Initial commit: OCA Server Auth packages (29 packages)

odoo-bringout-oca-server-auth-auth_oidc/auth_oidc/models/__init__.py

@@ -0,0 +1,5 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import auth_oauth_provider
+from . import res_users

odoo-bringout-oca-server-auth-auth_oidc/auth_oidc/models/auth_oauth_provider.py

@@ -0,0 +1,109 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import logging
+import secrets
+
+import requests
+
+from odoo import fields, models, tools
+
+try:
+    from jose import jwt
+    from jose.exceptions import JWSError, JWTError
+except ImportError:
+    logging.getLogger(__name__).debug("jose library not installed")
+
+
+class AuthOauthProvider(models.Model):
+    _inherit = "auth.oauth.provider"
+
+    flow = fields.Selection(
+        [
+            ("access_token", "OAuth2"),
+            ("id_token_code", "OpenID Connect (authorization code flow)"),
+            ("id_token", "OpenID Connect (implicit flow, not recommended)"),
+        ],
+        string="Auth Flow",
+        required=True,
+        default="access_token",
+    )
+    token_map = fields.Char(
+        help="Some Oauth providers don't map keys in their responses "
+        "exactly as required.  It is important to ensure user_id and "
+        "email at least are mapped. For OpenID Connect user_id is "
+        "the sub key in the standard."
+    )
+    client_secret = fields.Char(
+        help="Used in OpenID Connect authorization code flow for confidential clients.",
+    )
+    code_verifier = fields.Char(
+        default=lambda self: secrets.token_urlsafe(32), help="Used for PKCE."
+    )
+    validation_endpoint = fields.Char(required=False)
+    token_endpoint = fields.Char(
+        string="Token URL", help="Required for OpenID Connect authorization code flow."
+    )
+    jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
+    auth_link_params = fields.Char(
+        help="Additional parameters for the auth link. For example: {'prompt':'select_account'}"
+    )
+
+    @tools.ormcache("self.jwks_uri", "kid")
+    def _get_keys(self, kid):
+        r = requests.get(self.jwks_uri, timeout=10)
+        r.raise_for_status()
+        response = r.json()
+        # the keys returned here should follow
+        # JWS Notes on Key Selection
+        # https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-signature#appendix-D
+        return [
+            key
+            for key in response["keys"]
+            if kid is None or key.get("kid", None) == kid
+        ]
+
+    def _map_token_values(self, res):
+        if self.token_map:
+            for pair in self.token_map.split(" "):
+                from_key, to_key = [k.strip() for k in pair.split(":", 1)]
+                if to_key not in res:
+                    res[to_key] = res.get(from_key, "")
+        return res
+
+    def _parse_id_token(self, id_token, access_token):
+        self.ensure_one()
+        res = {}
+        header = jwt.get_unverified_header(id_token)
+        res.update(self._decode_id_token(access_token, id_token, header.get("kid")))
+        res.update(self._map_token_values(res))
+        return res
+
+    def _decode_id_token(self, access_token, id_token, kid):
+        keys = self._get_keys(kid)
+        if len(keys) > 1 and kid is None:
+            # https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.10.1
+            # If there are multiple keys in the referenced JWK Set document, a kid
+            # value MUST be provided in the JOSE Header.
+            raise JWTError(
+                "OpenID Connect requires kid to be set if there is more"
+                " than one key in the JWKS"
+            )
+        error = None
+        # we accept multiple keys with the same kid in case a key gets rotated.
+        for key in keys:
+            try:
+                values = jwt.decode(
+                    id_token,
+                    key,
+                    algorithms=["RS256"],
+                    audience=self.client_id,
+                    access_token=access_token,
+                )
+                return values
+            except (JWTError, JWSError) as e:
+                error = e
+        if error:
+            raise error
+        return {}

odoo-bringout-oca-server-auth-auth_oidc/auth_oidc/models/res_users.py

@@ -0,0 +1,82 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import logging
+
+import requests
+
+from odoo import api, models
+from odoo.exceptions import AccessDenied
+from odoo.http import request
+
+_logger = logging.getLogger(__name__)
+
+
+class ResUsers(models.Model):
+    _inherit = "res.users"
+
+    def _auth_oauth_get_tokens_implicit_flow(self, oauth_provider, params):
+        # https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse
+        return params.get("access_token"), params.get("id_token")
+
+    def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
+        # https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
+        code = params.get("code")
+        # https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
+        auth = None
+        if oauth_provider.client_secret:
+            auth = (oauth_provider.client_id, oauth_provider.client_secret)
+        response = requests.post(
+            oauth_provider.token_endpoint,
+            data=dict(
+                client_id=oauth_provider.client_id,
+                grant_type="authorization_code",
+                code=code,
+                code_verifier=oauth_provider.code_verifier,  # PKCE
+                redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
+            ),
+            auth=auth,
+            timeout=10,
+        )
+        response.raise_for_status()
+        response_json = response.json()
+        # https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
+        return response_json.get("access_token"), response_json.get("id_token")
+
+    @api.model
+    def auth_oauth(self, provider, params):
+        oauth_provider = self.env["auth.oauth.provider"].browse(provider)
+        if oauth_provider.flow == "id_token":
+            access_token, id_token = self._auth_oauth_get_tokens_implicit_flow(
+                oauth_provider, params
+            )
+        elif oauth_provider.flow == "id_token_code":
+            access_token, id_token = self._auth_oauth_get_tokens_auth_code_flow(
+                oauth_provider, params
+            )
+        else:
+            return super(ResUsers, self).auth_oauth(provider, params)
+        if not access_token:
+            _logger.error("No access_token in response.")
+            raise AccessDenied()
+        if not id_token:
+            _logger.error("No id_token in response.")
+            raise AccessDenied()
+        validation = oauth_provider._parse_id_token(id_token, access_token)
+        # required check
+        if "sub" in validation and "user_id" not in validation:
+            # set user_id for auth_oauth, user_id is not an OpenID Connect standard
+            # claim:
+            # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+            validation["user_id"] = validation["sub"]
+        elif not validation.get("user_id"):
+            _logger.error("user_id claim not found in id_token (after mapping).")
+            raise AccessDenied()
+        # retrieve and sign in user
+        params["access_token"] = access_token
+        login = self._auth_oauth_signin(provider, validation, params)
+        if not login:
+            raise AccessDenied()
+        # return user credentials
+        return (self.env.cr.dbname, login, access_token)