| Availability |
Odoo Online
Odoo.sh
On Premise
|
| Community Apps Dependencies | Show |
| Lines of code | 1231 |
| Technical Name |
ekika_oauth2_provider_openid |
| License | OPL-1 |
| Website | https://ekika.co |
| Versions | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 |
|---|---|---|---|---|---|---|---|---|
| Community | ||||||||
| Enterprise |
https://www.ekika.co/support
OAuth2 Provider - OpenID Connect Extension
Extends the Odoo OAuth2 Provider with OpenID Connect (OIDC) Core 1.0 - ID tokens, JWKS, Discovery, UserInfo, nonce & hybrid flows.
OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0. Where OAuth 2.0 handles authorization (granting access to resources), OIDC handles authentication - it gives the client cryptographic proof of who the user is, along with standardized profile claims, without requiring a separate login system.
With this extension installed, your Odoo instance becomes a fully standards-compliant OpenID Provider (OP). Any application that supports OIDC - whether a custom web app, a mobile app, or a third-party SaaS platform - can authenticate users against Odoo and receive a signed ID token, exactly as they would with Google, Microsoft Azure AD, or Okta.
What is OpenID Connect?
OpenID Connect 1.0 is the identity protocol standardised by the OpenID Foundation, ratified in 2014 and now universally supported by identity-aware software. It formalises how a Relying Party (RP) - the application requesting login - interacts with an OpenID Provider (OP) - the server that authenticates the user and issues signed identity assertions.
The key artifact OIDC introduces over plain OAuth 2.0 is the ID Token: a JSON Web Token (JWT) that carries verified claims about the authenticated user (identity, name, email, etc.) and is cryptographically signed by the OP so the RP can validate authenticity without a round-trip.
This module implements OpenID Connect Core 1.0 on top of the Odoo OAuth2 Provider, adding the ID Token, JWKS, Discovery, and UserInfo endpoints required by the specification.
How it fits into the OAuth2 Flow
When a client requests the openid scope in an OAuth 2.0 Authorization Code flow,
the token response includes both the standard access_token and an additional
id_token (a signed JWT). The client verifies the JWT signature against the OP's
public key (fetched once from /oauth2/jwks) and can then trust the identity claims
inside without any further network call.
ID Tokens (RS256-signed JWT)
ID Tokens (RS256-signed JWT)
Every token endpoint response that includes the openid scope delivers an
ID Token - a compact, URL-safe JSON Web Token signed with the server's
RSA-2048 private key using the RS256 algorithm.
The ID Token payload always contains the following registered claims:
iss- Issuer: the base URL of your Odoo instance.sub- Subject: a stable, unique identifier for the authenticated user.aud- Audience: theclient_idof the Relying Party.exp- Expiration time (Unix timestamp).iat- Issued-at time (Unix timestamp).nonce- Echoed back from the authorization request to prevent replay attacks (when provided).at_hash- Left-half SHA-256 hash of the access token (binds ID token to access token).c_hash- Left-half SHA-256 hash of the authorization code (in hybrid flows).
Relying Parties verify the token using the public key from /oauth2/jwks.
No shared secret is required - any standard JWT library can perform offline verification.
JWKS Endpoint - /oauth2/jwks
The JSON Web Key Set (JWKS) endpoint publishes the RSA public key that clients use to verify ID token signatures. This is the standard mechanism defined in RFC 7517.
Relying Parties fetch this document once (or on key rotation) and cache the public key locally. All subsequent ID token verifications happen offline - no round-trip to Odoo required for each authentication event.
The JWKS document returned by this endpoint includes:
kty: "RSA"- key typeuse: "sig"- intended use (signature verification)alg: "RS256"- signing algorithmkid- key identifier (matches thekidheader in the ID token JWT)n,e- RSA modulus and exponent in base64url encoding
RSA key pairs are automatically generated and stored in Odoo system parameters on first use. No manual key management is required.
OIDC Discovery - /.well-known/openid-configuration
The OpenID Connect Discovery endpoint implements the OpenID Connect Discovery 1.0 specification. It returns a JSON document that fully describes the provider's capabilities - endpoint URLs, supported scopes, response types, signing algorithms, and claim types.
OIDC-aware applications (Keycloak, Auth0, any standards-compliant OIDC client library)
only need your Odoo URL to auto-configure themselves. They fetch
/.well-known/openid-configuration, discover all endpoint addresses dynamically,
and require no manual configuration of individual endpoint URLs.
The discovery document includes:
issuer- your Odoo base URLauthorization_endpoint,token_endpoint,userinfo_endpoint,jwks_uri,revocation_endpointresponse_types_supported- all supported OAuth2 + OIDC response type combinationsscopes_supported-openid,profile,email,phoneid_token_signing_alg_values_supported-RS256claims_supported- full list of returnable identity claimssubject_types_supported-public
OIDC UserInfo Endpoint - /oauth2/userinfo
The UserInfo endpoint is an OAuth 2.0 protected resource endpoint defined in
OIDC Core 1.0 §5.3.
It accepts a valid Access Token via an Authorization: Bearer <token> header
(per RFC 6750)
and returns a JSON object containing claims about the authenticated user.
The claims returned are filtered by the scopes that were granted when the access token was issued. This allows fine-grained control over which user attributes each application can read:
| Scope | Claims returned |
|---|---|
openid |
sub, iss (always included) |
profile |
name, preferred_username |
email |
email, email_verified |
phone |
phone_number |
Nonce Support - Replay Attack Prevention
The nonce is a client-generated, single-use random value included in the
authorization request. The OpenID Provider stores the nonce with the authorization code and
embeds it verbatim in the issued ID Token's nonce claim.
The Relying Party verifies that the nonce in the received ID Token matches the
value it originally sent. This binding between the authentication request and the ID Token
is the primary defence against token replay attacks and
authorization code injection.
This module correctly propagates the nonce through the full authorization code flow:
from the GET /oauth2/authorize consent screen, through the
authorization code storage, and into the final JWT id_token.
Endpoint Reference
This module adds or replaces the following HTTP endpoints on your Odoo instance:
| Endpoint | Method | Description |
|---|---|---|
/.well-known/openid-configuration |
GET | OIDC Discovery document - provider metadata & endpoint URLs |
/oauth2/authorize |
GET / POST | Authorization endpoint - extended with nonce forwarding & OIDC response types |
/oauth2/token |
POST | Token endpoint - returns id_token when openid scope is granted |
/oauth2/userinfo |
GET / POST | OIDC UserInfo endpoint - scope-filtered claims via Bearer token |
/oauth2/jwks |
GET | JSON Web Key Set - RSA public key for ID token signature verification |
/oauth2/revoke |
POST | Token revocation (inherited from base OAuth2 Provider) |
Services EKIKA Provides
EKIKA is your destination for expert Odoo ERP implementation and customization. We pride ourselves on building reliable, trust-based partnerships that give you full transparency and control over your business processes.
With over 12 years of experience, we can assist you with eCommerce platforms, production planning, point-of-sale systems, managing inventory adjustments, and providing advanced field worker tracking solutions to optimize your workflows and boost operational efficiency.
Implementation
Utilise Odoo ERP tailored for your business needs for smooth operations.
Customization
Personalized adjustments to Odoo modules for seamless management.
Support
Ongoing assistance and maintenance to optimize your Odoo system's performance.
Are you struggling with disorganized operations, high operational costs, or lack of transparency in your processes? What sets us apart is our commitment to personalized solutions tailored to your unique business needs and our proactive support, ensuring seamless integration and ongoing success.
Would you like to explore Odoo ERP for your business? Schedule a free consultation with EKIKA today!
Odoo Proprietary License v1.0 This software and associated files (the "Software") may only be used (executed, modified, executed after modifications) if you have purchased a valid license from the authors, typically via Odoo Apps, or if you have received a written agreement from the authors of the Software (see the COPYRIGHT file). You may develop Odoo modules that use the Software as a library (typically by depending on it, importing it and using its resources), but without copying any source code or material from the Software. You may distribute those modules under the license of your choice, provided that this license is compatible with the terms of the Odoo Proprietary License (For example: LGPL, MIT, or proprietary licenses similar to this one). It is forbidden to publish, distribute, sublicense, or sell copies of the Software or modified copies of the Software. The above copyright notice and this permission notice must be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
Please log in to comment on this module