # https://openid.net/specs/openid-connect-core-1_0.html
+                    # #ImplicitAuthRequest
+                    params["response_type"] = "id_token token"
+                elif flow == "id_token_code":
+                    # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+                    params["response_type"] = "code"
+                # PKCE (https://tools.ietf.org/html/rfc7636)
+                code_verifier = provider["code_verifier"]
+                code_challenge = base64.urlsafe_b64encode(
+                    hashlib.sha256(code_verifier.encode("ascii")).digest()
+                ).rstrip(b"=")
+                params["code_challenge"] = code_challenge
+                params["code_challenge_method"] = "S256"
+                # scope
+                if provider.get("scope"):
+                    if "openid" not in provider["scope"].split():
+                        _logger.error("openid connect scope must contain 'openid'")
+                    params["scope"] = provider["scope"]
+
+                # append provider specific auth link params
+                if provider["auth_link_params"]:
+                    params_upd = literal_eval(provider["auth_link_params"])
+                    params.update(params_upd)
+
+                # auth link that the user will click
+                provider["auth_link"] = "{}?{}".format(
+                    provider["auth_endpoint"], url_encode(params)
+                )
+        return providers