| Availability | Odoo Online, Odoo.sh, On Premise |
| Odoo Apps Dependencies | Discuss (mail) |
| Community Apps Dependencies | Show |
| Lines of code | 5953 |
| Technical Name | muk_mcp_oauth |
| License | See License tab |
| Website | http://www.mukit.at |
| Versions | 17.0 18.0 19.0 |
MuK MCP OAuth
OAuth 2.1 + Dynamic Client Registration
MuK IT GmbH - www.mukit.at
Overview
Lets remote AI clients — ChatGPT.com Developer-mode connectors,
Claude.ai web, custom agents — sign in to your Odoo via the
industry-standard OAuth 2.1 flow. Stacks on top of
muk_mcp and turns your existing /mcp
endpoint into a fully-featured authorization server: Dynamic Client
Registration (RFC 7591), Protected Resource Metadata (RFC 9728),
Authorization Server Metadata (RFC 8414), PKCE S256, and RFC 8707
audience binding — all advertised at well-known URLs that
modern AI clients auto-discover.
No external gateway, no extra processes. Point any OAuth-aware MCP
client at https://<your-odoo>/mcp and it
registers itself, opens an in-Odoo consent screen, and walks away
with a signed JWT access token bound to the user, the client, and
the approved scope.
Connect Your AI — Zero Local Config
Public-internet AI clients connect via OAuth in seconds — the client self-registers via DCR, the user signs in to Odoo, approves the scopes, and the AI walks away with a usable token. No bearer keys to copy, no client_id to provision.
Connect to ChatGPT.com
Add Odoo as a Custom MCP connector inside ChatGPT and approve access in six clicks — OAuth handles the rest.
- Settings › Apps › enable Developer mode.
- Create app › Custom MCP.
- Server URL: https://<your-odoo>/mcp.
- Auth: OAuth 2.1 (auto-discovered).
- Connect › sign in to Odoo › approve.
- Open the app › Refresh to load the tools.
Connect to Claude.ai
Paste your /mcp URL into Claude.ai's Custom
Connectors, sign in, approve scopes — done.
- Settings › Connectors › Custom Connectors › Add custom connector.
- Remote MCP URL: https://<your-odoo>/mcp.
- Auth: OAuth (auto-discovered).
- Sign in to Odoo › approve scopes.
Discovery Endpoints
The server publishes the well-known URLs every modern OAuth client
probes — clients pointed at /mcp learn the rest
on their own.
| Endpoint | RFC | Purpose |
|---|---|---|
| /.well-known/oauth-protected-resource | 9728 | Protected Resource Metadata — resource URL, supported scopes, bearer methods |
| /.well-known/oauth-authorization-server | 8414 | Authorization Server Metadata — authorize, token, registration, revocation, JWKS endpoints |
| /mcp/oauth/jwks.json | 7517 | RS256 public key set used to verify issued access tokens |
| /mcp/oauth/register | 7591 | Dynamic Client Registration — clients self-register at first sign-in |
| /mcp/oauth/authorize | 6749 | Authorization-code grant with mandatory PKCE S256 + per-scope consent |
| /mcp/oauth/token | 6749 | Token endpoint — authorization_code + rotating refresh_token grants |
| /mcp/oauth/revoke | 7009 | Token revocation — idempotent, returns 200 even for unknown tokens |
Per-Scope Consent
The first time an AI client requests access, the user lands on an in-Odoo consent screen rendered on Odoo's own login layout — company logo, Bootstrap chrome, all the standard polish. Each requested scope is shown as a labelled checkbox:
- mcp:read — read via MCP tools (search, browse, view)
- mcp:write — write via MCP tools (create, update, delete)
The user can grant the full set, narrow it (e.g. uncheck
mcp:write to hand out a read-only token), or deny.
The approved subset is what gets recorded as consent and bound
into the issued JWT — subsequent sign-ins for the same
scope skip the consent screen entirely.
Security By Default
| Control | What it does |
|---|---|
| PKCE S256 | Mandatory on every authorization request — plain rejected; verifiers under 43 or over 128 chars rejected. |
| Audience binding | RFC 8707 — access tokens are tied to the issuing /mcp URL; tokens with a mismatched audience are rejected at the resource. |
| Refresh rotation | Every refresh issues a new pair and consumes the old one. Replaying a consumed refresh outside the grace window revokes the entire chain. |
| RS256 JWTs | Access tokens are signed RS256 JWTs — signing key generated on first use, public JWK exposed at /mcp/oauth/jwks.json. |
| Scope intersection | The requested scope is intersected with the registered client.scope and the user-approved set before the code is issued. |
| URI validation | Only HTTPS URIs, http://localhost variants, and custom-scheme native URIs are accepted. URIs with a fragment are rejected. |
| UNIQUE constraints | Authorization codes, JWT IDs, refresh-token hashes, and client keys all carry DB-level UNIQUE constraints. |
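The request-side controls in the table above (PKCE S256 with plain refused and the 43..128 verifier bound, redirect-URI validation, and the scope intersection with client.scope and the consent set) can be checked in a few dozen lines. The following is an added example written for this page, not code from muk_mcp_oauth: the function names, the shape of the client record, the exact list of "localhost variants", and the requirement that a custom native scheme be in reverse-DNS form (RFC 8252 §7.1) are assumptions. For brevity the sample bundles the code_challenge and the code_verifier into one request, although in the real flow the challenge arrives at /authorize and the verifier at /token.

```python
"""Authorization-request checks modelled on the Security By Default table.

Added example, not code from muk_mcp_oauth. Function names, the client
record shape and the set of "localhost variants" are assumptions.
"""
import base64
import hashlib
import hmac
from urllib.parse import urlsplit

LOCALHOST_HOSTS = ("localhost", "127.0.0.1", "::1")  # assumed "localhost variants"


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(verifier)) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def validate_pkce(method: str, verifier: str, challenge: str) -> bool:
    """Only S256 is accepted; verifier length must be 43..128 (RFC 7636 §4.1)."""
    if method != "S256":            # 'plain' and anything else refused
        return False
    if not 43 <= len(verifier) <= 128:
        return False
    return hmac.compare_digest(s256_challenge(verifier), challenge)


def validate_redirect_uri(uri: str) -> bool:
    """HTTPS, http://localhost variants, or a custom native scheme; no fragment."""
    if "#" in uri:                  # rejects a fragment and a bare trailing '#'
        return False
    parts = urlsplit(uri)
    if parts.scheme == "https":
        return bool(parts.netloc)
    if parts.scheme == "http":
        return parts.hostname in LOCALHOST_HOSTS
    # Custom scheme for native apps. Assumption beyond the page: require the
    # reverse-DNS form RFC 8252 recommends (a dot in the scheme), which also
    # keeps schemes such as javascript: out.
    return "." in parts.scheme and bool(parts.netloc or parts.path)


def effective_scope(requested, client_scope, user_approved):
    """Intersect the request with the registered client.scope and the consent."""
    return tuple(sorted(set(requested) & set(client_scope) & set(user_approved)))


def check_authorization_request(req: dict, client: dict, approved) -> tuple:
    """Return (ok, reason, scope); scope is what gets bound into the code/JWT."""
    if req.get("client_id") != client.get("client_id"):
        return False, "unknown_client", ()
    if req.get("redirect_uri") not in client.get("redirect_uris", ()):
        return False, "unregistered_redirect_uri", ()
    if not validate_redirect_uri(req["redirect_uri"]):
        return False, "invalid_redirect_uri", ()
    if not validate_pkce(req.get("code_challenge_method", ""),
                         req.get("code_verifier", ""),
                         req.get("code_challenge", "")):
        return False, "invalid_pkce", ()
    scope = effective_scope(req.get("scope", "").split(),
                            client.get("scope", ()), approved)
    if not scope:
        return False, "empty_scope", ()
    return True, "ok", scope


# Constructed sample input: the verifier is the RFC 7636 Appendix B example,
# the client record mimics one created through DCR (placeholder client_id).
SAMPLE_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"  # 43 chars
SAMPLE_CLIENT = {
    "client_id": "dcr-demo-client",
    "redirect_uris": ["https://client.example/oauth/callback"],
    "scope": ("mcp:read", "mcp:write"),
}
SAMPLE_REQUEST = {
    "client_id": "dcr-demo-client",
    "redirect_uri": "https://client.example/oauth/callback",
    "scope": "mcp:read mcp:write",
    "code_challenge_method": "S256",
    "code_challenge": s256_challenge(SAMPLE_VERIFIER),
    "code_verifier": SAMPLE_VERIFIER,
}


def demo() -> tuple:
    """User unticks mcp:write on the consent screen: a read-only token results."""
    return check_authorization_request(SAMPLE_REQUEST, SAMPLE_CLIENT, {"mcp:read"})


if __name__ == "__main__":
    print(demo())
```

Running the block prints `(True, 'ok', ('mcp:read',))`: the client asked for both scopes, the registration allows both, the user approved only mcp:read, so only mcp:read survives the intersection. Swapping the redirect_uri for one that is not registered, or sending a 42-character verifier, fails the request before any scope is computed.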
Configuration & Audit
Open Settings > General Settings > MCP OAuth to
configure access-token TTL (default 900 s), refresh-token TTL
(default 30 days), the refresh grace window (default 5 s),
and to toggle Dynamic Client Registration. Every OAuth event
— register, authorize,
token, refresh, revoke
— lands in the existing Settings > MCP Server >
Audit Log with the originating IP, the client, the user, and
— on errors — the failure reason. Expired
authorization codes, revoked tokens, and unused DCR clients are
vacuumed automatically.
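The refresh-rotation control from the Security By Default table, combined with the three timers configured here (access-token TTL 900 s, refresh-token TTL 30 days, grace window 5 s), is easiest to reason about as a small state machine. The block below is an added example written for this page, not muk_mcp_oauth's code: the class names, the hash-only store, and the choice to hand a retry inside the grace window a fresh pair (without resetting the consumption time, so retries cannot extend the window) are assumptions. The replay rule itself is the page's: a consumed refresh token presented again outside the window revokes the whole chain, and revocation is idempotent.

```python
"""Refresh-token rotation with replay detection and the page's three timers.

Added example, not muk_mcp_oauth's code. Class names, the hash-only store
and the retry-inside-grace behaviour are assumptions; the defaults are the
ones the Configuration & Audit section states.
"""
import hashlib
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

ACCESS_TTL = 900            # seconds (page default)
REFRESH_TTL = 30 * 86400    # seconds (page default: 30 days)
GRACE_WINDOW = 5            # seconds (page default)


def token_hash(token: str) -> str:
    """Only hashes are stored, so a copied database yields no usable tokens."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


@dataclass
class RefreshRecord:
    chain_id: str                    # every token descending from one login shares it
    issued_at: float
    consumed_at: Optional[float] = None


class TokenStore:
    def __init__(self, clock: Callable[[], float]):
        self.clock = clock           # injectable so the demo is deterministic
        self.refresh = {}            # refresh hash -> RefreshRecord
        self.access = {}             # access hash  -> (chain_id, expires_at)
        self.revoked_chains = set()

    def _issue_pair(self, chain_id: str) -> Tuple[str, str]:
        now = self.clock()
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[token_hash(access)] = (chain_id, now + ACCESS_TTL)
        self.refresh[token_hash(refresh)] = RefreshRecord(chain_id, now)
        return access, refresh

    def login(self) -> Tuple[str, str]:
        """First pair after the code exchange starts a new chain."""
        return self._issue_pair(secrets.token_hex(8))

    def rotate(self, presented: str):
        """Return (status, pair). A successful refresh consumes the old token."""
        now = self.clock()
        rec = self.refresh.get(token_hash(presented))
        if rec is None:
            return "unknown", None
        if rec.chain_id in self.revoked_chains:
            return "revoked", None
        if now - rec.issued_at > REFRESH_TTL:
            return "expired", None
        if rec.consumed_at is not None:
            if now - rec.consumed_at > GRACE_WINDOW:
                # Replay outside the grace window: a copy of an already-used
                # token is in circulation, so every token in the chain dies.
                self.revoke_chain(rec.chain_id)
                return "replay_revoked", None
            # Assumption: a retry inside the window (lost response) gets a
            # fresh pair; consumed_at is left alone so the window cannot grow.
            return "ok", self._issue_pair(rec.chain_id)
        rec.consumed_at = now
        return "ok", self._issue_pair(rec.chain_id)

    def revoke_chain(self, chain_id: str) -> None:
        self.revoked_chains.add(chain_id)
        self.access = {h: v for h, v in self.access.items() if v[0] != chain_id}

    def revoke(self, token: str) -> bool:
        """/mcp/oauth/revoke semantics: idempotent, succeeds even for unknown tokens."""
        rec = self.refresh.get(token_hash(token))
        if rec is not None:
            self.revoke_chain(rec.chain_id)
        return True

    def access_valid(self, access: str) -> bool:
        entry = self.access.get(token_hash(access))
        return entry is not None and self.clock() < entry[1]


class ManualClock:
    """Constructed clock for the demo; production code would pass time.time."""
    def __init__(self, t: float = 1000.0):
        self.t = t

    def now(self) -> float:
        return self.t


def demo() -> Tuple[str, ...]:
    """One chain: login, rotate, retry inside grace, replay outside grace."""
    clock = ManualClock()
    store = TokenStore(clock.now)
    _, r1 = store.login()
    s1, (a2, _r2) = store.rotate(r1)     # normal rotation consumes r1
    clock.t += 2
    s2, _ = store.rotate(r1)             # retry within 5 s: tolerated
    clock.t += 10
    s3, _ = store.rotate(r1)             # replay at 12 s: chain revoked
    return s1, s2, s3, "valid" if store.access_valid(a2) else "invalid"


if __name__ == "__main__":
    print(demo())
```

Running the block prints `('ok', 'ok', 'replay_revoked', 'invalid')`: the access token from the legitimate rotation is killed together with the rest of the chain once the old refresh token shows up again outside the grace window, which is exactly the outcome the audit log would record as a failed refresh.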
Want more?
Are you having trouble with your Odoo integration? Or do you feel your system lacks essential features?
If your answer is YES to one of the above questions, feel free to contact us at any time with your inquiry.
We are looking forward to discussing your needs and planning the next steps with you.
Our Services
- Odoo Development
- Odoo Integration
- Odoo Infrastructure
- Odoo Training
- Odoo Support
MuK Proprietary License v1.0

This software and associated files (the "Software") may only be used (executed, modified, executed after modifications) if you have purchased a valid license from MuK IT GmbH.

The above permissions are granted for a single database per purchased license. Furthermore, with a valid license it is permitted to use the software on other databases as long as the usage is limited to a testing or development environment.

You may develop modules based on the Software or that use the Software as a library (typically by depending on it, importing it and using its resources), but without copying any source code or material from the Software. You may distribute those modules under the license of your choice, provided that this license is compatible with the terms of the MuK Proprietary License (For example: LGPL, MIT, or proprietary licenses similar to this one).

It is forbidden to publish, distribute, sublicense, or sell copies of the Software or modified copies of the Software.

The above copyright notice and this permission notice must be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.