<h1 class="title">Allow users to sign up through OAuth2 Provider</h1> <ul class="simple"> <li>This module allow Odoo users to connect through a specific OAuth2 provider, if you expect to let users choose its provider prefer Official <cite>auth_oauth</cite> module.</li> <li>This module let you make the configuration at server level</li> </ul> <dl class="docutils"> <dt><em>Benefit:</em></dt> <dd><ul class="first last simple"> <li>let make different settings per environements (production server, test server)</li> </ul> </dd> <dt><em>inconvenience:</em></dt> <dd><ul class="first last simple"> <li>it's not possible to make settings per database, if you are in saas mode.</li> </ul> </dd> </dl> <ul class="simple"> <li>This module is based on <a class="reference external" href="https://github.com/google/oauth2client">oauth2client</a> library to manage oauth2 connexion.</li> </ul> <a name="settings"></a> <h2>Settings</h2> <ul class="simple"> <li><strong>auth_oauth2.client_id</strong>: Client Id given by your OAuth2 Provider (<em>may looks like</em>: <strong>*google-key*</strong>.apps.googleusercontent.com)</li> <li><strong>auth_oauth2.client_secret</strong>: A secret code given by your Oauth2 provider</li> <li><strong>auth_oauth2.auth_uri</strong>: OAuth2 provider URL to authenticate users (<em>default</em>: Google uri <a class="reference external" href="https://accounts.google.com/o/oauth2/auth">https://accounts.google.com/o/oauth2/auth</a>)</li> <li><strong>auth_oauth2.scope</strong>: string or iterable of strings, OAUth user data desired to access (<em>default</em>: email)</li> <li><strong>auth_oauth2.token_uri</strong>: OAuth provider URL to validate tokens (<em>default</em>: Google uri <a class="reference external" href="https://accounts.google.com/o/oauth2/token">https://accounts.google.com/o/oauth2/token</a>)</li> <li><strong>auth_oauth2.data_endpoint</strong>: Data URL</li> <li><strong>auth_oauth2.redirect_uri</strong>: This should be <cite>http[s]://your.host.name[:port]/auth_oauth2/login</cite> if it's not set, this module will construct if from <cite>web.base.url</cite> set in <cite>ir.config_parameter</cite> + <cite>/auth_oauth2/login</cite></li> </ul> <p>Not implemented:</p> <ul class="simple"> <li><strong>auth_oauth2.revoke_uri</strong>: OAuth provider URL to revoke authorizations (<em>default</em>: Google uri <a class="reference external" href="https://accounts.google.com/o/oauth2/revoke">https://accounts.google.com/o/oauth2/revoke</a>)</li> <li><strong>auth_oauth2.user_agent</strong>: string, HTTP User-Agent to provide for this application.</li> </ul> <p>Probably we could go deeper with thoses available attibutes:</p> <ul class="simple"> <li>'state': fields.char('state') Provides any state that might be useful to your application. <em>Today it's only used to pass the db name</em></li> <li>'access_type': fields.selection([('online', u&quot;On line&quot;), ('offline', u&quot;Off line&quot;)])</li> <li>'approval_prompt': fields.selection([('force', u&quot;Force&quot;), ('auto', u&quot;Auto&quot;)])</li> </ul> <a name="what-we-could-do-in-depends-modules"></a> <h2>What we could do in depends modules</h2> <p>Actually the token is saved in password field for convenience. So you could retreivied it to use in other module to consume Providers API, like this:</p> <pre> <code>from oauth2client.client import AccessTokenCredentials as ATC import httplib2 ... access_token = user_model.read(cr, uid, user_id, ['password'])['password'] credentials = ATC(access_token, None) http = httplib2.Http() http = credentials.authorize(http) (resp_headers, content) = http.request( &quot;https://www.googleapis.com/plus/v1/people/me&quot;, &quot;GET&quot;)</code> </pre> <p>On that case you may have to add keys in the <cite>scope</cite> attribute to get token autorization from user to acces to his data.</p> <a name="how-to-get-it-works-with-google-oauth2"></a> <h2>How to get it works with google oauth2</h2> <ul class="simple"> <li>connect to the developer console and create <a class="reference external" href="https://console.developers.google.com">https://console.developers.google.com</a></li> <li>Create a new project</li> <li>Go to API &amp; authentication to create a new ID</li> <li>In Oauth section create client ID</li> <li>set your allowed sources uri: [protocole]://[hostname] (ie: <a class="reference external" href="https://anybox.fr">https://anybox.fr</a>)</li> <li>set redirect uri with: [protocole]://[hostname]/auth_oauth2/login (ie: <a class="reference external" href="https://anybox.fr/auth_oauth2/login">https://anybox.fr/auth_oauth2/login</a>)</li> <li>Install this module</li> <li>add setings in you <cite>openerp.cfg</cite> configuration file</li> <li>restart odoo!</li> </ul> <div class="admonition note"> <p class="first admonition-title">Note</p> <p class="last">Add <cite>#login,password</cite> in the URL if you want to connect with an odoo account (like admin users) to disable the login forms used by this module</p> </div> <a name="todo"></a> <h2>TODO</h2> <ul class="simple"> <li>translate error messages</li> <li>Have a look if we are concerned by the way we got an existed session that sould not work (cf controllers in Odoo <cite>auth_oauth</cite> module)</li> <li>add revoke button and find out if there is differences with log out, if yes implement both</li> <li>get all params and hash parameters from uri (not only the db name)to pass it in state before redirect user to the oauth provider. Later retrieved them before set the connection uri. To do that we will avoid to lost link to an object during connection.</li> </ul> <a name="license"></a> <h2>License</h2> <p>Affero General Public License</p>