Odoo 集成OAuth2认证

ElonMuscle
1,928 阅读2分钟

采用docker部署

Odoo 安装部署参考
hub.docker.com/_/odoo

集成OAuth2认证配置

参考 authing.cn/blog/在Odoo中…

参考勘误  
服务商名称,必填 ;
客户端 ID,必填,应用 ID;
允许,选填,是否启用此服务商,此处请勾选;
正文,必填,显示在 Odoo 网站上登录按钮的文字;
身份验证网址,必填,请填写:https://your.idpserver/oauth2/authorize/
作用域,必填,请根据idpserver提供的scope填写,一般多为openid或userinfo,其scope中的claim必须包含一个user_id字段;
验证网址,必填,请填写:https://your.idpserver/oauth2/userinfo;
数据网址,非必填

配置部分的源码分析
见中文注释
docker下的Odoo调试十分不方便,没有日志,没有vi编辑器,没有root权限 我的解决方式:

  1. 从github上下载对应开源版本的odoo
  2. 解压后挂载odoo\addons\auth_oauth\models到容器/usr/lib/python3/dist-packages/odoo/addons/auth_oauth/models
  3. 编辑odoo\addons\auth_oauth\models下的文件,在需要logger的地方加入open('/var/log/odoo/logger.log','w').write(str(<debug_var>))
  4. 每次移动logger位置后需要重启container

这样做其实不如仔细分析源码,或者不如直接安装odoo,比在docker中调试方便多了

# -*- coding: utf-8 -*-
# Part of Odoo. See LICENSE file for full copyright and licensing details.

import json

import requests

from odoo import api, fields, models
from odoo.exceptions import AccessDenied, UserError
from odoo.addons.auth_signup.models.res_users import SignupError

from odoo.addons import base
base.models.res_users.USER_PRIVATE_FIELDS.append('oauth_access_token')

class ResUsers(models.Model):
    _inherit = 'res.users'

    oauth_provider_id = fields.Many2one('auth.oauth.provider', string='OAuth Provider')
    oauth_uid = fields.Char(string='OAuth User ID', help="Oauth Provider user_id", copy=False)
    oauth_access_token = fields.Char(string='OAuth Access Token', readonly=True, copy=False)

    _sql_constraints = [
        ('uniq_users_oauth_provider_oauth_uid', 'unique(oauth_provider_id, oauth_uid)', 'OAuth UID must be unique per provider'),
    ]

    @api.model
    def _auth_oauth_rpc(self, endpoint, access_token):
        ### 验证token是否有效
        return requests.get(endpoint, params={'access_token': access_token}).json()

    @api.model
    def _auth_oauth_validate(self, provider, access_token):
        """ return the validation data corresponding to the access token """
        oauth_provider = self.env['auth.oauth.provider'].browse(provider)
        ### validation_endpoint即上文中的`验证网址`
        validation = self._auth_oauth_rpc(oauth_provider.validation_endpoint, access_token)

        if validation.get("error"):
            raise Exception(validation['error'])
        if oauth_provider.data_endpoint:
            data = self._auth_oauth_rpc(oauth_provider.data_endpoint, access_token)
            validation.update(data)
        return validation

    @api.model
    def _generate_signup_values(self, provider, validation, params):
        oauth_uid = validation['user_id']
        email = validation.get('email', 'provider_%s_user_%s' % (provider, oauth_uid))
        name = validation.get('name', email)
        return {
            'name': name,
            'login': email,
            'email': email,
            'oauth_provider_id': provider,
            'oauth_uid': oauth_uid,
            'oauth_access_token': params['access_token'],
            'active': True,
        }

    @api.model
    def _auth_oauth_signin(self, provider, validation, params):
        """ retrieve and sign in the user corresponding to provider and validated access token
            :param provider: oauth provider id (int)
            :param validation: result of validation of access token (dict)
            :param params: oauth parameters (dict)
            :return: user login (str)
            :raise: AccessDenied if signin failed

            This method can be overridden to add alternative signin methods.
        """
        oauth_uid = validation['user_id']
        try:
            oauth_user = self.search([("oauth_uid", "=", oauth_uid), ('oauth_provider_id', '=', provider)])  
            if not oauth_user:
                raise AccessDenied()
            assert len(oauth_user) == 1
            oauth_user.write({'oauth_access_token': params['access_token']})
            return oauth_user.login
        except AccessDenied as access_denied_exception:
            if self.env.context.get('no_user_creation'):
                return None
            state = json.loads(params['state'])
            token = state.get('t')
            values = self._generate_signup_values(provider, validation, params)
            try:
                _, login, _ = self.signup(values, token)
                return login
            except (SignupError, UserError):
                raise access_denied_exception

    @api.model
    def auth_oauth(self, provider, params):
        # Advice by Google (to avoid Confused Deputy Problem)
        # if validation.audience != OUR_CLIENT_ID:
        #   abort()
        # else:
        #   continue with the process

        access_token = params.get('access_token')
        validation = self._auth_oauth_validate(provider, access_token)
        # required check
        ###  检查是否提供user_id字段
        if not validation.get('user_id'):
            # Workaround: facebook does not send 'user_id' in Open Graph Api
            ### 没有user_id就尝试找id字段
            if validation.get('id'):
                validation['user_id'] = validation['id']
            else:
                raise AccessDenied()

        # retrieve and sign in user
        login = self._auth_oauth_signin(provider, validation, params)
        if not login:
            raise AccessDenied()
        # return user credentials
        return (self.env.cr.dbname, login, access_token)

    def _check_credentials(self, password):
        try:
            return super(ResUsers, self)._check_credentials(password)
        except AccessDenied:
            res = self.sudo().search([('id', '=', self.env.uid), ('oauth_access_token', '=', password)])
            if not res:
                raise

    def _get_session_token_fields(self):
        return super(ResUsers, self)._get_session_token_fields() | {'oauth_access_token'}

Odoo API调用

参考 www.odoo.com/documentati…
需要后端语言连接数据库后通过XML-RPC方式调用

avatar
文章
阅读
粉丝