[16.0] auth_oidc: OpenID Connect fixes from 15.0

auth_oidc/README.rst

@@ -7,7 +7,7 @@ Authentication OpenID Connect
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:a54c4126f9873d2af17b9228f9afa844806a2541b42dc7945ec41be08379a915
+   !! source digest: sha256:376f14d31d98045b37afd5cfd3b74af9327544e62dba698ce26a53f58ffb75a4
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
@@ -143,6 +143,31 @@ Known issues / Roadmap
 Changelog
 =========
 
+16.0.1.1.0 2024-02-28
+---------------------
+
+-  Forward port OpenID Connect fixes from 15.0 to 16.0
+
+16.0.1.0.2 2023-11-16
+---------------------
+
+-  Readme link updates
+
+16.0.1.0.1 2023-10-09
+---------------------
+
+-  Add AzureAD code flow provider
+
+16.0.1.0.0 2023-01-27
+---------------------
+
+-  Odoo 16 migration
+
+15.0.1.0.0 2023-01-06
+---------------------
+
+-  Odoo 15 migration
+
 14.0.1.0.0 2021-12-10
 ---------------------
 
@@ -184,6 +209,7 @@ Contributors
 -  Alexandre Fayolle <[email protected]>
 -  Stéphane Bidoul <[email protected]>
 -  David Jaen <[email protected]>
+-  Andreas Perhab <[email protected]>
 
 Maintainers
 -----------

auth_oidc/__manifest__.py

@@ -4,7 +4,7 @@
 
 {
     "name": "Authentication OpenID Connect",
-    "version": "16.0.1.0.2",
+    "version": "16.0.1.1.0",
     "license": "AGPL-3",
     "author": (
         "ICTSTUDIO, André Schenkels, "

auth_oidc/models/auth_oauth_provider.py

@@ -11,6 +11,7 @@
 
 try:
     from jose import jwt
+    from jose.exceptions import JWSError, JWTError
 except ImportError:
     logging.getLogger(__name__).debug("jose library not installed")
 
@@ -47,14 +48,18 @@ class AuthOauthProvider(models.Model):
     jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
 
     @tools.ormcache("self.jwks_uri", "kid")
-    def _get_key(self, kid):
+    def _get_keys(self, kid):
         r = requests.get(self.jwks_uri, timeout=10)
         r.raise_for_status()
         response = r.json()
-        for key in response["keys"]:
-            if key["kid"] == kid:
-                return key
-        return {}
+        # the keys returned here should follow
+        # JWS Notes on Key Selection
+        # https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-signature#appendix-D
+        return [
+            key
+            for key in response["keys"]
+            if kid is None or key.get("kid", None) == kid
+        ]
 
     def _map_token_values(self, res):
         if self.token_map:
@@ -68,15 +73,34 @@ def _parse_id_token(self, id_token, access_token):
         self.ensure_one()
         res = {}
         header = jwt.get_unverified_header(id_token)
-        res.update(
-            jwt.decode(
-                id_token,
-                self._get_key(header.get("kid")),
-                algorithms=["RS256"],
-                audience=self.client_id,
-                access_token=access_token,
-            )
-        )
-
+        res.update(self._decode_id_token(access_token, id_token, header.get("kid")))
         res.update(self._map_token_values(res))
         return res
+
+    def _decode_id_token(self, access_token, id_token, kid):
+        keys = self._get_keys(kid)
+        if len(keys) > 1 and kid is None:
+            # https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.10.1
+            # If there are multiple keys in the referenced JWK Set document, a kid
+            # value MUST be provided in the JOSE Header.
+            raise JWTError(
+                "OpenID Connect requires kid to be set if there is more"
+                " than one key in the JWKS"
+            )
+        error = None
+        # we accept multiple keys with the same kid in case a key gets rotated.
+        for key in keys:
+            try:
+                values = jwt.decode(
+                    id_token,
+                    key,
+                    algorithms=["RS256"],
+                    audience=self.client_id,
+                    access_token=access_token,
+                )
+                return values
+            except (JWTError, JWSError) as e:
+                error = e
+        if error:
+            raise error
+        return {}

auth_oidc/models/res_users.py

@@ -65,7 +65,12 @@ def auth_oauth(self, provider, params):
             raise AccessDenied()
         validation = oauth_provider._parse_id_token(id_token, access_token)
         # required check
-        if not validation.get("user_id"):
+        if "sub" in validation and "user_id" not in validation:
+            # set user_id for auth_oauth, user_id is not an OpenID Connect standard
+            # claim:
+            # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+            validation["user_id"] = validation["sub"]
+        elif not validation.get("user_id"):
             _logger.error("user_id claim not found in id_token (after mapping).")
             raise AccessDenied()
         # retrieve and sign in user

auth_oidc/readme/CONTRIBUTORS.md

@@ -1,3 +1,4 @@
 - Alexandre Fayolle \<<[email protected]>\>
 - Stéphane Bidoul \<<[email protected]>\>
 - David Jaen \<<[email protected]>\>
+- Andreas Perhab \<<[email protected]>\>

auth_oidc/readme/HISTORY.md

@@ -1,3 +1,23 @@
+## 16.0.1.1.0 2024-02-28
+
+- Forward port OpenID Connect fixes from 15.0 to 16.0
+
+## 16.0.1.0.2 2023-11-16
+
+- Readme link updates
+
+## 16.0.1.0.1 2023-10-09
+
+- Add AzureAD code flow provider
+
+## 16.0.1.0.0 2023-01-27
+
+- Odoo 16 migration
+
+## 15.0.1.0.0 2023-01-06
+
+- Odoo 15 migration
+
 ## 14.0.1.0.0 2021-12-10
 
 - Odoo 14 migration

auth_oidc/static/description/index.html

@@ -367,7 +367,7 @@ <h1 class="title">Authentication OpenID Connect</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-!! source digest: sha256:a54c4126f9873d2af17b9228f9afa844806a2541b42dc7945ec41be08379a915
+!! source digest: sha256:376f14d31d98045b37afd5cfd3b74af9327544e62dba698ce26a53f58ffb75a4
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/16.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows users to login through an OpenID Connect provider
@@ -386,16 +386,21 @@ <h1 class="title">Authentication OpenID Connect</h1>
 <li><a class="reference internal" href="#usage" id="toc-entry-5">Usage</a></li>
 <li><a class="reference internal" href="#known-issues-roadmap" id="toc-entry-6">Known issues / Roadmap</a></li>
 <li><a class="reference internal" href="#changelog" id="toc-entry-7">Changelog</a><ul>
-<li><a class="reference internal" href="#section-1" id="toc-entry-8">14.0.1.0.0 2021-12-10</a></li>
-<li><a class="reference internal" href="#section-2" id="toc-entry-9">13.0.1.0.0 2020-04-10</a></li>
-<li><a class="reference internal" href="#section-3" id="toc-entry-10">10.0.1.0.0 2018-10-05</a></li>
+<li><a class="reference internal" href="#section-1" id="toc-entry-8">16.0.1.1.0 2024-02-28</a></li>
+<li><a class="reference internal" href="#section-2" id="toc-entry-9">16.0.1.0.2 2023-11-16</a></li>
+<li><a class="reference internal" href="#section-3" id="toc-entry-10">16.0.1.0.1 2023-10-09</a></li>
+<li><a class="reference internal" href="#section-4" id="toc-entry-11">16.0.1.0.0 2023-01-27</a></li>
+<li><a class="reference internal" href="#section-5" id="toc-entry-12">15.0.1.0.0 2023-01-06</a></li>
+<li><a class="reference internal" href="#section-6" id="toc-entry-13">14.0.1.0.0 2021-12-10</a></li>
+<li><a class="reference internal" href="#section-7" id="toc-entry-14">13.0.1.0.0 2020-04-10</a></li>
+<li><a class="reference internal" href="#section-8" id="toc-entry-15">10.0.1.0.0 2018-10-05</a></li>
 </ul>
 </li>
-<li><a class="reference internal" href="#bug-tracker" id="toc-entry-11">Bug Tracker</a></li>
-<li><a class="reference internal" href="#credits" id="toc-entry-12">Credits</a><ul>
-<li><a class="reference internal" href="#authors" id="toc-entry-13">Authors</a></li>
-<li><a class="reference internal" href="#contributors" id="toc-entry-14">Contributors</a></li>
-<li><a class="reference internal" href="#maintainers" id="toc-entry-15">Maintainers</a></li>
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-16">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-17">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="toc-entry-18">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="toc-entry-19">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="toc-entry-20">Maintainers</a></li>
 </ul>
 </li>
 </ul>
@@ -493,52 +498,83 @@ <h1><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h1>
 <div class="section" id="changelog">
 <h1><a class="toc-backref" href="#toc-entry-7">Changelog</a></h1>
 <div class="section" id="section-1">
-<h2><a class="toc-backref" href="#toc-entry-8">14.0.1.0.0 2021-12-10</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-8">16.0.1.1.0 2024-02-28</a></h2>
 <ul class="simple">
-<li>Odoo 14 migration</li>
+<li>Forward port OpenID Connect fixes from 15.0 to 16.0</li>
 </ul>
 </div>
 <div class="section" id="section-2">
-<h2><a class="toc-backref" href="#toc-entry-9">13.0.1.0.0 2020-04-10</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-9">16.0.1.0.2 2023-11-16</a></h2>
 <ul class="simple">
-<li>Odoo 13 migration, add authorization code flow.</li>
+<li>Readme link updates</li>
 </ul>
 </div>
 <div class="section" id="section-3">
-<h2><a class="toc-backref" href="#toc-entry-10">10.0.1.0.0 2018-10-05</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-10">16.0.1.0.1 2023-10-09</a></h2>
+<ul class="simple">
+<li>Add AzureAD code flow provider</li>
+</ul>
+</div>
+<div class="section" id="section-4">
+<h2><a class="toc-backref" href="#toc-entry-11">16.0.1.0.0 2023-01-27</a></h2>
+<ul class="simple">
+<li>Odoo 16 migration</li>
+</ul>
+</div>
+<div class="section" id="section-5">
+<h2><a class="toc-backref" href="#toc-entry-12">15.0.1.0.0 2023-01-06</a></h2>
+<ul class="simple">
+<li>Odoo 15 migration</li>
+</ul>
+</div>
+<div class="section" id="section-6">
+<h2><a class="toc-backref" href="#toc-entry-13">14.0.1.0.0 2021-12-10</a></h2>
+<ul class="simple">
+<li>Odoo 14 migration</li>
+</ul>
+</div>
+<div class="section" id="section-7">
+<h2><a class="toc-backref" href="#toc-entry-14">13.0.1.0.0 2020-04-10</a></h2>
+<ul class="simple">
+<li>Odoo 13 migration, add authorization code flow.</li>
+</ul>
+</div>
+<div class="section" id="section-8">
+<h2><a class="toc-backref" href="#toc-entry-15">10.0.1.0.0 2018-10-05</a></h2>
 <ul class="simple">
 <li>Initial implementation</li>
 </ul>
 </div>
 </div>
 <div class="section" id="bug-tracker">
-<h1><a class="toc-backref" href="#toc-entry-11">Bug Tracker</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-16">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
 <a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
-<h1><a class="toc-backref" href="#toc-entry-12">Credits</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-17">Credits</a></h1>
 <div class="section" id="authors">
-<h2><a class="toc-backref" href="#toc-entry-13">Authors</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-18">Authors</a></h2>
 <ul class="simple">
 <li>ICTSTUDIO</li>
 <li>André Schenkels</li>
 <li>ACSONE SA/NV</li>
 </ul>
 </div>
 <div class="section" id="contributors">
-<h2><a class="toc-backref" href="#toc-entry-14">Contributors</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-19">Contributors</a></h2>
 <ul class="simple">
 <li>Alexandre Fayolle &lt;<a class="reference external" href="mailto:alexandre.fayolle&#64;camptocamp.com">alexandre.fayolle&#64;camptocamp.com</a>&gt;</li>
 <li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
 <li>David Jaen &lt;<a class="reference external" href="mailto:david.jaen.revert&#64;gmail.com">david.jaen.revert&#64;gmail.com</a>&gt;</li>
+<li>Andreas Perhab &lt;<a class="reference external" href="mailto:andreas.perhab&#64;wt-io-it.at">andreas.perhab&#64;wt-io-it.at</a>&gt;</li>
 </ul>
 </div>
 <div class="section" id="maintainers">
-<h2><a class="toc-backref" href="#toc-entry-15">Maintainers</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-20">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
 <a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose