| Availability | Odoo Online, Odoo.sh, On Premise |
| Odoo Apps Dependencies | Discuss (mail) |
| Lines of code | 7972 |
| Technical Name | muk_mcp_enterprise |
| License | See License tab |
| Website | http://www.mukit.at |
MuK MCP Enterprise
Enterprise-Managed Authorization — ID-JAG
MuK IT GmbH - www.mukit.at
Overview
Lets your organization control MCP server access centrally through
its existing identity provider — Okta, Microsoft Entra ID,
Keycloak, any OIDC IdP — instead of every employee authorizing
every MCP server individually. Implements the Model Context Protocol
Enterprise-Managed Authorization extension
(io.modelcontextprotocol/enterprise-managed-authorization,
SEP-990) on top of muk_mcp_oauth.
Employees authenticate once with their corporate SSO. The MCP client
exchanges an Identity Assertion JWT Authorization Grant
(ID-JAG) for an Odoo access token via the RFC 7523
jwt-bearer grant — no per-user consent screen, no
browser redirect to Odoo. Onboarding and offboarding happen in one
place: the IdP.
How the ID-JAG Flow Works
- The MCP client signs the user in at the enterprise IdP and obtains an ID-JAG (a signed JWT) scoped to this Odoo MCP server.
- The client POSTs the ID-JAG to `/mcp/oauth/token` with `grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer` and `assertion=<ID-JAG>`.
- Odoo validates the ID-JAG against the IdP's JWKS — signature, iss, aud, exp/nbf.
- The validated claims are mapped to an Odoo user; a short-lived MCP access token is issued.
- Every `/mcp` call then runs as the resolved user — the same token machinery as muk_mcp_oauth.
Revoking a user at the IdP immediately cuts off new tokens; existing access tokens expire within their short TTL. No per-client, per-server revocation needed.
User Linking
The ID-JAG carries no Odoo session — the user is resolved entirely from the validated claims. Three modes, from most to least restrictive:
| Mode | Behaviour |
|---|---|
| Mapping only | The sub claim must match a pre-provisioned Identity record. Unknown subjects are rejected. Most secure. |
| E-mail match | Falls back to an existing Odoo user whose login or e-mail equals the email claim, then optionally persists the subject mapping. |
| JIT provisioning | Creates a new user in the configured groups on first sign-in. Use only with a fully trusted IdP. |
Configuration & Audit
Open Settings > MCP Server > Authentication > Identity
Providers to register one record per IdP — issuer, JWKS
URI, audience, claim names, and the user-linking mode. Once at least
one IdP exists, the jwt-bearer grant and the extension
are advertised in the OAuth discovery metadata. Every ID-JAG exchange
— success or rejection — lands in the existing
Settings > MCP Server > Logging audit log with the
client, the resolved user, the originating IP, and the failure reason
on errors.
Security By Default
| Control | What it does |
|---|---|
| Signature | The ID-JAG must verify against a key in the IdP's JWKS (RS256). JWKS are cached and re-fetched on demand. |
| Issuer & audience | iss must equal the configured issuer; aud must equal the configured audience or the /mcp resource URL. |
| Expiry | exp/nbf are enforced with a small leeway. |
| No standing secret | No long-lived secret is stored; trust flows from the IdP signature on each request. |
| Permissions | The resolved user's groups, record rules, and muk_mcp model access still apply; a token never exceeds its user. |
Help and Support
Feel free to contact us if you need any help with your Odoo integration or additional features. You will get 30 days of support in case of any issues (except data recovery, migration or training).
Our Services
- Odoo Development
- Odoo Integration
- Odoo Infrastructure
- Odoo Training
- Odoo Support
MuK MCP Enterprise
Adds the Model Context Protocol Enterprise-Managed Authorization extension (io.modelcontextprotocol/enterprise-managed-authorization, SEP-990) on top of muk_mcp_oauth. An organization controls MCP server access centrally through its existing identity provider (Okta, Entra ID, Keycloak, any OIDC IdP) instead of each user authorizing each server.
Employees authenticate once with their corporate SSO. The MCP client exchanges an Identity Assertion JWT Authorization Grant (ID-JAG) for an Odoo access token through the RFC 7523 jwt-bearer grant — no per-user consent screen, no browser redirect to Odoo.
Installation
To install this module, you need to:
Download the module and add it to your Odoo addons folder. Afterward, log on to your Odoo server and go to the Apps menu. Trigger the debug mode and update the list by clicking on the "Update Apps List" link. Now install the module by clicking on the install button.
The module pulls in authlib as an external Python dependency (pip install authlib).
Upgrade
To upgrade this module, you need to:
Download the module and add it to your Odoo addons folder. Restart the server and log on to your Odoo server. Select the Apps menu and upgrade the module by clicking on the upgrade button.
Configuration
Navigate to Settings > MCP Server > Authentication > Identity Providers and create one record per IdP:
- Issuer — the iss claim the IdP stamps on every ID-JAG.
- JWKS URI — endpoint exposing the IdP's public keys.
- Audience — expected aud claim; leave empty to require the Odoo /mcp resource URL.
- Subject / Email Claim — claim names carrying the identity (defaults: sub, email).
- User Linking — how a validated ID-JAG resolves to an Odoo user.
Once at least one IdP exists, the jwt-bearer grant and the extension are advertised in /.well-known/oauth-authorization-server and /.well-known/oauth-protected-resource.
User Linking
The ID-JAG carries no Odoo session — the user is resolved entirely from the validated claims. Three modes, from most to least restrictive:
- Pre-provisioned mapping only — the sub claim must match an Identity record you created. Unknown subjects are rejected.
- Mapping, then e-mail match — falls back to an existing Odoo user whose login or e-mail equals the email claim. With Auto-link Subject enabled the mapping is then persisted.
- Mapping, e-mail match, then create user — just-in-time provisions a new user in the configured JIT Groups. Use only with a fully trusted IdP.
Security
- Signature — the ID-JAG must verify against a key in the IdP's JWKS (RS256). JWKS are cached for the configured TTL (default 1 hour) and re-fetched on demand.
- Issuer & audience — iss must equal the configured issuer; aud must equal the configured audience or the /mcp resource URL.
- Expiry — exp/nbf are enforced with a small leeway.
- No standing secret — unlike client-credentials, no long-lived secret is stored; trust flows from the IdP signature on each request.
- Permissions — the resolved user's groups, record rules, and muk_mcp model access still apply; a token never exceeds its user.
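As an added illustration (not the module's own code), the checks that follow signature verification in the Security list above, together with the three User Linking modes, in plain Python. The in-memory user table and Identity-record mapping are constructed stand-ins; the 30-second leeway, the function names, and the "mcp_user" group are assumptions.

```python
import time
from dataclasses import dataclass

LEEWAY = 30  # seconds of clock-skew tolerance for exp/nbf (assumed value)

class RejectedAssertion(Exception): ...
@dataclass
class IdpConfig:
    issuer: str                    # expected iss claim
    audience: str = ""             # empty: require the /mcp resource URL
    subject_claim: str = "sub"
    email_claim: str = "email"
    linking: str = "mapping"       # "mapping" | "email" | "jit"
    auto_link: bool = False        # persist the subject mapping after an e-mail match
    jit_groups: tuple = ("mcp_user",)

def validate_claims(claims, cfg, resource_url, now=None):
    # Claim checks that follow a successful RS256 signature check against the JWKS.
    now = time.time() if now is None else now
    if claims.get("iss") != cfg.issuer:
        raise RejectedAssertion("issuer mismatch")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # RFC 7519: string or array
    if (cfg.audience or resource_url) not in auds:
        raise RejectedAssertion("audience mismatch")
    if "exp" not in claims or now > claims["exp"] + LEEWAY:
        raise RejectedAssertion("expired or missing exp")
    if now + LEEWAY < claims.get("nbf", 0):
        raise RejectedAssertion("not yet valid")
    if not claims.get(cfg.subject_claim):
        raise RejectedAssertion("missing subject")
    return claims

def resolve_user(claims, cfg, users, mapping):
    # users: login -> {"email": ...}; mapping: (issuer, sub) -> login, i.e. Identity records.
    key = (cfg.issuer, claims[cfg.subject_claim])
    if key in mapping:  # 1. pre-provisioned Identity record
        return mapping[key]
    if cfg.linking == "mapping":
        raise RejectedAssertion("unknown subject")
    email = (claims.get(cfg.email_claim) or "").lower()
    for login, rec in users.items():  # 2. existing user by login or e-mail
        if email and email in (login.lower(), (rec.get("email") or "").lower()):
            if cfg.auto_link: mapping[key] = login  # optionally persist the subject mapping
            return login
    if cfg.linking != "jit" or not email:
        raise RejectedAssertion("no matching user")
    users[email] = {"email": email, "groups": list(cfg.jit_groups)}  # 3. JIT provisioning
    mapping[key] = email
    return email
```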
Credits
Contributors
- Mathias Markl <mathias.markl@mukit.at>
Author & Maintainer
This module is maintained by the MuK IT GmbH.
MuK IT is an Austrian company specialized in customizing and extending Odoo. We develop custom solutions for your individual needs to help you focus on your strength and expertise to grow your business.
If you want to get in touch please contact us via mail (sale@mukit.at) or visit our website (https://mukit.at).
MuK Proprietary License v1.0
This software and associated files (the "Software") may only be used (executed, modified, executed after modifications) if you have purchased a valid license from MuK IT GmbH. The above permissions are granted for a single database per purchased license. Furthermore, with a valid license it is permitted to use the software on other databases as long as the usage is limited to a testing or development environment. You may develop modules based on the Software or that use the Software as a library (typically by depending on it, importing it and using its resources), but without copying any source code or material from the Software. You may distribute those modules under the license of your choice, provided that this license is compatible with the terms of the MuK Proprietary License (For example: LGPL, MIT, or proprietary licenses similar to this one). It is forbidden to publish, distribute, sublicense, or sell copies of the Software or modified copies of the Software. The above copyright notice and this permission notice must be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.