Skip to Content

Face Kiosk Attendance

by
Odoo
v 18.0 Third Party 75
Download for v 18.0 Deploy on Odoo.sh
Availability
Odoo Online
Odoo.sh
On Premise
Odoo Apps Dependencies Attendances (hr_attendance)
Discuss (mail)
Employees (hr)
Community Apps Dependencies
Lines of code 4006
Technical Name eh_hr_face_kiosk
LicenseLGPL-3
Websitehttps://www.erpheritage.com.au/
Versions 16.0 17.0 18.0 19.0
You bought this module and need support? Click here!
Availability
Odoo Online
Odoo.sh
On Premise
Odoo Apps Dependencies Attendances (hr_attendance)
Discuss (mail)
Employees (hr)
Community Apps Dependencies
Lines of code 4006
Technical Name eh_hr_face_kiosk
LicenseLGPL-3
Websitehttps://www.erpheritage.com.au/
Versions 16.0 17.0 18.0 19.0
ERP Heritage · HR Platform
Attendance kiosk for Odoo 18 Community

Face Kiosk Attendance

Self-hosted browser face-match clock-in that posts straight to hr.attendance, with raw images never leaving the device.

Free · LGPL-3Odoo 18 CommunityLGPL-3v1.0.0
In-browser face-api.js embedding
Server-side cosine match
Posts to hr.attendance
Raw images stay on device
Per-site geofence option

Why this module

Face Kiosk Attendance

Privacy by design

Embeddings, not images

The browser computes a 128-dim face embedding locally and sends only that number array to the server. Raw webcam frames never persist server-side, so there is no image store to breach or to govern.

Lives in your database

No subscription kiosk

Enrolment, templates, matches, and attendance all live inside your own Odoo. The match controller, template model, and enrolment wizard ship in the module; there is no third-party service in the clock-in path.

Honest about scope

Convenience, not anti-spoofing

This identifies an enrolled face for attendance convenience. A printed photo or a screen can match and a modified client can submit any embedding, so it is not a liveness or security control. Passive liveness is a separate module.

Day in the life

A shift change at the front desk

An employee steps in front of a paired tablet at the welcome screen. The browser captures a face, builds the embedding, and posts it with the device token. The server confirms the device, checks the optional site geofence, cosine-matches the embedding against active consented templates for that company, and applies the company match threshold. On a hit it opens or closes the employee's hr.attendance record and shows the name and action. A near miss below threshold is logged and raises a low-confidence attendance exception for a manager to review.

Edge cases

The cases most modules quietly ignore.

In the shipped code today, each one a place where a cheaper module silently does the wrong thing.

Consent withdrawal cascade

When a face consent is withdrawn, every active template tied to it is deactivated in the same transaction and the cascade is written to the kiosk audit trail with the count, so a later compliance review can prove when it happened.

Retention expiry

A retention sweep cron extends the base sweep: expired face consents have their still-active templates deactivated, so a lapsed consent cannot keep matching at the kiosk.

Multi-company scoping

The device token resolves to one device, one site, one company. The match only searches active templates for that company, so a cross-company face match is impossible at the controller layer.

Stolen-token throttling

The match endpoint is DB-backed rate limited by token or client IP, so a leaked device token cannot hammer the matcher; over-budget callers get a 429.

Geofence enforcement

When a site enables geofencing, a missing or out-of-radius location returns no-match with a logged reason rather than posting attendance, using a haversine distance against the site coordinates and radius.

Below-threshold handling

A best match worse than the company threshold posts no attendance, records a match_fail event with the distance, and raises an identity_low_confidence attendance exception for review.

Dimension mismatch safety

Stored templates whose length does not equal the incoming embedding are skipped during matching, and template creation validates that the JSON embedding is numeric and matches its declared dimension.

Check-in or check-out toggle

On a match the server finds the latest open attendance for the employee; if one is open it sets check_out, otherwise it creates a new check_in, so the same gesture clocks in or out correctly.

What is inside

Built to do the job, end to end.

  • eh.hr.face.template. Stores the JSON embedding, declared dimension, model identity and version, capture method, quality score, company, and a required link to a granted face consent record. Validations reject non-numeric or mismatched-length embeddings.
  • Match controller. The /eh_hr/kiosk/face/match route authenticates by device token, applies rate limiting and optional geofencing, normalises and cosine-matches the embedding against consented active templates, toggles hr.attendance, and logs every step.
  • Public kiosk shell. The /eh_hr/kiosk/<site_code> route renders a standalone HTML page with pair, welcome, success, and failure screens. It loads face-api.js and the kiosk scripts directly with an mtime cache-bust, outside the Odoo web client.
  • Enrolment wizard. An HR-admin wizard captures three to five samples through an OWL widget, requires a ticked consent acknowledgement, grants or reuses a face consent, and stores each sample as its own template row for varied lighting and angles.
  • Employee templates view. Each employee carries face templates, an active-template count, and a computed face-enrolled flag derived from live templates, plus actions to enrol and to view or deactivate templates.
  • Role-scoped access. Access rights separate HR user, manager, admin, and auditor groups, so reading templates, enrolling, and unlinking are granted to the right roles only.

Honest about the edges

What this does not do, so nothing surprises you.

  • This is an attendance-convenience face match, not an anti-spoofing or liveness control. A printed photo, a screen, or a modified client can defeat it. For passive liveness, add the separate face liveness module.
  • face-api.js is not bundled. The model files are large and you choose a release, so you run the supplied static lib setup once before the kiosk works.
  • The match is a plain cosine scan over a company's active templates, fast for dozens to low hundreds of employees. Beyond roughly two thousand templates per company an indexed approach is the right answer.
  • Requires the attendance base and core suite modules; it relies on their consent, kiosk site and device, rate-limit, audit event, and attendance-exception models.
  • Geofencing depends on the browser providing a location and the site being configured with coordinates and a radius; it is optional and off by default.
  • The kiosk shell is a standalone public page authenticated by a paired device token, not an Odoo login, so device pairing and token security are operational responsibilities.
Search

face recognition attendance odoo, biometric clock in odoo 18, kiosk attendance odoo community, face-api.js odoo, contactless attendance, no badge time clock, hr attendance kiosk, self hosted face attendance, employee clock in kiosk, geofenced attendance odoo, consent managed biometric, odoo 18 attendance module

ERP Heritage

Production-grade Odoo accounting, built to an engineering bar and documented honestly. Support: info@erpheritage.com.au
Developed by Odoo Customisation Services

v1.0.0 · LGPL-3 · Odoo 18 Community

Please log in to comment on this module

  • The author can leave a single reply to each comment.
  • This section is meant to ask simple questions or leave a rating. Every report of a problem experienced while using the module should be addressed to the author directly (refer to the following point).
  • If you want to start a discussion with the author, please use the developer contact information. They can usually be found in the description.