[IMP] auth_oidc: prompt for account on AAD login

OCA · Nov 14, 2023 · 60403ce · 60403ce
1 parent 6c78001
commit 60403ce
Show file tree

Hide file tree

Showing 8 changed files with 45 additions and 0 deletions.
diff --git a/auth_oidc/controllers/main.py b/auth_oidc/controllers/main.py
@@ -6,6 +6,7 @@
 import hashlib
 import logging
 import secrets
+from ast import literal_eval
 
 from werkzeug.urls import url_decode, url_encode
 
@@ -43,7 +44,17 @@ def list_providers(self):
                     if "openid" not in provider["scope"].split():
                         _logger.error("openid connect scope must contain 'openid'")
                     params["scope"] = provider["scope"]
+
+                # append provider specific auth link params
+                params_upd = literal_eval(provider["auth_link_params"])
+                params.update(params_upd)
+
                 # auth link that the user will click
+                provider["auth_link"] = "%s?%s" % (
+                    provider["auth_endpoint"],
+                    url_encode(params),
+                )
+
                 provider["auth_link"] = "{}?{}".format(
                     provider["auth_endpoint"], url_encode(params)
                 )

diff --git a/auth_oidc/data/auth_oauth_data.xml b/auth_oidc/data/auth_oauth_data.xml
@@ -17,6 +17,7 @@
         >https://login.microsoftonline.com/organizations/discovery/v2.0/keys</field>
         <field name="css_class">fa fa-fw fa-windows</field>
         <field name="body">Log in with Microsoft</field>
+        <field name="auth_link_params">{'prompt':'select_account'}</field>
     </record>
     <record id="provider_azuread_single" model="auth.oauth.provider">
         <field name="name">Azure AD Single Tenant</field>
@@ -35,5 +36,6 @@
         >https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys</field>
         <field name="css_class">fa fa-fw fa-windows</field>
         <field name="body">Log in with Microsoft</field>
+        <field name="auth_link_params">{'prompt':'select_account'}</field>
     </record>
 </odoo>
diff --git a/auth_oidc/demo/local_keycloak.xml b/auth_oidc/demo/local_keycloak.xml
@@ -17,4 +17,24 @@
             name="jwks_uri"
         >http://localhost:8080/auth/realms/master/protocol/openid-connect/certs</field>
     </record>
+    <record id="provider_azuread_multi" model="auth.oauth.provider">
+        <field name="name">Azure AD Multitenant</field>
+        <field name="flow">id_token_code</field>
+        <field name="client_id">auth_oidc-test</field>
+        <field name="enabled">True</field>
+        <field name="token_map">upn:user_id upn:email</field>
+        <field
+            name="auth_endpoint"
+        >https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize</field>
+        <field name="scope">profile openid</field>
+        <field
+            name="token_endpoint"
+        >https://login.microsoftonline.com/organizations/oauth2/v2.0/token</field>
+        <field
+            name="jwks_uri"
+        >https://login.microsoftonline.com/organizations/discovery/v2.0/keys</field>
+        <field name="css_class">fa fa-fw fa-windows</field>
+        <field name="body">Log in with Microsoft</field>
+        <field name="auth_link_params">{'prompt':'select_account'}</field>
+    </record>
 </odoo>
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
@@ -45,6 +45,9 @@ class AuthOauthProvider(models.Model):
         string="Token URL", help="Required for OpenID Connect authorization code flow."
     )
     jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
+    auth_link_params = fields.Char(
+        help="Additional parameters for the auth link. For example: {'prompt':'select_account'}"
+    )
 
     @tools.ormcache("self.jwks_uri", "kid")
     def _get_key(self, kid):

diff --git a/auth_oidc/readme/CONFIGURE.rst b/auth_oidc/readme/CONFIGURE.rst
@@ -37,6 +37,9 @@ or
 
 .. image:: ..static/description/odoo-azure_ad_multitenant.png
 
+* Auth Link Params: Add {'prompt':'select_account'} to the auth link to get the account selection screen
+.. image:: ..static/description/oauth-microsoft_azure-select_account.png
+
 
 Setup for Keycloak
 ~~~~~~~~~~~~~~~~~~

diff --git a/auth_oidc/static/description/oauth-microsoft_azure-select_account.png b/auth_oidc/static/description/oauth-microsoft_azure-select_account.png
diff --git a/auth_oidc/tests/test_auth_oidc_auth_code.py b/auth_oidc/tests/test_auth_oidc_auth_code.py
@@ -51,3 +51,8 @@ def test_auth_link(self):
             self.assertTrue(params["nonce"])
             self.assertTrue(params["state"])
             self.assertEqual(params["redirect_uri"], [BASE_URL + "/auth_oauth/signin"])
+
+            self.assertEqual(len(providers), 1)
+            auth_link_ms = providers[1]["auth_link"]
+            params = parse_qs(urlparse(auth_link_ms).query)
+            self.assertEqual(params["prompt"], ["select_account"])
diff --git a/auth_oidc/views/auth_oauth_provider.xml b/auth_oidc/views/auth_oauth_provider.xml
@@ -18,6 +18,7 @@
             <field name="validation_endpoint" position="after">
                 <field name="token_endpoint" />
                 <field name="jwks_uri" />
+                <field name="auth_link_params" />
             </field>
         </field>
     </record>