[IMP] add AzureAD code flow provider

OCA · Oct 9, 2023 · d0c8951 · d0c8951
1 parent db19eab
commit d0c8951
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 12 deletions.
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
@@ -16,6 +16,6 @@
     "summary": "Allow users to login through OpenID Connect Provider",
     "external_dependencies": {"python": ["python-jose"]},
     "depends": ["auth_oauth"],
-    "data": ["views/auth_oauth_provider.xml"],
+    "data": ["views/auth_oauth_provider.xml", "data/auth_oauth_data.xml"],
     "demo": ["demo/local_keycloak.xml"],
 }
diff --git a/auth_oidc/data/auth_oauth_data.xml b/auth_oidc/data/auth_oauth_data.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<odoo noupdate="1">
+    <record id="provider_azuread_multi" model="auth.oauth.provider">
+        <field name="name">Azure AD Multitenant</field>
+        <field name="flow">id_token_code</field>
+        <field name="enabled">False</field>
+        <field name="token_map">upn:user_id upn:email</field>
+        <field
+            name="auth_endpoint"
+        >https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize</field>
+        <field name="scope">profile openid</field>
+        <field
+            name="token_endpoint"
+        >https://login.microsoftonline.com/organizations/oauth2/v2.0/token</field>
+        <field
+            name="jwks_uri"
+        >https://login.microsoftonline.com/organizations/discovery/v2.0/keys</field>
+        <field name="css_class">fa fa-fw fa-windows</field>
+        <field name="body">Log in with Microsoft</field>
+    </record>
+    <record id="provider_azuread_single" model="auth.oauth.provider">
+        <field name="name">Azure AD Single Tenant</field>
+        <field name="flow">id_token_code</field>
+        <field name="enabled">False</field>
+        <field name="token_map">upn:user_id upn:email</field>
+        <field
+            name="auth_endpoint"
+        >https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize</field>
+        <field name="scope">profile openid</field>
+        <field
+            name="token_endpoint"
+        >https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token</field>
+        <field
+            name="jwks_uri"
+        >https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys</field>
+        <field name="css_class">fa fa-fw fa-windows</field>
+        <field name="body">Log in with Microsoft</field>
+    </record>
+</odoo>
diff --git a/auth_oidc/readme/CONFIGURE.rst b/auth_oidc/readme/CONFIGURE.rst
@@ -1,11 +1,9 @@
 Setup for Microsoft Azure
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Example configuration with OpenID Connect implicit flow.
-This configuration is not recommended because it exposes the access token
-to the client, and in logs.
+Example configuration with OpenID Connect authorization code flow.
 
-# configure a new web application in Azure with OpenID and implicit flow (see
+# configure a new web application in Azure with OpenID and code flow (see
   the `provider documentation
   <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)>`_)
 # in this application the redirect url must be be "<url of your
@@ -16,15 +14,29 @@ to the client, and in logs.
   <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings>`_
   for more information):
 
-* Provider Name: Azure
-* Auth Flow: OpenID Connect
-* Client ID: use the value of the OAuth2 autorization endoing (v2) from the Azure Endpoints list
-* Body: Azure SSO
-* Authentication URL: use the value of "OAuth2 autorization endpoint (v2)" from the Azure endpoints list
-* Scope: openid email
-* Validation URL: use the value of "OAuth2 token endpoint (v2)" from the Azure endpoints list
+.. image:: ..static/description/oauth-microsoft_azure-api_permissions.png
+
+.. image:: ..static/description/oauth-microsoft_azure-optional_claims.png
+
+Single tenant provider limits the access to user of your tenant,
+while Multitenants allow access for all AzureAD users, so user of foreign companies can use their AzureAD login
+without an guest account.
+
+* Provider Name: Azure AD Single Tenant
+* Client ID: Application (client) id
+* Client Secret: Client secret
 * Allowed: yes
 
+or
+
+* Provider Name: Azure AD Multitenant
+* Client ID: Application (client) id
+* Client Secret: Client secret
+* Allowed: yes
+* replace {tenant_id} in urls with your Azure tenant id
+
+.. image:: ..static/description/odoo-azure_ad_multitenant.png
+
 
 Setup for Keycloak
 ~~~~~~~~~~~~~~~~~~

diff --git a/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png b/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
diff --git a/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png b/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
diff --git a/auth_oidc/static/description/odoo-azure_ad_multitenant.png b/auth_oidc/static/description/odoo-azure_ad_multitenant.png