auth-odic displaying "access denied" when used with Authentic ODIC Provider

[23brewert]

Module

auth-odic

Describe the bug

After logging in with ODIC odoo displays "Access Denied" and prints an error in docker.

To Reproduce

Affected versions:v16

Steps to reproduce the behavior:

1. Install Plugin
2. Configure for Authentik ODIC
3. Try to Login

Expected behavior
To allow the user to login, and if a user does not exist to provision a new account based off the default access rights.

Error Output: [sensitive values changed]
2023-10-24 00:44:09,644 1 ERROR waspdb odoo.addons.auth_oauth.controllers.main: OAuth2: 'keys' Traceback (most recent call last): File "/usr/lib/python3/dist-packages/odoo/tools/cache.py", line 85, in lookup r = d[key] File "<decorator-gen-6>", line 2, in __getitem__ File "/usr/lib/python3/dist-packages/odoo/tools/func.py", line 87, in locked return func(inst, *args, **kwargs) File "/usr/lib/python3/dist-packages/odoo/tools/lru.py", line 34, in __getitem__ a = self.d[obj] KeyError: ('auth.oauth.provider', <function AuthOauthProvider._get_key at 0x7f4869cf3040>, 'https://sso.REDACTED.com/application/o/hr/jwks/', None) During handling of the above exception, another exception occurred: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/odoo/addons/auth_oauth/controllers/main.py", line 134, in signin db, login, key = env['res.users'].sudo().auth_oauth(provider, kw) File "/mnt/extra-addons/auth_oidc/models/res_users.py", line 66, in auth_oauth validation = oauth_provider._parse_id_token(id_token, access_token) File "/mnt/extra-addons/auth_oidc/models/auth_oauth_provider.py", line 74, in _parse_id_token self._get_key(header.get("kid")), File "<decorator-gen-188>", line 2, in _get_key File "/usr/lib/python3/dist-packages/odoo/tools/cache.py", line 90, in lookup value = d[key] = self.method(*args, **kwargs) File "/mnt/extra-addons/auth_oidc/models/auth_oauth_provider.py", line 54, in _get_key for key in response["keys"]: KeyError: 'keys' 2023-10-24 00:44:09,646 1 INFO waspdb werkzeug: 192.xxx.xx.x - - [24/Oct/2023 00:44:09] "GET /auth_oauth/signin?code=171dba0&state=%7B%22d%22%3A+%22waspdb%22%2C+%22p%22%3A+%22r%22%3A+%22https%253A%252F%252Fhr.REDACTED.com%252Fweb%22%7D HTTP/1.1" 303 - 3 0.004 0.165 2023-10-24 00:44:09,823 1 INFO waspdb werkzeug: 192.xxx.xxx.xxx- - [24/Oct/2023 00:44:09] "GET /web/login?oauth_error=2 HTTP/1.1" 200 - 11 0.008 0.038

Odoo Config:
[Yes the error still displays when I do put in the user endpoint but it should get its data from the JWT]

Authentik Config:

[manfred-warta]

Can confirm, same here with odoo v16 and authentik 2023.10.2

[CRogos]

Can you check if there is a keys and kid attribute in your jwks_uri result?

https://login.microsoftonline.com/organizations/discovery/v2.0/keys

[bbaumgartl]

I did get it to work with Odoo 17.0, the auth_oidc plugin from the 17.0 branch and Authentik 2024.2.2. It is important that a signing cert is selected in Authentik otherwise the JWKS response is empty. The other settings shown above seem fine.

One thing to note is that i had to manually map the user to the oauth id. What i couldn't get to work is the automatic user creation.

[Raimoncoral]

Hi, I'm also trying to setup Odoo 17.0 with authentik 2024.2.2, and when I tried to log in i get an error "Redirect URI error"

In authentik i have 3 URL configured:

• http://your.odoo/auth_oauth/signin/
• https://your.odoo/auth_oauth/signin/
• https://www.your.odoo/auth_oauth/signin/

Can someone help me with this?

Thanks