Connecting Okta with Odoo using OAuth

Hello, I have a question regarding connecting with Odoo.

It is possible to set up an OAuth provider in Odoo. I would like to use Okta for this. However, the Odoo application in Okta does not provide support for this, so I have to set up a new application.

The problem I am facing is that for this setup, Okta refers to the documentation of Odoo (in this case). However, Odoo does not have sufficient documentation about this. Because of that, I do not know where to find the endpoints necessary to set up this application.

Hopefully someone has experience with this and can help me out. Thanks in advance.

Hello,

I am not able to find specific information for this integration.
I assume you most likely would want to create an OIDC Web App in Okta.
This will give you the client_id / client_secret.

To get the endpoints needed by Odoo you can use your Org's discovery endpoints.

For the Org Authorization Server it would be,
https://{domain}.okta.com/.well-known/openid-configuration

For a Custom Authorization Server it would be (if using the predefined default authorization server),
https://{domain}.okta.com/oauth2/default/.well-known/openid-configuration

Differences between the authorization servers can be found here.

You most likely will need to experiment a bit to see if a custom authorization server is required and the scopes/claims the integration may need if it is not documented.

Hope that helps.


Thanks for your help Eric!

I have used the links from my Org Authorization Server:
image

These are the same as I was using before. Am I making any mistakes in one of the endpoints?

In the system log, I get the error “unsupported_response_type” when trying to use the Okta widget in Odoo. I found somewhere on the Developer Forum that activating ‘implicit (hybrid)’ fixes this issue. However, this changes the error to ‘invalid_nonce’.

Hello,

When you test, could you open the browser's dev console and select the network tab?
One of the calls will be to the /authorize endpoint.
If you could include the full request URL it would be helpful to know what Odoo is sending.

Thank You,

https://shadowzone.okta.com/oauth2/v1/authorize?response_type=token&client_id=0oa92i9ck8QxzYbx35d7&redirect_uri=https%3A%2F%2Fshadowzone.odoo.com%2Fauth_oauth%2Fsignin&scope=openid+profile+email&state={"d"%3A+"shadowzone"%2C+"p"%3A+4%2C+"r"%3A+"https%253A%252F%252Fshadowzone.odoo.com%252Fweb"}

Hello,

Okta requires a nonce value if the return type is token.
It looks like Odoo is not sending a nonce as part of the authorize parameters.

Is there an option in Odoo to either add a nonce if doing an implicit flow, or an option to do an authorization code flow instead?


I have added an image with everything I can configure.

image

Hey @jordy.pouwels, it seems like Odoo has a ticket open for something similar: "Oauth authentication uses Implicit Flow without nonce · Issue #63750 · odoo/odoo · GitHub".
You may need to extend some of Odoo’s OAuth addon libraries (odoo/addons/auth_oauth at 16.0 · odoo/odoo · GitHub) yourself to generate a nonce value for the /authorize request and validate it on the redirect back.

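A sketch of the nonce handling suggested in the post above, as an added example that is not code from Odoo, Okta or any poster in this thread. The `session` dict, the placeholder URLs and client id, the `id_token token` response type and the function names are assumptions; `verified_claims` stands for ID token claims whose signature, issuer, audience and expiry a JWT library has already verified.

```python
import hmac
import secrets
from urllib.parse import urlencode

# Hypothetical placeholders: use your own Okta domain, client id and redirect URI.
AUTHORIZE_URL = "https://example.okta.com/oauth2/v1/authorize"
CLIENT_ID = "CLIENT_ID_PLACEHOLDER"
REDIRECT_URI = "https://odoo.example.com/auth_oauth/signin"


def build_authorize_url(session):
    """Create a fresh state and nonce, store them server-side, return the URL."""
    session["oauth_state"] = secrets.token_urlsafe(32)
    session["oauth_nonce"] = secrets.token_urlsafe(32)
    params = {
        # Assumption: an ID token is requested so the nonce comes back as a claim.
        "response_type": "id_token token",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": session["oauth_state"],
        "nonce": session["oauth_nonce"],
    }
    return AUTHORIZE_URL + "?" + urlencode(params)


def validate_callback(session, returned_state, verified_claims):
    """Return True only if state and nonce match what this session sent.

    verified_claims must already be signature-checked; this function only
    binds the response to the request that started the login.
    """
    # pop() makes both values single-use, so a replayed response is rejected.
    expected_state = session.pop("oauth_state", None)
    expected_nonce = session.pop("oauth_nonce", None)
    got_nonce = verified_claims.get("nonce")
    values = (expected_state, expected_nonce, returned_state, got_nonce)
    if not all(isinstance(v, str) and v for v in values):
        return False
    # Constant-time comparison on bytes avoids leaking how much matched.
    state_ok = hmac.compare_digest(expected_state.encode(), returned_state.encode())
    nonce_ok = hmac.compare_digest(expected_nonce.encode(), got_nonce.encode())
    return state_ok and nonce_ok
```
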

Thank you Eric and dawoudt for the useful support. This is clearly a problem on the side of Odoo and I have opened a ticket with them to (hopefully) resolve this issue.
