From a0ca0a04124bbfab53af71929df783b8a3071984 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Wed, 28 Apr 2021 11:29:55 +0200
Subject: [PATCH 01/43] [ADD] auth_jwt

---
 auth_jwt/README.rst                         | 129 +++++++++++
 auth_jwt/__init__.py                        |   1 +
 auth_jwt/__manifest__.py                    |  17 ++
 auth_jwt/exceptions.py                      |  32 +++
 auth_jwt/models/__init__.py                 |   2 +
 auth_jwt/models/auth_jwt_validator.py       | 186 ++++++++++++++++
 auth_jwt/models/ir_http.py                  |  80 +++++++
 auth_jwt/readme/CONTRIBUTORS.rst            |   1 +
 auth_jwt/readme/DESCRIPTION.rst             |   1 +
 auth_jwt/readme/INSTALL.rst                 |   1 +
 auth_jwt/readme/USAGE.rst                   |  39 ++++
 auth_jwt/security/ir.model.access.csv       |   2 +
 auth_jwt/static/description/icon.png        | Bin 0 -> 9455 bytes
 auth_jwt/tests/__init__.py                  |   1 +
 auth_jwt/tests/test_auth_jwt.py             | 229 ++++++++++++++++++++
 auth_jwt/views/auth_jwt_validator_views.xml |  88 ++++++++
 16 files changed, 809 insertions(+)
 create mode 100644 auth_jwt/README.rst
 create mode 100644 auth_jwt/__init__.py
 create mode 100644 auth_jwt/__manifest__.py
 create mode 100644 auth_jwt/exceptions.py
 create mode 100644 auth_jwt/models/__init__.py
 create mode 100644 auth_jwt/models/auth_jwt_validator.py
 create mode 100644 auth_jwt/models/ir_http.py
 create mode 100644 auth_jwt/readme/CONTRIBUTORS.rst
 create mode 100644 auth_jwt/readme/DESCRIPTION.rst
 create mode 100644 auth_jwt/readme/INSTALL.rst
 create mode 100644 auth_jwt/readme/USAGE.rst
 create mode 100644 auth_jwt/security/ir.model.access.csv
 create mode 100644 auth_jwt/static/description/icon.png
 create mode 100644 auth_jwt/tests/__init__.py
 create mode 100644 auth_jwt/tests/test_auth_jwt.py
 create mode 100644 auth_jwt/views/auth_jwt_validator_views.xml

diff --git a/auth_jwt/README.rst b/auth_jwt/README.rst
new file mode 100644
index 0000000000..cf670acff7
--- /dev/null
+++ b/auth_jwt/README.rst
@@ -0,0 +1,129 @@
+========
+Auth JWT
+========
+
+.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/13.0/auth_jwt
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-13-0/server-auth-13-0-auth_jwt
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
+    :target: https://runbot.odoo-community.org/runbot/251/13.0
+    :alt: Try me on Runbot
+
+|badge1| |badge2| |badge3| |badge4| |badge5| 
+
+JWT bearer token authentication.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Installation
+============
+
+This module requires the ``python-jose`` library to be installed.
+
+Usage
+=====
+
+This module lets developpers add a new ``jwt`` authentication method on Odoo
+controller routes.
+
+To use it, you must:
+
+* Create an ``auth.jwt.validator`` record to configure how the JWT token will
+  be validated.
+* Add an ``auth="jwt_{validator-name}"`` attribute to the routes
+  you want to protect where ``{validator-name}`` corresponds to the name
+  attribute of the JWT validator record.
+
+The ``auth_jwt_test`` module provides examples.
+
+The JWT validator can be configured with the following properties:
+
+* ``name``: the validator name, to match the ``auth="jwt_{validator-name}"``
+  route property.
+* ``audience``: used to validate the ``aud`` claim.
+* ``issuer``: used to validate the ``iss`` claim.
+* Signature type (secret or public key), algorithm, secret and JWK URI
+  are used to validate the token signature.
+
+In addition, the ``exp`` claim is validated to reject expired tokens.
+
+If the ``Authorization`` HTTP header is missing, malformed, or contains
+an invalid token, the request is rejected with a 401 (Unauthorized) code.
+
+If the token is valid, the request executes with the configured user id. By
+default the user id selection strategy is ``static`` (i.e. the same for all
+requests) and the selected user is configured on the JWT validator. Additional
+strategies can be provided by overriding the ``_get_uid()`` method and
+extending the ``user_id_strategy`` selection field..
+
+Additionally, if a ``partner_id_strategy`` is configured, a partner is searched
+and if found, its id is stored in the ``request.partner_id`` attribute. If
+``partner_id_required`` is set, a 401 (Unauthorized) is returned if no partner
+was found. Otherwise ``request.partner_id`` is left falsy. Additional
+strategies can be provided by overriding the ``_get_partner_id()`` method
+and extending the ``partner_id_strategy`` selection field.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us smashing it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2013.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+~~~~~~~
+
+* ACSONE SA/NV
+
+Contributors
+~~~~~~~~~~~~
+
+* Stéphane Bidoul <stephane.bidoul@acsone.eu>
+
+Maintainers
+~~~~~~~~~~~
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+.. |maintainer-sbidoul| image:: https://github.com/sbidoul.png?size=40px
+    :target: https://github.com/sbidoul
+    :alt: sbidoul
+
+Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-sbidoul| 
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/13.0/auth_jwt>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_jwt/__init__.py b/auth_jwt/__init__.py
new file mode 100644
index 0000000000..0650744f6b
--- /dev/null
+++ b/auth_jwt/__init__.py
@@ -0,0 +1 @@
+from . import models
diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
new file mode 100644
index 0000000000..e632e255c8
--- /dev/null
+++ b/auth_jwt/__manifest__.py
@@ -0,0 +1,17 @@
+# Copyright 2021 ACSONE SA/NV
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+{
+    "name": "Auth JWT",
+    "summary": """
+        JWT bearer token authentication.""",
+    "version": "13.0.1.0.0",
+    "license": "AGPL-3",
+    "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
+    "maintainers": ["sbidoul"],
+    "website": "https://github.com/OCA/server-auth",
+    "depends": [],
+    "external_dependencies": {"python": ["python-jose", "cryptography"]},
+    "data": ["security/ir.model.access.csv", "views/auth_jwt_validator_views.xml"],
+    "demo": [],
+}
diff --git a/auth_jwt/exceptions.py b/auth_jwt/exceptions.py
new file mode 100644
index 0000000000..dbebaff04d
--- /dev/null
+++ b/auth_jwt/exceptions.py
@@ -0,0 +1,32 @@
+# Copyright 2021 ACSONE SA/NV
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+from werkzeug.exceptions import InternalServerError, Unauthorized
+
+
+class UnauthorizedMissingAuthorizationHeader(Unauthorized):
+    pass
+
+
+class UnauthorizedMalformedAuthorizationHeader(Unauthorized):
+    pass
+
+
+class UnauthorizedSessionMismatch(Unauthorized):
+    pass
+
+
+class AmbiguousJwtValidator(InternalServerError):
+    pass
+
+
+class JwtValidatorNotFound(InternalServerError):
+    pass
+
+
+class UnauthorizedInvalidToken(Unauthorized):
+    pass
+
+
+class UnauthorizedPartnerNotFound(Unauthorized):
+    pass
diff --git a/auth_jwt/models/__init__.py b/auth_jwt/models/__init__.py
new file mode 100644
index 0000000000..49b44a2b20
--- /dev/null
+++ b/auth_jwt/models/__init__.py
@@ -0,0 +1,2 @@
+from . import auth_jwt_validator
+from . import ir_http
diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
new file mode 100644
index 0000000000..5490356ccc
--- /dev/null
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -0,0 +1,186 @@
+# Copyright 2021 ACSONE SA/NV
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+import logging
+from functools import partial
+
+import requests
+from jose import jwt  # pylint: disable=missing-manifest-dependency
+from werkzeug.exceptions import InternalServerError
+
+from odoo import _, api, fields, models, tools
+from odoo.exceptions import ValidationError
+
+from ..exceptions import (
+    AmbiguousJwtValidator,
+    JwtValidatorNotFound,
+    UnauthorizedInvalidToken,
+    UnauthorizedPartnerNotFound,
+)
+
+_logger = logging.getLogger(__name__)
+
+
+class AuthJwtValidator(models.Model):
+    _name = "auth.jwt.validator"
+    _description = "JWT Validator Configuration"
+
+    name = fields.Char(required=True)
+    signature_type = fields.Selection(
+        [("secret", "Secret"), ("public_key", "Public key")], required=True
+    )
+    secret_key = fields.Char()
+    secret_algorithm = fields.Selection([("HS256", "HS256")], default="HS256")  # TODO
+    public_key_jwk_uri = fields.Char()
+    public_key_algorithm = fields.Selection(
+        [("RS256", "RS256")], default="RS256"
+    )  # TODO
+    audience = fields.Char(required=True, help="To validate aud.")
+    issuer = fields.Char(required=True, help="To validate iss.")
+    user_id_strategy = fields.Selection(
+        [("static", "Static")], required=True, default="static"
+    )
+    static_user_id = fields.Many2one("res.users", default=1)
+    partner_id_strategy = fields.Selection([("email", "From email claim")])
+    partner_id_required = fields.Boolean()
+
+    _sql_constraints = [
+        ("name_uniq", "unique(name)", "JWT validator names must be unique !"),
+    ]
+
+    @api.constrains("name")
+    def _check_name(self):
+        for rec in self:
+            if not rec.name.isidentifier():
+                raise ValidationError(
+                    _("Name %r is not a valid python identifier.") % (rec.name,)
+                )
+
+    @api.model
+    def _get_validator_by_name_domain(self, validator_name):
+        if validator_name:
+            return [("name", "=", validator_name)]
+        return []
+
+    @api.model
+    def _get_validator_by_name(self, validator_name):
+        domain = self._get_validator_by_name_domain(validator_name)
+        validator = self.search(domain)
+        if not validator:
+            _logger.error("JWT validator not found for name %r", validator_name)
+            raise JwtValidatorNotFound()
+        if len(validator) != 1:
+            _logger.error(
+                "More than one JWT validator found for name %r", validator_name
+            )
+            raise AmbiguousJwtValidator()
+        return validator
+
+    @tools.ormcache("self.public_key_jwk_uri", "kid")
+    def _get_key(self, kid):
+        r = requests.get(self.public_key_jwk_uri)
+        r.raise_for_status()
+        response = r.json()
+        for key in response["keys"]:
+            if key["kid"] == kid:
+                return key
+        return {}
+
+    def _decode(self, token):
+        """Validate and decode a JWT token, return the payload."""
+        if self.signature_type == "secret":
+            key = self.secret_key
+            algorithm = self.secret_algorithm
+        else:
+            try:
+                header = jwt.get_unverified_header(token)
+            except jwt.JWTError as e:
+                _logger.info("Invalid token: %s", e)
+                raise UnauthorizedInvalidToken()
+            key = self._get_key(header.get("kid"))
+            algorithm = self.public_key_algorithm
+        try:
+            payload = jwt.decode(
+                token,
+                key=key,
+                algorithms=[algorithm],
+                options=dict(
+                    require_exp=True, verify_exp=True, verify_aud=True, verify_iss=True
+                ),
+                audience=self.audience,
+                issuer=self.issuer,
+            )
+        except jwt.JWTError as e:
+            _logger.info("Invalid token: %s", e)
+            raise UnauthorizedInvalidToken()
+        return payload
+
+    def _get_uid(self, payload):
+        # override for additional strategies
+        if self.user_id_strategy == "static":
+            return self.static_user_id.id
+
+    def _get_and_check_uid(self, payload):
+        uid = self._get_uid(payload)
+        if not uid:
+            _logger.error("_get_uid did not return a user id")
+            raise InternalServerError()
+        return uid
+
+    def _get_partner_id(self, payload):
+        # override for additional strategies
+        if self.partner_id_strategy == "email":
+            email = payload.get("email")
+            if not email:
+                _logger.debug("JWT payload does not have an email claim")
+                return
+            partner = self.env["res.partner"].search([("email", "=", email)])
+            if len(partner) != 1:
+                _logger.debug("%d partners found for email %s", len(partner), email)
+                return
+            return partner.id
+
+    def _get_and_check_partner_id(self, payload):
+        partner_id = self._get_partner_id(payload)
+        if not partner_id and self.partner_id_required:
+            raise UnauthorizedPartnerNotFound()
+        return partner_id
+
+    def _register_hook(self):
+        res = super()._register_hook()
+        self.search([])._register_auth_method()
+        return res
+
+    def _register_auth_method(self):
+        IrHttp = self.env["ir.http"]
+        for rec in self:
+            setattr(
+                IrHttp.__class__,
+                f"_auth_method_jwt_{rec.name}",
+                partial(IrHttp.__class__._auth_method_jwt, validator_name=rec.name),
+            )
+
+    def _unregister_auth_method(self):
+        IrHttp = self.env["ir.http"]
+        for rec in self:
+            try:
+                delattr(IrHttp.__class__, f"_auth_method_jwt_{rec.name}")
+            except AttributeError:
+                pass
+
+    @api.model_create_multi
+    def create(self, vals):
+        rec = super().create(vals)
+        rec._register_auth_method()
+        return rec
+
+    def write(self, vals):
+        if "name" in vals:
+            self._unregister_auth_method()
+        res = super().write(vals)
+        self._register_auth_method()
+        return res
+
+    def unlink(self):
+        self._unregister_auth_method()
+        return super().unlink()
diff --git a/auth_jwt/models/ir_http.py b/auth_jwt/models/ir_http.py
new file mode 100644
index 0000000000..5100fdfdac
--- /dev/null
+++ b/auth_jwt/models/ir_http.py
@@ -0,0 +1,80 @@
+# Copyright 2021 ACSONE SA/NV
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+import logging
+import re
+
+from odoo import SUPERUSER_ID, api, models, registry as registry_get
+from odoo.http import request
+
+from ..exceptions import (
+    UnauthorizedMalformedAuthorizationHeader,
+    UnauthorizedMissingAuthorizationHeader,
+    UnauthorizedSessionMismatch,
+)
+
+_logger = logging.getLogger(__name__)
+
+
+AUTHORIZATION_RE = re.compile(r"^Bearer ([^ ]+)$")
+
+
+class IrHttpJwt(models.AbstractModel):
+
+    _inherit = "ir.http"
+
+    @classmethod
+    def _authenticate(cls, auth_method="user"):
+        """Protect the _authenticate method.
+
+        This is to ensure that the _authenticate method is called
+        in the correct conditions to invoke _auth_method_jwt below.
+        When migrating, review this method carefully by reading the original
+        _authenticate method and make sure the conditions have not changed.
+        """
+        if auth_method == "jwt" or auth_method.startswith("jwt_"):
+            if request.session.uid:
+                _logger.warning(
+                    'A route with auth="jwt" must not be used within a user session.'
+                )
+                raise UnauthorizedSessionMismatch()
+            if request.uid:
+                _logger.error(
+                    'A route with auth="jwt" should not have a request.uid here.'
+                )
+                raise UnauthorizedSessionMismatch()
+        return super()._authenticate(auth_method)
+
+    @classmethod
+    def _auth_method_jwt(cls, validator_name=None):
+        assert request.db
+        assert not request.uid
+        assert not request.session.uid
+        token = cls._get_bearer_token()
+        assert token
+        registry = registry_get(request.db)
+        with registry.cursor() as cr:
+            env = api.Environment(cr, SUPERUSER_ID, {})
+            validator = env["auth.jwt.validator"]._get_validator_by_name(validator_name)
+            assert len(validator) == 1
+            payload = validator._decode(token)
+            uid = validator._get_and_check_uid(payload)
+            assert uid
+            partner_id = validator._get_and_check_partner_id(payload)
+        request.uid = uid  # this resets request.env
+        request.jwt_payload = payload
+        request.jwt_partner_id = partner_id
+
+    @classmethod
+    def _get_bearer_token(cls):
+        # https://tools.ietf.org/html/rfc2617#section-3.2.2
+        authorization = request.httprequest.environ.get("HTTP_AUTHORIZATION")
+        if not authorization:
+            _logger.info("Missing Authorization header.")
+            raise UnauthorizedMissingAuthorizationHeader()
+        # https://tools.ietf.org/html/rfc6750#section-2.1
+        mo = AUTHORIZATION_RE.match(authorization)
+        if not mo:
+            _logger.info("Malformed Authorization header.")
+            raise UnauthorizedMalformedAuthorizationHeader()
+        return mo.group(1)
diff --git a/auth_jwt/readme/CONTRIBUTORS.rst b/auth_jwt/readme/CONTRIBUTORS.rst
new file mode 100644
index 0000000000..f323b44ab0
--- /dev/null
+++ b/auth_jwt/readme/CONTRIBUTORS.rst
@@ -0,0 +1 @@
+* Stéphane Bidoul <stephane.bidoul@acsone.eu>
diff --git a/auth_jwt/readme/DESCRIPTION.rst b/auth_jwt/readme/DESCRIPTION.rst
new file mode 100644
index 0000000000..9322c82e13
--- /dev/null
+++ b/auth_jwt/readme/DESCRIPTION.rst
@@ -0,0 +1 @@
+JWT bearer token authentication.
diff --git a/auth_jwt/readme/INSTALL.rst b/auth_jwt/readme/INSTALL.rst
new file mode 100644
index 0000000000..62a3d4fc43
--- /dev/null
+++ b/auth_jwt/readme/INSTALL.rst
@@ -0,0 +1 @@
+This module requires the ``python-jose`` library to be installed.
diff --git a/auth_jwt/readme/USAGE.rst b/auth_jwt/readme/USAGE.rst
new file mode 100644
index 0000000000..d8bd837037
--- /dev/null
+++ b/auth_jwt/readme/USAGE.rst
@@ -0,0 +1,39 @@
+This module lets developpers add a new ``jwt`` authentication method on Odoo
+controller routes.
+
+To use it, you must:
+
+* Create an ``auth.jwt.validator`` record to configure how the JWT token will
+  be validated.
+* Add an ``auth="jwt_{validator-name}"`` attribute to the routes
+  you want to protect where ``{validator-name}`` corresponds to the name
+  attribute of the JWT validator record.
+
+The ``auth_jwt_test`` module provides examples.
+
+The JWT validator can be configured with the following properties:
+
+* ``name``: the validator name, to match the ``auth="jwt_{validator-name}"``
+  route property.
+* ``audience``: used to validate the ``aud`` claim.
+* ``issuer``: used to validate the ``iss`` claim.
+* Signature type (secret or public key), algorithm, secret and JWK URI
+  are used to validate the token signature.
+
+In addition, the ``exp`` claim is validated to reject expired tokens.
+
+If the ``Authorization`` HTTP header is missing, malformed, or contains
+an invalid token, the request is rejected with a 401 (Unauthorized) code.
+
+If the token is valid, the request executes with the configured user id. By
+default the user id selection strategy is ``static`` (i.e. the same for all
+requests) and the selected user is configured on the JWT validator. Additional
+strategies can be provided by overriding the ``_get_uid()`` method and
+extending the ``user_id_strategy`` selection field..
+
+Additionally, if a ``partner_id_strategy`` is configured, a partner is searched
+and if found, its id is stored in the ``request.partner_id`` attribute. If
+``partner_id_required`` is set, a 401 (Unauthorized) is returned if no partner
+was found. Otherwise ``request.partner_id`` is left falsy. Additional
+strategies can be provided by overriding the ``_get_partner_id()`` method
+and extending the ``partner_id_strategy`` selection field.
diff --git a/auth_jwt/security/ir.model.access.csv b/auth_jwt/security/ir.model.access.csv
new file mode 100644
index 0000000000..3935420e6e
--- /dev/null
+++ b/auth_jwt/security/ir.model.access.csv
@@ -0,0 +1,2 @@
+id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
+access_auth_jwt_validator_admin,auth_jwt_validator admin,model_auth_jwt_validator,base.group_system,1,1,1,1
diff --git a/auth_jwt/static/description/icon.png b/auth_jwt/static/description/icon.png
new file mode 100644
index 0000000000000000000000000000000000000000..3a0328b516c4980e8e44cdb63fd945757ddd132d
GIT binary patch
literal 9455
zcmW++2RxMjAAjx~&dlBk9S+%}OXg)AGE&Cb*&}<C%<R2Kc9faym6aW`f0Dh5$js*d
z_}}Z!;XIG;_cPz`_vag-p{7Ve$Uq1H00~A(?iu(VaQlMefnU3&OozZXm@69d91cGG
z;O61r&je0NdamH#&)mKsXk?Zb_)B^>d0jUxM@u(PQx^-s)6<jB#=*|j%+$$(&(Xyy
zYgd8+09XKwoa}S2?48%%ZU#L~n^g{fE40h%YEx5by;GuJ(K|vI1uO;0m}=J7R4@Bs
z>97TX<v{QF=s?r`z`m$a0ZvrhBU7}{15RN9M`j!kv_Mp+3~{||YNuFzHNvhMYm3=Q
zo!q+OJ5(%-oNM^I^M%*luKMiVL`lo`bcKGymX7i3MIFWj1i|9+CGNvn`cu-RsK0Qh
zoYlwB>`ehR4?GS^qbkof1cslKgk<Uw6DeIxZyT_?=OwX|lwC*A?ac*gHF7jmS080$
z>U)h65qZ9Oc=ml_0temigYLJfnz{IDzUf>bGs4N!v3=Z3jMq&A#7%rM5eQ#dc?k~!
zVpnB`o+K7|Al`Q_U<UrcmRnh6jExs}l(hZs0%T~Dnpu-NENdhioRv(T{Qmv>;eD$B
zfJtP*jH`siUq~{KE)`jP2|#TUEFGRryE2`i0**z#*^6~AI|YzIWy$Cu#CSLW3q=GA
z6`?GZymC;dCPk~rBS%eCb`5OLr;RUZ;D`}um=H)BfVIq%7VhiMr)_#G0N#zrNH|__
zc+blN2UAB0=617@>_<D4$IPL<k1zq(*VmlDPer&h1n6`AG;9A!_W=N$JthhQWXZ<i
zGURc6f<i*joK3xSWaOOXxAc8ES>u;MPHN;P;N#YoE=)R#i$k_`UAA>WWCcEVMh~L_
zj--gtp&|K1#58Yz*AHCTMziU1Jzt_jG0I@qAOHsk$2}yTmVkBp_eHuY$A9)>P6o~I
z%aQ?!(GqeQ-Y+b0I(m9pwgi(IIZZzsbMv+9w{PFtd_<_(LA~0H(xz<Z(Qt1jC2cC|
z6WbMo9YgON{L#ZDl$sV4*<CP(>{=FhLB@(1&qHA5EJw1>>=%q2f&^X>IQ{!GJ4e9U
z&KlB)z(84HmNgm2hg2C0>WM{E(DdPr+EeU_N@57;PC2&DmGFW_9kP&%?X4}+xWi)(
z;)z%wI5>D4a*5XwD)P--sPkoY(a~WBw;E~AW`Yue4kFa^LM3X`8x|}ZUeMnqr}>kH
zG%WWW>3ml$Yez?i%)2pbKPI7?5o?hydokgQyZsNEr{a|mLdt;X2TX(#B1j35xPnPW
z*bMSSOauW>o;*=kO8ojw91VX!qoOQb)zHJ!odWB}d+*K?#sY_jqPdg{Sm2HdYzdEx
zOGVPhVRTGPtv0o}RfVP;Nd(|CB)<HrC1(%ZOEd8PI?r9b_$Cp-${bh59Z_R7n&YCp
zl8lfMpes*8{FVm;oJH@0LLoWmxD59u?JwHz2iRrAaE0`Hc&g;t5~$P*kdeOZn9OJ3
zRczo@ZkWU)RG+hcfH~{49Vvb3D(W0wRX#|$cA0Iqy^VR~(4hqA2AFI-rK!FM!#fJ_
zGFI@iqJOPXZ!=VjTS3dMuu~9xU3K1&?th;$)cqM#WGxbDEyB$y`#9j%>I;*t&QO8h
zFfekr30S!-LHmV_Su-W+rEwYXJ^;6&3|L$mMC8*bQptyOo9;>Qb9Q9`ySe3%V$A*9
zeKEe+b0{#KWGp$F+tga)0RtI)nhMa-K@JS}2krK~n8vJ=Ngm?R!9G<~RyuU0d?nz#
z-5EK$o(!F?hmX*2Yt6+coY`6jGbb7t<dboft~zeDZwK=+l2bFWs5^+|r{J6GO9Cwl
z&SW58BRs?XdFLuhtzl7WLbQ#~z#`jAB3AbSUg6jW6@qVd2Q~9qN(izT1y*>F#6nHA
zuKk=GGJ;ZwON1iAfG$E#Y7MnZVmrY|j0eVI(DN_MNFJmyZ|;w4tf@=CCDZ#5N_0K=
z$;R~bbk?}TpfDjfB&aiQ$VA}s?P}xPERJG{kxk5~R`iRS(SK5d+Xs9swCozZISbnS
zk!)I0>t=A<-^z(cmSFz3=jZ23u13X><0b)P)^1T_))Kr`e!-pb#q&J*Q`p+B6la%C
zuVl&0duN<;uOsB3%T9Fp8t{ED108<?)`y_~Hnd9AUX7h-H?jVuU|}My+C=TjH(jKz
zqMVr0re3S$H@t{zI95qa)+Crz*5Zj}Ao%4Z><+W(nOZd?gDnfNBC3>M8WE61$So|P
zVvqH0SNtDTcs<xiU1;=a39$d&&l5EwoIH1db#`S9Kw!YC1jhR)VbCWMptlUUkpfif
zMzi-i8)WL?|C$*Q?iqbS{w<lA9XN(rD)VS<zn>UdzaMDpT=Ty0pDHHNL@Z0w$Y`XO
z2M-_r1S+GaH%pz#Uy0*w$Vdl=X=rQXEzO}d6J^R6zjM1u&c9vYLvLp?W7w(?np9x1
zE_0JSAJCPB%i7p*Wvg)pn5T`8k3-uR?*NT|J`eS#_#54p>!p(mLDvmc-3o0mX*mp_
zN*AeS<>#^-{S%W<*mz^!X$w_2dHWpcJ6^j64qFBft-o}o_Vx80o0>}Du;>kLts;$8
zC`7q$QI(dKYG`Wa8#wl@V4jVWBRGQ@1dr-hstpQL)Tl+aqVpGpbSfN>5i&QMXfiZ>
zaA?T1VGe?rpQ@;+pkrVdd{klI&jVS@I5_iz!=UMpTsa~mBga?1r}a<Xwa$pLotZk<
zsykXwQO37I=aXew7x=}YWiW)^p)|C#g+)an!@j?EcY8C0t)BlK#y{YLtkJ6=D6H-5
zp2*ANf@>RBm1WS;TT*s0f0lY=JBl66Upy)-k4J}lh=P^8(SXk~0xW=T9v*B|gzIhN
z>qsO7dFd~mgxAy4V?&)=5ieYq?zi?ZEoj)&2o)RLy=<bK!vY7J*RP!&i_xU}i*o6o
z?xN*1<rEe1L2HBkCSgiYM3a|4w?Bo7CJL7?Eh;9An1m$1t?h1v92<Xg2(#)bjbL|o
zH_H0}!Og=1dOBynXHu>@hbCRcfT5ji<pmK_U*~T(A$I-*rM$8-BCv{=@=7F)2pdtU
z5==tp!}A*&Xgf{F>gwtQGE{L*8<@Yd{zg;CsL5mvzfDY}P-wos_6PfprFVaeqNE%h
zKZhLtcQld;ZD+>=nqN~>GvROfueSzJD&<KAVm#0W>BE*}XfU|H&(FssBqY=hPCt`d
zH?@s2>I(|;fcW&YM6#V<T#ysvE$@4oRO>#!kUIP8$Nkdh0A(bEVj``-AAyYgwY~jB
zT|I7Bf@%;7aL7Wf4dZ%VqF$eiaC38OV6oy3Z#TER2G+fOCd9Iaoy6aLYbPTN{XRPz
z;U!V|vBf%H!}52L2gH_+j;`bTcQRXB+y9onc^wLm5wi3-Be}U>k_u>2Eg$=k!(l@I
zcCg+flakT2Nej3i0yn+g+}%NYb?ta;R<sv-KjYb}UVFjITQ)VAEWu*)Lz7*-f^A*H
z<25#Ynt~-Qh?$wWx4$1=T2`j@bKp!)3IXh(LC@)%WGW$+j(tGz(6#bGw&K0j=Np@B
zt}@t$R`z(>?(g5SnwsQ49U8Wng8d|{B+lyRcEDvR3+`O{zfmrmvFrL6acVP%yG98X
zo&+VBg@px@i)%o?dG(`T;n*$S5*rnyiR#=wW}}GsAcfyQpE|>a{=$Hjg=-*_K;UtD
z<sX7(ZJc+Q;#xP8uk`jnF@a^|TWw*55if6@@}%7lOBaGo9Ia-e?`RPQc^w^EWfhe}
zHWHTvDA+r}Xf5Yqpr;QU-88%QC9F_>#z-)AXwSRY?<M%E84!g*1GC?E>OPefw^iI+
z)AXz#PfEjlwTes|_{sB?4(O@fg0AJ^g8gP}ex9Ucf*@_^J(s_5jJV}c)s$`Myn|Kd
z$<h)Fm>6>}#q^n{4vN@+Os$m7KV+`}c%4)4pv@06af4-x5#wj!KKb%caK{A&Y#Rfs
z-po?Dcb1({W=6FKIUirH&(yg=*6aLCekcKwyfK^JN5{wcA3nhO(o}SK#!CINhI`-I
z1)6&n7O&ZmyFMuNwvEic#IiOAwNkR=u5it{B9n2sAJV5pNhar=j5`*N!Na;c7g!l$
z3aYBqUkqqTJ=Re-;)s!EOeij=7SQZ3Hq}ZRds%IM*PtM$wV<GYik+VfZene%bm(n6
z`r@rc^TVw7EN{|O7rORMlw)zt(Z#enc3joE#IIk!M)L8gk^go9E9AxiP9o#OqmvV>
z@;rlc*NRK7i3y5BETSKuumEN`Xu_8<BQ)z0!-JuC8x}?$qo8SEko}oUWNI(4h*VHO
zAi!Egy!f(o9aHs2dhSE6ki(be*&w&+WLOB<(b3T_Hide(NvVvLQV{BN|2?UJFaY*@
z9CXA5B_*8i5Bf6sn~d`R>GP1Ri=OK<SGIb#BCTo3qI#UBUg+dkR+2ilUwIg%XFV;l
z+>Q$@I^ko8>H6)4rjiG5{VBM>B|%`&&s^)jS|-_95&yc=GqjNo{zFkw%%HHhS~e=s
zD#sfS+-?*t|J!+ozP6KvtOl!R)@@-z24}`9{QaVLD^9VCSR2b`b!KC#o;Ki<+wXB6
zx3&O0LOWcg4&rv4QG0)4yb}7BFSEg~=IR5<g6yi=XozU}zReXL{rA%c`$IQAs<ObZ
zep*ITZ0C(~W*`?XH^l1t7&+qigAfY9tVJ5DH!~jY>#ZRj8kg}dS7_V&^%#Do==#`u
zpy6{ox?jWuR(;pg+f@mT>#HGWHAJRRDDDv~@(IDw&R>9643kK<aUZ^OhBu;1e6t#{
zxKehVgz`HT;A`FMivG<tq0OcrXwHUX_<$j<uk%m>#HN`!1vBJHnC+RM&yIh8{gG2q
zA%e*U3|N0XSRa~oX-3EAneep)@{h2vvd3Xvy$7og(sayr@95+e6~Xvi1tUqnIxoIH
zVWo*OwYElb#uyW{Imam6f2<eMTQj#)z8+N&ZY?tSPo%&2eVNU=4=?rlO<*9Twaxco
zEVE=Jh?_x>rGbjR!Y3`#gPqkv57dB6K^wRGxc9B(t|aYDGS=m$&S!NmCtrMMaUg(c
zc2qC=2Z`EEFMW-me5B)24AqF*bV5Dr-M5ig(l-WPS%CgaPzs6p_gnCIvTJ=Y<6!gT
zVt@AfYCzjjsMEGi=rDQHo0yc;HqoRNnNFeWZgcm?f;cp(6CNylj36DoL(?TS7eU#+
z7&mfr#y))+CJOXQKUMZ7QIdS9@#-}7y2K1{8)cCt0~-X0O!O?Qx#E4Og+;A2SjalQ
zs7r?qn0H044=sDN$SRG$arw~n=+T_DNdSrarmu)V6@|?1-ZB#hRn`uilTGPJ@fqEy
zGt(f0B+^JDP&f=r{#Y_wi#AVDf-y!RIXU^0jXsFpf>=Ji*TeqSY!H~AMbJdCGLhC)
zn7Rx+sXw6uYj;WRYrLd^5IZq@6JI1C^YkgnedZEYy<&4(z%Q$5yv#B<pkvWZft^C&
z;+zNo+VJNluxaDF!`gW+F0=MxsCQ~~#CYKa;ULfj5hTa8a6;d*(<eeQ7-ZQgz2et^
zf|7URfj;x*#HiF0wuBCOTEpbeD&kkENqolCm2#cQGHCeEC<&I3j+P6?sX?BPp4~46
zx-S~EJ>oo{AH8n$<d4loB?vL3RqXwK_COrQ6xRoWGOdFnWy(hhzrG8k;2k}8Zj&>a
zhb4Y3PWdr269&?V%uI$xMcUrMzl=;w<_nm*qr=c3Rl@i5wWB;e-`t7D&c-mcQl7x!
zZWB`UGcw=Y2=}~wzrfLx=uet<;m3~=8I~ZRuzvMQUQdr+yTV|ATf1Uuomr__nDf=X
zZ3WYJtHp_ri(}SQAPjv+Y+0=<GD??Na(2AG`s>fH4krOP@S&=zZ-t1jW1o@}z;xk8
z(Nz1co&El^HK^NrhVHa-_;&88vTU>_J33=%{if;BEY*J#1n59=07jrGQ#IP>@u#3A
z;!q+E1Rj3ZJ+!4bq9F8PXJ@yMgZL;>&gYA0%_Kbi8?S=XGM~dnQZQ!yBSgcZhY96H
zrWnU;k)qy`rX&&xlDyA%(a1Hhi5CWkmg(`Gb%m(HKi-7Z!LKGRP_B8@`7&hdDy5n=
z`OIxqxiVfX@OX1p(mQu>0Ai*v_cTMiw4qRt3~N<X{IYiJ3k=4u-u*nJEBnJ<OdI8P
zXmK`OYkO5a{YDhI3PL|H4m=p>Bvr9oBy0)r>w3p~V0SCm=An6@3n)>@z!|o-$HvDK
z|3D2ZMJkLE5loMKl6R^ez@Zz%S$&mbeoqH5`Bb){Ei21q&VP)hWS2tjShfFtGE+$z
zzCR$P#uktu+#!w)cX!<osOkId_HzAT-HD2N`M+v2l+zwdW%GgZbQMuhfE*hHjKXKg
z45hphqVETPDbX6wpTlZqza0gFaRGh`3L~0id)F6#%@9;w(e%PjzuD7@inuToA!B?F
zCMLJc!u{3N)s?lB-!11!GxXsCak8zQomO)gmn02f-5~OkMYnm~#jVwwYNw@LAv!KN
z-n`q1|AXw*TW>lWN1XU%K-r=s{|j?)Akf@q#3b#{6cZCuJ~gCxuMXRmI$nGtnH+-h
z+GEi!*X=AP<|fG`1>MBdTb?28JYc=fGvAi2I<$B(rs$;eoJCyR6_bc~p!XR@O-+sD
z=eH`-ye})I5ic1eL~TDmtfJ|8`0VJ*Yr=hNCd)G1p2MMz4C3^Mj?7;!w|Ly%JqmuW
zlIEW^Ft%z?*|fpXda>Jr^1noFZEwFgVV%|*XhH@acv8rdGxeEX{M$(vG{Zw+x(ei@
zmfXb22}8-?Fi`vo-YVrTH*C?a8%M=Hv9MqVH7H^J$KsD?>!SFZ;ZsvnHr_gn=7acz
z#W?0eCdVhVMWN12VV^$>WlQ?f;P^{(&pYTops|btm6aj>_Uz+hqpGwB)vWp0Cf5y<
zft8-je~nn?W11plq}N)4A{l8I7$!ks_x$PXW-2XaRFswX_BnF{R#6YIwMhAgd5F9X
zGmwdadS6(a^fjHtXg8=l?Rc0Sm%hk6E9!5cLVloEy4eh(=FwgP`)~I^5~pBEWo+F6
zSf2ncyMurJN91#cJTy_u8Y}@%!bq1RkGC~-bV@SXRd4F{R-*V<h953|jk-C&|3)z%
ze&_30-6q1)a0(!xXqA+_t(WC`HA_yYaW@>`bS+6;W5vZ(&+I<9$;-V|eNfLa5n-6%
z2(}&uGRF;p9<Q%jdNy1%e7XTzyu7EEQT(5LrnvX~T%K!IuDyHY`ZneVJu#k_1T)xA
z*yxB?y4!pOJ$DTZzBm|8OIQq+AtV25aJ+X5EJjAu><tfuiNClI2BSoMgqLnU-5t95
zEnZ(^g~1RgD=UMB({c;$HujG&%DqGF;5jI~roRT+(rOoS$6f6SsURIuAVkAeIVc~{
z5ZxLN%m%Z*Sg;qYCf3<$dE6~&w_!EBx%yl4YC~LH{FCFNRBc_I>2eS*sE*o<YSPrx
z{M(reV{~jKue#Y6ZOnqJia{fQc!UxV4m)l389OmzR6A3|2!i<P{r82jKw+zq4%@ny
znopi6g!1Vx9Bml#a~KdL2lp2C)qSTKIh43vgycQHfQb_I!kQY&p;X@Bz|{^SXsW1K
zP&Ag1CW_r6u5-4=s(W>R$@pexaqr*meB)VhmIg@h{uzkk$9~qh#cHhw#>O%)b@+(|
z^IQgqzuj~Sk(J;swEM-3TrJAPCq9k^^^`q{IItKBRXYe}e0Tdr=Huf7da3$l4<V=<
zfr<*%iOB1EY}w3tF2Cwl7a2OS&~Y-lu<s)T^9=OFU8(CeN|63BiMxf*)5gesGU<eZ
z9DigzL3+quZ1o2T<KAZbCGJx&lrl*e#}Dpv24bZO$B<Yoc5hbeP0y?@P%|Tvw||e%
zV#e^q0D2R_Oq_c+=x5vP&hg4k+df{o7$aNZCM>PdpwWDop%^}n;dD#K4s#DYA8SHZ
z&1!riV4W4R7R#C))JH1~axJ)RYnM$$lIR%6fIVA@zV{XVyx}C+a-Dt8Y9M)^KU0+H
zR4IUb2CJ{Hg>CuaXtD50jB(_Tcx=Z$^W<wsNa}nUDpNk$q{>Yu2u5kubqmwp%drJ6
z?Fo40g!Qd<-l=TQxqHEOuPX0;^z7iX?Ke^a%XT<13TA^5`4Xcw6D@Ur&VT&CUe0d}
z1GjOVF1^L@>O)l@?bD~$wzgf(nxX1OGD8fEV?TdJcZc2KoUe|oP1#=$$7ee|xbY)A
zDZq+cuTpc(fFdj^=!;{k03C69lMQ(|>uhRfRu%+!k&<F<Z7l=VnwB^RA&^APMi=Tn
zNc}%IJL~xB4OP6bJNwAw)~Ma2=UP0dhr%X=kco(it+@F<#$xrIJ8@|{Buh<)h`xg?
z_U}pe=3#zmDfdqE4`Hyn<!?&CfCp#GTeXo8;AYd1Opd&cXER8cBSOF3iFJ#XPgQVp
zZSiQf7V^Dt?ITs8aMF~e1hq0P@^oB)#byh|6q_7F1B%ST%WL~J?ySn>YOi-3|1QKB
z<?_cUy)V3go%%^l)lRa=dmY_XQG3Z{Q?52d$qG}vIe|EZbYEtrR$rh(iS)O#dU-(>
z?n?eq1XP>p-IM$Z^C;2L3itnbJZAip*Zo0aw2bs8@(s^~*8T9go!%dHcAz2lM;`yp
zD=7&xjFV$S&5uDaiScyD?B-i1ze`+CoRtz`Wn+Zl&#<i<Zx(`=7k~{%`w&<EbG}U<
z0%E^8lyw>s4&}MO{@N!ufrzjG$B79)Y2d3tBk&)TxUTw@<TSeYlROCt(gU?O((-qu
zs>QS0TEL_?njX|<LXnSC4TlId(D4W|GQ?L@$3Ue@N8p=l9-sC<=z(lPk;^sT(v2*k
zc~vp#Hp`mXjzhml2NMCh^h5)sqsan+jJ_l<a4w|G&ac02hrz8#6|kFraA~rta0}!q
zB4BE{QWY7MtxHn_xB);Avf#Lf<GG<A?Q3JVyc1p8^H}$8(Gn=_&F1!m8$sKyeue+L
z5&392wm+wO;_oXoTEJ=wxVXk}dt<d~CgUUMW_PPTe(c<7n18#mVaX)vK}-PzZq7<b
zNJbVTFaq(8ZLx|A*G$H3ugT2aVziDEGa66FVt@hr1|D{RWN6yuqlglM!rp^YG;UpG
zrnm?ek079l3VoOU^p%f^A9Yzn8IVX?^rB4LbgJ|PONhzM_0{P?S(V$OI=u5IBjfT#
z0ntLLnhg5$0fAHJaG6HCx4X7;RmvMtE}8C>@vq?Uz(nBFK5Pq7*xj#u*R&i|?7+6#
z+|r_n#SW&LXhtheZdah{ZVoqwyT{D>MC3nkFF#N)xLi{p7J1jXlmVeb;cP5?e(=f#
zuT7fv<Q3o5LspCx-RPkzLw{VsDE>jSbjS781v?7{)-X3*?>tq?)Yd)~|1{BDS(pqC
zC}~H#WXlkUW*H5CDOo<)#x7%RY)A;ShGhI5s*#cRDA8YgqG(HeKDx+#(ZQ?386dv!
zlXCO)w91~Vw4AmOcATuV653fa9R$fyK8<JV*@W33SMHM;w!OmUXar{O;_8j>ul%rG
z-<zwGD)!Y{+(T{%ob~79zpXX%zulyiy1_UHWvu@YqxKAK3e9GO6Os4R0Naujn>wfS
zihugoZyr38Im?Zuh6@RcF~t1anQu7>#lPpb#}4cOA!EM11`%f*07RqOVkmX{p~KJ9
z^zP;K#|)$`^Rb{rnH<AdQ^(;gQMcF>GH{~>1(fawV0*Z#)}M`m8-?ZJV<+e}s9wE#
z)l&az?w^5{)`S(%MRzxdNqrs1n*-=jS^_jqE*5XDrA0+VE`5^*p3CuM<&dZEeCjoz
zR;uu_H9ZPZV|fQq`Cyw4nscrVwi!fE6ciMmX$!_hN7uF;jjKG)d2@aC4ropY)8<!P
zAOHj?oPbjQ%hh|vE_1IMB)43eQpeLi&)R>etW=xJvni)8eHi`H$%#zn^WJ<U7gogJ
z?A^!2J~rI78JH|Ml2EldmKY5K8;Zx(FGcBdM<5oe#G+nd6dObqz@Af%%M*aBE_pn8
zXQo2`Bw*IwvP3#1Ev<%YocpBodO9+Rw~`5*CY3{L;qf1PxV!r%NI+#Q1f8GU7$~#U
zAA9$4&g-k=8BYi*3i@0^UX}nTQVyOf)8T(}G^Ti?Vqvk~bJRR#EAQ?u`dClPxk@{;
zxvO?%jSX`2{8|^z0*C5DR1Z^>5NLc-rqk|u&&4Z6fD_m&JfSI1Bvb?b<*n&sfl0^t
z=HnmRl`XrFvMKB%9}>PaA`m-fK6a0(8=qPkWS5bb4=v?XcWi&hRY?O5HdulRi4?fN
zlsJ*N-0Qw+Yic@s0(2uy%F@ib;GjXt01F<S%GT3P{Ck&Y*^gWuie`o_g+ZNDNIV|F
z)zEe|Ij*4$H1(<RLz0($;AD3VsUJwI@liw^?fh(V?VC`Sz7h`*Q<VYlhbHJ?&h+!W
zAJC)U;Lx_QRaSNFYbyi|7+MeNTgA+Znh}qFzf>mx5XbRo6+n|pP(&nodMoap^z{~q
ziEeaUT@Mxe3vJSfI6?uLND(CNr=#^W<1b}jzW58bIfyWTDle$mmS(|x-0|2UlX+9k
zQ<WB5+u#`K#~J$81)#?BuTOKLk|+S>^EX7Nw}?EzVoBfT(-LT|=9N@^hcn-_p&sqG
z&*oVs2JSU+N4ZD`FhCAWaS;>|wH2G*Id|?pa#@>tyxX`+4HyIArWDvVrX)2WAOQff
z0qyHu&-S@i^MS-+j--!pr4fPBj~_8({~e1bfcl0wI1kaoN>mJL6KUPQm5N7lB(ui1
zE-o%kq)&djzWJ}ob<-GfDlkB;F31j-VHKvQUGQ3sp`CwyGJk_i!y^sD0fqC@$9|jO
zOqN!r!8-p==F@ZVP=U$qSpY(gQ0)59P1&t@y?5rvg<}E+GB}2<F#{*|k0E{$&_`~)
zkzDcsi#!7r<a8lPUCMj?{CK;e|9#-xj>6NYPp4f2YFQrQtot5mn3wu_qprZ=>Ig-$
zbW26Ws~IgY>}^5w`vTB(G`PTZaDiGBo5o(tp)qli|NeV(<Rzgqw(Ze!7hEGKKx((>
z@H_=R8V39rt5J5YB2Ky?4eJJ#b`_iBe2ot~6%7mLt5t8Vwi^Jy7|jWXqa3amOIoRb
zOr}WVFP--DsS`1WpN%~)t3R!arKF^Q$e12KEqU36AWwnCBICpH4XCsfnyrHr>$I$4
z!DpKX$OKLWarN7nv@!uIA+~RNO)l$$w}p(;b>mx8pwYvu;dD_unryX_N<mojSrG!`
zgkqx4t<XLL6ZUppvjeV9PJ6dG>hT8*Tj>BTrTTL&!?O+%Rv;b?B??gSzdp?6Uug9{
zd@V08Z$BdI?fpoCS$)t4mg4rT8Q_I}h`0d-vYZ^|dOB*Q^S|xqTV*<bTMtKO;_Z)R
zRSOJrd5TFO0aO%#%-sNa{`SiQ^$$1^@oUd&^lB{MKZ>vIg?@fVFSmMpaw0qtTRbx}
z({Pg?#{2`sc9)M5N$*N|4;^t$+Q<Wh^yJ?FzJ*$wiB{j;CMy+?m1MbsJo0ubR==f9
z>P?#mo<zt1E6=Ilm*nbmYmpxfAj7*m*Wh@=7|;!%(-pviW`nuCktLveet9^$*y^>v
zGVC@I*lBVrOU-%2y!7%)fAKjpEFsgQc4{amtiHb95KQEwvf<(3T<9-Zm$xIew#P22
zc2Ix|App^>v6(3L_MCU0d3W##AB<Fxl*nmny6_RsCu%1a)so}}uCXSzwY70Y@uTxK
z=5nu(N*2HDbrIcL)t_*{*84mvmV_Y9<vxHJJ;0gUdNjyW)jDb|@|j*qR8;gsMa5Ir
z02fHv=%xyN9VLv_ZLL4y|F*p$S^^T47m{aok5{rmM{$s7^Xu2!_fo1$IG6kkG_Tgx
zFfjPm3;g>0M~3D00EWoKZqsJYT(#@w$Y_H7G22M~ApVFTRHMI_3be)Lkn#0F*V8Pq
zc}`Cjy$bE;FJ6H7p=0y#R>`}-m4(0F>%@P|?7fx{=R^uFdISRnZ2W_xQhD{YuR3t<
z{6yxu=4~JkeA;|(J6_nv#>Nvs&FuLA&PW^he@t(UwFFE8)|a!R{`E`K`i^ZnyE4$k
z;(749Ix|oi$c3QbEJ3b~D_kQsPz~fIUKym($a_7dJ?o+40*OLl^{=&oq$<#Q(yyrp
z{J-FAniyAw9tPbe&IhQ|a`DqFTVQGQ&Gq3!C2==4x{6EJwiPZ8zub-iXoUtkJiG{}
zPaR&}_fn8_z~(=;5lD-aPWD3z8PZS@AaUiomF!G8I}Mf>e~0g#BelA-5#`cj;O5>N
Xviia!U7SGha1wx#SCgwmn*{w2TRX*I

literal 0
HcmV?d00001

diff --git a/auth_jwt/tests/__init__.py b/auth_jwt/tests/__init__.py
new file mode 100644
index 0000000000..3a4e62d18f
--- /dev/null
+++ b/auth_jwt/tests/__init__.py
@@ -0,0 +1 @@
+from . import test_auth_jwt
diff --git a/auth_jwt/tests/test_auth_jwt.py b/auth_jwt/tests/test_auth_jwt.py
new file mode 100644
index 0000000000..5d8c660f84
--- /dev/null
+++ b/auth_jwt/tests/test_auth_jwt.py
@@ -0,0 +1,229 @@
+# Copyright 2021 ACSONE SA/NV
+# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+
+import contextlib
+import time
+from unittest.mock import Mock
+
+from jose import jwt
+
+import odoo.http
+from odoo.exceptions import ValidationError
+from odoo.tests.common import TransactionCase
+from odoo.tools import mute_logger
+from odoo.tools.misc import DotDict
+
+from ..exceptions import (
+    AmbiguousJwtValidator,
+    JwtValidatorNotFound,
+    UnauthorizedInvalidToken,
+    UnauthorizedMalformedAuthorizationHeader,
+    UnauthorizedMissingAuthorizationHeader,
+    UnauthorizedPartnerNotFound,
+)
+
+
+class TestAuthMethod(TransactionCase):
+    @contextlib.contextmanager
+    def _mock_request(self, authorization):
+        request = Mock(
+            context={},
+            db=self.env.cr.dbname,
+            uid=None,
+            httprequest=Mock(environ={"HTTP_AUTHORIZATION": authorization}),
+            session=DotDict(),
+        )
+
+        with contextlib.ExitStack() as s:
+            odoo.http._request_stack.push(request)
+            s.callback(odoo.http._request_stack.pop)
+            yield request
+
+    def _create_token(
+        self,
+        key="thesecret",
+        audience="me",
+        issuer="http://the.issuer",
+        exp_delta=100,
+        email=None,
+    ):
+        payload = dict(aud=audience, iss=issuer, exp=time.time() + exp_delta)
+        if email:
+            payload["email"] = email
+        return jwt.encode(payload, key=key, algorithm="HS256")
+
+    def _create_validator(self, name, audience="me", partner_id_required=False):
+        return self.env["auth.jwt.validator"].create(
+            dict(
+                name=name,
+                signature_type="secret",
+                secret_algorithm="HS256",
+                secret_key="thesecret",
+                audience=audience,
+                issuer="http://the.issuer",
+                user_id_strategy="static",
+                partner_id_strategy="email",
+                partner_id_required=partner_id_required,
+            )
+        )
+
+    @contextlib.contextmanager
+    def _commit_validator(self, name, audience="me", partner_id_required=False):
+        validator = self._create_validator(
+            name=name, audience=audience, partner_id_required=partner_id_required
+        )
+        # commit because IrHttp._auth_method_jwt will look for validator in another tx
+        self.env.cr.commit()  # pylint: disable=invalid-commit
+        try:
+            yield validator
+        finally:
+            validator.unlink()
+            self.env.cr.commit()  # pylint: disable=invalid-commit
+
+    def test_missing_authorization_header(self):
+        with self._mock_request(authorization=None):
+            with self.assertRaises(UnauthorizedMissingAuthorizationHeader):
+                self.env["ir.http"]._auth_method_jwt()
+
+    def test_malformed_authorization_header(self):
+        for authorization in (
+            "a",
+            "Bearer",
+            "Bearer ",
+            "Bearer x y",
+            "Bearer token ",
+            "bearer token",
+        ):
+            with self._mock_request(authorization=authorization):
+                with self.assertRaises(UnauthorizedMalformedAuthorizationHeader):
+                    self.env["ir.http"]._auth_method_jwt()
+
+    def test_auth_method_valid_token(self):
+        with self._commit_validator("validator"):
+            authorization = "Bearer " + self._create_token()
+            with self._mock_request(authorization=authorization):
+                self.env["ir.http"]._auth_method_jwt_validator()
+
+    def test_auth_method_valid_token_two_validators(self):
+        with self._commit_validator(
+            "validator2", audience="bad"
+        ), self._commit_validator("validator3"):
+            authorization = "Bearer " + self._create_token()
+            with self._mock_request(authorization=authorization):
+                # first validator rejects the token because of invalid audience
+                with self.assertRaises(UnauthorizedInvalidToken):
+                    self.env["ir.http"]._auth_method_jwt_validator2()
+                # second validator accepts the token
+                self.env["ir.http"]._auth_method_jwt_validator3()
+
+    def test_auth_method_invalid_token(self):
+        # Test invalid token via _auth_method_jwt
+        # Other types of invalid tokens are unit tested elswhere.
+        with self._commit_validator("validator4"):
+            authorization = "Bearer " + self._create_token(audience="bad")
+            with self._mock_request(authorization=authorization):
+                with self.assertRaises(UnauthorizedInvalidToken):
+                    self.env["ir.http"]._auth_method_jwt_validator4()
+
+    def test_user_id_strategy(self):
+        with self._commit_validator("validator5") as validator:
+            authorization = "Bearer " + self._create_token()
+            with self._mock_request(authorization=authorization) as request:
+                self.env["ir.http"]._auth_method_jwt_validator5()
+                self.assertEqual(request.uid, validator.static_user_id.id)
+
+    def test_partner_id_strategy_email_found(self):
+        partner = self.env["res.partner"].search([("email", "!=", False)])[0]
+        with self._commit_validator("validator6"):
+            authorization = "Bearer " + self._create_token(email=partner.email)
+            with self._mock_request(authorization=authorization) as request:
+                self.env["ir.http"]._auth_method_jwt_validator6()
+                self.assertEqual(request.jwt_partner_id, partner.id)
+
+    def test_partner_id_strategy_email_not_found(self):
+        with self._commit_validator("validator6"):
+            authorization = "Bearer " + self._create_token(
+                email="notanemail@example.com"
+            )
+            with self._mock_request(authorization=authorization) as request:
+                self.env["ir.http"]._auth_method_jwt_validator6()
+                self.assertFalse(request.jwt_partner_id)
+
+    def test_partner_id_strategy_email_not_found_partner_required(self):
+        with self._commit_validator("validator6", partner_id_required=True):
+            authorization = "Bearer " + self._create_token(
+                email="notanemail@example.com"
+            )
+            with self._mock_request(authorization=authorization):
+                with self.assertRaises(UnauthorizedPartnerNotFound):
+                    self.env["ir.http"]._auth_method_jwt_validator6()
+
+    def test_get_validator(self):
+        AuthJwtValidator = self.env["auth.jwt.validator"]
+        AuthJwtValidator.search([]).unlink()
+        with self.assertRaises(JwtValidatorNotFound), mute_logger(
+            "odoo.addons.auth_jwt.models.auth_jwt_validator"
+        ):
+            AuthJwtValidator._get_validator_by_name(None)
+        with self.assertRaises(JwtValidatorNotFound), mute_logger(
+            "odoo.addons.auth_jwt.models.auth_jwt_validator"
+        ):
+            AuthJwtValidator._get_validator_by_name("notavalidator")
+        validator1 = self._create_validator(name="validator1")
+        with self.assertRaises(JwtValidatorNotFound), mute_logger(
+            "odoo.addons.auth_jwt.models.auth_jwt_validator"
+        ):
+            AuthJwtValidator._get_validator_by_name("notavalidator")
+        self.assertEqual(AuthJwtValidator._get_validator_by_name(None), validator1)
+        self.assertEqual(
+            AuthJwtValidator._get_validator_by_name("validator1"), validator1
+        )
+        # create a second validator
+        validator2 = self._create_validator(name="validator2")
+        with self.assertRaises(AmbiguousJwtValidator), mute_logger(
+            "odoo.addons.auth_jwt.models.auth_jwt_validator"
+        ):
+            AuthJwtValidator._get_validator_by_name(None)
+        self.assertEqual(
+            AuthJwtValidator._get_validator_by_name("validator2"), validator2
+        )
+
+    def test_bad_tokens(self):
+        validator = self._create_validator("validator")
+        token = self._create_token(key="badsecret")
+        with self.assertRaises(UnauthorizedInvalidToken):
+            validator._decode(token)
+        token = self._create_token(audience="badaudience")
+        with self.assertRaises(UnauthorizedInvalidToken):
+            validator._decode(token)
+        token = self._create_token(issuer="badissuer")
+        with self.assertRaises(UnauthorizedInvalidToken):
+            validator._decode(token)
+        token = self._create_token(exp_delta=-100)
+        with self.assertRaises(UnauthorizedInvalidToken):
+            validator._decode(token)
+
+    def test_auth_method_registration_on_create(self):
+        IrHttp = self.env["ir.http"]
+        self.assertFalse(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))
+        self._create_validator("validator1")
+        self.assertTrue(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))
+
+    def test_auth_method_unregistration_on_unlink(self):
+        IrHttp = self.env["ir.http"]
+        validator = self._create_validator("validator1")
+        self.assertTrue(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))
+        validator.unlink()
+        self.assertFalse(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))
+
+    def test_auth_method_registration_on_rename(self):
+        IrHttp = self.env["ir.http"]
+        validator = self._create_validator("validator1")
+        self.assertTrue(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))
+        validator.name = "validator2"
+        self.assertFalse(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))
+        self.assertTrue(hasattr(IrHttp.__class__, "_auth_method_jwt_validator2"))
+
+    def test_name_check(self):
+        with self.assertRaises(ValidationError):
+            self._create_validator(name="not an identifier")
diff --git a/auth_jwt/views/auth_jwt_validator_views.xml b/auth_jwt/views/auth_jwt_validator_views.xml
new file mode 100644
index 0000000000..11c9c42e75
--- /dev/null
+++ b/auth_jwt/views/auth_jwt_validator_views.xml
@@ -0,0 +1,88 @@
+<?xml version="1.0" ?>
+<odoo>
+    <record id="view_auth_jwt_validator_form" model="ir.ui.view">
+        <field name="name">auth.jwt.validator.form</field>
+        <field name="model">auth.jwt.validator</field>
+        <field name="arch" type="xml">
+            <form string="arch">
+                <sheet>
+                    <group col="4">
+                        <group colspan="2">
+                            <field name="name" />
+                            <field name="audience" />
+                        </group>
+                        <group colspan="2">
+                            <field name="issuer" />
+                            <field name="signature_type" />
+                            <field
+                                name="secret_key"
+                                string="Key"
+                                attrs="{'invisible': [('signature_type', '!=', 'secret')],
+                                    'required': [('signature_type', '=', 'secret')]}"
+                            />
+                            <field
+                                name="secret_algorithm"
+                                string="Algorithm"
+                                attrs="{'invisible': [('signature_type', '!=', 'secret')],
+                                    'required': [('signature_type', '=', 'secret')]}"
+                            />
+                            <field
+                                name="public_key_jwk_uri"
+                                string="JWK URI"
+                                attrs="{'invisible': [('signature_type', '!=', 'public_key')],
+                                    'required': [('signature_type', '=', 'public_key')]}"
+                                widget="url"
+                            />
+                            <field
+                                name="public_key_algorithm"
+                                string="Algorithm"
+                                attrs="{'invisible': [('signature_type', '!=', 'public_key')],
+                                    'required': [('signature_type', '=', 'public_key')]}"
+                            />
+                        </group>
+                        <group colspan="2">
+                            <field name="user_id_strategy" />
+                            <field
+                                name="static_user_id"
+                                attrs="{'invisible': [('user_id_strategy', '!=', 'static')],
+                                        'required': [('user_id_strategy', '=', 'static')]}"
+                            />
+                        </group>
+                        <group colspan="2">
+                            <field name="partner_id_strategy" />
+                            <field name="partner_id_required" />
+                        </group>
+                    </group>
+                </sheet>
+            </form>
+        </field>
+    </record>
+    <record id="view_auth_jwt_validator_tree" model="ir.ui.view">
+        <field name="name">auth.jwt.validator.tree</field>
+        <field name="model">auth.jwt.validator</field>
+        <field name="arch" type="xml">
+            <tree string="arch">
+                <field name="name" />
+                <field name="issuer" />
+                <field name="audience" />
+                <field name="signature_type" />
+                <field name="user_id_strategy" />
+                <field name="partner_id_strategy" />
+                <field name="partner_id_required" />
+            </tree>
+        </field>
+    </record>
+    <record id="action_auth_jwt_validator" model="ir.actions.act_window">
+        <field name="name">JWT Validators</field>
+        <field name="res_model">auth.jwt.validator</field>
+        <field name="view_mode">tree,form</field>
+    </record>
+    <menuitem
+        id="menu_auth_jwt_validator"
+        name="JWT Validators"
+        parent="base.menu_users"
+        sequence="30"
+        action="action_auth_jwt_validator"
+        groups="base.group_no_one"
+    />
+</odoo>

From da4dfd00c2cccceea41a392aa3c87024e3c4a5aa Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Wed, 28 Apr 2021 15:01:08 +0200
Subject: [PATCH 02/43] auth_jwt: use PyJWT instead of python-jose

Because it allows validating with a list of audiences.
---
 auth_jwt/README.rst                   |  2 +-
 auth_jwt/__manifest__.py              |  2 +-
 auth_jwt/models/auth_jwt_validator.py | 13 ++++++++-----
 auth_jwt/readme/INSTALL.rst           |  2 +-
 auth_jwt/tests/test_auth_jwt.py       |  2 +-
 5 files changed, 12 insertions(+), 9 deletions(-)

diff --git a/auth_jwt/README.rst b/auth_jwt/README.rst
index cf670acff7..cf7ec02b57 100644
--- a/auth_jwt/README.rst
+++ b/auth_jwt/README.rst
@@ -35,7 +35,7 @@ JWT bearer token authentication.
 Installation
 ============
 
-This module requires the ``python-jose`` library to be installed.
+This module requires the ``pyjwt`` library to be installed.
 
 Usage
 =====
diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
index e632e255c8..af3a772047 100644
--- a/auth_jwt/__manifest__.py
+++ b/auth_jwt/__manifest__.py
@@ -11,7 +11,7 @@
     "maintainers": ["sbidoul"],
     "website": "https://github.com/OCA/server-auth",
     "depends": [],
-    "external_dependencies": {"python": ["python-jose", "cryptography"]},
+    "external_dependencies": {"python": ["pyjwt", "cryptography"]},
     "data": ["security/ir.model.access.csv", "views/auth_jwt_validator_views.xml"],
     "demo": [],
 }
diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index 5490356ccc..b25ace08a0 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -4,8 +4,8 @@
 import logging
 from functools import partial
 
+import jwt  # pylint: disable=missing-manifest-dependency
 import requests
-from jose import jwt  # pylint: disable=missing-manifest-dependency
 from werkzeug.exceptions import InternalServerError
 
 from odoo import _, api, fields, models, tools
@@ -94,7 +94,7 @@ def _decode(self, token):
         else:
             try:
                 header = jwt.get_unverified_header(token)
-            except jwt.JWTError as e:
+            except Exception as e:
                 _logger.info("Invalid token: %s", e)
                 raise UnauthorizedInvalidToken()
             key = self._get_key(header.get("kid"))
@@ -105,12 +105,15 @@ def _decode(self, token):
                 key=key,
                 algorithms=[algorithm],
                 options=dict(
-                    require_exp=True, verify_exp=True, verify_aud=True, verify_iss=True
+                    require=["exp", "aud", "iss"],
+                    verify_exp=True,
+                    verify_aud=True,
+                    verify_iss=True,
                 ),
-                audience=self.audience,
+                audience=[self.audience],
                 issuer=self.issuer,
             )
-        except jwt.JWTError as e:
+        except Exception as e:
             _logger.info("Invalid token: %s", e)
             raise UnauthorizedInvalidToken()
         return payload
diff --git a/auth_jwt/readme/INSTALL.rst b/auth_jwt/readme/INSTALL.rst
index 62a3d4fc43..9d8ccacf56 100644
--- a/auth_jwt/readme/INSTALL.rst
+++ b/auth_jwt/readme/INSTALL.rst
@@ -1 +1 @@
-This module requires the ``python-jose`` library to be installed.
+This module requires the ``pyjwt`` library to be installed.
diff --git a/auth_jwt/tests/test_auth_jwt.py b/auth_jwt/tests/test_auth_jwt.py
index 5d8c660f84..e30b078233 100644
--- a/auth_jwt/tests/test_auth_jwt.py
+++ b/auth_jwt/tests/test_auth_jwt.py
@@ -5,7 +5,7 @@
 import time
 from unittest.mock import Mock
 
-from jose import jwt
+import jwt
 
 import odoo.http
 from odoo.exceptions import ValidationError

From 22e8c80637e6b8b53193b62fc93bc0a3d10932a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Wed, 28 Apr 2021 15:08:31 +0200
Subject: [PATCH 03/43] auth_jwt: add signature algorithms

---
 auth_jwt/models/auth_jwt_validator.py | 27 ++++++++++++++++++++++++---
 1 file changed, 24 insertions(+), 3 deletions(-)

diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index b25ace08a0..855c49c08d 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -30,11 +30,32 @@ class AuthJwtValidator(models.Model):
         [("secret", "Secret"), ("public_key", "Public key")], required=True
     )
     secret_key = fields.Char()
-    secret_algorithm = fields.Selection([("HS256", "HS256")], default="HS256")  # TODO
+    secret_algorithm = fields.Selection(
+        [
+            # https://pyjwt.readthedocs.io/en/stable/algorithms.html
+            ("HS256", "HS256 - HMAC using SHA-256 hash algorithm"),
+            ("HS384", "HS384 - HMAC using SHA-384 hash algorithm"),
+            ("HS512", "HS512 - HMAC using SHA-512 hash algorithm"),
+        ],
+        default="HS256",
+    )
     public_key_jwk_uri = fields.Char()
     public_key_algorithm = fields.Selection(
-        [("RS256", "RS256")], default="RS256"
-    )  # TODO
+        [
+            # https://pyjwt.readthedocs.io/en/stable/algorithms.html
+            ("ES256", "ES256 - ECDSA using SHA-256"),
+            ("ES256K", "ES256K - ECDSA with secp256k1 curve using SHA-256"),
+            ("ES384", "ES384 - ECDSA using SHA-384"),
+            ("ES512", "ES512 - ECDSA using SHA-512"),
+            ("RS256", "RS256 - RSASSA-PKCS1-v1_5 using SHA-256"),
+            ("RS384", "RS384 - RSASSA-PKCS1-v1_5 using SHA-384"),
+            ("RS512", "RS512 - RSASSA-PKCS1-v1_5 using SHA-512"),
+            ("PS256", "PS256 - RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256"),
+            ("PS384", "PS384 - RSASSA-PSS using SHA-384 and MGF1 padding with SHA-384"),
+            ("PS512", "PS512 - RSASSA-PSS using SHA-512 and MGF1 padding with SHA-512"),
+        ],
+        default="RS256",
+    )
     audience = fields.Char(required=True, help="To validate aud.")
     issuer = fields.Char(required=True, help="To validate iss.")
     user_id_strategy = fields.Selection(

From 910a716044f8a70fe1109c2983f92f8b0317f592 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Wed, 28 Apr 2021 15:17:53 +0200
Subject: [PATCH 04/43] auth_jwt: support multiple audiences

---
 auth_jwt/models/auth_jwt_validator.py |  6 ++++--
 auth_jwt/readme/USAGE.rst             |  3 ++-
 auth_jwt/tests/test_auth_jwt.py       | 10 ++++++++++
 3 files changed, 16 insertions(+), 3 deletions(-)

diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index 855c49c08d..c8a6f397ab 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -56,7 +56,9 @@ class AuthJwtValidator(models.Model):
         ],
         default="RS256",
     )
-    audience = fields.Char(required=True, help="To validate aud.")
+    audience = fields.Char(
+        required=True, help="Comma separated list of audiences, to validate aud."
+    )
     issuer = fields.Char(required=True, help="To validate iss.")
     user_id_strategy = fields.Selection(
         [("static", "Static")], required=True, default="static"
@@ -131,7 +133,7 @@ def _decode(self, token):
                     verify_aud=True,
                     verify_iss=True,
                 ),
-                audience=[self.audience],
+                audience=self.audience.split(","),
                 issuer=self.issuer,
             )
         except Exception as e:
diff --git a/auth_jwt/readme/USAGE.rst b/auth_jwt/readme/USAGE.rst
index d8bd837037..749615fa1f 100644
--- a/auth_jwt/readme/USAGE.rst
+++ b/auth_jwt/readme/USAGE.rst
@@ -15,7 +15,8 @@ The JWT validator can be configured with the following properties:
 
 * ``name``: the validator name, to match the ``auth="jwt_{validator-name}"``
   route property.
-* ``audience``: used to validate the ``aud`` claim.
+* ``audience``: a comma-separated list of allowed audiences, used to validate
+  the ``aud`` claim.
 * ``issuer``: used to validate the ``iss`` claim.
 * Signature type (secret or public key), algorithm, secret and JWK URI
   are used to validate the token signature.
diff --git a/auth_jwt/tests/test_auth_jwt.py b/auth_jwt/tests/test_auth_jwt.py
index e30b078233..fd115ec246 100644
--- a/auth_jwt/tests/test_auth_jwt.py
+++ b/auth_jwt/tests/test_auth_jwt.py
@@ -203,6 +203,16 @@ def test_bad_tokens(self):
         with self.assertRaises(UnauthorizedInvalidToken):
             validator._decode(token)
 
+    def test_multiple_aud(self):
+        validator = self._create_validator("validator", audience="a1,a2")
+        token = self._create_token(audience="a1")
+        validator._decode(token)
+        token = self._create_token(audience="a2")
+        validator._decode(token)
+        token = self._create_token(audience="a3")
+        with self.assertRaises(UnauthorizedInvalidToken):
+            validator._decode(token)
+
     def test_auth_method_registration_on_create(self):
         IrHttp = self.env["ir.http"]
         self.assertFalse(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))

From 40aedcca5f7ae37d942a5a9bd246a076da7c6c32 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Wed, 28 Apr 2021 15:28:26 +0200
Subject: [PATCH 05/43] auth_jwt: add nbf validation test

---
 auth_jwt/tests/test_auth_jwt.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/auth_jwt/tests/test_auth_jwt.py b/auth_jwt/tests/test_auth_jwt.py
index fd115ec246..c38f522daa 100644
--- a/auth_jwt/tests/test_auth_jwt.py
+++ b/auth_jwt/tests/test_auth_jwt.py
@@ -45,11 +45,14 @@ def _create_token(
         audience="me",
         issuer="http://the.issuer",
         exp_delta=100,
+        nbf=None,
         email=None,
     ):
         payload = dict(aud=audience, iss=issuer, exp=time.time() + exp_delta)
         if email:
             payload["email"] = email
+        if nbf:
+            payload["nbf"] = nbf
         return jwt.encode(payload, key=key, algorithm="HS256")
 
     def _create_validator(self, name, audience="me", partner_id_required=False):
@@ -213,6 +216,14 @@ def test_multiple_aud(self):
         with self.assertRaises(UnauthorizedInvalidToken):
             validator._decode(token)
 
+    def test_nbf(self):
+        validator = self._create_validator("validator")
+        token = self._create_token(nbf=time.time() - 60)
+        validator._decode(token)
+        token = self._create_token(nbf=time.time() + 60)
+        with self.assertRaises(UnauthorizedInvalidToken):
+            validator._decode(token)
+
     def test_auth_method_registration_on_create(self):
         IrHttp = self.env["ir.http"]
         self.assertFalse(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))

From 06897a44667a1e64f7d54a04afe7389ea90f52f2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Thu, 29 Apr 2021 14:37:15 +0200
Subject: [PATCH 06/43] auth_jwt: docs clarification and fixes

---
 auth_jwt/readme/USAGE.rst | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/auth_jwt/readme/USAGE.rst b/auth_jwt/readme/USAGE.rst
index 749615fa1f..03390e3cf0 100644
--- a/auth_jwt/readme/USAGE.rst
+++ b/auth_jwt/readme/USAGE.rst
@@ -30,11 +30,18 @@ If the token is valid, the request executes with the configured user id. By
 default the user id selection strategy is ``static`` (i.e. the same for all
 requests) and the selected user is configured on the JWT validator. Additional
 strategies can be provided by overriding the ``_get_uid()`` method and
-extending the ``user_id_strategy`` selection field..
+extending the ``user_id_strategy`` selection field.
+
+The selected user is *not* stored in the session. It is only available in
+``request.uid`` (and thus it is the one used in ``request.env``). To avoid any
+confusion and mismatches between the bearer token and the session, this module
+rejects requests made with an authenticated user session.
 
 Additionally, if a ``partner_id_strategy`` is configured, a partner is searched
-and if found, its id is stored in the ``request.partner_id`` attribute. If
+and if found, its id is stored in the ``request.jwt_partner_id`` attribute. If
 ``partner_id_required`` is set, a 401 (Unauthorized) is returned if no partner
-was found. Otherwise ``request.partner_id`` is left falsy. Additional
+was found. Otherwise ``request.jwt_partner_id`` is left falsy. Additional
 strategies can be provided by overriding the ``_get_partner_id()`` method
 and extending the ``partner_id_strategy`` selection field.
+
+The decoded JWT payload is stored in ``request.jwt_payload``.

From 05a10d5d166c89700abae543dced8ed3a6ea4445 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Fri, 25 Jun 2021 19:37:16 +0200
Subject: [PATCH 07/43] auth_jwt: fix jwks URI support

Make it work with pyjwt.
---
 auth_jwt/models/auth_jwt_validator.py | 11 +++--------
 1 file changed, 3 insertions(+), 8 deletions(-)

diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index c8a6f397ab..e5813f193d 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -5,7 +5,7 @@
 from functools import partial
 
 import jwt  # pylint: disable=missing-manifest-dependency
-import requests
+from jwt import PyJWKClient
 from werkzeug.exceptions import InternalServerError
 
 from odoo import _, api, fields, models, tools
@@ -101,13 +101,8 @@ def _get_validator_by_name(self, validator_name):
 
     @tools.ormcache("self.public_key_jwk_uri", "kid")
     def _get_key(self, kid):
-        r = requests.get(self.public_key_jwk_uri)
-        r.raise_for_status()
-        response = r.json()
-        for key in response["keys"]:
-            if key["kid"] == kid:
-                return key
-        return {}
+        jwks_client = PyJWKClient(self.public_key_jwk_uri, cache_keys=False)
+        return jwks_client.get_signing_key(kid).key
 
     def _decode(self, token):
         """Validate and decode a JWT token, return the payload."""

From 89dd810f80a9fb2c48df4969ae9c682aadfcbf37 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Sun, 25 Jul 2021 17:17:16 +0200
Subject: [PATCH 08/43] auth_jwt: mock instead of committing in tests

---
 auth_jwt/tests/test_auth_jwt.py | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/auth_jwt/tests/test_auth_jwt.py b/auth_jwt/tests/test_auth_jwt.py
index c38f522daa..7901f23c95 100644
--- a/auth_jwt/tests/test_auth_jwt.py
+++ b/auth_jwt/tests/test_auth_jwt.py
@@ -75,13 +75,24 @@ def _commit_validator(self, name, audience="me", partner_id_required=False):
         validator = self._create_validator(
             name=name, audience=audience, partner_id_required=partner_id_required
         )
-        # commit because IrHttp._auth_method_jwt will look for validator in another tx
-        self.env.cr.commit()  # pylint: disable=invalid-commit
+
+        def _mocked_get_validator_by_name(self, validator_name):
+            if validator_name == name:
+                return validator
+            return self.env["auth.jwt.validator"]._get_validator_by_name.origin(
+                self, validator_name
+            )
+
         try:
+            # Patch _get_validator_by_name because IrHttp._auth_method_jwt
+            # will look for the validator in another transaction,
+            # where the validator we created above would not be visible.
+            self.env["auth.jwt.validator"]._patch_method(
+                "_get_validator_by_name", _mocked_get_validator_by_name
+            )
             yield validator
         finally:
-            validator.unlink()
-            self.env.cr.commit()  # pylint: disable=invalid-commit
+            self.env["auth.jwt.validator"]._revert_method("_get_validator_by_name")
 
     def test_missing_authorization_header(self):
         with self._mock_request(authorization=None):

From 16bc96b3db92e44e833079891361477d57af18df Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Mon, 26 Jul 2021 10:48:46 +0200
Subject: [PATCH 09/43] auth_jwt: more precise precondition check

---
 auth_jwt/models/ir_http.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/auth_jwt/models/ir_http.py b/auth_jwt/models/ir_http.py
index 5100fdfdac..5d0a02e027 100644
--- a/auth_jwt/models/ir_http.py
+++ b/auth_jwt/models/ir_http.py
@@ -38,7 +38,10 @@ def _authenticate(cls, auth_method="user"):
                     'A route with auth="jwt" must not be used within a user session.'
                 )
                 raise UnauthorizedSessionMismatch()
-            if request.uid:
+            # Odoo calls _authenticate more than once (in v14? why?), so
+            # on the second call we have a request uid and that is not an error
+            # because _authenticate will not call _auth_method_jwt a second time.
+            if request.uid and not hasattr(request, "jwt_payload"):
                 _logger.error(
                     'A route with auth="jwt" should not have a request.uid here.'
                 )

From 030164bd56513b69285161821227af5cbf1964c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Mon, 26 Jul 2021 13:09:37 +0200
Subject: [PATCH 10/43] Rename auth_jwt_test to auth_jwt_demo

---
 auth_jwt/README.rst       | 2 +-
 auth_jwt/readme/USAGE.rst | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/auth_jwt/README.rst b/auth_jwt/README.rst
index cf7ec02b57..f84ef84b14 100644
--- a/auth_jwt/README.rst
+++ b/auth_jwt/README.rst
@@ -51,7 +51,7 @@ To use it, you must:
   you want to protect where ``{validator-name}`` corresponds to the name
   attribute of the JWT validator record.
 
-The ``auth_jwt_test`` module provides examples.
+The ``auth_jwt_demo`` module provides examples.
 
 The JWT validator can be configured with the following properties:
 
diff --git a/auth_jwt/readme/USAGE.rst b/auth_jwt/readme/USAGE.rst
index 03390e3cf0..40b52af6ac 100644
--- a/auth_jwt/readme/USAGE.rst
+++ b/auth_jwt/readme/USAGE.rst
@@ -9,7 +9,7 @@ To use it, you must:
   you want to protect where ``{validator-name}`` corresponds to the name
   attribute of the JWT validator record.
 
-The ``auth_jwt_test`` module provides examples.
+The ``auth_jwt_demo`` module provides examples.
 
 The JWT validator can be configured with the following properties:
 

From e6c93e2aae0e6caaddf1a30cfba5810c56371437 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Sun, 27 Jun 2021 17:04:28 +0200
Subject: [PATCH 11/43] [MIG] auth_jwt

---
 auth_jwt/__manifest__.py   | 2 +-
 auth_jwt/models/ir_http.py | 5 +++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
index af3a772047..bd7adbd946 100644
--- a/auth_jwt/__manifest__.py
+++ b/auth_jwt/__manifest__.py
@@ -5,7 +5,7 @@
     "name": "Auth JWT",
     "summary": """
         JWT bearer token authentication.""",
-    "version": "13.0.1.0.0",
+    "version": "14.0.1.0.0",
     "license": "AGPL-3",
     "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
     "maintainers": ["sbidoul"],
diff --git a/auth_jwt/models/ir_http.py b/auth_jwt/models/ir_http.py
index 5d0a02e027..2b555d38c6 100644
--- a/auth_jwt/models/ir_http.py
+++ b/auth_jwt/models/ir_http.py
@@ -24,7 +24,7 @@ class IrHttpJwt(models.AbstractModel):
     _inherit = "ir.http"
 
     @classmethod
-    def _authenticate(cls, auth_method="user"):
+    def _authenticate(cls, endpoint):
         """Protect the _authenticate method.
 
         This is to ensure that the _authenticate method is called
@@ -32,6 +32,7 @@ def _authenticate(cls, auth_method="user"):
         When migrating, review this method carefully by reading the original
         _authenticate method and make sure the conditions have not changed.
         """
+        auth_method = endpoint.routing["auth"]
         if auth_method == "jwt" or auth_method.startswith("jwt_"):
             if request.session.uid:
                 _logger.warning(
@@ -46,7 +47,7 @@ def _authenticate(cls, auth_method="user"):
                     'A route with auth="jwt" should not have a request.uid here.'
                 )
                 raise UnauthorizedSessionMismatch()
-        return super()._authenticate(auth_method)
+        return super()._authenticate(endpoint)
 
     @classmethod
     def _auth_method_jwt(cls, validator_name=None):

From 2d167fdc0cb9778969e9673916cea21ec2c0e864 Mon Sep 17 00:00:00 2001
From: oca-travis <oca+oca-travis@odoo-community.org>
Date: Wed, 28 Jul 2021 17:59:00 +0000
Subject: [PATCH 12/43] [UPD] Update auth_jwt.pot

---
 auth_jwt/i18n/auth_jwt.pot | 255 +++++++++++++++++++++++++++++++++++++
 1 file changed, 255 insertions(+)
 create mode 100644 auth_jwt/i18n/auth_jwt.pot

diff --git a/auth_jwt/i18n/auth_jwt.pot b/auth_jwt/i18n/auth_jwt.pot
new file mode 100644
index 0000000000..5d22a8cac2
--- /dev/null
+++ b/auth_jwt/i18n/auth_jwt.pot
@@ -0,0 +1,255 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_jwt
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 14.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__audience
+msgid "Audience"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__audience
+msgid "Comma separated list of audiences, to validate aud."
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__create_uid
+msgid "Created by"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__create_date
+msgid "Created on"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__display_name
+#: model:ir.model.fields,field_description:auth_jwt.field_ir_http__display_name
+msgid "Display Name"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es256
+msgid "ES256 - ECDSA using SHA-256"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es256k
+msgid "ES256K - ECDSA with secp256k1 curve using SHA-256"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es384
+msgid "ES384 - ECDSA using SHA-384"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es512
+msgid "ES512 - ECDSA using SHA-512"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__partner_id_strategy__email
+msgid "From email claim"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs256
+msgid "HS256 - HMAC using SHA-256 hash algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs384
+msgid "HS384 - HMAC using SHA-384 hash algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs512
+msgid "HS512 - HMAC using SHA-512 hash algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model,name:auth_jwt.model_ir_http
+msgid "HTTP Routing"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__id
+#: model:ir.model.fields,field_description:auth_jwt.field_ir_http__id
+msgid "ID"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__issuer
+msgid "Issuer"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "JWK URI"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model,name:auth_jwt.model_auth_jwt_validator
+msgid "JWT Validator Configuration"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.actions.act_window,name:auth_jwt.action_auth_jwt_validator
+#: model:ir.ui.menu,name:auth_jwt.menu_auth_jwt_validator
+msgid "JWT Validators"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.constraint,message:auth_jwt.constraint_auth_jwt_validator_name_uniq
+msgid "JWT validator names must be unique !"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Key"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator____last_update
+#: model:ir.model.fields,field_description:auth_jwt.field_ir_http____last_update
+msgid "Last Modified on"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__write_uid
+msgid "Last Updated by"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__write_date
+msgid "Last Updated on"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__name
+msgid "Name"
+msgstr ""
+
+#. module: auth_jwt
+#: code:addons/auth_jwt/models/auth_jwt_validator.py:0
+#, python-format
+msgid "Name %r is not a valid python identifier."
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps256
+msgid "PS256 - RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps384
+msgid "PS384 - RSASSA-PSS using SHA-384 and MGF1 padding with SHA-384"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps512
+msgid "PS512 - RSASSA-PSS using SHA-512 and MGF1 padding with SHA-512"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__partner_id_required
+msgid "Partner Id Required"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__partner_id_strategy
+msgid "Partner Id Strategy"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__public_key_algorithm
+msgid "Public Key Algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__public_key_jwk_uri
+msgid "Public Key Jwk Uri"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__signature_type__public_key
+msgid "Public key"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs256
+msgid "RS256 - RSASSA-PKCS1-v1_5 using SHA-256"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs384
+msgid "RS384 - RSASSA-PKCS1-v1_5 using SHA-384"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs512
+msgid "RS512 - RSASSA-PKCS1-v1_5 using SHA-512"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__signature_type__secret
+msgid "Secret"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__secret_algorithm
+msgid "Secret Algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__secret_key
+msgid "Secret Key"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__signature_type
+msgid "Signature Type"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__user_id_strategy__static
+msgid "Static"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__static_user_id
+msgid "Static User"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__issuer
+msgid "To validate iss."
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__user_id_strategy
+msgid "User Id Strategy"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_tree
+msgid "arch"
+msgstr ""

From 6bc609b27d730153a0afb699ff306b5ecd02760d Mon Sep 17 00:00:00 2001
From: OCA-git-bot <oca-git-bot@odoo-community.org>
Date: Wed, 28 Jul 2021 19:49:00 +0000
Subject: [PATCH 13/43] [UPD] README.rst

---
 auth_jwt/README.rst                    |  26 +-
 auth_jwt/static/description/index.html | 470 +++++++++++++++++++++++++
 2 files changed, 487 insertions(+), 9 deletions(-)
 create mode 100644 auth_jwt/static/description/index.html

diff --git a/auth_jwt/README.rst b/auth_jwt/README.rst
index f84ef84b14..be0c8385b3 100644
--- a/auth_jwt/README.rst
+++ b/auth_jwt/README.rst
@@ -14,13 +14,13 @@ Auth JWT
     :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
     :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
-    :target: https://github.com/OCA/server-auth/tree/13.0/auth_jwt
+    :target: https://github.com/OCA/server-auth/tree/14.0/auth_jwt
     :alt: OCA/server-auth
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
-    :target: https://translation.odoo-community.org/projects/server-auth-13-0/server-auth-13-0-auth_jwt
+    :target: https://translation.odoo-community.org/projects/server-auth-14-0/server-auth-14-0-auth_jwt
     :alt: Translate me on Weblate
 .. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
-    :target: https://runbot.odoo-community.org/runbot/251/13.0
+    :target: https://runbot.odoo-community.org/runbot/251/14.0
     :alt: Try me on Runbot
 
 |badge1| |badge2| |badge3| |badge4| |badge5| 
@@ -57,7 +57,8 @@ The JWT validator can be configured with the following properties:
 
 * ``name``: the validator name, to match the ``auth="jwt_{validator-name}"``
   route property.
-* ``audience``: used to validate the ``aud`` claim.
+* ``audience``: a comma-separated list of allowed audiences, used to validate
+  the ``aud`` claim.
 * ``issuer``: used to validate the ``iss`` claim.
 * Signature type (secret or public key), algorithm, secret and JWK URI
   are used to validate the token signature.
@@ -71,22 +72,29 @@ If the token is valid, the request executes with the configured user id. By
 default the user id selection strategy is ``static`` (i.e. the same for all
 requests) and the selected user is configured on the JWT validator. Additional
 strategies can be provided by overriding the ``_get_uid()`` method and
-extending the ``user_id_strategy`` selection field..
+extending the ``user_id_strategy`` selection field.
+
+The selected user is *not* stored in the session. It is only available in
+``request.uid`` (and thus it is the one used in ``request.env``). To avoid any
+confusion and mismatches between the bearer token and the session, this module
+rejects requests made with an authenticated user session.
 
 Additionally, if a ``partner_id_strategy`` is configured, a partner is searched
-and if found, its id is stored in the ``request.partner_id`` attribute. If
+and if found, its id is stored in the ``request.jwt_partner_id`` attribute. If
 ``partner_id_required`` is set, a 401 (Unauthorized) is returned if no partner
-was found. Otherwise ``request.partner_id`` is left falsy. Additional
+was found. Otherwise ``request.jwt_partner_id`` is left falsy. Additional
 strategies can be provided by overriding the ``_get_partner_id()`` method
 and extending the ``partner_id_strategy`` selection field.
 
+The decoded JWT payload is stored in ``request.jwt_payload``.
+
 Bug Tracker
 ===========
 
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us smashing it by providing a detailed and welcomed
-`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2013.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2014.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 
 Do not contact contributors directly about support or help with technical issues.
 
@@ -124,6 +132,6 @@ Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
 
 |maintainer-sbidoul| 
 
-This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/13.0/auth_jwt>`_ project on GitHub.
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/14.0/auth_jwt>`_ project on GitHub.
 
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_jwt/static/description/index.html b/auth_jwt/static/description/index.html
new file mode 100644
index 0000000000..07fea2065a
--- /dev/null
+++ b/auth_jwt/static/description/index.html
@@ -0,0 +1,470 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<meta name="generator" content="Docutils 0.15.1: http://docutils.sourceforge.net/" />
+<title>Auth JWT</title>
+<style type="text/css">
+
+/*
+:Author: David Goodger (goodger@python.org)
+:Id: $Id: html4css1.css 7952 2016-07-26 18:15:59Z milde $
+:Copyright: This stylesheet has been placed in the public domain.
+
+Default cascading style sheet for the HTML output of Docutils.
+
+See http://docutils.sf.net/docs/howto/html-stylesheets.html for how to
+customize this style sheet.
+*/
+
+/* used to remove borders from tables and images */
+.borderless, table.borderless td, table.borderless th {
+  border: 0 }
+
+table.borderless td, table.borderless th {
+  /* Override padding for "table.docutils td" with "! important".
+     The right padding separates the table cells. */
+  padding: 0 0.5em 0 0 ! important }
+
+.first {
+  /* Override more specific margin styles with "! important". */
+  margin-top: 0 ! important }
+
+.last, .with-subtitle {
+  margin-bottom: 0 ! important }
+
+.hidden {
+  display: none }
+
+.subscript {
+  vertical-align: sub;
+  font-size: smaller }
+
+.superscript {
+  vertical-align: super;
+  font-size: smaller }
+
+a.toc-backref {
+  text-decoration: none ;
+  color: black }
+
+blockquote.epigraph {
+  margin: 2em 5em ; }
+
+dl.docutils dd {
+  margin-bottom: 0.5em }
+
+object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
+  overflow: hidden;
+}
+
+/* Uncomment (and remove this text!) to get bold-faced definition list terms
+dl.docutils dt {
+  font-weight: bold }
+*/
+
+div.abstract {
+  margin: 2em 5em }
+
+div.abstract p.topic-title {
+  font-weight: bold ;
+  text-align: center }
+
+div.admonition, div.attention, div.caution, div.danger, div.error,
+div.hint, div.important, div.note, div.tip, div.warning {
+  margin: 2em ;
+  border: medium outset ;
+  padding: 1em }
+
+div.admonition p.admonition-title, div.hint p.admonition-title,
+div.important p.admonition-title, div.note p.admonition-title,
+div.tip p.admonition-title {
+  font-weight: bold ;
+  font-family: sans-serif }
+
+div.attention p.admonition-title, div.caution p.admonition-title,
+div.danger p.admonition-title, div.error p.admonition-title,
+div.warning p.admonition-title, .code .error {
+  color: red ;
+  font-weight: bold ;
+  font-family: sans-serif }
+
+/* Uncomment (and remove this text!) to get reduced vertical space in
+   compound paragraphs.
+div.compound .compound-first, div.compound .compound-middle {
+  margin-bottom: 0.5em }
+
+div.compound .compound-last, div.compound .compound-middle {
+  margin-top: 0.5em }
+*/
+
+div.dedication {
+  margin: 2em 5em ;
+  text-align: center ;
+  font-style: italic }
+
+div.dedication p.topic-title {
+  font-weight: bold ;
+  font-style: normal }
+
+div.figure {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+div.footer, div.header {
+  clear: both;
+  font-size: smaller }
+
+div.line-block {
+  display: block ;
+  margin-top: 1em ;
+  margin-bottom: 1em }
+
+div.line-block div.line-block {
+  margin-top: 0 ;
+  margin-bottom: 0 ;
+  margin-left: 1.5em }
+
+div.sidebar {
+  margin: 0 0 0.5em 1em ;
+  border: medium outset ;
+  padding: 1em ;
+  background-color: #ffffee ;
+  width: 40% ;
+  float: right ;
+  clear: right }
+
+div.sidebar p.rubric {
+  font-family: sans-serif ;
+  font-size: medium }
+
+div.system-messages {
+  margin: 5em }
+
+div.system-messages h1 {
+  color: red }
+
+div.system-message {
+  border: medium outset ;
+  padding: 1em }
+
+div.system-message p.system-message-title {
+  color: red ;
+  font-weight: bold }
+
+div.topic {
+  margin: 2em }
+
+h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
+h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
+  margin-top: 0.4em }
+
+h1.title {
+  text-align: center }
+
+h2.subtitle {
+  text-align: center }
+
+hr.docutils {
+  width: 75% }
+
+img.align-left, .figure.align-left, object.align-left, table.align-left {
+  clear: left ;
+  float: left ;
+  margin-right: 1em }
+
+img.align-right, .figure.align-right, object.align-right, table.align-right {
+  clear: right ;
+  float: right ;
+  margin-left: 1em }
+
+img.align-center, .figure.align-center, object.align-center {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+table.align-center {
+  margin-left: auto;
+  margin-right: auto;
+}
+
+.align-left {
+  text-align: left }
+
+.align-center {
+  clear: both ;
+  text-align: center }
+
+.align-right {
+  text-align: right }
+
+/* reset inner alignment in figures */
+div.align-right {
+  text-align: inherit }
+
+/* div.align-center * { */
+/*   text-align: left } */
+
+.align-top    {
+  vertical-align: top }
+
+.align-middle {
+  vertical-align: middle }
+
+.align-bottom {
+  vertical-align: bottom }
+
+ol.simple, ul.simple {
+  margin-bottom: 1em }
+
+ol.arabic {
+  list-style: decimal }
+
+ol.loweralpha {
+  list-style: lower-alpha }
+
+ol.upperalpha {
+  list-style: upper-alpha }
+
+ol.lowerroman {
+  list-style: lower-roman }
+
+ol.upperroman {
+  list-style: upper-roman }
+
+p.attribution {
+  text-align: right ;
+  margin-left: 50% }
+
+p.caption {
+  font-style: italic }
+
+p.credits {
+  font-style: italic ;
+  font-size: smaller }
+
+p.label {
+  white-space: nowrap }
+
+p.rubric {
+  font-weight: bold ;
+  font-size: larger ;
+  color: maroon ;
+  text-align: center }
+
+p.sidebar-title {
+  font-family: sans-serif ;
+  font-weight: bold ;
+  font-size: larger }
+
+p.sidebar-subtitle {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+p.topic-title {
+  font-weight: bold }
+
+pre.address {
+  margin-bottom: 0 ;
+  margin-top: 0 ;
+  font: inherit }
+
+pre.literal-block, pre.doctest-block, pre.math, pre.code {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+pre.code .ln { color: grey; } /* line numbers */
+pre.code, code { background-color: #eeeeee }
+pre.code .comment, code .comment { color: #5C6576 }
+pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
+pre.code .literal.string, code .literal.string { color: #0C5404 }
+pre.code .name.builtin, code .name.builtin { color: #352B84 }
+pre.code .deleted, code .deleted { background-color: #DEB0A1}
+pre.code .inserted, code .inserted { background-color: #A3D289}
+
+span.classifier {
+  font-family: sans-serif ;
+  font-style: oblique }
+
+span.classifier-delimiter {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+span.interpreted {
+  font-family: sans-serif }
+
+span.option {
+  white-space: nowrap }
+
+span.pre {
+  white-space: pre }
+
+span.problematic {
+  color: red }
+
+span.section-subtitle {
+  /* font-size relative to parent (h1..h6 element) */
+  font-size: 80% }
+
+table.citation {
+  border-left: solid 1px gray;
+  margin-left: 1px }
+
+table.docinfo {
+  margin: 2em 4em }
+
+table.docutils {
+  margin-top: 0.5em ;
+  margin-bottom: 0.5em }
+
+table.footnote {
+  border-left: solid 1px black;
+  margin-left: 1px }
+
+table.docutils td, table.docutils th,
+table.docinfo td, table.docinfo th {
+  padding-left: 0.5em ;
+  padding-right: 0.5em ;
+  vertical-align: top }
+
+table.docutils th.field-name, table.docinfo th.docinfo-name {
+  font-weight: bold ;
+  text-align: left ;
+  white-space: nowrap ;
+  padding-left: 0 }
+
+/* "booktabs" style (no vertical lines) */
+table.docutils.booktabs {
+  border: 0px;
+  border-top: 2px solid;
+  border-bottom: 2px solid;
+  border-collapse: collapse;
+}
+table.docutils.booktabs * {
+  border: 0px;
+}
+table.docutils.booktabs th {
+  border-bottom: thin solid;
+  text-align: left;
+}
+
+h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
+h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
+  font-size: 100% }
+
+ul.auto-toc {
+  list-style-type: none }
+
+</style>
+</head>
+<body>
+<div class="document" id="auth-jwt">
+<h1 class="title">Auth JWT</h1>
+
+<!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! This file is generated by oca-gen-addon-readme !!
+!! changes will be overwritten.                   !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
+<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-auth/tree/14.0/auth_jwt"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-auth-14-0/server-auth-14-0-auth_jwt"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/251/14.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
+<p>JWT bearer token authentication.</p>
+<p><strong>Table of contents</strong></p>
+<div class="contents local topic" id="contents">
+<ul class="simple">
+<li><a class="reference internal" href="#installation" id="id1">Installation</a></li>
+<li><a class="reference internal" href="#usage" id="id2">Usage</a></li>
+<li><a class="reference internal" href="#bug-tracker" id="id3">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="id4">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="id5">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="id6">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="id7">Maintainers</a></li>
+</ul>
+</li>
+</ul>
+</div>
+<div class="section" id="installation">
+<h1><a class="toc-backref" href="#id1">Installation</a></h1>
+<p>This module requires the <tt class="docutils literal">pyjwt</tt> library to be installed.</p>
+</div>
+<div class="section" id="usage">
+<h1><a class="toc-backref" href="#id2">Usage</a></h1>
+<p>This module lets developpers add a new <tt class="docutils literal">jwt</tt> authentication method on Odoo
+controller routes.</p>
+<p>To use it, you must:</p>
+<ul class="simple">
+<li>Create an <tt class="docutils literal">auth.jwt.validator</tt> record to configure how the JWT token will
+be validated.</li>
+<li>Add an <tt class="docutils literal"><span class="pre">auth=&quot;jwt_{validator-name}&quot;</span></tt> attribute to the routes
+you want to protect where <tt class="docutils literal"><span class="pre">{validator-name}</span></tt> corresponds to the name
+attribute of the JWT validator record.</li>
+</ul>
+<p>The <tt class="docutils literal">auth_jwt_demo</tt> module provides examples.</p>
+<p>The JWT validator can be configured with the following properties:</p>
+<ul class="simple">
+<li><tt class="docutils literal">name</tt>: the validator name, to match the <tt class="docutils literal"><span class="pre">auth=&quot;jwt_{validator-name}&quot;</span></tt>
+route property.</li>
+<li><tt class="docutils literal">audience</tt>: a comma-separated list of allowed audiences, used to validate
+the <tt class="docutils literal">aud</tt> claim.</li>
+<li><tt class="docutils literal">issuer</tt>: used to validate the <tt class="docutils literal">iss</tt> claim.</li>
+<li>Signature type (secret or public key), algorithm, secret and JWK URI
+are used to validate the token signature.</li>
+</ul>
+<p>In addition, the <tt class="docutils literal">exp</tt> claim is validated to reject expired tokens.</p>
+<p>If the <tt class="docutils literal">Authorization</tt> HTTP header is missing, malformed, or contains
+an invalid token, the request is rejected with a 401 (Unauthorized) code.</p>
+<p>If the token is valid, the request executes with the configured user id. By
+default the user id selection strategy is <tt class="docutils literal">static</tt> (i.e. the same for all
+requests) and the selected user is configured on the JWT validator. Additional
+strategies can be provided by overriding the <tt class="docutils literal">_get_uid()</tt> method and
+extending the <tt class="docutils literal">user_id_strategy</tt> selection field.</p>
+<p>The selected user is <em>not</em> stored in the session. It is only available in
+<tt class="docutils literal">request.uid</tt> (and thus it is the one used in <tt class="docutils literal">request.env</tt>). To avoid any
+confusion and mismatches between the bearer token and the session, this module
+rejects requests made with an authenticated user session.</p>
+<p>Additionally, if a <tt class="docutils literal">partner_id_strategy</tt> is configured, a partner is searched
+and if found, its id is stored in the <tt class="docutils literal">request.jwt_partner_id</tt> attribute. If
+<tt class="docutils literal">partner_id_required</tt> is set, a 401 (Unauthorized) is returned if no partner
+was found. Otherwise <tt class="docutils literal">request.jwt_partner_id</tt> is left falsy. Additional
+strategies can be provided by overriding the <tt class="docutils literal">_get_partner_id()</tt> method
+and extending the <tt class="docutils literal">partner_id_strategy</tt> selection field.</p>
+<p>The decoded JWT payload is stored in <tt class="docutils literal">request.jwt_payload</tt>.</p>
+</div>
+<div class="section" id="bug-tracker">
+<h1><a class="toc-backref" href="#id3">Bug Tracker</a></h1>
+<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us smashing it by providing a detailed and welcomed
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2014.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<p>Do not contact contributors directly about support or help with technical issues.</p>
+</div>
+<div class="section" id="credits">
+<h1><a class="toc-backref" href="#id4">Credits</a></h1>
+<div class="section" id="authors">
+<h2><a class="toc-backref" href="#id5">Authors</a></h2>
+<ul class="simple">
+<li>ACSONE SA/NV</li>
+</ul>
+</div>
+<div class="section" id="contributors">
+<h2><a class="toc-backref" href="#id6">Contributors</a></h2>
+<ul class="simple">
+<li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
+</ul>
+</div>
+<div class="section" id="maintainers">
+<h2><a class="toc-backref" href="#id7">Maintainers</a></h2>
+<p>This module is maintained by the OCA.</p>
+<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
+<p>OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.</p>
+<p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
+<p><a class="reference external" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/14.0/auth_jwt">OCA/server-auth</a> project on GitHub.</p>
+<p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
+</div>
+</div>
+</div>
+</body>
+</html>

From b430a28c0e4e057cb4076a16b11c0801b5a9d3b7 Mon Sep 17 00:00:00 2001
From: OCA-git-bot <oca-git-bot@odoo-community.org>
Date: Wed, 28 Jul 2021 19:49:01 +0000
Subject: [PATCH 14/43] auth_jwt 14.0.1.0.1

---
 auth_jwt/__manifest__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
index bd7adbd946..6888130721 100644
--- a/auth_jwt/__manifest__.py
+++ b/auth_jwt/__manifest__.py
@@ -5,7 +5,7 @@
     "name": "Auth JWT",
     "summary": """
         JWT bearer token authentication.""",
-    "version": "14.0.1.0.0",
+    "version": "14.0.1.0.1",
     "license": "AGPL-3",
     "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
     "maintainers": ["sbidoul"],

From 3c074d6e507e97fffcebe42bce38bb33669c156f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Tue, 5 Oct 2021 09:44:53 +0200
Subject: [PATCH 15/43] [IMP] auth_jwt: add public_or_jwt auth method

This method is useful for public endpoints that need
to work for anonymous user, but can be enhanced when
an authenticated user is know.

A typical use case is a "add to cart" enpoint that can
work for anonymous users, but can be enhanced by
binding the cart to a known customer when the authenticated
user is known.
---
 auth_jwt/models/auth_jwt_validator.py |  8 +++++
 auth_jwt/models/ir_http.py            | 14 +++++++--
 auth_jwt/readme/USAGE.rst             | 14 +++++++--
 auth_jwt/tests/test_auth_jwt.py       | 44 ++++++++++++++++++++++++++-
 4 files changed, 74 insertions(+), 6 deletions(-)

diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index e5813f193d..8fd37bf219 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -180,12 +180,20 @@ def _register_auth_method(self):
                 f"_auth_method_jwt_{rec.name}",
                 partial(IrHttp.__class__._auth_method_jwt, validator_name=rec.name),
             )
+            setattr(
+                IrHttp.__class__,
+                f"_auth_method_public_or_jwt_{rec.name}",
+                partial(
+                    IrHttp.__class__._auth_method_public_or_jwt, validator_name=rec.name
+                ),
+            )
 
     def _unregister_auth_method(self):
         IrHttp = self.env["ir.http"]
         for rec in self:
             try:
                 delattr(IrHttp.__class__, f"_auth_method_jwt_{rec.name}")
+                delattr(IrHttp.__class__, f"_auth_method_public_or_jwt_{rec.name}")
             except AttributeError:
                 pass
 
diff --git a/auth_jwt/models/ir_http.py b/auth_jwt/models/ir_http.py
index 2b555d38c6..aad11b9854 100644
--- a/auth_jwt/models/ir_http.py
+++ b/auth_jwt/models/ir_http.py
@@ -33,7 +33,11 @@ def _authenticate(cls, endpoint):
         _authenticate method and make sure the conditions have not changed.
         """
         auth_method = endpoint.routing["auth"]
-        if auth_method == "jwt" or auth_method.startswith("jwt_"):
+        if (
+            auth_method in ("jwt", "public_or_jwt")
+            or auth_method.startswith("jwt_")
+            or auth_method.startswith("public_or_jwt_")
+        ):
             if request.session.uid:
                 _logger.warning(
                     'A route with auth="jwt" must not be used within a user session.'
@@ -44,7 +48,7 @@ def _authenticate(cls, endpoint):
             # because _authenticate will not call _auth_method_jwt a second time.
             if request.uid and not hasattr(request, "jwt_payload"):
                 _logger.error(
-                    'A route with auth="jwt" should not have a request.uid here.'
+                    "A route with auth='jwt' should not have a request.uid here."
                 )
                 raise UnauthorizedSessionMismatch()
         return super()._authenticate(endpoint)
@@ -69,6 +73,12 @@ def _auth_method_jwt(cls, validator_name=None):
         request.jwt_payload = payload
         request.jwt_partner_id = partner_id
 
+    @classmethod
+    def _auth_method_public_or_jwt(cls, validator_name=None):
+        if "HTTP_AUTHORIZATION" not in request.httprequest.environ:
+            return cls._auth_method_public()
+        return cls._auth_method_jwt(validator_name)
+
     @classmethod
     def _get_bearer_token(cls):
         # https://tools.ietf.org/html/rfc2617#section-3.2.2
diff --git a/auth_jwt/readme/USAGE.rst b/auth_jwt/readme/USAGE.rst
index 40b52af6ac..be48400b6e 100644
--- a/auth_jwt/readme/USAGE.rst
+++ b/auth_jwt/readme/USAGE.rst
@@ -5,9 +5,9 @@ To use it, you must:
 
 * Create an ``auth.jwt.validator`` record to configure how the JWT token will
   be validated.
-* Add an ``auth="jwt_{validator-name}"`` attribute to the routes
-  you want to protect where ``{validator-name}`` corresponds to the name
-  attribute of the JWT validator record.
+* Add an ``auth="jwt_{validator-name}"`` or ``auth="public_or_jwt_{validator-name}"``
+  attribute to the routes you want to protect where ``{validator-name}`` corresponds to
+  the name attribute of the JWT validator record.
 
 The ``auth_jwt_demo`` module provides examples.
 
@@ -45,3 +45,11 @@ strategies can be provided by overriding the ``_get_partner_id()`` method
 and extending the ``partner_id_strategy`` selection field.
 
 The decoded JWT payload is stored in ``request.jwt_payload``.
+
+The ``public_auth_jwt`` method delegates authentication to the standard Odoo ``public``
+method when the Authorization header is not set. If it is set, the regular JWT
+authentication is performed as described above. This method is useful for public
+endpoints that need to work for anonymous users, but can be enhanced when an
+authenticated user is know. A typical use case is a "add to cart" endpoint that can work
+for anonymous users, but can be enhanced by binding the cart to a known customer when
+the authenticated user is known.
diff --git a/auth_jwt/tests/test_auth_jwt.py b/auth_jwt/tests/test_auth_jwt.py
index 7901f23c95..097312072b 100644
--- a/auth_jwt/tests/test_auth_jwt.py
+++ b/auth_jwt/tests/test_auth_jwt.py
@@ -26,13 +26,21 @@
 class TestAuthMethod(TransactionCase):
     @contextlib.contextmanager
     def _mock_request(self, authorization):
+        environ = {}
+        if authorization:
+            environ["HTTP_AUTHORIZATION"] = authorization
         request = Mock(
             context={},
             db=self.env.cr.dbname,
             uid=None,
-            httprequest=Mock(environ={"HTTP_AUTHORIZATION": authorization}),
+            httprequest=Mock(environ=environ),
             session=DotDict(),
+            env=self.env,
         )
+        # These attributes are added upon successful auth, so make sure
+        # calling hasattr on the mock when they are not yet set returns False.
+        del request.jwt_payload
+        del request.jwt_partner_id
 
         with contextlib.ExitStack() as s:
             odoo.http._request_stack.push(request)
@@ -238,24 +246,58 @@ def test_nbf(self):
     def test_auth_method_registration_on_create(self):
         IrHttp = self.env["ir.http"]
         self.assertFalse(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))
+        self.assertFalse(
+            hasattr(IrHttp.__class__, "_auth_method_public_or_jwt_validator1")
+        )
         self._create_validator("validator1")
         self.assertTrue(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))
+        self.assertTrue(
+            hasattr(IrHttp.__class__, "_auth_method_public_or_jwt_validator1")
+        )
 
     def test_auth_method_unregistration_on_unlink(self):
         IrHttp = self.env["ir.http"]
         validator = self._create_validator("validator1")
         self.assertTrue(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))
+        self.assertTrue(
+            hasattr(IrHttp.__class__, "_auth_method_public_or_jwt_validator1")
+        )
         validator.unlink()
         self.assertFalse(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))
+        self.assertFalse(
+            hasattr(IrHttp.__class__, "_auth_method_public_or_jwt_validator1")
+        )
 
     def test_auth_method_registration_on_rename(self):
         IrHttp = self.env["ir.http"]
         validator = self._create_validator("validator1")
         self.assertTrue(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))
+        self.assertTrue(
+            hasattr(IrHttp.__class__, "_auth_method_public_or_jwt_validator1")
+        )
         validator.name = "validator2"
         self.assertFalse(hasattr(IrHttp.__class__, "_auth_method_jwt_validator1"))
+        self.assertFalse(
+            hasattr(IrHttp.__class__, "_auth_method_public_or_jwt_validator1")
+        )
         self.assertTrue(hasattr(IrHttp.__class__, "_auth_method_jwt_validator2"))
+        self.assertTrue(
+            hasattr(IrHttp.__class__, "_auth_method_public_or_jwt_validator2")
+        )
 
     def test_name_check(self):
         with self.assertRaises(ValidationError):
             self._create_validator(name="not an identifier")
+
+    def test_public_or_jwt_no_token(self):
+        with self._mock_request(authorization=None) as request:
+            self.env["ir.http"]._auth_method_public_or_jwt()
+            assert request.uid == self.env.ref("base.public_user").id
+            assert not hasattr(request, "jwt_payload")
+
+    def test_public_or_jwt_valid_token(self):
+        with self._commit_validator("validator"):
+            authorization = "Bearer " + self._create_token()
+            with self._mock_request(authorization=authorization) as request:
+                self.env["ir.http"]._auth_method_public_or_jwt_validator()
+                assert request.jwt_payload["aud"] == "me"

From 51365a8db528bf075f545bdabf321675c84abc0b Mon Sep 17 00:00:00 2001
From: OCA-git-bot <oca-git-bot@odoo-community.org>
Date: Wed, 6 Oct 2021 11:53:45 +0000
Subject: [PATCH 16/43] [UPD] README.rst

---
 auth_jwt/README.rst                    | 14 +++++++++++---
 auth_jwt/static/description/index.html | 13 ++++++++++---
 2 files changed, 21 insertions(+), 6 deletions(-)

diff --git a/auth_jwt/README.rst b/auth_jwt/README.rst
index be0c8385b3..871af3c4a2 100644
--- a/auth_jwt/README.rst
+++ b/auth_jwt/README.rst
@@ -47,9 +47,9 @@ To use it, you must:
 
 * Create an ``auth.jwt.validator`` record to configure how the JWT token will
   be validated.
-* Add an ``auth="jwt_{validator-name}"`` attribute to the routes
-  you want to protect where ``{validator-name}`` corresponds to the name
-  attribute of the JWT validator record.
+* Add an ``auth="jwt_{validator-name}"`` or ``auth="public_or_jwt_{validator-name}"``
+  attribute to the routes you want to protect where ``{validator-name}`` corresponds to
+  the name attribute of the JWT validator record.
 
 The ``auth_jwt_demo`` module provides examples.
 
@@ -88,6 +88,14 @@ and extending the ``partner_id_strategy`` selection field.
 
 The decoded JWT payload is stored in ``request.jwt_payload``.
 
+The ``public_auth_jwt`` method delegates authentication to the standard Odoo ``public``
+method when the Authorization header is not set. If it is set, the regular JWT
+authentication is performed as described above. This method is useful for public
+endpoints that need to work for anonymous users, but can be enhanced when an
+authenticated user is know. A typical use case is a "add to cart" endpoint that can work
+for anonymous users, but can be enhanced by binding the cart to a known customer when
+the authenticated user is known.
+
 Bug Tracker
 ===========
 
diff --git a/auth_jwt/static/description/index.html b/auth_jwt/static/description/index.html
index 07fea2065a..d5564eb61b 100644
--- a/auth_jwt/static/description/index.html
+++ b/auth_jwt/static/description/index.html
@@ -395,9 +395,9 @@ <h1><a class="toc-backref" href="#id2">Usage</a></h1>
 <ul class="simple">
 <li>Create an <tt class="docutils literal">auth.jwt.validator</tt> record to configure how the JWT token will
 be validated.</li>
-<li>Add an <tt class="docutils literal"><span class="pre">auth=&quot;jwt_{validator-name}&quot;</span></tt> attribute to the routes
-you want to protect where <tt class="docutils literal"><span class="pre">{validator-name}</span></tt> corresponds to the name
-attribute of the JWT validator record.</li>
+<li>Add an <tt class="docutils literal"><span class="pre">auth=&quot;jwt_{validator-name}&quot;</span></tt> or <tt class="docutils literal"><span class="pre">auth=&quot;public_or_jwt_{validator-name}&quot;</span></tt>
+attribute to the routes you want to protect where <tt class="docutils literal"><span class="pre">{validator-name}</span></tt> corresponds to
+the name attribute of the JWT validator record.</li>
 </ul>
 <p>The <tt class="docutils literal">auth_jwt_demo</tt> module provides examples.</p>
 <p>The JWT validator can be configured with the following properties:</p>
@@ -429,6 +429,13 @@ <h1><a class="toc-backref" href="#id2">Usage</a></h1>
 strategies can be provided by overriding the <tt class="docutils literal">_get_partner_id()</tt> method
 and extending the <tt class="docutils literal">partner_id_strategy</tt> selection field.</p>
 <p>The decoded JWT payload is stored in <tt class="docutils literal">request.jwt_payload</tt>.</p>
+<p>The <tt class="docutils literal">public_auth_jwt</tt> method delegates authentication to the standard Odoo <tt class="docutils literal">public</tt>
+method when the Authorization header is not set. If it is set, the regular JWT
+authentication is performed as described above. This method is useful for public
+endpoints that need to work for anonymous users, but can be enhanced when an
+authenticated user is know. A typical use case is a “add to cart” endpoint that can work
+for anonymous users, but can be enhanced by binding the cart to a known customer when
+the authenticated user is known.</p>
 </div>
 <div class="section" id="bug-tracker">
 <h1><a class="toc-backref" href="#id3">Bug Tracker</a></h1>

From 8dd53c6b01a38b15c2d004d4e19a71a7960b97db Mon Sep 17 00:00:00 2001
From: OCA-git-bot <oca-git-bot@odoo-community.org>
Date: Wed, 6 Oct 2021 11:53:46 +0000
Subject: [PATCH 17/43] auth_jwt 14.0.1.1.0

---
 auth_jwt/__manifest__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
index 6888130721..7e0209f0c0 100644
--- a/auth_jwt/__manifest__.py
+++ b/auth_jwt/__manifest__.py
@@ -5,7 +5,7 @@
     "name": "Auth JWT",
     "summary": """
         JWT bearer token authentication.""",
-    "version": "14.0.1.0.1",
+    "version": "14.0.1.1.0",
     "license": "AGPL-3",
     "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
     "maintainers": ["sbidoul"],

From e8c12c3993bb5966d95d57bd757148aad3e60330 Mon Sep 17 00:00:00 2001
From: Maksym Yankin <yankinmk@gmail.com>
Date: Wed, 29 Dec 2021 10:37:59 +0200
Subject: [PATCH 18/43] auth_jwt: Relicence under LGPL

---
 auth_jwt/README.rst                    | 6 +++---
 auth_jwt/__manifest__.py               | 4 ++--
 auth_jwt/exceptions.py                 | 2 +-
 auth_jwt/models/auth_jwt_validator.py  | 2 +-
 auth_jwt/models/ir_http.py             | 2 +-
 auth_jwt/static/description/index.html | 2 +-
 auth_jwt/tests/test_auth_jwt.py        | 2 +-
 7 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/auth_jwt/README.rst b/auth_jwt/README.rst
index 871af3c4a2..002a5092bf 100644
--- a/auth_jwt/README.rst
+++ b/auth_jwt/README.rst
@@ -10,9 +10,9 @@ Auth JWT
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
     :target: https://odoo-community.org/page/development-status
     :alt: Beta
-.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
-    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
-    :alt: License: AGPL-3
+.. |badge2| image:: https://img.shields.io/badge/licence-LGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html
+    :alt: License: LGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
     :target: https://github.com/OCA/server-auth/tree/14.0/auth_jwt
     :alt: OCA/server-auth
diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
index 7e0209f0c0..b6daf34c17 100644
--- a/auth_jwt/__manifest__.py
+++ b/auth_jwt/__manifest__.py
@@ -1,12 +1,12 @@
 # Copyright 2021 ACSONE SA/NV
-# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
 
 {
     "name": "Auth JWT",
     "summary": """
         JWT bearer token authentication.""",
     "version": "14.0.1.1.0",
-    "license": "AGPL-3",
+    "license": "LGPL-3",
     "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
     "maintainers": ["sbidoul"],
     "website": "https://github.com/OCA/server-auth",
diff --git a/auth_jwt/exceptions.py b/auth_jwt/exceptions.py
index dbebaff04d..d1b5a80d0d 100644
--- a/auth_jwt/exceptions.py
+++ b/auth_jwt/exceptions.py
@@ -1,5 +1,5 @@
 # Copyright 2021 ACSONE SA/NV
-# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl)
 
 from werkzeug.exceptions import InternalServerError, Unauthorized
 
diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index 8fd37bf219..5d841888be 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -1,5 +1,5 @@
 # Copyright 2021 ACSONE SA/NV
-# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
 
 import logging
 from functools import partial
diff --git a/auth_jwt/models/ir_http.py b/auth_jwt/models/ir_http.py
index aad11b9854..f90b5824c2 100644
--- a/auth_jwt/models/ir_http.py
+++ b/auth_jwt/models/ir_http.py
@@ -1,5 +1,5 @@
 # Copyright 2021 ACSONE SA/NV
-# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
 
 import logging
 import re
diff --git a/auth_jwt/static/description/index.html b/auth_jwt/static/description/index.html
index d5564eb61b..bd621ae44d 100644
--- a/auth_jwt/static/description/index.html
+++ b/auth_jwt/static/description/index.html
@@ -367,7 +367,7 @@ <h1 class="title">Auth JWT</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
-<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-auth/tree/14.0/auth_jwt"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-auth-14-0/server-auth-14-0-auth_jwt"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/251/14.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
+<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/lgpl-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-LGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-auth/tree/14.0/auth_jwt"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-auth-14-0/server-auth-14-0-auth_jwt"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/251/14.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
 <p>JWT bearer token authentication.</p>
 <p><strong>Table of contents</strong></p>
 <div class="contents local topic" id="contents">
diff --git a/auth_jwt/tests/test_auth_jwt.py b/auth_jwt/tests/test_auth_jwt.py
index 097312072b..937778c521 100644
--- a/auth_jwt/tests/test_auth_jwt.py
+++ b/auth_jwt/tests/test_auth_jwt.py
@@ -1,5 +1,5 @@
 # Copyright 2021 ACSONE SA/NV
-# License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
 
 import contextlib
 import time

From d00e0a7528eb186033015a79694dedc409962f86 Mon Sep 17 00:00:00 2001
From: OCA-git-bot <oca-git-bot@odoo-community.org>
Date: Wed, 29 Dec 2021 11:07:22 +0000
Subject: [PATCH 19/43] auth_jwt 14.0.1.2.0

---
 auth_jwt/__manifest__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
index b6daf34c17..2e9ae85bd5 100644
--- a/auth_jwt/__manifest__.py
+++ b/auth_jwt/__manifest__.py
@@ -5,7 +5,7 @@
     "name": "Auth JWT",
     "summary": """
         JWT bearer token authentication.""",
-    "version": "14.0.1.1.0",
+    "version": "14.0.1.2.0",
     "license": "LGPL-3",
     "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
     "maintainers": ["sbidoul"],

From 6b17cc674792a1465662eb8f3fd0e3d2c4a56478 Mon Sep 17 00:00:00 2001
From: Florian Mounier <paradoxxx.zero@gmail.com>
Date: Thu, 17 Feb 2022 15:44:55 +0100
Subject: [PATCH 20/43] [IMP] auth_jwt: Add validator.next_validator_id to
 allow validator chaining

---
 auth_jwt/exceptions.py                      |  14 ++
 auth_jwt/models/auth_jwt_validator.py       |  22 ++
 auth_jwt/models/ir_http.py                  |  36 ++-
 auth_jwt/tests/test_auth_jwt.py             | 259 ++++++++++++++------
 auth_jwt/views/auth_jwt_validator_views.xml |   2 +
 5 files changed, 246 insertions(+), 87 deletions(-)

diff --git a/auth_jwt/exceptions.py b/auth_jwt/exceptions.py
index d1b5a80d0d..bc81b3ae12 100644
--- a/auth_jwt/exceptions.py
+++ b/auth_jwt/exceptions.py
@@ -30,3 +30,17 @@ class UnauthorizedInvalidToken(Unauthorized):
 
 class UnauthorizedPartnerNotFound(Unauthorized):
     pass
+
+
+class CompositeJwtError(Unauthorized):
+    """Indicate that multiple errors occurred during JWT chain validation."""
+
+    def __init__(self, errors):
+        self.errors = errors
+        super().__init__(
+            "Multiple errors occurred during JWT chain validation:\n"
+            + "\n".join(
+                "{}: {}".format(validator_name, error)
+                for validator_name, error in self.errors.items()
+            )
+        )
diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index 5d841888be..3d3c9b4d7c 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -67,6 +67,12 @@ class AuthJwtValidator(models.Model):
     partner_id_strategy = fields.Selection([("email", "From email claim")])
     partner_id_required = fields.Boolean()
 
+    next_validator_id = fields.Many2one(
+        "auth.jwt.validator",
+        domain="[('id', '!=', id)]",
+        help="Next validator to try if this one fails",
+    )
+
     _sql_constraints = [
         ("name_uniq", "unique(name)", "JWT validator names must be unique !"),
     ]
@@ -79,6 +85,22 @@ def _check_name(self):
                     _("Name %r is not a valid python identifier.") % (rec.name,)
                 )
 
+    @api.constrains("next_validator_id")
+    def _check_next_validator_id(self):
+        # Prevent circular references
+        for rec in self:
+            validator = rec
+            chain = [validator.name]
+            while validator:
+                validator = validator.next_validator_id
+                chain.append(validator.name)
+                if rec == validator:
+                    raise ValidationError(
+                        _("Validators mustn't make a closed chain: {}.").format(
+                            " -> ".join(chain)
+                        )
+                    )
+
     @api.model
     def _get_validator_by_name_domain(self, validator_name):
         if validator_name:
diff --git a/auth_jwt/models/ir_http.py b/auth_jwt/models/ir_http.py
index f90b5824c2..89bfec6cde 100644
--- a/auth_jwt/models/ir_http.py
+++ b/auth_jwt/models/ir_http.py
@@ -4,10 +4,11 @@
 import logging
 import re
 
-from odoo import SUPERUSER_ID, api, models, registry as registry_get
+from odoo import SUPERUSER_ID, api, models
 from odoo.http import request
 
 from ..exceptions import (
+    CompositeJwtError,
     UnauthorizedMalformedAuthorizationHeader,
     UnauthorizedMissingAuthorizationHeader,
     UnauthorizedSessionMismatch,
@@ -55,20 +56,33 @@ def _authenticate(cls, endpoint):
 
     @classmethod
     def _auth_method_jwt(cls, validator_name=None):
-        assert request.db
         assert not request.uid
         assert not request.session.uid
         token = cls._get_bearer_token()
         assert token
-        registry = registry_get(request.db)
-        with registry.cursor() as cr:
-            env = api.Environment(cr, SUPERUSER_ID, {})
-            validator = env["auth.jwt.validator"]._get_validator_by_name(validator_name)
-            assert len(validator) == 1
-            payload = validator._decode(token)
-            uid = validator._get_and_check_uid(payload)
-            assert uid
-            partner_id = validator._get_and_check_partner_id(payload)
+        # # Use request cursor to allow partner creation strategy in validator
+        env = api.Environment(request.cr, SUPERUSER_ID, {})
+        validator = env["auth.jwt.validator"]._get_validator_by_name(validator_name)
+        assert len(validator) == 1
+
+        payload = None
+        exceptions = {}
+        while validator:
+            try:
+                payload = validator._decode(token)
+                break
+            except Exception as e:
+                exceptions[validator.name] = e
+                validator = validator.next_validator_id
+
+        if not payload:
+            if len(exceptions) == 1:
+                raise list(exceptions.values())[0]
+            raise CompositeJwtError(exceptions)
+
+        uid = validator._get_and_check_uid(payload)
+        assert uid
+        partner_id = validator._get_and_check_partner_id(payload)
         request.uid = uid  # this resets request.env
         request.jwt_payload = payload
         request.jwt_partner_id = partner_id
diff --git a/auth_jwt/tests/test_auth_jwt.py b/auth_jwt/tests/test_auth_jwt.py
index 937778c521..c1e00c660c 100644
--- a/auth_jwt/tests/test_auth_jwt.py
+++ b/auth_jwt/tests/test_auth_jwt.py
@@ -15,6 +15,7 @@
 
 from ..exceptions import (
     AmbiguousJwtValidator,
+    CompositeJwtError,
     JwtValidatorNotFound,
     UnauthorizedInvalidToken,
     UnauthorizedMalformedAuthorizationHeader,
@@ -36,6 +37,7 @@ def _mock_request(self, authorization):
             httprequest=Mock(environ=environ),
             session=DotDict(),
             env=self.env,
+            cr=self.env.cr,
         )
         # These attributes are added upon successful auth, so make sure
         # calling hasattr on the mock when they are not yet set returns False.
@@ -63,45 +65,28 @@ def _create_token(
             payload["nbf"] = nbf
         return jwt.encode(payload, key=key, algorithm="HS256")
 
-    def _create_validator(self, name, audience="me", partner_id_required=False):
+    def _create_validator(
+        self,
+        name,
+        audience="me",
+        issuer="http://the.issuer",
+        secret_key="thesecret",
+        partner_id_required=False,
+    ):
         return self.env["auth.jwt.validator"].create(
             dict(
                 name=name,
                 signature_type="secret",
                 secret_algorithm="HS256",
-                secret_key="thesecret",
+                secret_key=secret_key,
                 audience=audience,
-                issuer="http://the.issuer",
+                issuer=issuer,
                 user_id_strategy="static",
                 partner_id_strategy="email",
                 partner_id_required=partner_id_required,
             )
         )
 
-    @contextlib.contextmanager
-    def _commit_validator(self, name, audience="me", partner_id_required=False):
-        validator = self._create_validator(
-            name=name, audience=audience, partner_id_required=partner_id_required
-        )
-
-        def _mocked_get_validator_by_name(self, validator_name):
-            if validator_name == name:
-                return validator
-            return self.env["auth.jwt.validator"]._get_validator_by_name.origin(
-                self, validator_name
-            )
-
-        try:
-            # Patch _get_validator_by_name because IrHttp._auth_method_jwt
-            # will look for the validator in another transaction,
-            # where the validator we created above would not be visible.
-            self.env["auth.jwt.validator"]._patch_method(
-                "_get_validator_by_name", _mocked_get_validator_by_name
-            )
-            yield validator
-        finally:
-            self.env["auth.jwt.validator"]._revert_method("_get_validator_by_name")
-
     def test_missing_authorization_header(self):
         with self._mock_request(authorization=None):
             with self.assertRaises(UnauthorizedMissingAuthorizationHeader):
@@ -121,64 +106,186 @@ def test_malformed_authorization_header(self):
                     self.env["ir.http"]._auth_method_jwt()
 
     def test_auth_method_valid_token(self):
-        with self._commit_validator("validator"):
-            authorization = "Bearer " + self._create_token()
-            with self._mock_request(authorization=authorization):
-                self.env["ir.http"]._auth_method_jwt_validator()
+        self._create_validator("validator")
+        authorization = "Bearer " + self._create_token()
+        with self._mock_request(authorization=authorization):
+            self.env["ir.http"]._auth_method_jwt_validator()
 
-    def test_auth_method_valid_token_two_validators(self):
-        with self._commit_validator(
-            "validator2", audience="bad"
-        ), self._commit_validator("validator3"):
-            authorization = "Bearer " + self._create_token()
-            with self._mock_request(authorization=authorization):
-                # first validator rejects the token because of invalid audience
-                with self.assertRaises(UnauthorizedInvalidToken):
-                    self.env["ir.http"]._auth_method_jwt_validator2()
-                # second validator accepts the token
-                self.env["ir.http"]._auth_method_jwt_validator3()
+    def test_auth_method_valid_token_two_validators_one_bad_issuer(self):
+        self._create_validator("validator2", issuer="http://other.issuer")
+        self._create_validator("validator3")
+
+        authorization = "Bearer " + self._create_token()
+        with self._mock_request(authorization=authorization):
+            # first validator rejects the token because of invalid audience
+            with self.assertRaises(UnauthorizedInvalidToken):
+                self.env["ir.http"]._auth_method_jwt_validator2()
+            # second validator accepts the token
+            self.env["ir.http"]._auth_method_jwt_validator3()
+
+    def test_auth_method_valid_token_two_validators_one_bad_issuer_chained(self):
+        validator2 = self._create_validator("validator2", issuer="http://other.issuer")
+        validator3 = self._create_validator("validator3")
+        validator2.next_validator_id = validator3
+
+        authorization = "Bearer " + self._create_token()
+        with self._mock_request(authorization=authorization):
+            # Validator2 rejects the token because of invalid issuer but chain
+            # on validator3 which accepts it
+            self.env["ir.http"]._auth_method_jwt_validator2()
+
+    def test_auth_method_valid_token_two_validators_one_bad_audience(self):
+        self._create_validator("validator2", audience="bad")
+        self._create_validator("validator3")
+
+        authorization = "Bearer " + self._create_token()
+        with self._mock_request(authorization=authorization):
+            # first validator rejects the token because of invalid audience
+            with self.assertRaises(UnauthorizedInvalidToken):
+                self.env["ir.http"]._auth_method_jwt_validator2()
+            # second validator accepts the token
+            self.env["ir.http"]._auth_method_jwt_validator3()
+
+    def test_auth_method_valid_token_two_validators_one_bad_audience_chained(self):
+        validator2 = self._create_validator("validator2", audience="bad")
+        validator3 = self._create_validator("validator3")
+
+        validator2.next_validator_id = validator3
+        authorization = "Bearer " + self._create_token()
+        with self._mock_request(authorization=authorization):
+            self.env["ir.http"]._auth_method_jwt_validator2()
 
     def test_auth_method_invalid_token(self):
         # Test invalid token via _auth_method_jwt
         # Other types of invalid tokens are unit tested elswhere.
-        with self._commit_validator("validator4"):
-            authorization = "Bearer " + self._create_token(audience="bad")
-            with self._mock_request(authorization=authorization):
-                with self.assertRaises(UnauthorizedInvalidToken):
-                    self.env["ir.http"]._auth_method_jwt_validator4()
+        self._create_validator("validator4")
+        authorization = "Bearer " + self._create_token(audience="bad")
+        with self._mock_request(authorization=authorization):
+            with self.assertRaises(UnauthorizedInvalidToken):
+                self.env["ir.http"]._auth_method_jwt_validator4()
+
+    def test_auth_method_invalid_token_on_chain(self):
+        validator1 = self._create_validator("validator", issuer="http://other.issuer")
+        validator2 = self._create_validator("validator2", audience="bad audience")
+        validator3 = self._create_validator("validator3", secret_key="bad key")
+        validator4 = self._create_validator(
+            "validator4", issuer="http://other.issuer", audience="bad audience"
+        )
+        validator5 = self._create_validator(
+            "validator5", issuer="http://other.issuer", secret_key="bad key"
+        )
+        validator6 = self._create_validator(
+            "validator6", audience="bad audience", secret_key="bad key"
+        )
+        validator7 = self._create_validator(
+            "validator7",
+            issuer="http://other.issuer",
+            audience="bad audience",
+            secret_key="bad key",
+        )
+        validator1.next_validator_id = validator2
+        validator2.next_validator_id = validator3
+        validator3.next_validator_id = validator4
+        validator4.next_validator_id = validator5
+        validator5.next_validator_id = validator6
+        validator6.next_validator_id = validator7
+
+        authorization = "Bearer " + self._create_token()
+        with self._mock_request(authorization=authorization):
+            with self.assertRaises(CompositeJwtError) as composite_error:
+                self.env["ir.http"]._auth_method_jwt_validator()
+            self.assertEqual(
+                str(composite_error.exception),
+                "401 Unauthorized: Multiple errors occurred during JWT chain validation:\n"
+                "validator: 401 Unauthorized: "
+                "The server could not verify that you are authorized to "
+                "access the URL requested. You either supplied the wrong "
+                "credentials (e.g. a bad password), or your browser doesn't "
+                "understand how to supply the credentials required.\n"
+                "validator2: 401 Unauthorized: "
+                "The server could not verify that you are authorized to "
+                "access the URL requested. You either supplied the wrong "
+                "credentials (e.g. a bad password), or your browser doesn't "
+                "understand how to supply the credentials required.\n"
+                "validator3: 401 Unauthorized: "
+                "The server could not verify that you are authorized to "
+                "access the URL requested. You either supplied the wrong "
+                "credentials (e.g. a bad password), or your browser doesn't "
+                "understand how to supply the credentials required.\n"
+                "validator4: 401 Unauthorized: "
+                "The server could not verify that you are authorized to "
+                "access the URL requested. You either supplied the wrong "
+                "credentials (e.g. a bad password), or your browser doesn't "
+                "understand how to supply the credentials required.\n"
+                "validator5: 401 Unauthorized: "
+                "The server could not verify that you are authorized to "
+                "access the URL requested. You either supplied the wrong "
+                "credentials (e.g. a bad password), or your browser doesn't "
+                "understand how to supply the credentials required.\n"
+                "validator6: 401 Unauthorized: "
+                "The server could not verify that you are authorized to "
+                "access the URL requested. You either supplied the wrong "
+                "credentials (e.g. a bad password), or your browser doesn't "
+                "understand how to supply the credentials required.\n"
+                "validator7: 401 Unauthorized: "
+                "The server could not verify that you are authorized to "
+                "access the URL requested. You either supplied the wrong "
+                "credentials (e.g. a bad password), or your browser doesn't "
+                "understand how to supply the credentials required.",
+            )
+
+    def test_invalid_validation_chain(self):
+        validator1 = self._create_validator("validator")
+        validator2 = self._create_validator("validator2")
+        validator3 = self._create_validator("validator3")
+
+        validator1.next_validator_id = validator2
+        validator2.next_validator_id = validator3
+        with self.assertRaises(ValidationError) as error:
+            validator3.next_validator_id = validator1
+        self.assertEqual(
+            str(error.exception),
+            "Validators mustn't make a closed chain: "
+            "validator3 -> validator -> validator2 -> validator3.",
+        )
+
+    def test_invalid_validation_auto_chain(self):
+        validator = self._create_validator("validator")
+        with self.assertRaises(ValidationError) as error:
+            validator.next_validator_id = validator
+        self.assertEqual(
+            str(error.exception),
+            "Validators mustn't make a closed chain: " "validator -> validator.",
+        )
 
     def test_user_id_strategy(self):
-        with self._commit_validator("validator5") as validator:
-            authorization = "Bearer " + self._create_token()
-            with self._mock_request(authorization=authorization) as request:
-                self.env["ir.http"]._auth_method_jwt_validator5()
-                self.assertEqual(request.uid, validator.static_user_id.id)
+        validator = self._create_validator("validator5")
+        authorization = "Bearer " + self._create_token()
+        with self._mock_request(authorization=authorization) as request:
+            self.env["ir.http"]._auth_method_jwt_validator5()
+            self.assertEqual(request.uid, validator.static_user_id.id)
 
     def test_partner_id_strategy_email_found(self):
         partner = self.env["res.partner"].search([("email", "!=", False)])[0]
-        with self._commit_validator("validator6"):
-            authorization = "Bearer " + self._create_token(email=partner.email)
-            with self._mock_request(authorization=authorization) as request:
-                self.env["ir.http"]._auth_method_jwt_validator6()
-                self.assertEqual(request.jwt_partner_id, partner.id)
+        self._create_validator("validator6")
+        authorization = "Bearer " + self._create_token(email=partner.email)
+        with self._mock_request(authorization=authorization) as request:
+            self.env["ir.http"]._auth_method_jwt_validator6()
+            self.assertEqual(request.jwt_partner_id, partner.id)
 
     def test_partner_id_strategy_email_not_found(self):
-        with self._commit_validator("validator6"):
-            authorization = "Bearer " + self._create_token(
-                email="notanemail@example.com"
-            )
-            with self._mock_request(authorization=authorization) as request:
-                self.env["ir.http"]._auth_method_jwt_validator6()
-                self.assertFalse(request.jwt_partner_id)
+        self._create_validator("validator6")
+        authorization = "Bearer " + self._create_token(email="notanemail@example.com")
+        with self._mock_request(authorization=authorization) as request:
+            self.env["ir.http"]._auth_method_jwt_validator6()
+            self.assertFalse(request.jwt_partner_id)
 
     def test_partner_id_strategy_email_not_found_partner_required(self):
-        with self._commit_validator("validator6", partner_id_required=True):
-            authorization = "Bearer " + self._create_token(
-                email="notanemail@example.com"
-            )
-            with self._mock_request(authorization=authorization):
-                with self.assertRaises(UnauthorizedPartnerNotFound):
-                    self.env["ir.http"]._auth_method_jwt_validator6()
+        self._create_validator("validator6", partner_id_required=True)
+        authorization = "Bearer " + self._create_token(email="notanemail@example.com")
+        with self._mock_request(authorization=authorization):
+            with self.assertRaises(UnauthorizedPartnerNotFound):
+                self.env["ir.http"]._auth_method_jwt_validator6()
 
     def test_get_validator(self):
         AuthJwtValidator = self.env["auth.jwt.validator"]
@@ -296,8 +403,8 @@ def test_public_or_jwt_no_token(self):
             assert not hasattr(request, "jwt_payload")
 
     def test_public_or_jwt_valid_token(self):
-        with self._commit_validator("validator"):
-            authorization = "Bearer " + self._create_token()
-            with self._mock_request(authorization=authorization) as request:
-                self.env["ir.http"]._auth_method_public_or_jwt_validator()
-                assert request.jwt_payload["aud"] == "me"
+        self._create_validator("validator")
+        authorization = "Bearer " + self._create_token()
+        with self._mock_request(authorization=authorization) as request:
+            self.env["ir.http"]._auth_method_public_or_jwt_validator()
+            assert request.jwt_payload["aud"] == "me"
diff --git a/auth_jwt/views/auth_jwt_validator_views.xml b/auth_jwt/views/auth_jwt_validator_views.xml
index 11c9c42e75..6bafe97978 100644
--- a/auth_jwt/views/auth_jwt_validator_views.xml
+++ b/auth_jwt/views/auth_jwt_validator_views.xml
@@ -10,6 +10,7 @@
                         <group colspan="2">
                             <field name="name" />
                             <field name="audience" />
+                            <field name="next_validator_id" />
                         </group>
                         <group colspan="2">
                             <field name="issuer" />
@@ -69,6 +70,7 @@
                 <field name="user_id_strategy" />
                 <field name="partner_id_strategy" />
                 <field name="partner_id_required" />
+                <field name="next_validator_id" />
             </tree>
         </field>
     </record>

From f486b8a2986a2edc4dc6a222b6b7d1f93c0b85a2 Mon Sep 17 00:00:00 2001
From: oca-ci <oca-ci@odoo-community.org>
Date: Tue, 14 Jun 2022 12:18:56 +0000
Subject: [PATCH 21/43] [UPD] Update auth_jwt.pot

---
 auth_jwt/i18n/auth_jwt.pot | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/auth_jwt/i18n/auth_jwt.pot b/auth_jwt/i18n/auth_jwt.pot
index 5d22a8cac2..3c056f6751 100644
--- a/auth_jwt/i18n/auth_jwt.pot
+++ b/auth_jwt/i18n/auth_jwt.pot
@@ -153,6 +153,16 @@ msgstr ""
 msgid "Name %r is not a valid python identifier."
 msgstr ""
 
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__next_validator_id
+msgid "Next Validator"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__next_validator_id
+msgid "Next validator to try if this one fails"
+msgstr ""
+
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps256
 msgid "PS256 - RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256"
@@ -248,6 +258,12 @@ msgstr ""
 msgid "User Id Strategy"
 msgstr ""
 
+#. module: auth_jwt
+#: code:addons/auth_jwt/models/auth_jwt_validator.py:0
+#, python-format
+msgid "Validators mustn't make a closed chain: {}."
+msgstr ""
+
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_tree

From e82d36fb5911d02d6727f1ee608e0d94047a6946 Mon Sep 17 00:00:00 2001
From: OCA-git-bot <oca-git-bot@odoo-community.org>
Date: Tue, 14 Jun 2022 12:24:54 +0000
Subject: [PATCH 22/43] auth_jwt 14.0.2.0.0

---
 auth_jwt/__manifest__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
index 2e9ae85bd5..a8411ffd3f 100644
--- a/auth_jwt/__manifest__.py
+++ b/auth_jwt/__manifest__.py
@@ -5,7 +5,7 @@
     "name": "Auth JWT",
     "summary": """
         JWT bearer token authentication.""",
-    "version": "14.0.1.2.0",
+    "version": "14.0.2.0.0",
     "license": "LGPL-3",
     "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
     "maintainers": ["sbidoul"],

From e884ba22a008a267802ec4c159171a242d06df04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Tue, 6 Jun 2023 12:18:24 +0200
Subject: [PATCH 23/43] [MIG] auth_jwt from 14 to 16

---
 auth_jwt/__manifest__.py                    | 2 +-
 auth_jwt/models/auth_jwt_validator.py       | 6 +++---
 auth_jwt/models/ir_http.py                  | 2 +-
 auth_jwt/tests/test_auth_jwt.py             | 6 ++++--
 auth_jwt/views/auth_jwt_validator_views.xml | 2 +-
 5 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
index a8411ffd3f..903eb0d11b 100644
--- a/auth_jwt/__manifest__.py
+++ b/auth_jwt/__manifest__.py
@@ -5,7 +5,7 @@
     "name": "Auth JWT",
     "summary": """
         JWT bearer token authentication.""",
-    "version": "14.0.2.0.0",
+    "version": "16.0.1.0.0",
     "license": "LGPL-3",
     "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
     "maintainers": ["sbidoul"],
diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index 3d3c9b4d7c..9d0daec563 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -136,7 +136,7 @@ def _decode(self, token):
                 header = jwt.get_unverified_header(token)
             except Exception as e:
                 _logger.info("Invalid token: %s", e)
-                raise UnauthorizedInvalidToken()
+                raise UnauthorizedInvalidToken() from e
             key = self._get_key(header.get("kid"))
             algorithm = self.public_key_algorithm
         try:
@@ -155,7 +155,7 @@ def _decode(self, token):
             )
         except Exception as e:
             _logger.info("Invalid token: %s", e)
-            raise UnauthorizedInvalidToken()
+            raise UnauthorizedInvalidToken() from e
         return payload
 
     def _get_uid(self, payload):
@@ -216,7 +216,7 @@ def _unregister_auth_method(self):
             try:
                 delattr(IrHttp.__class__, f"_auth_method_jwt_{rec.name}")
                 delattr(IrHttp.__class__, f"_auth_method_public_or_jwt_{rec.name}")
-            except AttributeError:
+            except AttributeError:  # pylint: disable=except-pass
                 pass
 
     @api.model_create_multi
diff --git a/auth_jwt/models/ir_http.py b/auth_jwt/models/ir_http.py
index 89bfec6cde..e53f7c420d 100644
--- a/auth_jwt/models/ir_http.py
+++ b/auth_jwt/models/ir_http.py
@@ -83,7 +83,7 @@ def _auth_method_jwt(cls, validator_name=None):
         uid = validator._get_and_check_uid(payload)
         assert uid
         partner_id = validator._get_and_check_partner_id(payload)
-        request.uid = uid  # this resets request.env
+        request.update_env(user=uid)
         request.jwt_payload = payload
         request.jwt_partner_id = partner_id
 
diff --git a/auth_jwt/tests/test_auth_jwt.py b/auth_jwt/tests/test_auth_jwt.py
index c1e00c660c..f54527b646 100644
--- a/auth_jwt/tests/test_auth_jwt.py
+++ b/auth_jwt/tests/test_auth_jwt.py
@@ -263,7 +263,7 @@ def test_user_id_strategy(self):
         authorization = "Bearer " + self._create_token()
         with self._mock_request(authorization=authorization) as request:
             self.env["ir.http"]._auth_method_jwt_validator5()
-            self.assertEqual(request.uid, validator.static_user_id.id)
+            self.assertEqual(request.env.uid, validator.static_user_id.id)
 
     def test_partner_id_strategy_email_found(self):
         partner = self.env["res.partner"].search([("email", "!=", False)])[0]
@@ -399,7 +399,9 @@ def test_name_check(self):
     def test_public_or_jwt_no_token(self):
         with self._mock_request(authorization=None) as request:
             self.env["ir.http"]._auth_method_public_or_jwt()
-            assert request.uid == self.env.ref("base.public_user").id
+            request.update_env.assert_called_once_with(
+                user=self.env.ref("base.public_user").id
+            )
             assert not hasattr(request, "jwt_payload")
 
     def test_public_or_jwt_valid_token(self):
diff --git a/auth_jwt/views/auth_jwt_validator_views.xml b/auth_jwt/views/auth_jwt_validator_views.xml
index 6bafe97978..4ccce4af5b 100644
--- a/auth_jwt/views/auth_jwt_validator_views.xml
+++ b/auth_jwt/views/auth_jwt_validator_views.xml
@@ -62,7 +62,7 @@
         <field name="name">auth.jwt.validator.tree</field>
         <field name="model">auth.jwt.validator</field>
         <field name="arch" type="xml">
-            <tree string="arch">
+            <tree>
                 <field name="name" />
                 <field name="issuer" />
                 <field name="audience" />

From cda5566840a8eeea58c49bc951b63b8a98fc3df8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Tue, 6 Jun 2023 15:54:10 +0200
Subject: [PATCH 24/43] [MIG] auth_jwt: convert unit tests to integration tests

The unit tests were broken for non-functional reasons (interaction with
the mock) and is easier to implement as integration test.
---
 auth_jwt/tests/test_auth_jwt.py | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)

diff --git a/auth_jwt/tests/test_auth_jwt.py b/auth_jwt/tests/test_auth_jwt.py
index f54527b646..5295f4aeb1 100644
--- a/auth_jwt/tests/test_auth_jwt.py
+++ b/auth_jwt/tests/test_auth_jwt.py
@@ -72,6 +72,7 @@ def _create_validator(
         issuer="http://the.issuer",
         secret_key="thesecret",
         partner_id_required=False,
+        static_user_id=1,
     ):
         return self.env["auth.jwt.validator"].create(
             dict(
@@ -82,6 +83,7 @@ def _create_validator(
                 audience=audience,
                 issuer=issuer,
                 user_id_strategy="static",
+                static_user_id=static_user_id,
                 partner_id_strategy="email",
                 partner_id_required=partner_id_required,
             )
@@ -258,13 +260,6 @@ def test_invalid_validation_auto_chain(self):
             "Validators mustn't make a closed chain: " "validator -> validator.",
         )
 
-    def test_user_id_strategy(self):
-        validator = self._create_validator("validator5")
-        authorization = "Bearer " + self._create_token()
-        with self._mock_request(authorization=authorization) as request:
-            self.env["ir.http"]._auth_method_jwt_validator5()
-            self.assertEqual(request.env.uid, validator.static_user_id.id)
-
     def test_partner_id_strategy_email_found(self):
         partner = self.env["res.partner"].search([("email", "!=", False)])[0]
         self._create_validator("validator6")
@@ -396,14 +391,6 @@ def test_name_check(self):
         with self.assertRaises(ValidationError):
             self._create_validator(name="not an identifier")
 
-    def test_public_or_jwt_no_token(self):
-        with self._mock_request(authorization=None) as request:
-            self.env["ir.http"]._auth_method_public_or_jwt()
-            request.update_env.assert_called_once_with(
-                user=self.env.ref("base.public_user").id
-            )
-            assert not hasattr(request, "jwt_payload")
-
     def test_public_or_jwt_valid_token(self):
         self._create_validator("validator")
         authorization = "Bearer " + self._create_token()

From 9a78860cb86cb00420e0004a6d747eb3706d2f24 Mon Sep 17 00:00:00 2001
From: oca-ci <oca-ci@odoo-community.org>
Date: Wed, 7 Jun 2023 11:10:49 +0000
Subject: [PATCH 25/43] [UPD] Update auth_jwt.pot

---
 auth_jwt/i18n/auth_jwt.pot | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/auth_jwt/i18n/auth_jwt.pot b/auth_jwt/i18n/auth_jwt.pot
index 3c056f6751..b6989930e2 100644
--- a/auth_jwt/i18n/auth_jwt.pot
+++ b/auth_jwt/i18n/auth_jwt.pot
@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: Odoo Server 14.0\n"
+"Project-Id-Version: Odoo Server 16.0\n"
 "Report-Msgid-Bugs-To: \n"
 "Last-Translator: \n"
 "Language-Team: \n"
@@ -40,7 +40,6 @@ msgstr ""
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__display_name
-#: model:ir.model.fields,field_description:auth_jwt.field_ir_http__display_name
 msgid "Display Name"
 msgstr ""
 
@@ -91,7 +90,6 @@ msgstr ""
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__id
-#: model:ir.model.fields,field_description:auth_jwt.field_ir_http__id
 msgid "ID"
 msgstr ""
 
@@ -128,7 +126,6 @@ msgstr ""
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator____last_update
-#: model:ir.model.fields,field_description:auth_jwt.field_ir_http____last_update
 msgid "Last Modified on"
 msgstr ""
 
@@ -148,6 +145,7 @@ msgid "Name"
 msgstr ""
 
 #. module: auth_jwt
+#. odoo-python
 #: code:addons/auth_jwt/models/auth_jwt_validator.py:0
 #, python-format
 msgid "Name %r is not a valid python identifier."
@@ -259,6 +257,7 @@ msgid "User Id Strategy"
 msgstr ""
 
 #. module: auth_jwt
+#. odoo-python
 #: code:addons/auth_jwt/models/auth_jwt_validator.py:0
 #, python-format
 msgid "Validators mustn't make a closed chain: {}."
@@ -266,6 +265,5 @@ msgstr ""
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
-#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_tree
 msgid "arch"
 msgstr ""

From 7c33f97735335c464caaf4c4915c5df2c754172f Mon Sep 17 00:00:00 2001
From: OCA-git-bot <oca-git-bot@odoo-community.org>
Date: Wed, 7 Jun 2023 11:20:42 +0000
Subject: [PATCH 26/43] [UPD] README.rst

---
 auth_jwt/README.rst                    | 10 +++++-----
 auth_jwt/static/description/index.html |  6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/auth_jwt/README.rst b/auth_jwt/README.rst
index 002a5092bf..82b57b1d3a 100644
--- a/auth_jwt/README.rst
+++ b/auth_jwt/README.rst
@@ -14,13 +14,13 @@ Auth JWT
     :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html
     :alt: License: LGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
-    :target: https://github.com/OCA/server-auth/tree/14.0/auth_jwt
+    :target: https://github.com/OCA/server-auth/tree/16.0/auth_jwt
     :alt: OCA/server-auth
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
-    :target: https://translation.odoo-community.org/projects/server-auth-14-0/server-auth-14-0-auth_jwt
+    :target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt
     :alt: Translate me on Weblate
 .. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
-    :target: https://runbot.odoo-community.org/runbot/251/14.0
+    :target: https://runbot.odoo-community.org/runbot/251/16.0
     :alt: Try me on Runbot
 
 |badge1| |badge2| |badge3| |badge4| |badge5| 
@@ -102,7 +102,7 @@ Bug Tracker
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us smashing it by providing a detailed and welcomed
-`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2014.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 
 Do not contact contributors directly about support or help with technical issues.
 
@@ -140,6 +140,6 @@ Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
 
 |maintainer-sbidoul| 
 
-This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/14.0/auth_jwt>`_ project on GitHub.
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/16.0/auth_jwt>`_ project on GitHub.
 
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_jwt/static/description/index.html b/auth_jwt/static/description/index.html
index bd621ae44d..03f946d46d 100644
--- a/auth_jwt/static/description/index.html
+++ b/auth_jwt/static/description/index.html
@@ -367,7 +367,7 @@ <h1 class="title">Auth JWT</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
-<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/lgpl-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-LGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-auth/tree/14.0/auth_jwt"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-auth-14-0/server-auth-14-0-auth_jwt"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/251/14.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
+<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/lgpl-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-LGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-auth/tree/16.0/auth_jwt"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/251/16.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
 <p>JWT bearer token authentication.</p>
 <p><strong>Table of contents</strong></p>
 <div class="contents local topic" id="contents">
@@ -442,7 +442,7 @@ <h1><a class="toc-backref" href="#id3">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us smashing it by providing a detailed and welcomed
-<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2014.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
@@ -468,7 +468,7 @@ <h2><a class="toc-backref" href="#id7">Maintainers</a></h2>
 promote its widespread use.</p>
 <p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
 <p><a class="reference external" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
-<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/14.0/auth_jwt">OCA/server-auth</a> project on GitHub.</p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/16.0/auth_jwt">OCA/server-auth</a> project on GitHub.</p>
 <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
 </div>
 </div>

From d8017fb3c4056c38222f0cc9788d63f0cae188b3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Wed, 7 Jun 2023 16:14:23 +0200
Subject: [PATCH 27/43] auth_jwt: add cookie mode

---
 auth_jwt/exceptions.py                      |  8 +++
 auth_jwt/models/auth_jwt_validator.py       | 41 +++++++++++++++-
 auth_jwt/models/ir_http.py                  | 54 +++++++++++++++++++--
 auth_jwt/readme/USAGE.rst                   | 11 ++++-
 auth_jwt/tests/test_auth_jwt.py             |  6 ++-
 auth_jwt/views/auth_jwt_validator_views.xml | 26 ++++++++--
 6 files changed, 133 insertions(+), 13 deletions(-)

diff --git a/auth_jwt/exceptions.py b/auth_jwt/exceptions.py
index bc81b3ae12..d6129d5f82 100644
--- a/auth_jwt/exceptions.py
+++ b/auth_jwt/exceptions.py
@@ -8,6 +8,10 @@ class UnauthorizedMissingAuthorizationHeader(Unauthorized):
     pass
 
 
+class UnauthorizedMissingCookie(Unauthorized):
+    pass
+
+
 class UnauthorizedMalformedAuthorizationHeader(Unauthorized):
     pass
 
@@ -44,3 +48,7 @@ def __init__(self, errors):
                 for validator_name, error in self.errors.items()
             )
         )
+
+
+class UnauthorizedConfigurationError(Unauthorized):
+    pass
diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index 9d0daec563..d8263cf86d 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -1,7 +1,9 @@
 # Copyright 2021 ACSONE SA/NV
 # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
 
+import datetime
 import logging
+from calendar import timegm
 from functools import partial
 
 import jwt  # pylint: disable=missing-manifest-dependency
@@ -73,6 +75,23 @@ class AuthJwtValidator(models.Model):
         help="Next validator to try if this one fails",
     )
 
+    cookie_enabled = fields.Boolean(
+        help=(
+            "Convert the JWT token into an HttpOnly Secure cookie. "
+            "When both an Authorization header and the cookie are present "
+            "in the request, the cookie is ignored."
+        )
+    )
+    cookie_name = fields.Char(default="authorization")
+    cookie_path = fields.Char(default="/")
+    cookie_max_age = fields.Integer(
+        default=86400 * 365,
+        help="Number of seconds until the cookie expires (Max-Age).",
+    )
+    cookie_secure = fields.Boolean(
+        default=True, help="Set to false only for development without https."
+    )
+
     _sql_constraints = [
         ("name_uniq", "unique(name)", "JWT validator names must be unique !"),
     ]
@@ -126,9 +145,27 @@ def _get_key(self, kid):
         jwks_client = PyJWKClient(self.public_key_jwk_uri, cache_keys=False)
         return jwks_client.get_signing_key(kid).key
 
-    def _decode(self, token):
+    def _encode(self, payload, secret, expire):
+        """Encode and sign a JWT payload so it can be decoded and validated with
+        _decode().
+
+        The aud and iss claims are set to this validator's values.
+        The exp claim is set according to the expire parameter.
+        """
+        payload = dict(
+            payload,
+            exp=timegm(datetime.datetime.utcnow().utctimetuple()) + expire,
+            aud=self.audience,
+            iss=self.issuer,
+        )
+        return jwt.encode(payload, key=secret, algorithm="HS256")
+
+    def _decode(self, token, secret=None):
         """Validate and decode a JWT token, return the payload."""
-        if self.signature_type == "secret":
+        if secret:
+            key = secret
+            algorithm = "HS256"
+        elif self.signature_type == "secret":
             key = self.secret_key
             algorithm = self.secret_algorithm
         else:
diff --git a/auth_jwt/models/ir_http.py b/auth_jwt/models/ir_http.py
index e53f7c420d..c1d9bdd3a0 100644
--- a/auth_jwt/models/ir_http.py
+++ b/auth_jwt/models/ir_http.py
@@ -9,8 +9,10 @@
 
 from ..exceptions import (
     CompositeJwtError,
+    UnauthorizedConfigurationError,
     UnauthorizedMalformedAuthorizationHeader,
     UnauthorizedMissingAuthorizationHeader,
+    UnauthorizedMissingCookie,
     UnauthorizedSessionMismatch,
 )
 
@@ -54,12 +56,33 @@ def _authenticate(cls, endpoint):
                 raise UnauthorizedSessionMismatch()
         return super()._authenticate(endpoint)
 
+    @classmethod
+    def _get_jwt_cookie_secret(cls):
+        secret = request.env["ir.config_parameter"].sudo().get_param("database.secret")
+        if not secret:
+            _logger.error("database.secret system parameter is not set.")
+            raise UnauthorizedConfigurationError()
+        return secret
+
+    @classmethod
+    def _get_jwt_payload(cls, validator):
+        """Obtain and validate the JWT payload from the request authorization header or
+        cookie."""
+        try:
+            token = cls._get_bearer_token()
+            assert token
+            return validator._decode(token)
+        except UnauthorizedMissingAuthorizationHeader:
+            if not validator.cookie_enabled:
+                raise
+            token = cls._get_cookie_token(validator.cookie_name)
+            assert token
+            return validator._decode(token, secret=cls._get_jwt_cookie_secret())
+
     @classmethod
     def _auth_method_jwt(cls, validator_name=None):
         assert not request.uid
         assert not request.session.uid
-        token = cls._get_bearer_token()
-        assert token
         # # Use request cursor to allow partner creation strategy in validator
         env = api.Environment(request.cr, SUPERUSER_ID, {})
         validator = env["auth.jwt.validator"]._get_validator_by_name(validator_name)
@@ -69,7 +92,7 @@ def _auth_method_jwt(cls, validator_name=None):
         exceptions = {}
         while validator:
             try:
-                payload = validator._decode(token)
+                payload = cls._get_jwt_payload(validator)
                 break
             except Exception as e:
                 exceptions[validator.name] = e
@@ -80,6 +103,23 @@ def _auth_method_jwt(cls, validator_name=None):
                 raise list(exceptions.values())[0]
             raise CompositeJwtError(exceptions)
 
+        if validator.cookie_enabled:
+            if not validator.cookie_name:
+                _logger.info("Cookie name not set for validator %s", validator.name)
+                raise UnauthorizedConfigurationError()
+            request.future_response.set_cookie(
+                key=validator.cookie_name,
+                value=validator._encode(
+                    payload,
+                    secret=cls._get_jwt_cookie_secret(),
+                    expire=validator.cookie_max_age,
+                ),
+                max_age=validator.cookie_max_age,
+                path=validator.cookie_path or "/",
+                secure=validator.cookie_secure,
+                httponly=True,
+            )
+
         uid = validator._get_and_check_uid(payload)
         assert uid
         partner_id = validator._get_and_check_partner_id(payload)
@@ -106,3 +146,11 @@ def _get_bearer_token(cls):
             _logger.info("Malformed Authorization header.")
             raise UnauthorizedMalformedAuthorizationHeader()
         return mo.group(1)
+
+    @classmethod
+    def _get_cookie_token(cls, cookie_name):
+        token = request.httprequest.cookies.get(cookie_name)
+        if not token:
+            _logger.info("Missing cookie %s.", cookie_name)
+            raise UnauthorizedMissingCookie()
+        return token
diff --git a/auth_jwt/readme/USAGE.rst b/auth_jwt/readme/USAGE.rst
index be48400b6e..7d42e750a9 100644
--- a/auth_jwt/readme/USAGE.rst
+++ b/auth_jwt/readme/USAGE.rst
@@ -24,7 +24,8 @@ The JWT validator can be configured with the following properties:
 In addition, the ``exp`` claim is validated to reject expired tokens.
 
 If the ``Authorization`` HTTP header is missing, malformed, or contains
-an invalid token, the request is rejected with a 401 (Unauthorized) code.
+an invalid token, the request is rejected with a 401 (Unauthorized) code,
+unless the cookie mode is enabled (see below).
 
 If the token is valid, the request executes with the configured user id. By
 default the user id selection strategy is ``static`` (i.e. the same for all
@@ -53,3 +54,11 @@ endpoints that need to work for anonymous users, but can be enhanced when an
 authenticated user is know. A typical use case is a "add to cart" endpoint that can work
 for anonymous users, but can be enhanced by binding the cart to a known customer when
 the authenticated user is known.
+
+You can enable a cookie mode on JWT validators. In this case, the JWT payload obtained
+from the ``Authorization`` header is returned as a Http-Only cookie. This mode is
+sometimes simpler for front-end applications which do not then need to store and protect
+the JWT token across requests and can simply rely on the cookie management mechanisms of
+browsers. When both the ``Authorization`` header and a cookie are provided, the cookie
+is ignored in order to let clients authenticate with a different user by providing a new
+JWT token.
diff --git a/auth_jwt/tests/test_auth_jwt.py b/auth_jwt/tests/test_auth_jwt.py
index 5295f4aeb1..695ec2b773 100644
--- a/auth_jwt/tests/test_auth_jwt.py
+++ b/auth_jwt/tests/test_auth_jwt.py
@@ -90,11 +90,13 @@ def _create_validator(
         )
 
     def test_missing_authorization_header(self):
+        self._create_validator("validator")
         with self._mock_request(authorization=None):
             with self.assertRaises(UnauthorizedMissingAuthorizationHeader):
-                self.env["ir.http"]._auth_method_jwt()
+                self.env["ir.http"]._auth_method_jwt(validator_name="validator")
 
     def test_malformed_authorization_header(self):
+        self._create_validator("validator")
         for authorization in (
             "a",
             "Bearer",
@@ -105,7 +107,7 @@ def test_malformed_authorization_header(self):
         ):
             with self._mock_request(authorization=authorization):
                 with self.assertRaises(UnauthorizedMalformedAuthorizationHeader):
-                    self.env["ir.http"]._auth_method_jwt()
+                    self.env["ir.http"]._auth_method_jwt(validator_name="validator")
 
     def test_auth_method_valid_token(self):
         self._create_validator("validator")
diff --git a/auth_jwt/views/auth_jwt_validator_views.xml b/auth_jwt/views/auth_jwt_validator_views.xml
index 4ccce4af5b..bc907038a9 100644
--- a/auth_jwt/views/auth_jwt_validator_views.xml
+++ b/auth_jwt/views/auth_jwt_validator_views.xml
@@ -7,12 +7,12 @@
             <form string="arch">
                 <sheet>
                     <group col="4">
-                        <group colspan="2">
+                        <group colspan="2" string="General">
                             <field name="name" />
-                            <field name="audience" />
                             <field name="next_validator_id" />
                         </group>
-                        <group colspan="2">
+                        <group colspan="2" string="Token validation">
+                            <field name="audience" />
                             <field name="issuer" />
                             <field name="signature_type" />
                             <field
@@ -41,7 +41,7 @@
                                     'required': [('signature_type', '=', 'public_key')]}"
                             />
                         </group>
-                        <group colspan="2">
+                        <group colspan="2" string="User">
                             <field name="user_id_strategy" />
                             <field
                                 name="static_user_id"
@@ -49,10 +49,26 @@
                                         'required': [('user_id_strategy', '=', 'static')]}"
                             />
                         </group>
-                        <group colspan="2">
+                        <group colspan="2" string="Partner">
                             <field name="partner_id_strategy" />
                             <field name="partner_id_required" />
                         </group>
+                        <group colspan="2" string="Cookie">
+                            <field name="cookie_enabled" />
+                            <field
+                                name="cookie_name"
+                                attrs="{'required': [('cookie_enabled', '=', True)],
+                                        'invisible': [('cookie_enabled', '=', False)]}"
+                            />
+                            <field
+                                name="cookie_path"
+                                attrs="{'invisible': [('cookie_enabled', '=', False)]}"
+                            />
+                            <field
+                                name="cookie_max_age"
+                                attrs="{'invisible': [('cookie_enabled', '=', False)]}"
+                            />
+                        </group>
                     </group>
                 </sheet>
             </form>

From 621b4908d25e92f747ccd6b566f58e870b541b26 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Thu, 8 Jun 2023 08:25:31 +0200
Subject: [PATCH 28/43] auth_jwt: clarify exceptions

Distinguish errors that lead to a 401
from internal configuration errors.
---
 auth_jwt/exceptions.py          |  4 ++--
 auth_jwt/models/ir_http.py      | 13 +++++++------
 auth_jwt/tests/test_auth_jwt.py |  4 ++--
 3 files changed, 11 insertions(+), 10 deletions(-)

diff --git a/auth_jwt/exceptions.py b/auth_jwt/exceptions.py
index d6129d5f82..e8af54d114 100644
--- a/auth_jwt/exceptions.py
+++ b/auth_jwt/exceptions.py
@@ -36,7 +36,7 @@ class UnauthorizedPartnerNotFound(Unauthorized):
     pass
 
 
-class CompositeJwtError(Unauthorized):
+class UnauthorizedCompositeJwtError(Unauthorized):
     """Indicate that multiple errors occurred during JWT chain validation."""
 
     def __init__(self, errors):
@@ -50,5 +50,5 @@ def __init__(self, errors):
         )
 
 
-class UnauthorizedConfigurationError(Unauthorized):
+class ConfigurationError(InternalServerError):
     pass
diff --git a/auth_jwt/models/ir_http.py b/auth_jwt/models/ir_http.py
index c1d9bdd3a0..a78b74f415 100644
--- a/auth_jwt/models/ir_http.py
+++ b/auth_jwt/models/ir_http.py
@@ -8,8 +8,9 @@
 from odoo.http import request
 
 from ..exceptions import (
-    CompositeJwtError,
-    UnauthorizedConfigurationError,
+    ConfigurationError,
+    Unauthorized,
+    UnauthorizedCompositeJwtError,
     UnauthorizedMalformedAuthorizationHeader,
     UnauthorizedMissingAuthorizationHeader,
     UnauthorizedMissingCookie,
@@ -61,7 +62,7 @@ def _get_jwt_cookie_secret(cls):
         secret = request.env["ir.config_parameter"].sudo().get_param("database.secret")
         if not secret:
             _logger.error("database.secret system parameter is not set.")
-            raise UnauthorizedConfigurationError()
+            raise ConfigurationError()
         return secret
 
     @classmethod
@@ -94,19 +95,19 @@ def _auth_method_jwt(cls, validator_name=None):
             try:
                 payload = cls._get_jwt_payload(validator)
                 break
-            except Exception as e:
+            except Unauthorized as e:
                 exceptions[validator.name] = e
                 validator = validator.next_validator_id
 
         if not payload:
             if len(exceptions) == 1:
                 raise list(exceptions.values())[0]
-            raise CompositeJwtError(exceptions)
+            raise UnauthorizedCompositeJwtError(exceptions)
 
         if validator.cookie_enabled:
             if not validator.cookie_name:
                 _logger.info("Cookie name not set for validator %s", validator.name)
-                raise UnauthorizedConfigurationError()
+                raise ConfigurationError()
             request.future_response.set_cookie(
                 key=validator.cookie_name,
                 value=validator._encode(
diff --git a/auth_jwt/tests/test_auth_jwt.py b/auth_jwt/tests/test_auth_jwt.py
index 695ec2b773..20fb59b7cb 100644
--- a/auth_jwt/tests/test_auth_jwt.py
+++ b/auth_jwt/tests/test_auth_jwt.py
@@ -15,8 +15,8 @@
 
 from ..exceptions import (
     AmbiguousJwtValidator,
-    CompositeJwtError,
     JwtValidatorNotFound,
+    UnauthorizedCompositeJwtError,
     UnauthorizedInvalidToken,
     UnauthorizedMalformedAuthorizationHeader,
     UnauthorizedMissingAuthorizationHeader,
@@ -196,7 +196,7 @@ def test_auth_method_invalid_token_on_chain(self):
 
         authorization = "Bearer " + self._create_token()
         with self._mock_request(authorization=authorization):
-            with self.assertRaises(CompositeJwtError) as composite_error:
+            with self.assertRaises(UnauthorizedCompositeJwtError) as composite_error:
                 self.env["ir.http"]._auth_method_jwt_validator()
             self.assertEqual(
                 str(composite_error.exception),

From 91333a6e8a37363b3e79a832fc6612a75c5c588e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Thu, 8 Jun 2023 08:26:57 +0200
Subject: [PATCH 29/43] auth_jwt: minor refactoring

---
 auth_jwt/models/auth_jwt_validator.py |  8 ++++++++
 auth_jwt/models/ir_http.py            | 12 ++----------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index d8263cf86d..72b099c09c 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -15,6 +15,7 @@
 
 from ..exceptions import (
     AmbiguousJwtValidator,
+    ConfigurationError,
     JwtValidatorNotFound,
     UnauthorizedInvalidToken,
     UnauthorizedPartnerNotFound,
@@ -272,3 +273,10 @@ def write(self, vals):
     def unlink(self):
         self._unregister_auth_method()
         return super().unlink()
+
+    def _get_jwt_cookie_secret(self):
+        secret = self.env["ir.config_parameter"].sudo().get_param("database.secret")
+        if not secret:
+            _logger.error("database.secret system parameter is not set.")
+            raise ConfigurationError()
+        return secret
diff --git a/auth_jwt/models/ir_http.py b/auth_jwt/models/ir_http.py
index a78b74f415..3c4a31a256 100644
--- a/auth_jwt/models/ir_http.py
+++ b/auth_jwt/models/ir_http.py
@@ -57,14 +57,6 @@ def _authenticate(cls, endpoint):
                 raise UnauthorizedSessionMismatch()
         return super()._authenticate(endpoint)
 
-    @classmethod
-    def _get_jwt_cookie_secret(cls):
-        secret = request.env["ir.config_parameter"].sudo().get_param("database.secret")
-        if not secret:
-            _logger.error("database.secret system parameter is not set.")
-            raise ConfigurationError()
-        return secret
-
     @classmethod
     def _get_jwt_payload(cls, validator):
         """Obtain and validate the JWT payload from the request authorization header or
@@ -78,7 +70,7 @@ def _get_jwt_payload(cls, validator):
                 raise
             token = cls._get_cookie_token(validator.cookie_name)
             assert token
-            return validator._decode(token, secret=cls._get_jwt_cookie_secret())
+            return validator._decode(token, secret=validator._get_jwt_cookie_secret())
 
     @classmethod
     def _auth_method_jwt(cls, validator_name=None):
@@ -112,7 +104,7 @@ def _auth_method_jwt(cls, validator_name=None):
                 key=validator.cookie_name,
                 value=validator._encode(
                     payload,
-                    secret=cls._get_jwt_cookie_secret(),
+                    secret=validator._get_jwt_cookie_secret(),
                     expire=validator.cookie_max_age,
                 ),
                 max_age=validator.cookie_max_age,

From 2353a46bb55e9dbb4dbe32f5a4672fcf69e2551d Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Thu, 8 Jun 2023 13:05:40 +0200
Subject: [PATCH 30/43] [IMP] auth_jwt: refactor

Extract _parse_bearer_authorization function for easier reuse by fastapi_auth_jwt
---
 auth_jwt/models/auth_jwt_validator.py | 22 ++++++++++++++++++++++
 auth_jwt/models/ir_http.py            | 17 +++--------------
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index 72b099c09c..6d2e938843 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -3,6 +3,7 @@
 
 import datetime
 import logging
+import re
 from calendar import timegm
 from functools import partial
 
@@ -18,11 +19,15 @@
     ConfigurationError,
     JwtValidatorNotFound,
     UnauthorizedInvalidToken,
+    UnauthorizedMalformedAuthorizationHeader,
+    UnauthorizedMissingAuthorizationHeader,
     UnauthorizedPartnerNotFound,
 )
 
 _logger = logging.getLogger(__name__)
 
+AUTHORIZATION_RE = re.compile(r"^Bearer ([^ ]+)$")
+
 
 class AuthJwtValidator(models.Model):
     _name = "auth.jwt.validator"
@@ -280,3 +285,20 @@ def _get_jwt_cookie_secret(self):
             _logger.error("database.secret system parameter is not set.")
             raise ConfigurationError()
         return secret
+
+    @api.model
+    def _parse_bearer_authorization(self, authorization):
+        """Parse a Bearer token authorization header and return the token.
+
+        Raises UnauthorizedMissingAuthorizationHeader if authorization is falsy.
+        Raises UnauthorizedMalformedAuthorizationHeader if invalid.
+        """
+        if not authorization:
+            _logger.info("Missing Authorization header.")
+            raise UnauthorizedMissingAuthorizationHeader()
+        # https://tools.ietf.org/html/rfc6750#section-2.1
+        mo = AUTHORIZATION_RE.match(authorization)
+        if not mo:
+            _logger.info("Malformed Authorization header.")
+            raise UnauthorizedMalformedAuthorizationHeader()
+        return mo.group(1)
diff --git a/auth_jwt/models/ir_http.py b/auth_jwt/models/ir_http.py
index 3c4a31a256..efa2c49b76 100644
--- a/auth_jwt/models/ir_http.py
+++ b/auth_jwt/models/ir_http.py
@@ -2,7 +2,6 @@
 # License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
 
 import logging
-import re
 
 from odoo import SUPERUSER_ID, api, models
 from odoo.http import request
@@ -11,7 +10,6 @@
     ConfigurationError,
     Unauthorized,
     UnauthorizedCompositeJwtError,
-    UnauthorizedMalformedAuthorizationHeader,
     UnauthorizedMissingAuthorizationHeader,
     UnauthorizedMissingCookie,
     UnauthorizedSessionMismatch,
@@ -20,9 +18,6 @@
 _logger = logging.getLogger(__name__)
 
 
-AUTHORIZATION_RE = re.compile(r"^Bearer ([^ ]+)$")
-
-
 class IrHttpJwt(models.AbstractModel):
 
     _inherit = "ir.http"
@@ -130,15 +125,9 @@ def _auth_method_public_or_jwt(cls, validator_name=None):
     def _get_bearer_token(cls):
         # https://tools.ietf.org/html/rfc2617#section-3.2.2
         authorization = request.httprequest.environ.get("HTTP_AUTHORIZATION")
-        if not authorization:
-            _logger.info("Missing Authorization header.")
-            raise UnauthorizedMissingAuthorizationHeader()
-        # https://tools.ietf.org/html/rfc6750#section-2.1
-        mo = AUTHORIZATION_RE.match(authorization)
-        if not mo:
-            _logger.info("Malformed Authorization header.")
-            raise UnauthorizedMalformedAuthorizationHeader()
-        return mo.group(1)
+        return request.env["auth.jwt.validator"]._parse_bearer_authorization(
+            authorization
+        )
 
     @classmethod
     def _get_cookie_token(cls, cookie_name):

From 8aeef4a989f6a487133dda019c47b9cc7e614910 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Thu, 8 Jun 2023 16:35:36 +0200
Subject: [PATCH 31/43] [FIX] auth_jwt: don't use public mode if a cookie is
 present

---
 auth_jwt/models/ir_http.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/auth_jwt/models/ir_http.py b/auth_jwt/models/ir_http.py
index efa2c49b76..b65118fd88 100644
--- a/auth_jwt/models/ir_http.py
+++ b/auth_jwt/models/ir_http.py
@@ -118,7 +118,13 @@ def _auth_method_jwt(cls, validator_name=None):
     @classmethod
     def _auth_method_public_or_jwt(cls, validator_name=None):
         if "HTTP_AUTHORIZATION" not in request.httprequest.environ:
-            return cls._auth_method_public()
+            env = api.Environment(request.cr, SUPERUSER_ID, {})
+            validator = env["auth.jwt.validator"]._get_validator_by_name(validator_name)
+            assert len(validator) == 1
+            if not validator.cookie_enabled or not request.httprequest.cookies.get(
+                validator.cookie_name
+            ):
+                return cls._auth_method_public()
         return cls._auth_method_jwt(validator_name)
 
     @classmethod

From e003ebd722d02c6063672f92f78fbebb31a0fbc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Fri, 16 Jun 2023 18:34:54 +0200
Subject: [PATCH 32/43] [IMP] auth_jwt: check cookie_name is present in cookie
 mode

---
 auth_jwt/models/auth_jwt_validator.py | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/auth_jwt/models/auth_jwt_validator.py b/auth_jwt/models/auth_jwt_validator.py
index 6d2e938843..13649adad2 100644
--- a/auth_jwt/models/auth_jwt_validator.py
+++ b/auth_jwt/models/auth_jwt_validator.py
@@ -126,6 +126,18 @@ def _check_next_validator_id(self):
                         )
                     )
 
+    @api.constrains("cookie_enabled", "cookie_name")
+    def _check_cookie_name(self):
+        for rec in self:
+            if rec.cookie_enabled and not rec.cookie_name:
+                raise ValidationError(
+                    _(
+                        "A cookie name must be provided on JWT validator %s "
+                        "because it has cookie mode enabled."
+                    )
+                    % (rec.name,)
+                )
+
     @api.model
     def _get_validator_by_name_domain(self, validator_name):
         if validator_name:

From 6131bfff7afea23895fa761b01b3a681cf50f702 Mon Sep 17 00:00:00 2001
From: oca-ci <oca-ci@odoo-community.org>
Date: Fri, 23 Jun 2023 15:09:28 +0000
Subject: [PATCH 33/43] [UPD] Update auth_jwt.pot

---
 auth_jwt/i18n/auth_jwt.pot | 77 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 77 insertions(+)

diff --git a/auth_jwt/i18n/auth_jwt.pot b/auth_jwt/i18n/auth_jwt.pot
index b6989930e2..9068730315 100644
--- a/auth_jwt/i18n/auth_jwt.pot
+++ b/auth_jwt/i18n/auth_jwt.pot
@@ -13,6 +13,15 @@ msgstr ""
 "Content-Transfer-Encoding: \n"
 "Plural-Forms: \n"
 
+#. module: auth_jwt
+#. odoo-python
+#: code:addons/auth_jwt/models/auth_jwt_validator.py:0
+#, python-format
+msgid ""
+"A cookie name must be provided on JWT validator %s because it has cookie "
+"mode enabled."
+msgstr ""
+
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "Algorithm"
@@ -28,6 +37,44 @@ msgstr ""
 msgid "Comma separated list of audiences, to validate aud."
 msgstr ""
 
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_enabled
+msgid ""
+"Convert the JWT token into an HttpOnly Secure cookie. When both an "
+"Authorization header and the cookie are present in the request, the cookie "
+"is ignored."
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Cookie"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_enabled
+msgid "Cookie Enabled"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_max_age
+msgid "Cookie Max Age"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_name
+msgid "Cookie Name"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_path
+msgid "Cookie Path"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_secure
+msgid "Cookie Secure"
+msgstr ""
+
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__create_uid
 msgid "Created by"
@@ -68,6 +115,11 @@ msgstr ""
 msgid "From email claim"
 msgstr ""
 
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "General"
+msgstr ""
+
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs256
 msgid "HS256 - HMAC using SHA-256 hash algorithm"
@@ -161,6 +213,11 @@ msgstr ""
 msgid "Next validator to try if this one fails"
 msgstr ""
 
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_max_age
+msgid "Number of seconds until the cookie expires (Max-Age)."
+msgstr ""
+
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps256
 msgid "PS256 - RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256"
@@ -176,6 +233,11 @@ msgstr ""
 msgid "PS512 - RSASSA-PSS using SHA-512 and MGF1 padding with SHA-512"
 msgstr ""
 
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Partner"
+msgstr ""
+
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__partner_id_required
 msgid "Partner Id Required"
@@ -231,6 +293,11 @@ msgstr ""
 msgid "Secret Key"
 msgstr ""
 
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_secure
+msgid "Set to false only for development without https."
+msgstr ""
+
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__signature_type
 msgid "Signature Type"
@@ -251,6 +318,16 @@ msgstr ""
 msgid "To validate iss."
 msgstr ""
 
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Token validation"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "User"
+msgstr ""
+
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__user_id_strategy
 msgid "User Id Strategy"

From 9942618bb2a42b4b12b8ac870e46e58b2b1d205f Mon Sep 17 00:00:00 2001
From: OCA-git-bot <oca-git-bot@odoo-community.org>
Date: Fri, 23 Jun 2023 15:12:24 +0000
Subject: [PATCH 34/43] [UPD] README.rst

---
 auth_jwt/README.rst                    | 11 ++++++++++-
 auth_jwt/static/description/index.html | 10 +++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/auth_jwt/README.rst b/auth_jwt/README.rst
index 82b57b1d3a..df2b8daca7 100644
--- a/auth_jwt/README.rst
+++ b/auth_jwt/README.rst
@@ -66,7 +66,8 @@ The JWT validator can be configured with the following properties:
 In addition, the ``exp`` claim is validated to reject expired tokens.
 
 If the ``Authorization`` HTTP header is missing, malformed, or contains
-an invalid token, the request is rejected with a 401 (Unauthorized) code.
+an invalid token, the request is rejected with a 401 (Unauthorized) code,
+unless the cookie mode is enabled (see below).
 
 If the token is valid, the request executes with the configured user id. By
 default the user id selection strategy is ``static`` (i.e. the same for all
@@ -96,6 +97,14 @@ authenticated user is know. A typical use case is a "add to cart" endpoint that
 for anonymous users, but can be enhanced by binding the cart to a known customer when
 the authenticated user is known.
 
+You can enable a cookie mode on JWT validators. In this case, the JWT payload obtained
+from the ``Authorization`` header is returned as a Http-Only cookie. This mode is
+sometimes simpler for front-end applications which do not then need to store and protect
+the JWT token across requests and can simply rely on the cookie management mechanisms of
+browsers. When both the ``Authorization`` header and a cookie are provided, the cookie
+is ignored in order to let clients authenticate with a different user by providing a new
+JWT token.
+
 Bug Tracker
 ===========
 
diff --git a/auth_jwt/static/description/index.html b/auth_jwt/static/description/index.html
index 03f946d46d..467640b5ad 100644
--- a/auth_jwt/static/description/index.html
+++ b/auth_jwt/static/description/index.html
@@ -412,7 +412,8 @@ <h1><a class="toc-backref" href="#id2">Usage</a></h1>
 </ul>
 <p>In addition, the <tt class="docutils literal">exp</tt> claim is validated to reject expired tokens.</p>
 <p>If the <tt class="docutils literal">Authorization</tt> HTTP header is missing, malformed, or contains
-an invalid token, the request is rejected with a 401 (Unauthorized) code.</p>
+an invalid token, the request is rejected with a 401 (Unauthorized) code,
+unless the cookie mode is enabled (see below).</p>
 <p>If the token is valid, the request executes with the configured user id. By
 default the user id selection strategy is <tt class="docutils literal">static</tt> (i.e. the same for all
 requests) and the selected user is configured on the JWT validator. Additional
@@ -436,6 +437,13 @@ <h1><a class="toc-backref" href="#id2">Usage</a></h1>
 authenticated user is know. A typical use case is a “add to cart” endpoint that can work
 for anonymous users, but can be enhanced by binding the cart to a known customer when
 the authenticated user is known.</p>
+<p>You can enable a cookie mode on JWT validators. In this case, the JWT payload obtained
+from the <tt class="docutils literal">Authorization</tt> header is returned as a Http-Only cookie. This mode is
+sometimes simpler for front-end applications which do not then need to store and protect
+the JWT token across requests and can simply rely on the cookie management mechanisms of
+browsers. When both the <tt class="docutils literal">Authorization</tt> header and a cookie are provided, the cookie
+is ignored in order to let clients authenticate with a different user by providing a new
+JWT token.</p>
 </div>
 <div class="section" id="bug-tracker">
 <h1><a class="toc-backref" href="#id3">Bug Tracker</a></h1>

From b2001adc9375fad508ad2f4ef4cfb1167c2b9d36 Mon Sep 17 00:00:00 2001
From: OCA-git-bot <oca-git-bot@odoo-community.org>
Date: Fri, 23 Jun 2023 15:12:25 +0000
Subject: [PATCH 35/43] auth_jwt 16.0.1.1.0

---
 auth_jwt/__manifest__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
index 903eb0d11b..059b9bc7ec 100644
--- a/auth_jwt/__manifest__.py
+++ b/auth_jwt/__manifest__.py
@@ -5,7 +5,7 @@
     "name": "Auth JWT",
     "summary": """
         JWT bearer token authentication.""",
-    "version": "16.0.1.0.0",
+    "version": "16.0.1.1.0",
     "license": "LGPL-3",
     "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
     "maintainers": ["sbidoul"],

From b3db3c40cc1401caa27439e44db67109ece5ece0 Mon Sep 17 00:00:00 2001
From: Ivorra78 <informatica@totmaterial.es>
Date: Fri, 25 Aug 2023 13:52:48 +0000
Subject: [PATCH 36/43] Added translation using Weblate (Spanish)

---
 auth_jwt/i18n/es.po | 347 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 347 insertions(+)
 create mode 100644 auth_jwt/i18n/es.po

diff --git a/auth_jwt/i18n/es.po b/auth_jwt/i18n/es.po
new file mode 100644
index 0000000000..c5be458a7a
--- /dev/null
+++ b/auth_jwt/i18n/es.po
@@ -0,0 +1,347 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_jwt
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 16.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: Automatically generated\n"
+"Language-Team: none\n"
+"Language: es\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+
+#. module: auth_jwt
+#. odoo-python
+#: code:addons/auth_jwt/models/auth_jwt_validator.py:0
+#, python-format
+msgid ""
+"A cookie name must be provided on JWT validator %s because it has cookie "
+"mode enabled."
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__audience
+msgid "Audience"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__audience
+msgid "Comma separated list of audiences, to validate aud."
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_enabled
+msgid ""
+"Convert the JWT token into an HttpOnly Secure cookie. When both an "
+"Authorization header and the cookie are present in the request, the cookie "
+"is ignored."
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Cookie"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_enabled
+msgid "Cookie Enabled"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_max_age
+msgid "Cookie Max Age"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_name
+msgid "Cookie Name"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_path
+msgid "Cookie Path"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_secure
+msgid "Cookie Secure"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__create_uid
+msgid "Created by"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__create_date
+msgid "Created on"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__display_name
+msgid "Display Name"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es256
+msgid "ES256 - ECDSA using SHA-256"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es256k
+msgid "ES256K - ECDSA with secp256k1 curve using SHA-256"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es384
+msgid "ES384 - ECDSA using SHA-384"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es512
+msgid "ES512 - ECDSA using SHA-512"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__partner_id_strategy__email
+msgid "From email claim"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "General"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs256
+msgid "HS256 - HMAC using SHA-256 hash algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs384
+msgid "HS384 - HMAC using SHA-384 hash algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs512
+msgid "HS512 - HMAC using SHA-512 hash algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model,name:auth_jwt.model_ir_http
+msgid "HTTP Routing"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__id
+msgid "ID"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__issuer
+msgid "Issuer"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "JWK URI"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model,name:auth_jwt.model_auth_jwt_validator
+msgid "JWT Validator Configuration"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.actions.act_window,name:auth_jwt.action_auth_jwt_validator
+#: model:ir.ui.menu,name:auth_jwt.menu_auth_jwt_validator
+msgid "JWT Validators"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.constraint,message:auth_jwt.constraint_auth_jwt_validator_name_uniq
+msgid "JWT validator names must be unique !"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Key"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator____last_update
+msgid "Last Modified on"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__write_uid
+msgid "Last Updated by"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__write_date
+msgid "Last Updated on"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__name
+msgid "Name"
+msgstr ""
+
+#. module: auth_jwt
+#. odoo-python
+#: code:addons/auth_jwt/models/auth_jwt_validator.py:0
+#, python-format
+msgid "Name %r is not a valid python identifier."
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__next_validator_id
+msgid "Next Validator"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__next_validator_id
+msgid "Next validator to try if this one fails"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_max_age
+msgid "Number of seconds until the cookie expires (Max-Age)."
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps256
+msgid "PS256 - RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps384
+msgid "PS384 - RSASSA-PSS using SHA-384 and MGF1 padding with SHA-384"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps512
+msgid "PS512 - RSASSA-PSS using SHA-512 and MGF1 padding with SHA-512"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Partner"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__partner_id_required
+msgid "Partner Id Required"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__partner_id_strategy
+msgid "Partner Id Strategy"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__public_key_algorithm
+msgid "Public Key Algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__public_key_jwk_uri
+msgid "Public Key Jwk Uri"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__signature_type__public_key
+msgid "Public key"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs256
+msgid "RS256 - RSASSA-PKCS1-v1_5 using SHA-256"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs384
+msgid "RS384 - RSASSA-PKCS1-v1_5 using SHA-384"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs512
+msgid "RS512 - RSASSA-PKCS1-v1_5 using SHA-512"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__signature_type__secret
+msgid "Secret"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__secret_algorithm
+msgid "Secret Algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__secret_key
+msgid "Secret Key"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_secure
+msgid "Set to false only for development without https."
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__signature_type
+msgid "Signature Type"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__user_id_strategy__static
+msgid "Static"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__static_user_id
+msgid "Static User"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__issuer
+msgid "To validate iss."
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Token validation"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "User"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__user_id_strategy
+msgid "User Id Strategy"
+msgstr ""
+
+#. module: auth_jwt
+#. odoo-python
+#: code:addons/auth_jwt/models/auth_jwt_validator.py:0
+#, python-format
+msgid "Validators mustn't make a closed chain: {}."
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "arch"
+msgstr ""

From 6c6a6fb6140c46fd2fa9bc5e65097cd913536b5a Mon Sep 17 00:00:00 2001
From: Ivorra78 <informatica@totmaterial.es>
Date: Fri, 25 Aug 2023 13:54:48 +0000
Subject: [PATCH 37/43] Translated using Weblate (Spanish)

Currently translated at 100.0% (64 of 64 strings)

Translation: server-auth-16.0/server-auth-16.0-auth_jwt
Translate-URL: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt/es/
---
 auth_jwt/i18n/es.po | 134 ++++++++++++++++++++++++--------------------
 1 file changed, 72 insertions(+), 62 deletions(-)

diff --git a/auth_jwt/i18n/es.po b/auth_jwt/i18n/es.po
index c5be458a7a..f3a2eeaaef 100644
--- a/auth_jwt/i18n/es.po
+++ b/auth_jwt/i18n/es.po
@@ -6,13 +6,15 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Odoo Server 16.0\n"
 "Report-Msgid-Bugs-To: \n"
-"Last-Translator: Automatically generated\n"
+"PO-Revision-Date: 2023-09-02 19:25+0000\n"
+"Last-Translator: Ivorra78 <informatica@totmaterial.es>\n"
 "Language-Team: none\n"
 "Language: es\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: \n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 4.17\n"
 
 #. module: auth_jwt
 #. odoo-python
@@ -22,21 +24,23 @@ msgid ""
 "A cookie name must be provided on JWT validator %s because it has cookie "
 "mode enabled."
 msgstr ""
+"Se debe proporcionar un nombre de cookie en el validador JWT %s porque tiene "
+"habilitado el modo cookie."
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "Algorithm"
-msgstr ""
+msgstr "Algoritmo"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__audience
 msgid "Audience"
-msgstr ""
+msgstr "Audiencia"
 
 #. module: auth_jwt
 #: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__audience
 msgid "Comma separated list of audiences, to validate aud."
-msgstr ""
+msgstr "Lista de audiencias separada por comas, para validar aud."
 
 #. module: auth_jwt
 #: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_enabled
@@ -45,303 +49,309 @@ msgid ""
 "Authorization header and the cookie are present in the request, the cookie "
 "is ignored."
 msgstr ""
+"Convierte el código JWT en una cookie HttpOnly Secure. Cuando tanto la "
+"cabecera de autorización como la cookie están presentes en la solicitud, se "
+"ignora la cookie."
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "Cookie"
 msgstr ""
+"Paquete de datos que un programa recibe y reenvía sin cambiarlos y que "
+"normalmente se emplea para indicar que ha ocurrido un evento o situación "
+"especial"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_enabled
 msgid "Cookie Enabled"
-msgstr ""
+msgstr "Cookie habilitada"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_max_age
 msgid "Cookie Max Age"
-msgstr ""
+msgstr "Cookie Edad Máxima"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_name
 msgid "Cookie Name"
-msgstr ""
+msgstr "Nombre de la cookie"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_path
 msgid "Cookie Path"
-msgstr ""
+msgstr "Ruta de Cookies"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_secure
 msgid "Cookie Secure"
-msgstr ""
+msgstr "Cookie segura"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__create_uid
 msgid "Created by"
-msgstr ""
+msgstr "Creado por"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__create_date
 msgid "Created on"
-msgstr ""
+msgstr "Creado el"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__display_name
 msgid "Display Name"
-msgstr ""
+msgstr "Mostrar Nombre"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es256
 msgid "ES256 - ECDSA using SHA-256"
-msgstr ""
+msgstr "ES256 - ECDSA utilizando SHA-256"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es256k
 msgid "ES256K - ECDSA with secp256k1 curve using SHA-256"
-msgstr ""
+msgstr "ES256K - ECDSA con curva secp256k1 utilizando SHA-256"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es384
 msgid "ES384 - ECDSA using SHA-384"
-msgstr ""
+msgstr "ES384 - ECDSA utilizando SHA-384"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es512
 msgid "ES512 - ECDSA using SHA-512"
-msgstr ""
+msgstr "ES512 - ECDSA utilizando SHA-512"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__partner_id_strategy__email
 msgid "From email claim"
-msgstr ""
+msgstr "De la reclamación por correo electrónico"
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "General"
-msgstr ""
+msgstr "General"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs256
 msgid "HS256 - HMAC using SHA-256 hash algorithm"
-msgstr ""
+msgstr "HS256 - HMAC utilizando el algoritmo hash SHA-256"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs384
 msgid "HS384 - HMAC using SHA-384 hash algorithm"
-msgstr ""
+msgstr "HS384 - HMAC utilizando el algoritmo hash SHA-384"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs512
 msgid "HS512 - HMAC using SHA-512 hash algorithm"
-msgstr ""
+msgstr "HS512 - HMAC utilizando el algoritmo hash SHA-512"
 
 #. module: auth_jwt
 #: model:ir.model,name:auth_jwt.model_ir_http
 msgid "HTTP Routing"
-msgstr ""
+msgstr "Enrutamiento HTTP"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__id
 msgid "ID"
-msgstr ""
+msgstr "ID (identificación)"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__issuer
 msgid "Issuer"
-msgstr ""
+msgstr "Emisor"
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "JWK URI"
-msgstr ""
+msgstr "URI DE JWK"
 
 #. module: auth_jwt
 #: model:ir.model,name:auth_jwt.model_auth_jwt_validator
 msgid "JWT Validator Configuration"
-msgstr ""
+msgstr "Configuración del validador JWT"
 
 #. module: auth_jwt
 #: model:ir.actions.act_window,name:auth_jwt.action_auth_jwt_validator
 #: model:ir.ui.menu,name:auth_jwt.menu_auth_jwt_validator
 msgid "JWT Validators"
-msgstr ""
+msgstr "Validadores JWT"
 
 #. module: auth_jwt
 #: model:ir.model.constraint,message:auth_jwt.constraint_auth_jwt_validator_name_uniq
 msgid "JWT validator names must be unique !"
-msgstr ""
+msgstr "¡Los nombres de los validadores JWT deben ser únicos!"
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "Key"
-msgstr ""
+msgstr "Clave"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator____last_update
 msgid "Last Modified on"
-msgstr ""
+msgstr "Última Modificación el"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__write_uid
 msgid "Last Updated by"
-msgstr ""
+msgstr "Última actualización por"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__write_date
 msgid "Last Updated on"
-msgstr ""
+msgstr "Última Actualización el"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__name
 msgid "Name"
-msgstr ""
+msgstr "Nombre"
 
 #. module: auth_jwt
 #. odoo-python
 #: code:addons/auth_jwt/models/auth_jwt_validator.py:0
 #, python-format
 msgid "Name %r is not a valid python identifier."
-msgstr ""
+msgstr "El nombre %r no es un identificador python válido."
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__next_validator_id
 msgid "Next Validator"
-msgstr ""
+msgstr "Siguiente Validador"
 
 #. module: auth_jwt
 #: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__next_validator_id
 msgid "Next validator to try if this one fails"
-msgstr ""
+msgstr "Siguiente validador a probar si éste falla"
 
 #. module: auth_jwt
 #: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_max_age
 msgid "Number of seconds until the cookie expires (Max-Age)."
-msgstr ""
+msgstr "Número de segundos hasta que expira la cookie (Max-Age)."
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps256
 msgid "PS256 - RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256"
-msgstr ""
+msgstr "PS256 - RSASSA-PSS utilizando SHA-256 y relleno MGF1 con SHA-256"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps384
 msgid "PS384 - RSASSA-PSS using SHA-384 and MGF1 padding with SHA-384"
-msgstr ""
+msgstr "PS384 - RSASSA-PSS utilizando SHA-384 y relleno MGF1 con SHA-384"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps512
 msgid "PS512 - RSASSA-PSS using SHA-512 and MGF1 padding with SHA-512"
-msgstr ""
+msgstr "PS512 - RSASSA-PSS utilizando SHA-512 y relleno MGF1 con SHA-512"
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "Partner"
-msgstr ""
+msgstr "Socio"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__partner_id_required
 msgid "Partner Id Required"
-msgstr ""
+msgstr "Id de socio Obligatorio"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__partner_id_strategy
 msgid "Partner Id Strategy"
-msgstr ""
+msgstr "Estrategia de ID de socio"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__public_key_algorithm
 msgid "Public Key Algorithm"
-msgstr ""
+msgstr "Algoritmo de clave pública"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__public_key_jwk_uri
 msgid "Public Key Jwk Uri"
-msgstr ""
+msgstr "Clave pública Jwk Uri"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__signature_type__public_key
 msgid "Public key"
-msgstr ""
+msgstr "Clave pública"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs256
 msgid "RS256 - RSASSA-PKCS1-v1_5 using SHA-256"
-msgstr ""
+msgstr "RS256 - RSASSA-PKCS1-v1_5 utilizando SHA-256"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs384
 msgid "RS384 - RSASSA-PKCS1-v1_5 using SHA-384"
-msgstr ""
+msgstr "RS384 - RSASSA-PKCS1-v1_5 utilizando SHA-384"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs512
 msgid "RS512 - RSASSA-PKCS1-v1_5 using SHA-512"
-msgstr ""
+msgstr "RS512 - RSASSA-PKCS1-v1_5 utilizando SHA-512"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__signature_type__secret
 msgid "Secret"
-msgstr ""
+msgstr "Secreto"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__secret_algorithm
 msgid "Secret Algorithm"
-msgstr ""
+msgstr "Algoritmo secreto"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__secret_key
 msgid "Secret Key"
-msgstr ""
+msgstr "Clave secreta"
 
 #. module: auth_jwt
 #: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_secure
 msgid "Set to false only for development without https."
-msgstr ""
+msgstr "Establecer a Falso sólo para el desarrollo sin https."
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__signature_type
 msgid "Signature Type"
-msgstr ""
+msgstr "Tipo de firma"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__user_id_strategy__static
 msgid "Static"
-msgstr ""
+msgstr "Estático"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__static_user_id
 msgid "Static User"
-msgstr ""
+msgstr "Usuario estático"
 
 #. module: auth_jwt
 #: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__issuer
 msgid "To validate iss."
-msgstr ""
+msgstr "Para validar el iss."
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "Token validation"
-msgstr ""
+msgstr "Validación de símbolos"
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "User"
-msgstr ""
+msgstr "Usuario"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__user_id_strategy
 msgid "User Id Strategy"
-msgstr ""
+msgstr "Estrategia de ID de usuario"
 
 #. module: auth_jwt
 #. odoo-python
 #: code:addons/auth_jwt/models/auth_jwt_validator.py:0
 #, python-format
 msgid "Validators mustn't make a closed chain: {}."
-msgstr ""
+msgstr "Los validadores no deben hacer una cadena cerrada: {}."
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "arch"
-msgstr ""
+msgstr "arch"

From 80cd757599f9135d7b5586f267345d19f6b7274a Mon Sep 17 00:00:00 2001
From: OCA-git-bot <oca-git-bot@odoo-community.org>
Date: Sun, 3 Sep 2023 16:34:35 +0000
Subject: [PATCH 38/43] [UPD] README.rst

---
 auth_jwt/README.rst                    | 15 +++++----
 auth_jwt/static/description/index.html | 44 ++++++++++++++------------
 2 files changed, 32 insertions(+), 27 deletions(-)

diff --git a/auth_jwt/README.rst b/auth_jwt/README.rst
index df2b8daca7..f309f82757 100644
--- a/auth_jwt/README.rst
+++ b/auth_jwt/README.rst
@@ -2,10 +2,13 @@
 Auth JWT
 ========
 
-.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:d22309ac82ef1eb8879974683b10d4be288eb330fd7e250927f1a8d602dc3988
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
     :target: https://odoo-community.org/page/development-status
@@ -19,11 +22,11 @@ Auth JWT
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
     :target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt
     :alt: Translate me on Weblate
-.. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
-    :target: https://runbot.odoo-community.org/runbot/251/16.0
-    :alt: Try me on Runbot
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=16.0
+    :alt: Try me on Runboat
 
-|badge1| |badge2| |badge3| |badge4| |badge5| 
+|badge1| |badge2| |badge3| |badge4| |badge5|
 
 JWT bearer token authentication.
 
@@ -110,7 +113,7 @@ Bug Tracker
 
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
-If you spotted it first, help us smashing it by providing a detailed and welcomed
+If you spotted it first, help us to smash it by providing a detailed and welcomed
 `feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 
 Do not contact contributors directly about support or help with technical issues.
diff --git a/auth_jwt/static/description/index.html b/auth_jwt/static/description/index.html
index 467640b5ad..109b2c3500 100644
--- a/auth_jwt/static/description/index.html
+++ b/auth_jwt/static/description/index.html
@@ -1,20 +1,20 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<meta name="generator" content="Docutils 0.15.1: http://docutils.sourceforge.net/" />
+<meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
 <title>Auth JWT</title>
 <style type="text/css">
 
 /*
 :Author: David Goodger (goodger@python.org)
-:Id: $Id: html4css1.css 7952 2016-07-26 18:15:59Z milde $
+:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $
 :Copyright: This stylesheet has been placed in the public domain.
 
 Default cascading style sheet for the HTML output of Docutils.
 
-See http://docutils.sf.net/docs/howto/html-stylesheets.html for how to
+See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
 customize this style sheet.
 */
 
@@ -366,29 +366,31 @@ <h1 class="title">Auth JWT</h1>
 <!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! source digest: sha256:d22309ac82ef1eb8879974683b10d4be288eb330fd7e250927f1a8d602dc3988
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
-<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/lgpl-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-LGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-auth/tree/16.0/auth_jwt"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/251/16.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/lgpl-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-LGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/16.0/auth_jwt"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>JWT bearer token authentication.</p>
 <p><strong>Table of contents</strong></p>
 <div class="contents local topic" id="contents">
 <ul class="simple">
-<li><a class="reference internal" href="#installation" id="id1">Installation</a></li>
-<li><a class="reference internal" href="#usage" id="id2">Usage</a></li>
-<li><a class="reference internal" href="#bug-tracker" id="id3">Bug Tracker</a></li>
-<li><a class="reference internal" href="#credits" id="id4">Credits</a><ul>
-<li><a class="reference internal" href="#authors" id="id5">Authors</a></li>
-<li><a class="reference internal" href="#contributors" id="id6">Contributors</a></li>
-<li><a class="reference internal" href="#maintainers" id="id7">Maintainers</a></li>
+<li><a class="reference internal" href="#installation" id="toc-entry-1">Installation</a></li>
+<li><a class="reference internal" href="#usage" id="toc-entry-2">Usage</a></li>
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-3">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-4">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="toc-entry-5">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="toc-entry-6">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="toc-entry-7">Maintainers</a></li>
 </ul>
 </li>
 </ul>
 </div>
 <div class="section" id="installation">
-<h1><a class="toc-backref" href="#id1">Installation</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-1">Installation</a></h1>
 <p>This module requires the <tt class="docutils literal">pyjwt</tt> library to be installed.</p>
 </div>
 <div class="section" id="usage">
-<h1><a class="toc-backref" href="#id2">Usage</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-2">Usage</a></h1>
 <p>This module lets developpers add a new <tt class="docutils literal">jwt</tt> authentication method on Odoo
 controller routes.</p>
 <p>To use it, you must:</p>
@@ -446,36 +448,36 @@ <h1><a class="toc-backref" href="#id2">Usage</a></h1>
 JWT token.</p>
 </div>
 <div class="section" id="bug-tracker">
-<h1><a class="toc-backref" href="#id3">Bug Tracker</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-3">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
-If you spotted it first, help us smashing it by providing a detailed and welcomed
+If you spotted it first, help us to smash it by providing a detailed and welcomed
 <a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
-<h1><a class="toc-backref" href="#id4">Credits</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-4">Credits</a></h1>
 <div class="section" id="authors">
-<h2><a class="toc-backref" href="#id5">Authors</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-5">Authors</a></h2>
 <ul class="simple">
 <li>ACSONE SA/NV</li>
 </ul>
 </div>
 <div class="section" id="contributors">
-<h2><a class="toc-backref" href="#id6">Contributors</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-6">Contributors</a></h2>
 <ul class="simple">
 <li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
 </ul>
 </div>
 <div class="section" id="maintainers">
-<h2><a class="toc-backref" href="#id7">Maintainers</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-7">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
 <a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.</p>
 <p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
-<p><a class="reference external" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
+<p><a class="reference external image-reference" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
 <p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/16.0/auth_jwt">OCA/server-auth</a> project on GitHub.</p>
 <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
 </div>

From 516540774f9d04fc184800d98c7de304cee928a9 Mon Sep 17 00:00:00 2001
From: Riccardo Bellanova <bellanova@webmonks.it>
Date: Fri, 15 Dec 2023 08:57:26 +0000
Subject: [PATCH 39/43] Added translation using Weblate (Italian)

---
 auth_jwt/i18n/it.po | 347 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 347 insertions(+)
 create mode 100644 auth_jwt/i18n/it.po

diff --git a/auth_jwt/i18n/it.po b/auth_jwt/i18n/it.po
new file mode 100644
index 0000000000..3b337b274b
--- /dev/null
+++ b/auth_jwt/i18n/it.po
@@ -0,0 +1,347 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_jwt
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 16.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: Automatically generated\n"
+"Language-Team: none\n"
+"Language: it\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+
+#. module: auth_jwt
+#. odoo-python
+#: code:addons/auth_jwt/models/auth_jwt_validator.py:0
+#, python-format
+msgid ""
+"A cookie name must be provided on JWT validator %s because it has cookie "
+"mode enabled."
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__audience
+msgid "Audience"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__audience
+msgid "Comma separated list of audiences, to validate aud."
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_enabled
+msgid ""
+"Convert the JWT token into an HttpOnly Secure cookie. When both an "
+"Authorization header and the cookie are present in the request, the cookie "
+"is ignored."
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Cookie"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_enabled
+msgid "Cookie Enabled"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_max_age
+msgid "Cookie Max Age"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_name
+msgid "Cookie Name"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_path
+msgid "Cookie Path"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_secure
+msgid "Cookie Secure"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__create_uid
+msgid "Created by"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__create_date
+msgid "Created on"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__display_name
+msgid "Display Name"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es256
+msgid "ES256 - ECDSA using SHA-256"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es256k
+msgid "ES256K - ECDSA with secp256k1 curve using SHA-256"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es384
+msgid "ES384 - ECDSA using SHA-384"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es512
+msgid "ES512 - ECDSA using SHA-512"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__partner_id_strategy__email
+msgid "From email claim"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "General"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs256
+msgid "HS256 - HMAC using SHA-256 hash algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs384
+msgid "HS384 - HMAC using SHA-384 hash algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs512
+msgid "HS512 - HMAC using SHA-512 hash algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model,name:auth_jwt.model_ir_http
+msgid "HTTP Routing"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__id
+msgid "ID"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__issuer
+msgid "Issuer"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "JWK URI"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model,name:auth_jwt.model_auth_jwt_validator
+msgid "JWT Validator Configuration"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.actions.act_window,name:auth_jwt.action_auth_jwt_validator
+#: model:ir.ui.menu,name:auth_jwt.menu_auth_jwt_validator
+msgid "JWT Validators"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.constraint,message:auth_jwt.constraint_auth_jwt_validator_name_uniq
+msgid "JWT validator names must be unique !"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Key"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator____last_update
+msgid "Last Modified on"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__write_uid
+msgid "Last Updated by"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__write_date
+msgid "Last Updated on"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__name
+msgid "Name"
+msgstr ""
+
+#. module: auth_jwt
+#. odoo-python
+#: code:addons/auth_jwt/models/auth_jwt_validator.py:0
+#, python-format
+msgid "Name %r is not a valid python identifier."
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__next_validator_id
+msgid "Next Validator"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__next_validator_id
+msgid "Next validator to try if this one fails"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_max_age
+msgid "Number of seconds until the cookie expires (Max-Age)."
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps256
+msgid "PS256 - RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps384
+msgid "PS384 - RSASSA-PSS using SHA-384 and MGF1 padding with SHA-384"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps512
+msgid "PS512 - RSASSA-PSS using SHA-512 and MGF1 padding with SHA-512"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Partner"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__partner_id_required
+msgid "Partner Id Required"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__partner_id_strategy
+msgid "Partner Id Strategy"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__public_key_algorithm
+msgid "Public Key Algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__public_key_jwk_uri
+msgid "Public Key Jwk Uri"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__signature_type__public_key
+msgid "Public key"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs256
+msgid "RS256 - RSASSA-PKCS1-v1_5 using SHA-256"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs384
+msgid "RS384 - RSASSA-PKCS1-v1_5 using SHA-384"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs512
+msgid "RS512 - RSASSA-PKCS1-v1_5 using SHA-512"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__signature_type__secret
+msgid "Secret"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__secret_algorithm
+msgid "Secret Algorithm"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__secret_key
+msgid "Secret Key"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_secure
+msgid "Set to false only for development without https."
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__signature_type
+msgid "Signature Type"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__user_id_strategy__static
+msgid "Static"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__static_user_id
+msgid "Static User"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__issuer
+msgid "To validate iss."
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "Token validation"
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "User"
+msgstr ""
+
+#. module: auth_jwt
+#: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__user_id_strategy
+msgid "User Id Strategy"
+msgstr ""
+
+#. module: auth_jwt
+#. odoo-python
+#: code:addons/auth_jwt/models/auth_jwt_validator.py:0
+#, python-format
+msgid "Validators mustn't make a closed chain: {}."
+msgstr ""
+
+#. module: auth_jwt
+#: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+msgid "arch"
+msgstr ""

From d5135a4342f597b12b459b05623e699cc0b62838 Mon Sep 17 00:00:00 2001
From: Riccardo Bellanova <bellanova@webmonks.it>
Date: Fri, 15 Dec 2023 10:43:43 +0000
Subject: [PATCH 40/43] Translated using Weblate (Italian)

Currently translated at 89.0% (57 of 64 strings)

Translation: server-auth-16.0/server-auth-16.0-auth_jwt
Translate-URL: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt/it/
---
 auth_jwt/i18n/it.po | 140 ++++++++++++++++++++++++--------------------
 1 file changed, 77 insertions(+), 63 deletions(-)

diff --git a/auth_jwt/i18n/it.po b/auth_jwt/i18n/it.po
index 3b337b274b..9336d05128 100644
--- a/auth_jwt/i18n/it.po
+++ b/auth_jwt/i18n/it.po
@@ -6,13 +6,15 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Odoo Server 16.0\n"
 "Report-Msgid-Bugs-To: \n"
-"Last-Translator: Automatically generated\n"
+"PO-Revision-Date: 2023-12-15 13:34+0000\n"
+"Last-Translator: Riccardo Bellanova <bellanova@webmonks.it>\n"
 "Language-Team: none\n"
 "Language: it\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: \n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 4.17\n"
 
 #. module: auth_jwt
 #. odoo-python
@@ -22,21 +24,23 @@ msgid ""
 "A cookie name must be provided on JWT validator %s because it has cookie "
 "mode enabled."
 msgstr ""
+"È necessario fornire un nome del cookie sul validatore JWT %s perché ha la "
+"modalità cookie abilitata."
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "Algorithm"
-msgstr ""
+msgstr "Algoritmo"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__audience
 msgid "Audience"
-msgstr ""
+msgstr "Audience"
 
 #. module: auth_jwt
 #: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__audience
 msgid "Comma separated list of audiences, to validate aud."
-msgstr ""
+msgstr "Elenco di audience separati da virgole, per validare aud."
 
 #. module: auth_jwt
 #: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_enabled
@@ -45,303 +49,313 @@ msgid ""
 "Authorization header and the cookie are present in the request, the cookie "
 "is ignored."
 msgstr ""
+"Converti il token JWT in un cookie HttpOnly Secure. Quando nella richiesta "
+"sono presenti sia un Authorization header che il cookie, il cookie viene "
+"ignorato."
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "Cookie"
-msgstr ""
+msgstr "Cookie"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_enabled
 msgid "Cookie Enabled"
-msgstr ""
+msgstr "Cookie abilitato"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_max_age
 msgid "Cookie Max Age"
-msgstr ""
+msgstr "Durata massima cookie"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_name
 msgid "Cookie Name"
-msgstr ""
+msgstr "Nome cookie"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_path
 msgid "Cookie Path"
-msgstr ""
+msgstr "Path cookie"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_secure
+#, fuzzy
 msgid "Cookie Secure"
-msgstr ""
+msgstr "Cookie Secure"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__create_uid
 msgid "Created by"
-msgstr ""
+msgstr "Creato da"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__create_date
 msgid "Created on"
-msgstr ""
+msgstr "Creato il"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__display_name
 msgid "Display Name"
-msgstr ""
+msgstr "Nome visualizzato"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es256
 msgid "ES256 - ECDSA using SHA-256"
-msgstr ""
+msgstr "ES256 - ECDSA usando SHA-256"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es256k
 msgid "ES256K - ECDSA with secp256k1 curve using SHA-256"
-msgstr ""
+msgstr "ES256K - ECDSA con curva secp256k1 usando SHA-256"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es384
 msgid "ES384 - ECDSA using SHA-384"
-msgstr ""
+msgstr "ES384 - ECDSA usando SHA-384"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__es512
 msgid "ES512 - ECDSA using SHA-512"
-msgstr ""
+msgstr "ES512 - ECDSA usando SHA-512"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__partner_id_strategy__email
+#, fuzzy
 msgid "From email claim"
-msgstr ""
+msgstr "Dalla richiesta email"
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "General"
-msgstr ""
+msgstr "Generale"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs256
 msgid "HS256 - HMAC using SHA-256 hash algorithm"
-msgstr ""
+msgstr "HS256 - HMAC usando SHA-256 hash algorithm"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs384
 msgid "HS384 - HMAC using SHA-384 hash algorithm"
-msgstr ""
+msgstr "HS384 - HMAC usando SHA-384 hash algorithm"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__secret_algorithm__hs512
 msgid "HS512 - HMAC using SHA-512 hash algorithm"
-msgstr ""
+msgstr "HS512 - HMAC usando SHA-512 hash algorithm"
 
 #. module: auth_jwt
 #: model:ir.model,name:auth_jwt.model_ir_http
 msgid "HTTP Routing"
-msgstr ""
+msgstr "Instradamento HTTP"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__id
+#, fuzzy
 msgid "ID"
-msgstr ""
+msgstr "ID"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__issuer
+#, fuzzy
 msgid "Issuer"
-msgstr ""
+msgstr "Issuer"
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+#, fuzzy
 msgid "JWK URI"
-msgstr ""
+msgstr "JWK URI"
 
 #. module: auth_jwt
 #: model:ir.model,name:auth_jwt.model_auth_jwt_validator
 msgid "JWT Validator Configuration"
-msgstr ""
+msgstr "Configurazione validatore JWT"
 
 #. module: auth_jwt
 #: model:ir.actions.act_window,name:auth_jwt.action_auth_jwt_validator
 #: model:ir.ui.menu,name:auth_jwt.menu_auth_jwt_validator
 msgid "JWT Validators"
-msgstr ""
+msgstr "Validatori JWT"
 
 #. module: auth_jwt
 #: model:ir.model.constraint,message:auth_jwt.constraint_auth_jwt_validator_name_uniq
 msgid "JWT validator names must be unique !"
-msgstr ""
+msgstr "I nomi dei validatori JWT devono essere univoci!"
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "Key"
-msgstr ""
+msgstr "Chiave"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator____last_update
 msgid "Last Modified on"
-msgstr ""
+msgstr "Ultima modifica il"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__write_uid
 msgid "Last Updated by"
-msgstr ""
+msgstr "Ultimo aggiornamento da"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__write_date
 msgid "Last Updated on"
-msgstr ""
+msgstr "Ultimo aggiornamento il"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__name
 msgid "Name"
-msgstr ""
+msgstr "Nome"
 
 #. module: auth_jwt
 #. odoo-python
 #: code:addons/auth_jwt/models/auth_jwt_validator.py:0
 #, python-format
 msgid "Name %r is not a valid python identifier."
-msgstr ""
+msgstr "Il nome %r non è un identificatore Python valido."
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__next_validator_id
 msgid "Next Validator"
-msgstr ""
+msgstr "Validatore successivo"
 
 #. module: auth_jwt
 #: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__next_validator_id
 msgid "Next validator to try if this one fails"
-msgstr ""
+msgstr "Validatore successivo da provare se questo fallisce"
 
 #. module: auth_jwt
 #: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_max_age
 msgid "Number of seconds until the cookie expires (Max-Age)."
-msgstr ""
+msgstr "Numero di secondi fino alla scadenza del cookie (Durata max)."
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps256
 msgid "PS256 - RSASSA-PSS using SHA-256 and MGF1 padding with SHA-256"
-msgstr ""
+msgstr "PS256 - RSASSA-PSS usando SHA-256 e padding MGF1 con SHA-256"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps384
 msgid "PS384 - RSASSA-PSS using SHA-384 and MGF1 padding with SHA-384"
-msgstr ""
+msgstr "PS384 - RSASSA-PSS usando SHA-384 e padding MGF1 con SHA-384"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__ps512
 msgid "PS512 - RSASSA-PSS using SHA-512 and MGF1 padding with SHA-512"
-msgstr ""
+msgstr "PS512 - RSASSA-PSS usando SHA-512 e padding MGF1 con SHA-512"
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+#, fuzzy
 msgid "Partner"
-msgstr ""
+msgstr "Partner"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__partner_id_required
 msgid "Partner Id Required"
-msgstr ""
+msgstr "Partner ID obbligatorio"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__partner_id_strategy
 msgid "Partner Id Strategy"
-msgstr ""
+msgstr "Strategia Partner ID"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__public_key_algorithm
 msgid "Public Key Algorithm"
-msgstr ""
+msgstr "Algoritmo a chiave pubblica"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__public_key_jwk_uri
 msgid "Public Key Jwk Uri"
-msgstr ""
+msgstr "Jwk Uri a chiave pubblica"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__signature_type__public_key
 msgid "Public key"
-msgstr ""
+msgstr "Chiave pubblica"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs256
 msgid "RS256 - RSASSA-PKCS1-v1_5 using SHA-256"
-msgstr ""
+msgstr "RS256 - RSASSA-PKCS1-v1_5 usando SHA-256"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs384
 msgid "RS384 - RSASSA-PKCS1-v1_5 using SHA-384"
-msgstr ""
+msgstr "RS384 - RSASSA-PKCS1-v1_5 usando SHA-384"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__public_key_algorithm__rs512
 msgid "RS512 - RSASSA-PKCS1-v1_5 using SHA-512"
-msgstr ""
+msgstr "RS512 - RSASSA-PKCS1-v1_5 usando SHA-512"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__signature_type__secret
 msgid "Secret"
-msgstr ""
+msgstr "Segreta"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__secret_algorithm
 msgid "Secret Algorithm"
-msgstr ""
+msgstr "Algoritmo segreto"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__secret_key
 msgid "Secret Key"
-msgstr ""
+msgstr "Chiave segreta"
 
 #. module: auth_jwt
 #: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__cookie_secure
 msgid "Set to false only for development without https."
-msgstr ""
+msgstr "Imposta su false solo per lo sviluppo senza https."
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__signature_type
 msgid "Signature Type"
-msgstr ""
+msgstr "Tipo di firma"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__user_id_strategy__static
 msgid "Static"
-msgstr ""
+msgstr "Statica"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__static_user_id
 msgid "Static User"
-msgstr ""
+msgstr "Utente statico"
 
 #. module: auth_jwt
 #: model:ir.model.fields,help:auth_jwt.field_auth_jwt_validator__issuer
 msgid "To validate iss."
-msgstr ""
+msgstr "Per validare iss."
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "Token validation"
-msgstr ""
+msgstr "Convalida del token"
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
 msgid "User"
-msgstr ""
+msgstr "Utente"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__user_id_strategy
 msgid "User Id Strategy"
-msgstr ""
+msgstr "Strategia User ID"
 
 #. module: auth_jwt
 #. odoo-python
 #: code:addons/auth_jwt/models/auth_jwt_validator.py:0
 #, python-format
 msgid "Validators mustn't make a closed chain: {}."
-msgstr ""
+msgstr "I validatori non devono creare una catena chiusa: {}."
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
+#, fuzzy
 msgid "arch"
-msgstr ""
+msgstr "arch"

From 290f8c1f9b1cdf21a7cb52e86e072f1310ee8061 Mon Sep 17 00:00:00 2001
From: mymage <stefano.consolaro@mymage.it>
Date: Wed, 3 Jan 2024 12:26:21 +0000
Subject: [PATCH 41/43] Translated using Weblate (Italian)

Currently translated at 100.0% (64 of 64 strings)

Translation: server-auth-16.0/server-auth-16.0-auth_jwt
Translate-URL: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt/it/
---
 auth_jwt/i18n/it.po | 19 ++++++-------------
 1 file changed, 6 insertions(+), 13 deletions(-)

diff --git a/auth_jwt/i18n/it.po b/auth_jwt/i18n/it.po
index 9336d05128..ee29f1a08b 100644
--- a/auth_jwt/i18n/it.po
+++ b/auth_jwt/i18n/it.po
@@ -6,8 +6,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Odoo Server 16.0\n"
 "Report-Msgid-Bugs-To: \n"
-"PO-Revision-Date: 2023-12-15 13:34+0000\n"
-"Last-Translator: Riccardo Bellanova <bellanova@webmonks.it>\n"
+"PO-Revision-Date: 2024-01-03 14:33+0000\n"
+"Last-Translator: mymage <stefano.consolaro@mymage.it>\n"
 "Language-Team: none\n"
 "Language: it\n"
 "MIME-Version: 1.0\n"
@@ -80,9 +80,8 @@ msgstr "Path cookie"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__cookie_secure
-#, fuzzy
 msgid "Cookie Secure"
-msgstr "Cookie Secure"
+msgstr "Cookie secure"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__create_uid
@@ -121,9 +120,8 @@ msgstr "ES512 - ECDSA usando SHA-512"
 
 #. module: auth_jwt
 #: model:ir.model.fields.selection,name:auth_jwt.selection__auth_jwt_validator__partner_id_strategy__email
-#, fuzzy
 msgid "From email claim"
-msgstr "Dalla richiesta email"
+msgstr "Da richiesta e-mail"
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
@@ -152,21 +150,18 @@ msgstr "Instradamento HTTP"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__id
-#, fuzzy
 msgid "ID"
 msgstr "ID"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__issuer
-#, fuzzy
 msgid "Issuer"
-msgstr "Issuer"
+msgstr "Segnalatore"
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
-#, fuzzy
 msgid "JWK URI"
-msgstr "JWK URI"
+msgstr "URI JWK"
 
 #. module: auth_jwt
 #: model:ir.model,name:auth_jwt.model_auth_jwt_validator
@@ -248,7 +243,6 @@ msgstr "PS512 - RSASSA-PSS usando SHA-512 e padding MGF1 con SHA-512"
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
-#, fuzzy
 msgid "Partner"
 msgstr "Partner"
 
@@ -356,6 +350,5 @@ msgstr "I validatori non devono creare una catena chiusa: {}."
 
 #. module: auth_jwt
 #: model_terms:ir.ui.view,arch_db:auth_jwt.view_auth_jwt_validator_form
-#, fuzzy
 msgid "arch"
 msgstr "arch"

From 58560391a303665257090e8d0c66f8fb3ae7776b Mon Sep 17 00:00:00 2001
From: Francesco Foresti <francesco.foresti@ooops404.com>
Date: Mon, 29 Jan 2024 09:01:26 +0000
Subject: [PATCH 42/43] Translated using Weblate (Italian)

Currently translated at 100.0% (64 of 64 strings)

Translation: server-auth-16.0/server-auth-16.0-auth_jwt
Translate-URL: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt/it/
---
 auth_jwt/i18n/it.po | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/auth_jwt/i18n/it.po b/auth_jwt/i18n/it.po
index ee29f1a08b..9d3c3da001 100644
--- a/auth_jwt/i18n/it.po
+++ b/auth_jwt/i18n/it.po
@@ -6,8 +6,8 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Odoo Server 16.0\n"
 "Report-Msgid-Bugs-To: \n"
-"PO-Revision-Date: 2024-01-03 14:33+0000\n"
-"Last-Translator: mymage <stefano.consolaro@mymage.it>\n"
+"PO-Revision-Date: 2024-01-29 11:35+0000\n"
+"Last-Translator: Francesco Foresti <francesco.foresti@ooops404.com>\n"
 "Language-Team: none\n"
 "Language: it\n"
 "MIME-Version: 1.0\n"
@@ -192,7 +192,7 @@ msgstr "Ultima modifica il"
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__write_uid
 msgid "Last Updated by"
-msgstr "Ultimo aggiornamento da"
+msgstr "Ultimo aggiornamento di"
 
 #. module: auth_jwt
 #: model:ir.model.fields,field_description:auth_jwt.field_auth_jwt_validator__write_date

From 559b3fee2af517f75ecf3be3d854dfee43a4111e Mon Sep 17 00:00:00 2001
From: Mike Aelbrecht <mikeaelbrecht@gmail.com>
Date: Thu, 30 May 2024 08:32:18 +0200
Subject: [PATCH 43/43] [MIG] auth_jwt: Migration to 17.0

---
 auth_jwt/README.rst                           | 121 +++++++++---------
 auth_jwt/__manifest__.py                      |   5 +-
 auth_jwt/exceptions.py                        |   2 +-
 auth_jwt/models/ir_http.py                    |   1 -
 auth_jwt/pyproject.toml                       |   3 +
 auth_jwt/readme/CONTRIBUTORS.md               |   2 +
 auth_jwt/readme/CONTRIBUTORS.rst              |   1 -
 .../{DESCRIPTION.rst => DESCRIPTION.md}       |   0
 auth_jwt/readme/INSTALL.md                    |   1 +
 auth_jwt/readme/INSTALL.rst                   |   1 -
 auth_jwt/readme/USAGE.md                      |  69 ++++++++++
 auth_jwt/readme/USAGE.rst                     |  64 ---------
 auth_jwt/static/description/index.html        | 109 ++++++++--------
 auth_jwt/tests/test_auth_jwt.py               |  23 ++--
 auth_jwt/views/auth_jwt_validator_views.xml   |  31 ++---
 requirements.txt                              |   2 +
 16 files changed, 233 insertions(+), 202 deletions(-)
 create mode 100644 auth_jwt/pyproject.toml
 create mode 100644 auth_jwt/readme/CONTRIBUTORS.md
 delete mode 100644 auth_jwt/readme/CONTRIBUTORS.rst
 rename auth_jwt/readme/{DESCRIPTION.rst => DESCRIPTION.md} (100%)
 create mode 100644 auth_jwt/readme/INSTALL.md
 delete mode 100644 auth_jwt/readme/INSTALL.rst
 create mode 100644 auth_jwt/readme/USAGE.md
 delete mode 100644 auth_jwt/readme/USAGE.rst

diff --git a/auth_jwt/README.rst b/auth_jwt/README.rst
index f309f82757..0ae874edb4 100644
--- a/auth_jwt/README.rst
+++ b/auth_jwt/README.rst
@@ -17,13 +17,13 @@ Auth JWT
     :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html
     :alt: License: LGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
-    :target: https://github.com/OCA/server-auth/tree/16.0/auth_jwt
+    :target: https://github.com/OCA/server-auth/tree/17.0/auth_jwt
     :alt: OCA/server-auth
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
-    :target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt
+    :target: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_jwt
     :alt: Translate me on Weblate
 .. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
-    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=16.0
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=17.0
     :alt: Try me on Runboat
 
 |badge1| |badge2| |badge3| |badge4| |badge5|
@@ -43,70 +43,76 @@ This module requires the ``pyjwt`` library to be installed.
 Usage
 =====
 
-This module lets developpers add a new ``jwt`` authentication method on Odoo
-controller routes.
+This module lets developpers add a new ``jwt`` authentication method on
+Odoo controller routes.
 
 To use it, you must:
 
-* Create an ``auth.jwt.validator`` record to configure how the JWT token will
-  be validated.
-* Add an ``auth="jwt_{validator-name}"`` or ``auth="public_or_jwt_{validator-name}"``
-  attribute to the routes you want to protect where ``{validator-name}`` corresponds to
-  the name attribute of the JWT validator record.
+- Create an ``auth.jwt.validator`` record to configure how the JWT token
+  will be validated.
+- Add an ``auth="jwt_{validator-name}"`` or
+  ``auth="public_or_jwt_{validator-name}"`` attribute to the routes you
+  want to protect where ``{validator-name}`` corresponds to the name
+  attribute of the JWT validator record.
 
 The ``auth_jwt_demo`` module provides examples.
 
 The JWT validator can be configured with the following properties:
 
-* ``name``: the validator name, to match the ``auth="jwt_{validator-name}"``
-  route property.
-* ``audience``: a comma-separated list of allowed audiences, used to validate
-  the ``aud`` claim.
-* ``issuer``: used to validate the ``iss`` claim.
-* Signature type (secret or public key), algorithm, secret and JWK URI
+- ``name``: the validator name, to match the
+  ``auth="jwt_{validator-name}"`` route property.
+- ``audience``: a comma-separated list of allowed audiences, used to
+  validate the ``aud`` claim.
+- ``issuer``: used to validate the ``iss`` claim.
+- Signature type (secret or public key), algorithm, secret and JWK URI
   are used to validate the token signature.
 
 In addition, the ``exp`` claim is validated to reject expired tokens.
 
 If the ``Authorization`` HTTP header is missing, malformed, or contains
-an invalid token, the request is rejected with a 401 (Unauthorized) code,
-unless the cookie mode is enabled (see below).
-
-If the token is valid, the request executes with the configured user id. By
-default the user id selection strategy is ``static`` (i.e. the same for all
-requests) and the selected user is configured on the JWT validator. Additional
-strategies can be provided by overriding the ``_get_uid()`` method and
-extending the ``user_id_strategy`` selection field.
-
-The selected user is *not* stored in the session. It is only available in
-``request.uid`` (and thus it is the one used in ``request.env``). To avoid any
-confusion and mismatches between the bearer token and the session, this module
-rejects requests made with an authenticated user session.
-
-Additionally, if a ``partner_id_strategy`` is configured, a partner is searched
-and if found, its id is stored in the ``request.jwt_partner_id`` attribute. If
-``partner_id_required`` is set, a 401 (Unauthorized) is returned if no partner
-was found. Otherwise ``request.jwt_partner_id`` is left falsy. Additional
-strategies can be provided by overriding the ``_get_partner_id()`` method
-and extending the ``partner_id_strategy`` selection field.
+an invalid token, the request is rejected with a 401 (Unauthorized)
+code, unless the cookie mode is enabled (see below).
+
+If the token is valid, the request executes with the configured user id.
+By default the user id selection strategy is ``static`` (i.e. the same
+for all requests) and the selected user is configured on the JWT
+validator. Additional strategies can be provided by overriding the
+``_get_uid()`` method and extending the ``user_id_strategy`` selection
+field.
+
+The selected user is *not* stored in the session. It is only available
+in ``request.uid`` (and thus it is the one used in ``request.env``). To
+avoid any confusion and mismatches between the bearer token and the
+session, this module rejects requests made with an authenticated user
+session.
+
+Additionally, if a ``partner_id_strategy`` is configured, a partner is
+searched and if found, its id is stored in the
+``request.jwt_partner_id`` attribute. If ``partner_id_required`` is set,
+a 401 (Unauthorized) is returned if no partner was found. Otherwise
+``request.jwt_partner_id`` is left falsy. Additional strategies can be
+provided by overriding the ``_get_partner_id()`` method and extending
+the ``partner_id_strategy`` selection field.
 
 The decoded JWT payload is stored in ``request.jwt_payload``.
 
-The ``public_auth_jwt`` method delegates authentication to the standard Odoo ``public``
-method when the Authorization header is not set. If it is set, the regular JWT
-authentication is performed as described above. This method is useful for public
-endpoints that need to work for anonymous users, but can be enhanced when an
-authenticated user is know. A typical use case is a "add to cart" endpoint that can work
-for anonymous users, but can be enhanced by binding the cart to a known customer when
-the authenticated user is known.
-
-You can enable a cookie mode on JWT validators. In this case, the JWT payload obtained
-from the ``Authorization`` header is returned as a Http-Only cookie. This mode is
-sometimes simpler for front-end applications which do not then need to store and protect
-the JWT token across requests and can simply rely on the cookie management mechanisms of
-browsers. When both the ``Authorization`` header and a cookie are provided, the cookie
-is ignored in order to let clients authenticate with a different user by providing a new
-JWT token.
+The ``public_auth_jwt`` method delegates authentication to the standard
+Odoo ``public`` method when the Authorization header is not set. If it
+is set, the regular JWT authentication is performed as described above.
+This method is useful for public endpoints that need to work for
+anonymous users, but can be enhanced when an authenticated user is know.
+A typical use case is a "add to cart" endpoint that can work for
+anonymous users, but can be enhanced by binding the cart to a known
+customer when the authenticated user is known.
+
+You can enable a cookie mode on JWT validators. In this case, the JWT
+payload obtained from the ``Authorization`` header is returned as a
+Http-Only cookie. This mode is sometimes simpler for front-end
+applications which do not then need to store and protect the JWT token
+across requests and can simply rely on the cookie management mechanisms
+of browsers. When both the ``Authorization`` header and a cookie are
+provided, the cookie is ignored in order to let clients authenticate
+with a different user by providing a new JWT token.
 
 Bug Tracker
 ===========
@@ -114,7 +120,7 @@ Bug Tracker
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
-`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 
 Do not contact contributors directly about support or help with technical issues.
 
@@ -122,17 +128,18 @@ Credits
 =======
 
 Authors
-~~~~~~~
+-------
 
 * ACSONE SA/NV
 
 Contributors
-~~~~~~~~~~~~
+------------
 
-* Stéphane Bidoul <stephane.bidoul@acsone.eu>
+- Stéphane Bidoul <stephane.bidoul@acsone.eu>
+- Mohamed Alkobrosli <malkobrosly@kencove.com>
 
 Maintainers
-~~~~~~~~~~~
+-----------
 
 This module is maintained by the OCA.
 
@@ -152,6 +159,6 @@ Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
 
 |maintainer-sbidoul| 
 
-This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/16.0/auth_jwt>`_ project on GitHub.
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/17.0/auth_jwt>`_ project on GitHub.
 
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_jwt/__manifest__.py b/auth_jwt/__manifest__.py
index 059b9bc7ec..aa1fc3838a 100644
--- a/auth_jwt/__manifest__.py
+++ b/auth_jwt/__manifest__.py
@@ -5,7 +5,7 @@
     "name": "Auth JWT",
     "summary": """
         JWT bearer token authentication.""",
-    "version": "16.0.1.1.0",
+    "version": "17.0.1.0.0",
     "license": "LGPL-3",
     "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
     "maintainers": ["sbidoul"],
@@ -14,4 +14,7 @@
     "external_dependencies": {"python": ["pyjwt", "cryptography"]},
     "data": ["security/ir.model.access.csv", "views/auth_jwt_validator_views.xml"],
     "demo": [],
+    "installable": True,
+    "application": False,
+    "auto_install": False,
 }
diff --git a/auth_jwt/exceptions.py b/auth_jwt/exceptions.py
index e8af54d114..1864954100 100644
--- a/auth_jwt/exceptions.py
+++ b/auth_jwt/exceptions.py
@@ -44,7 +44,7 @@ def __init__(self, errors):
         super().__init__(
             "Multiple errors occurred during JWT chain validation:\n"
             + "\n".join(
-                "{}: {}".format(validator_name, error)
+                f"{validator_name}: {error}"
                 for validator_name, error in self.errors.items()
             )
         )
diff --git a/auth_jwt/models/ir_http.py b/auth_jwt/models/ir_http.py
index b65118fd88..7168e50894 100644
--- a/auth_jwt/models/ir_http.py
+++ b/auth_jwt/models/ir_http.py
@@ -19,7 +19,6 @@
 
 
 class IrHttpJwt(models.AbstractModel):
-
     _inherit = "ir.http"
 
     @classmethod
diff --git a/auth_jwt/pyproject.toml b/auth_jwt/pyproject.toml
new file mode 100644
index 0000000000..4231d0cccb
--- /dev/null
+++ b/auth_jwt/pyproject.toml
@@ -0,0 +1,3 @@
+[build-system]
+requires = ["whool"]
+build-backend = "whool.buildapi"
diff --git a/auth_jwt/readme/CONTRIBUTORS.md b/auth_jwt/readme/CONTRIBUTORS.md
new file mode 100644
index 0000000000..d6260f557c
--- /dev/null
+++ b/auth_jwt/readme/CONTRIBUTORS.md
@@ -0,0 +1,2 @@
+- Stéphane Bidoul \<<stephane.bidoul@acsone.eu>\>
+- Mohamed Alkobrosli \<<malkobrosly@kencove.com>\>
diff --git a/auth_jwt/readme/CONTRIBUTORS.rst b/auth_jwt/readme/CONTRIBUTORS.rst
deleted file mode 100644
index f323b44ab0..0000000000
--- a/auth_jwt/readme/CONTRIBUTORS.rst
+++ /dev/null
@@ -1 +0,0 @@
-* Stéphane Bidoul <stephane.bidoul@acsone.eu>
diff --git a/auth_jwt/readme/DESCRIPTION.rst b/auth_jwt/readme/DESCRIPTION.md
similarity index 100%
rename from auth_jwt/readme/DESCRIPTION.rst
rename to auth_jwt/readme/DESCRIPTION.md
diff --git a/auth_jwt/readme/INSTALL.md b/auth_jwt/readme/INSTALL.md
new file mode 100644
index 0000000000..529cf45e83
--- /dev/null
+++ b/auth_jwt/readme/INSTALL.md
@@ -0,0 +1 @@
+This module requires the `pyjwt` library to be installed.
diff --git a/auth_jwt/readme/INSTALL.rst b/auth_jwt/readme/INSTALL.rst
deleted file mode 100644
index 9d8ccacf56..0000000000
--- a/auth_jwt/readme/INSTALL.rst
+++ /dev/null
@@ -1 +0,0 @@
-This module requires the ``pyjwt`` library to be installed.
diff --git a/auth_jwt/readme/USAGE.md b/auth_jwt/readme/USAGE.md
new file mode 100644
index 0000000000..b67c4fc331
--- /dev/null
+++ b/auth_jwt/readme/USAGE.md
@@ -0,0 +1,69 @@
+This module lets developpers add a new `jwt` authentication method on
+Odoo controller routes.
+
+To use it, you must:
+
+- Create an `auth.jwt.validator` record to configure how the JWT token
+  will be validated.
+- Add an `auth="jwt_{validator-name}"` or
+  `auth="public_or_jwt_{validator-name}"` attribute to the routes you
+  want to protect where `{validator-name}` corresponds to the name
+  attribute of the JWT validator record.
+
+The `auth_jwt_demo` module provides examples.
+
+The JWT validator can be configured with the following properties:
+
+- `name`: the validator name, to match the `auth="jwt_{validator-name}"`
+  route property.
+- `audience`: a comma-separated list of allowed audiences, used to
+  validate the `aud` claim.
+- `issuer`: used to validate the `iss` claim.
+- Signature type (secret or public key), algorithm, secret and JWK URI
+  are used to validate the token signature.
+
+In addition, the `exp` claim is validated to reject expired tokens.
+
+If the `Authorization` HTTP header is missing, malformed, or contains an
+invalid token, the request is rejected with a 401 (Unauthorized) code,
+unless the cookie mode is enabled (see below).
+
+If the token is valid, the request executes with the configured user id.
+By default the user id selection strategy is `static` (i.e. the same for
+all requests) and the selected user is configured on the JWT validator.
+Additional strategies can be provided by overriding the `_get_uid()`
+method and extending the `user_id_strategy` selection field.
+
+The selected user is *not* stored in the session. It is only available
+in `request.uid` (and thus it is the one used in `request.env`). To
+avoid any confusion and mismatches between the bearer token and the
+session, this module rejects requests made with an authenticated user
+session.
+
+Additionally, if a `partner_id_strategy` is configured, a partner is
+searched and if found, its id is stored in the `request.jwt_partner_id`
+attribute. If `partner_id_required` is set, a 401 (Unauthorized) is
+returned if no partner was found. Otherwise `request.jwt_partner_id` is
+left falsy. Additional strategies can be provided by overriding the
+`_get_partner_id()` method and extending the `partner_id_strategy`
+selection field.
+
+The decoded JWT payload is stored in `request.jwt_payload`.
+
+The `public_auth_jwt` method delegates authentication to the standard
+Odoo `public` method when the Authorization header is not set. If it is
+set, the regular JWT authentication is performed as described above.
+This method is useful for public endpoints that need to work for
+anonymous users, but can be enhanced when an authenticated user is know.
+A typical use case is a "add to cart" endpoint that can work for
+anonymous users, but can be enhanced by binding the cart to a known
+customer when the authenticated user is known.
+
+You can enable a cookie mode on JWT validators. In this case, the JWT
+payload obtained from the `Authorization` header is returned as a
+Http-Only cookie. This mode is sometimes simpler for front-end
+applications which do not then need to store and protect the JWT token
+across requests and can simply rely on the cookie management mechanisms
+of browsers. When both the `Authorization` header and a cookie are
+provided, the cookie is ignored in order to let clients authenticate
+with a different user by providing a new JWT token.
diff --git a/auth_jwt/readme/USAGE.rst b/auth_jwt/readme/USAGE.rst
deleted file mode 100644
index 7d42e750a9..0000000000
--- a/auth_jwt/readme/USAGE.rst
+++ /dev/null
@@ -1,64 +0,0 @@
-This module lets developpers add a new ``jwt`` authentication method on Odoo
-controller routes.
-
-To use it, you must:
-
-* Create an ``auth.jwt.validator`` record to configure how the JWT token will
-  be validated.
-* Add an ``auth="jwt_{validator-name}"`` or ``auth="public_or_jwt_{validator-name}"``
-  attribute to the routes you want to protect where ``{validator-name}`` corresponds to
-  the name attribute of the JWT validator record.
-
-The ``auth_jwt_demo`` module provides examples.
-
-The JWT validator can be configured with the following properties:
-
-* ``name``: the validator name, to match the ``auth="jwt_{validator-name}"``
-  route property.
-* ``audience``: a comma-separated list of allowed audiences, used to validate
-  the ``aud`` claim.
-* ``issuer``: used to validate the ``iss`` claim.
-* Signature type (secret or public key), algorithm, secret and JWK URI
-  are used to validate the token signature.
-
-In addition, the ``exp`` claim is validated to reject expired tokens.
-
-If the ``Authorization`` HTTP header is missing, malformed, or contains
-an invalid token, the request is rejected with a 401 (Unauthorized) code,
-unless the cookie mode is enabled (see below).
-
-If the token is valid, the request executes with the configured user id. By
-default the user id selection strategy is ``static`` (i.e. the same for all
-requests) and the selected user is configured on the JWT validator. Additional
-strategies can be provided by overriding the ``_get_uid()`` method and
-extending the ``user_id_strategy`` selection field.
-
-The selected user is *not* stored in the session. It is only available in
-``request.uid`` (and thus it is the one used in ``request.env``). To avoid any
-confusion and mismatches between the bearer token and the session, this module
-rejects requests made with an authenticated user session.
-
-Additionally, if a ``partner_id_strategy`` is configured, a partner is searched
-and if found, its id is stored in the ``request.jwt_partner_id`` attribute. If
-``partner_id_required`` is set, a 401 (Unauthorized) is returned if no partner
-was found. Otherwise ``request.jwt_partner_id`` is left falsy. Additional
-strategies can be provided by overriding the ``_get_partner_id()`` method
-and extending the ``partner_id_strategy`` selection field.
-
-The decoded JWT payload is stored in ``request.jwt_payload``.
-
-The ``public_auth_jwt`` method delegates authentication to the standard Odoo ``public``
-method when the Authorization header is not set. If it is set, the regular JWT
-authentication is performed as described above. This method is useful for public
-endpoints that need to work for anonymous users, but can be enhanced when an
-authenticated user is know. A typical use case is a "add to cart" endpoint that can work
-for anonymous users, but can be enhanced by binding the cart to a known customer when
-the authenticated user is known.
-
-You can enable a cookie mode on JWT validators. In this case, the JWT payload obtained
-from the ``Authorization`` header is returned as a Http-Only cookie. This mode is
-sometimes simpler for front-end applications which do not then need to store and protect
-the JWT token across requests and can simply rely on the cookie management mechanisms of
-browsers. When both the ``Authorization`` header and a cookie are provided, the cookie
-is ignored in order to let clients authenticate with a different user by providing a new
-JWT token.
diff --git a/auth_jwt/static/description/index.html b/auth_jwt/static/description/index.html
index 109b2c3500..341f0c558d 100644
--- a/auth_jwt/static/description/index.html
+++ b/auth_jwt/static/description/index.html
@@ -1,4 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
@@ -9,10 +8,11 @@
 
 /*
 :Author: David Goodger (goodger@python.org)
-:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $
+:Id: $Id: html4css1.css 9511 2024-01-13 09:50:07Z milde $
 :Copyright: This stylesheet has been placed in the public domain.
 
 Default cascading style sheet for the HTML output of Docutils.
+Despite the name, some widely supported CSS2 features are used.
 
 See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
 customize this style sheet.
@@ -275,7 +275,7 @@
   margin-left: 2em ;
   margin-right: 2em }
 
-pre.code .ln { color: grey; } /* line numbers */
+pre.code .ln { color: gray; } /* line numbers */
 pre.code, code { background-color: #eeeeee }
 pre.code .comment, code .comment { color: #5C6576 }
 pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
@@ -301,7 +301,7 @@
 span.pre {
   white-space: pre }
 
-span.problematic {
+span.problematic, pre.problematic {
   color: red }
 
 span.section-subtitle {
@@ -369,7 +369,7 @@ <h1 class="title">Auth JWT</h1>
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! source digest: sha256:d22309ac82ef1eb8879974683b10d4be288eb330fd7e250927f1a8d602dc3988
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
-<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/lgpl-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-LGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/16.0/auth_jwt"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_jwt"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/lgpl-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-LGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/17.0/auth_jwt"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_jwt"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=17.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>JWT bearer token authentication.</p>
 <p><strong>Table of contents</strong></p>
 <div class="contents local topic" id="contents">
@@ -391,68 +391,74 @@ <h1><a class="toc-backref" href="#toc-entry-1">Installation</a></h1>
 </div>
 <div class="section" id="usage">
 <h1><a class="toc-backref" href="#toc-entry-2">Usage</a></h1>
-<p>This module lets developpers add a new <tt class="docutils literal">jwt</tt> authentication method on Odoo
-controller routes.</p>
+<p>This module lets developpers add a new <tt class="docutils literal">jwt</tt> authentication method on
+Odoo controller routes.</p>
 <p>To use it, you must:</p>
 <ul class="simple">
-<li>Create an <tt class="docutils literal">auth.jwt.validator</tt> record to configure how the JWT token will
-be validated.</li>
-<li>Add an <tt class="docutils literal"><span class="pre">auth=&quot;jwt_{validator-name}&quot;</span></tt> or <tt class="docutils literal"><span class="pre">auth=&quot;public_or_jwt_{validator-name}&quot;</span></tt>
-attribute to the routes you want to protect where <tt class="docutils literal"><span class="pre">{validator-name}</span></tt> corresponds to
-the name attribute of the JWT validator record.</li>
+<li>Create an <tt class="docutils literal">auth.jwt.validator</tt> record to configure how the JWT token
+will be validated.</li>
+<li>Add an <tt class="docutils literal"><span class="pre">auth=&quot;jwt_{validator-name}&quot;</span></tt> or
+<tt class="docutils literal"><span class="pre">auth=&quot;public_or_jwt_{validator-name}&quot;</span></tt> attribute to the routes you
+want to protect where <tt class="docutils literal"><span class="pre">{validator-name}</span></tt> corresponds to the name
+attribute of the JWT validator record.</li>
 </ul>
 <p>The <tt class="docutils literal">auth_jwt_demo</tt> module provides examples.</p>
 <p>The JWT validator can be configured with the following properties:</p>
 <ul class="simple">
-<li><tt class="docutils literal">name</tt>: the validator name, to match the <tt class="docutils literal"><span class="pre">auth=&quot;jwt_{validator-name}&quot;</span></tt>
-route property.</li>
-<li><tt class="docutils literal">audience</tt>: a comma-separated list of allowed audiences, used to validate
-the <tt class="docutils literal">aud</tt> claim.</li>
+<li><tt class="docutils literal">name</tt>: the validator name, to match the
+<tt class="docutils literal"><span class="pre">auth=&quot;jwt_{validator-name}&quot;</span></tt> route property.</li>
+<li><tt class="docutils literal">audience</tt>: a comma-separated list of allowed audiences, used to
+validate the <tt class="docutils literal">aud</tt> claim.</li>
 <li><tt class="docutils literal">issuer</tt>: used to validate the <tt class="docutils literal">iss</tt> claim.</li>
 <li>Signature type (secret or public key), algorithm, secret and JWK URI
 are used to validate the token signature.</li>
 </ul>
 <p>In addition, the <tt class="docutils literal">exp</tt> claim is validated to reject expired tokens.</p>
 <p>If the <tt class="docutils literal">Authorization</tt> HTTP header is missing, malformed, or contains
-an invalid token, the request is rejected with a 401 (Unauthorized) code,
-unless the cookie mode is enabled (see below).</p>
-<p>If the token is valid, the request executes with the configured user id. By
-default the user id selection strategy is <tt class="docutils literal">static</tt> (i.e. the same for all
-requests) and the selected user is configured on the JWT validator. Additional
-strategies can be provided by overriding the <tt class="docutils literal">_get_uid()</tt> method and
-extending the <tt class="docutils literal">user_id_strategy</tt> selection field.</p>
-<p>The selected user is <em>not</em> stored in the session. It is only available in
-<tt class="docutils literal">request.uid</tt> (and thus it is the one used in <tt class="docutils literal">request.env</tt>). To avoid any
-confusion and mismatches between the bearer token and the session, this module
-rejects requests made with an authenticated user session.</p>
-<p>Additionally, if a <tt class="docutils literal">partner_id_strategy</tt> is configured, a partner is searched
-and if found, its id is stored in the <tt class="docutils literal">request.jwt_partner_id</tt> attribute. If
-<tt class="docutils literal">partner_id_required</tt> is set, a 401 (Unauthorized) is returned if no partner
-was found. Otherwise <tt class="docutils literal">request.jwt_partner_id</tt> is left falsy. Additional
-strategies can be provided by overriding the <tt class="docutils literal">_get_partner_id()</tt> method
-and extending the <tt class="docutils literal">partner_id_strategy</tt> selection field.</p>
+an invalid token, the request is rejected with a 401 (Unauthorized)
+code, unless the cookie mode is enabled (see below).</p>
+<p>If the token is valid, the request executes with the configured user id.
+By default the user id selection strategy is <tt class="docutils literal">static</tt> (i.e. the same
+for all requests) and the selected user is configured on the JWT
+validator. Additional strategies can be provided by overriding the
+<tt class="docutils literal">_get_uid()</tt> method and extending the <tt class="docutils literal">user_id_strategy</tt> selection
+field.</p>
+<p>The selected user is <em>not</em> stored in the session. It is only available
+in <tt class="docutils literal">request.uid</tt> (and thus it is the one used in <tt class="docutils literal">request.env</tt>). To
+avoid any confusion and mismatches between the bearer token and the
+session, this module rejects requests made with an authenticated user
+session.</p>
+<p>Additionally, if a <tt class="docutils literal">partner_id_strategy</tt> is configured, a partner is
+searched and if found, its id is stored in the
+<tt class="docutils literal">request.jwt_partner_id</tt> attribute. If <tt class="docutils literal">partner_id_required</tt> is set,
+a 401 (Unauthorized) is returned if no partner was found. Otherwise
+<tt class="docutils literal">request.jwt_partner_id</tt> is left falsy. Additional strategies can be
+provided by overriding the <tt class="docutils literal">_get_partner_id()</tt> method and extending
+the <tt class="docutils literal">partner_id_strategy</tt> selection field.</p>
 <p>The decoded JWT payload is stored in <tt class="docutils literal">request.jwt_payload</tt>.</p>
-<p>The <tt class="docutils literal">public_auth_jwt</tt> method delegates authentication to the standard Odoo <tt class="docutils literal">public</tt>
-method when the Authorization header is not set. If it is set, the regular JWT
-authentication is performed as described above. This method is useful for public
-endpoints that need to work for anonymous users, but can be enhanced when an
-authenticated user is know. A typical use case is a “add to cart” endpoint that can work
-for anonymous users, but can be enhanced by binding the cart to a known customer when
-the authenticated user is known.</p>
-<p>You can enable a cookie mode on JWT validators. In this case, the JWT payload obtained
-from the <tt class="docutils literal">Authorization</tt> header is returned as a Http-Only cookie. This mode is
-sometimes simpler for front-end applications which do not then need to store and protect
-the JWT token across requests and can simply rely on the cookie management mechanisms of
-browsers. When both the <tt class="docutils literal">Authorization</tt> header and a cookie are provided, the cookie
-is ignored in order to let clients authenticate with a different user by providing a new
-JWT token.</p>
+<p>The <tt class="docutils literal">public_auth_jwt</tt> method delegates authentication to the standard
+Odoo <tt class="docutils literal">public</tt> method when the Authorization header is not set. If it
+is set, the regular JWT authentication is performed as described above.
+This method is useful for public endpoints that need to work for
+anonymous users, but can be enhanced when an authenticated user is know.
+A typical use case is a “add to cart” endpoint that can work for
+anonymous users, but can be enhanced by binding the cart to a known
+customer when the authenticated user is known.</p>
+<p>You can enable a cookie mode on JWT validators. In this case, the JWT
+payload obtained from the <tt class="docutils literal">Authorization</tt> header is returned as a
+Http-Only cookie. This mode is sometimes simpler for front-end
+applications which do not then need to store and protect the JWT token
+across requests and can simply rely on the cookie management mechanisms
+of browsers. When both the <tt class="docutils literal">Authorization</tt> header and a cookie are
+provided, the cookie is ignored in order to let clients authenticate
+with a different user by providing a new JWT token.</p>
 </div>
 <div class="section" id="bug-tracker">
 <h1><a class="toc-backref" href="#toc-entry-3">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
-<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
@@ -467,18 +473,21 @@ <h2><a class="toc-backref" href="#toc-entry-5">Authors</a></h2>
 <h2><a class="toc-backref" href="#toc-entry-6">Contributors</a></h2>
 <ul class="simple">
 <li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
+<li>Mohamed Alkobrosli &lt;<a class="reference external" href="mailto:malkobrosly&#64;kencove.com">malkobrosly&#64;kencove.com</a>&gt;</li>
 </ul>
 </div>
 <div class="section" id="maintainers">
 <h2><a class="toc-backref" href="#toc-entry-7">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
-<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
+<a class="reference external image-reference" href="https://odoo-community.org">
+<img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" />
+</a>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.</p>
 <p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
 <p><a class="reference external image-reference" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
-<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/16.0/auth_jwt">OCA/server-auth</a> project on GitHub.</p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/17.0/auth_jwt">OCA/server-auth</a> project on GitHub.</p>
 <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
 </div>
 </div>
diff --git a/auth_jwt/tests/test_auth_jwt.py b/auth_jwt/tests/test_auth_jwt.py
index 20fb59b7cb..6a87e87cbc 100644
--- a/auth_jwt/tests/test_auth_jwt.py
+++ b/auth_jwt/tests/test_auth_jwt.py
@@ -200,7 +200,8 @@ def test_auth_method_invalid_token_on_chain(self):
                 self.env["ir.http"]._auth_method_jwt_validator()
             self.assertEqual(
                 str(composite_error.exception),
-                "401 Unauthorized: Multiple errors occurred during JWT chain validation:\n"
+                "401 Unauthorized: "
+                "Multiple errors occurred during JWT chain validation:\n"
                 "validator: 401 Unauthorized: "
                 "The server could not verify that you are authorized to "
                 "access the URL requested. You either supplied the wrong "
@@ -287,17 +288,20 @@ def test_partner_id_strategy_email_not_found_partner_required(self):
     def test_get_validator(self):
         AuthJwtValidator = self.env["auth.jwt.validator"]
         AuthJwtValidator.search([]).unlink()
-        with self.assertRaises(JwtValidatorNotFound), mute_logger(
-            "odoo.addons.auth_jwt.models.auth_jwt_validator"
+        with (
+            self.assertRaises(JwtValidatorNotFound),
+            mute_logger("odoo.addons.auth_jwt.models.auth_jwt_validator"),
         ):
             AuthJwtValidator._get_validator_by_name(None)
-        with self.assertRaises(JwtValidatorNotFound), mute_logger(
-            "odoo.addons.auth_jwt.models.auth_jwt_validator"
+        with (
+            self.assertRaises(JwtValidatorNotFound),
+            mute_logger("odoo.addons.auth_jwt.models.auth_jwt_validator"),
         ):
             AuthJwtValidator._get_validator_by_name("notavalidator")
         validator1 = self._create_validator(name="validator1")
-        with self.assertRaises(JwtValidatorNotFound), mute_logger(
-            "odoo.addons.auth_jwt.models.auth_jwt_validator"
+        with (
+            self.assertRaises(JwtValidatorNotFound),
+            mute_logger("odoo.addons.auth_jwt.models.auth_jwt_validator"),
         ):
             AuthJwtValidator._get_validator_by_name("notavalidator")
         self.assertEqual(AuthJwtValidator._get_validator_by_name(None), validator1)
@@ -306,8 +310,9 @@ def test_get_validator(self):
         )
         # create a second validator
         validator2 = self._create_validator(name="validator2")
-        with self.assertRaises(AmbiguousJwtValidator), mute_logger(
-            "odoo.addons.auth_jwt.models.auth_jwt_validator"
+        with (
+            self.assertRaises(AmbiguousJwtValidator),
+            mute_logger("odoo.addons.auth_jwt.models.auth_jwt_validator"),
         ):
             AuthJwtValidator._get_validator_by_name(None)
         self.assertEqual(
diff --git a/auth_jwt/views/auth_jwt_validator_views.xml b/auth_jwt/views/auth_jwt_validator_views.xml
index bc907038a9..318e2ce72b 100644
--- a/auth_jwt/views/auth_jwt_validator_views.xml
+++ b/auth_jwt/views/auth_jwt_validator_views.xml
@@ -18,35 +18,35 @@
                             <field
                                 name="secret_key"
                                 string="Key"
-                                attrs="{'invisible': [('signature_type', '!=', 'secret')],
-                                    'required': [('signature_type', '=', 'secret')]}"
+                                invisible="signature_type != 'secret'"
+                                required="signature_type == 'secret'"
                             />
                             <field
                                 name="secret_algorithm"
                                 string="Algorithm"
-                                attrs="{'invisible': [('signature_type', '!=', 'secret')],
-                                    'required': [('signature_type', '=', 'secret')]}"
+                                invisible="signature_type != 'secret'"
+                                required="signature_type == 'secret'"
                             />
                             <field
                                 name="public_key_jwk_uri"
                                 string="JWK URI"
-                                attrs="{'invisible': [('signature_type', '!=', 'public_key')],
-                                    'required': [('signature_type', '=', 'public_key')]}"
+                                invisible="signature_type != 'public_key'"
+                                required="signature_type == 'public_key'"
                                 widget="url"
                             />
                             <field
                                 name="public_key_algorithm"
                                 string="Algorithm"
-                                attrs="{'invisible': [('signature_type', '!=', 'public_key')],
-                                    'required': [('signature_type', '=', 'public_key')]}"
+                                invisible="signature_type != 'public_key'"
+                                required="signature_type == 'public_key'"
                             />
                         </group>
                         <group colspan="2" string="User">
                             <field name="user_id_strategy" />
                             <field
                                 name="static_user_id"
-                                attrs="{'invisible': [('user_id_strategy', '!=', 'static')],
-                                        'required': [('user_id_strategy', '=', 'static')]}"
+                                invisible="user_id_strategy != 'static'"
+                                required="user_id_strategy == 'static'"
                             />
                         </group>
                         <group colspan="2" string="Partner">
@@ -57,16 +57,13 @@
                             <field name="cookie_enabled" />
                             <field
                                 name="cookie_name"
-                                attrs="{'required': [('cookie_enabled', '=', True)],
-                                        'invisible': [('cookie_enabled', '=', False)]}"
-                            />
-                            <field
-                                name="cookie_path"
-                                attrs="{'invisible': [('cookie_enabled', '=', False)]}"
+                                invisible="not cookie_enabled"
+                                required="cookie_enabled"
                             />
+                            <field name="cookie_path" invisible="not cookie_enabled" />
                             <field
                                 name="cookie_max_age"
-                                attrs="{'invisible': [('cookie_enabled', '=', False)]}"
+                                invisible="not cookie_enabled"
                             />
                         </group>
                     </group>
diff --git a/requirements.txt b/requirements.txt
index 72eb0562e8..30a3b63d62 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,8 @@
 # generated from manifests external_dependencies
+cryptography
 email_validator
 lxml
+pyjwt
 pysaml2
 python-jose
 python-ldap