oca / server-auth
Home Page: https://odoo-community.org/psc-teams/tools-30
License: GNU Affero General Public License v3.0
I need a way to show records of the res.users.log model. Odoo doesn't provide views for the model and I haven't found a ready solution for that. So, I am thinking of creating the module.
My question is: what could be a proper name / technical name for such a module, and is server-auth the proper repository for it?
It seems that sometimes the method in the website module controllers/main.py web_login is overriding the one in password_security and then if the password has expired, user is not redirected on the signup_url but on the standard /web page and therefore cannot login anymore.
How to be sure that password_security is on the top? Should it be added to the server_wide_modules in conf? (it seems that it doesn't help..)
Hello,
https://github.com/OCA/server-tools/tree/10.0/auth_admin_passkey
We are not using this module at all, but I think it is a good idea to open this issue and see what contributors think.
In my opinion this module shouldn't be migrated to v11 inside an OCA repository.
Thanks for other point of view
auth_admin_passkey is a great module.
The main use is to debug or test other users' ACLs.
Not only the admin could use this feature but also managers to test their team's access...
However, with this module, anyone having this module can access any account including the admin.
This module should not override the admin password.
When the customer opens the link (Confirm & Sign) from the quotation email, the first click opens the login form. The second click shows the quotation. The problem comes from auth_session_timeout. Exception URLs (inactive_session_time_out_ignored_url) are configured for the path (/quote).
Odoo 11 CE
Hi all,
I installed the password_security v12
When I:
Error:
TypeError: Value being assigned to HTMLMeterElement.value is not a finite floating-point value.
http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:3931
Thanks for your help
Tested on v11 and v12 runbot, unable to test on v10/v9
When opening the wizard to add a new MFA device the secret code (and QR code) displayed is not the same as the secret code used to validate.
After entering any Confirmation Code and clicking Create, the secret code and QR code reloads and shows the correct code. If this is not noticed by user they continue entering the 6 digit code from the first secret and continue receiving validation errors.
Workaround: Enter any 6 digit code and click validate, then add the displayed secret code / QR to authenticator
Hi all,
I have installed the module auth_session_timeout-11.0.1.0.0, and after that started to get redirect link and the error - Too many redirects. Problem was gone, when I removed the module.
What can be the issue?
This is the log line.
2019-05-25 10:56:02,747 873 INFO 7danat werkzeug: 217.165.21.202 - - [25/May/201 9 10:56:02] "GET /web/login?redirect=http%3A%2F%2F7danat.com%3A8069%2Fweb%2Flogi n%3Fredirect%3Dhttp%253A%252F%252F7danat.com%253A8069%252Fweb%252Flogin%253Fredi rect%253Dhttp%25253A%25252F%25252F7danat.com%25253A8069%25252Fweb%25252Flogin%25 253Fredirect%25253Dhttp%2525253A%2525252F%2525252F7danat.com%2525253A8069%252525 2Fweb%2525252Flogin%2525253Fredirect%2525253Dhttp%252525253A%252525252F%25252525 2F7danat.com%252525253A8069%252525252Fweb%252525252Flogin%252525253Fredirect%252 525253Dhttp%25252525253A%25252525252F%25252525252F7danat.com%25252525253A8069%25 252525252Fweb%25252525252Flogin%25252525253Fredirect%25252525253Dhttp%2525252525 253A%2525252525252F%2525252525252F7danat.com%2525252525253A8069%2525252525252Fwe b%2525252525252Flogin%2525252525253Fredirect%2525252525253Dhttp%252525252525253A %252525252525252F%252525252525252F7danat.com%252525252525253A8069%25252525252525 2Fweb%252525252525252Flogin%252525252525253Fredirect%252525252525253Dhttp%252525 25252525253A%25252525252525252F%25252525252525252F7danat.com%25252525252525253A8 069%25252525252525252Fweb%25252525252525252Flogin%25252525252525253Fredirect%252 52525252525253Dhttp%2525252525252525253A%2525252525252525252F%252525252525252525 2F7danat.com%2525252525252525253A8069%2525252525252525252Fweb%252525252525252525 2Flogin%2525252525252525253Fredirect%2525252525252525253Dhttp%252525252525252525 253A%252525252525252525252F%252525252525252525252F7danat.com%2525252525252525252 53A8069%252525252525252525252Fweb%252525252525252525252Flogin%252525252525252525 253Fredirect%252525252525252525253Dhttp%25252525252525252525253A%252525252525252 52525252F%25252525252525252525252F7danat.com%25252525252525252525253A8069%252525 25252525252525252Fweb%25252525252525252525252Flogin%25252525252525252525253Fredi rect%25252525252525252525253Dhttp%2525252525252525252525253A%2525252525252525252 
525252F%2525252525252525252525252F7danat.com%2525252525252525252525253A8069%2525 252525252525252525252F HTTP/1.1" 302 -
Hello,
I want to use keycloak with Odoo, I have configured the module like this:
And keycloak like this :
When I click on login page, I'm redirected to Keycloak, without error :
`2020-04-10 11:26:16,236 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$841/1490485563
2020-04-10 11:26:20,762 DEBUG [io.undertow.request] (default I/O-1) Matched prefix path /auth for path /auth/realms/master/protocol/openid-connect/auth
2020-04-10 11:26:20,763 DEBUG [io.undertow.request.security] (default task-75) Attempting to authenticate /auth/realms/master/protocol/openid-connect/auth, authentication required: false
2020-04-10 11:26:20,763 DEBUG [io.undertow.request.security] (default task-75) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@20ff4420 for /auth/realms/master/protocol/openid-connect/auth
2020-04-10 11:26:20,763 DEBUG [io.undertow.request.security] (default task-75) Authentication result was ATTEMPTED for /auth/realms/master/protocol/openid-connect/auth
2020-04-10 11:26:20,763 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-75) new JtaTransactionWrapper
2020-04-10 11:26:20,764 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-75) was existing? false
2020-04-10 11:26:20,764 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-75) RESTEASY002315: PathInfo: /realms/master/protocol/openid-connect/auth
2020-04-10 11:26:20,765 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-75) Hibernate RegisteredSynchronization successfully registered with JTA platform
2020-04-10 11:26:20,766 DEBUG [org.keycloak.services.util.CookieHelper] (default task-75) {1} cookie found in the requests header
2020-04-10 11:26:20,766 DEBUG [org.keycloak.services.util.CookieHelper] (default task-75) {1} cookie found in the cookies field
2020-04-10 11:26:20,766 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-75) Found AUTH_SESSION_ID cookie with value a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2.d-keycloack
2020-04-10 11:26:20,767 DEBUG [org.keycloak.services.util.CookieHelper] (default task-75) {1} cookie found in the requests header
2020-04-10 11:26:20,767 DEBUG [org.keycloak.services.util.CookieHelper] (default task-75) {1} cookie found in the cookies field
2020-04-10 11:26:20,767 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-75) Found AUTH_SESSION_ID cookie with value a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2.d-keycloack
2020-04-10 11:26:20,767 DEBUG [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-75) getUserSessionWithPredicate(a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2): remote cache not available
2020-04-10 11:26:20,768 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-75) Sent request to authz endpoint. We don't have root authentication session with ID 'a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2' but we have userSession.Re-created root authentication session with same ID. Client is: odoo . New authentication session tab ID: W1rlGRsrYjQ
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-75) AUTHENTICATE
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-75) AUTHENTICATE ONLY
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-75) processFlow: browser
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-75) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-75) authenticator: auth-cookie
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-75) Going through the flow 'browser' for adding executions
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-75) Going through the flow 'forms' for adding executions
2020-04-10 11:26:20,771 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-75) Selections when trying execution 'auth-cookie' : [ authSelection
2020-04-10 11:26:21,067 DEBUG [io.undertow.request] (default I/O-1) Matched default handler path /realms/master/protocol/openid-connect/token/introspect
2020-04-10 11:26:21,068 DEBUG [io.undertow.request] (default I/O-1) UT005013: An IOException occurred: java.nio.channels.ClosedChannelException
at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:876)
at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:649)
at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1137)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)`
But in odoo log I have this :
2020-04-10 09:26:20,826 9858 INFO sso werkzeug: 192.168.20.11 - - [10/Apr/2020 09:26:20] "GET /auth_oauth/signin HTTP/1.1" 200 -
2020-04-10 09:26:21,072 9858 ERROR sso odoo.addons.auth_oauth.controllers.main: OAuth2: Not Found
Traceback (most recent call last):
File "/opt/odoo/odoo11/addons/auth_oauth/controllers/main.py", line 133, in signin
credentials = env['res.users'].sudo().auth_oauth(provider, kw)
File "/opt/odoo/odoo11/addons/auth_oauth/models/res_users.py", line 96, in auth_oauth
validation = self._auth_oauth_validate(provider, access_token)
File "/opt/odoo/odoo11-custom-addons/auth_keycloak/models/res_users.py", line 44, in _auth_oauth_validate
validation = self._keycloak_validate(oauth_provider, access_token)
File "/opt/odoo/odoo11-custom-addons/auth_keycloak/models/res_users.py", line 28, in _keycloak_validate
raise OAuthError(resp.reason)
odoo.addons.auth_keycloak.exceptions.OAuthError: Not Found
2020-04-10 09:26:21,075 9858 INFO sso werkzeug: 192.168.20.11 - - [10/Apr/2020 09:26:21] "GET
/auth_oauth/signin?state=%7B%22d%22%3A+%22sso%22%2C+%22p%22%3A+4%2C+%22r%22%3A+%22http%253A%252F%252Fodoo-sso.domoce.local%253A8069%252Fweb%22%7D&access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZWm82bGdDaXVVTUtWY0JTVzhSaVpjeWhyUHJEWXpMU2RKV190S0xhWWlrIn0.eyJleHAiOjE1ODY1MTE2ODAsImlhdCI6MTU4NjUxMDc4MCwiYXV0aF90aW1lIjoxNTg2NTA5NzM5LCJqdGkiOiJhYTYyZDk4Mi0wNTRiLTQ5OWUtODZhYS1lZjY2NmIwOWI2Y2MiLCJpc3MiOiJodHRwczovL2Qtc3NvLm9zbW9zLnRlY2gvYXV0aC9yZWFsbXMvbWFzdGVyIiwic3ViIjoiYzIyMmM4MjMtYjJjMS00Nzg1LWIwNjEtZDg0ZDg0MDVlOWYwIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoib2RvbyIsInNlc3Npb25fc3RhdGUiOiJhMThlMzJjMy00ZmY0LTQ1YTUtOGJjYy02MDZiNWM5NWY0YzIiLCJhY3IiOiIwIiwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByZWZlcnJlZF91c2VybmFtZSI6Im9kb28ifQ.gQoMqTdlfHO1qlu4dn_uwttdDtw6zBfqzgfC1RN6Ne2IdeOO-dl3S52Syw2Xx_d-gp1tEvLgkfcwJhxdEdQ1LJCJf65tNquPwuLLew9gkQgAV7gvWbRL6_T7rjnFfFZM-NwQv9Sw4y-sNxw4dXG6PcJope5ry5NJ0ge4SSm-Ka-EQXasLjJGiK2rBZaTSaRwcJkmsC9a4RNR52-tIJYMlPcdpOX5C7FN0b0idyzPzxeM0yCdnO5-8cBkvxXxqYltAL7c6z2CF2Sp3YPRWnvTMXN8xra8o1URrgkI_zQi5uYTvblSnAVoPp3CsY8MuFOxgIKmx3Wi_t3BEUhh1UlqCg&token_type=bearer&expires_in=900 HTTP/1.1" 303 - 2020-04-10 09:26:21,150 9858 INFO sso werkzeug: 192.168.20.11 - - [10/Apr/2020 09:26:21] "GET /web/login?oauth_error=2 HTTP/1.1" 200 -
The documentation doesn't explain how to configure Keycloak, but I think the problem is on the Odoo side.
Thank you for your help !
Regards,
Nicolas
odoo v12
I got this error a lot in the log file !
2020-03-27 10:39:37,513 104143 ERROR DataBase odoo.addons.auth_session_timeout.models.res_users: Exception reading session file modified time.
Traceback (most recent call last):
File "/odoo/custom/others/auth_session_timeout/models/res_users.py", line 74, in _auth_timeout_check
expired = getmtime(path) < deadline
File "/usr/lib/python3.6/genericpath.py", line 55, in getmtime
return os.stat(filename).st_mtime
FileNotFoundError: [Errno 2] No such file or directory: '/odoo/.local/share/Odoo/sessions/werkzeug_f984108a7183103f7971885c14707c95811e9310.sess'
2020-03-27 10:39:37,915 104123 INFO DataBase werkzeug: 127.0.0.1 - - [27/Mar/2020 10:39:37] "POST /web/dataset/call_kw/project.phase/name_search HTT
Currently the module password_security is using a similar case to:
Unsafe password is passed as safe:
Safe password is passed as unsafe:
The following python library:
Works a little different similar to:
And gives you a score of security of your password considering the name of the user too.
I mean, name = John Smith
and password = JhonSmith123
it is unsafe.
For more information check the following readme:
Note: Help wanted here.
Hello
I encounter this problem in module keychain when installing it, how do we fix it.
AttributeError: module 'odoo.fields' has no attribute 'Serialized'
Kind regards,
Tien
[13.0] password_security migrate to Odoo version 13? When can I expect this module to be upgraded to version 13?
I am on a project using version 8.0 of Odoo and I was wondering whether the module worked on this version in the past, even though it is no longer supported.
Thank you!
Hello,
Can I use this module with Odoo Enterprise V11?
I have a fresh install of Debian Jessie and Odoo Enterprise V11 with demo data.
Only install one module and auth_session_timeout.
Put delay at 120 to be disconnected after 2 minutes.
The session is still active even if I use the demo or admin account.
Thanks for your help
Ericzen
module: auth_session_timeout
version: 12.0
Steps to reproduce
inactive_session_time_out_ignored_url,Excluding addresses has no effect
All incoming HTTP are killed,
Similar to dingtalk approval callback
Current behavior
Expected behavior
auth session timeout, should point to the user, not all
ldap module
server-auth to your addons path
Server startup fails, or may even break in unexpected ways, because of Odoo being unable to import ldap. This happens even if the auth_ldaps module is not installed.
Since ldap is only recommended for Odoo to work, not required, this error should not happen. If auth_ldaps is not installed, no errors should occur. If the user attempts to install auth_ldaps, but ldap is not available, an exception should be raised.
Hi @gurneyalex and @yajo
I have an issue installing lasso on centos8 through ansible, and it looks like there's a problem with the versions used.
The official reference for lasso, https://pypi.org/project/lasso/, states that it is at an alpha stage; moreover, when you follow the doc and go to https://github.com/aperezdc/lasso-python, it has been renamed to gnarl.
My proposal is to use lasso-python instead of the actual dependency or to find a more "stable" dependency.
What's your point of view?
Regards
The tests of auth_totp_password_security are failing for 11.0: https://travis-ci.org/OCA/server-auth/branches
The error is: AssertionError: 'http://localhost:8069/web/reset_password?token=eqN15WCDR57SxdDbdVv4&db=openerp_test' not found in 'redirected'
This is probably the problem:
Before installing auth_session_timeout module. (Above Image)
After installing the auth_session_timeout module. (Above Image)
Only happen to images where I uploaded myself using the upload image button. Image uploaded from my local.
web.base.url, web.base.url.freeze parameter is set properly with my domain ( https://domain ) and True.
Hi,
I installed password_security, and I'm not sure that the test for the "resets inside of min" is working.
I'm on Odoo 11, and the reset password form sends an empty string for the token in "qcontext", so the first 'if' is never valid. (controller/main.py line 61)
Plus, if this 'if' is valid, the queries "user_ids = request.env.sudo().search(...)" (lines 74 and 79) are not valid and throw an exception "AttributeError: 'Environment' object has no attribute 'sudo'" and should be replaced by "user_ids = request.env['res.users'].sudo().search(...)"
Best regards,
M.
Currently, auth_from_http_remote_users does not allow the same user to connect from different browser sessions at the same time (different browsers, different machines etc).
This is due to the fact that, when creating a new session, the module generates a new random pseudo-password (sso_key) that is subsequently used to check credentials at the beginning of each request (via check_security). So when the same user tries to connect via two sessions, they invalidate each other.
While there are reasons to make this sso_key secret, there is no reason for it to be random, IMO.
So I propose to change the module to generate that sso_key by hashing the combination of the user id, and a per-database secret to be set in a system parameter. For compatibility, if the system parameter is absent, log a warning and fall back on the current mechanism.
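A sketch of the derivation proposed above, as an added example that is not the module's code: the key is an HMAC-SHA256 of the user id under a per-database secret, so every session of the same user computes the same value, with the random fallback when the secret is unset. The function names, the dict standing in for system parameters, and the parameter key `auth_remote_user.sso_secret` are assumptions.

```python
import hashlib
import hmac
import logging
import secrets

_logger = logging.getLogger(__name__)

# Hypothetical system-parameter key; the proposal does not name one.
SECRET_PARAM = "auth_remote_user.sso_secret"
MIN_SECRET_LEN = 32


def derive_sso_key(user_id, db_secret):
    """Deterministic per-user key: HMAC-SHA256(secret, "sso_key:<uid>")."""
    if not isinstance(user_id, int) or isinstance(user_id, bool) or user_id <= 0:
        raise ValueError("user_id must be a positive integer")
    if len(db_secret) < MIN_SECRET_LEN:
        raise ValueError("per-database secret is too short")
    msg = b"sso_key:%d" % user_id
    return hmac.new(db_secret.encode(), msg, hashlib.sha256).hexdigest()


def new_session_key(user_id, params):
    """Return (key, deterministic); falls back to a random key when unset."""
    secret = params.get(SECRET_PARAM)
    if not secret:
        _logger.warning("%s not set, using a random sso_key", SECRET_PARAM)
        return secrets.token_hex(32), False
    return derive_sso_key(user_id, secret), True


def check_sso_key(user_id, presented, stored, params):
    """The per-request check, done with a constant-time comparison."""
    secret = params.get(SECRET_PARAM)
    expected = derive_sso_key(user_id, secret) if secret else stored
    if not expected or not presented:
        return False
    return hmac.compare_digest(expected.encode(), presented.encode())


def demo():
    # Constructed secret, for illustration only.
    params = {SECRET_PARAM: "constructed-secret-0123456789abcdef0123"}
    key_a, _ = new_session_key(7, params)   # browser A
    key_b, _ = new_session_key(7, params)   # browser B, same user
    key_other, _ = new_session_key(8, params)
    legacy_a, _ = new_session_key(7, {})    # current behaviour: random
    legacy_b, _ = new_session_key(7, {})
    return {
        "same_user_keys_match": key_a == key_b,
        "other_user_differs": key_a != key_other,
        "legacy_keys_differ": legacy_a != legacy_b,
    }


if __name__ == "__main__":
    print(demo())
```

With a derived key, a leaked sso_key stays valid until the per-database secret is rotated, and rotating it signs every user out at once.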
Often companies will want to maintain a whitelist of IP address expressed by ranges of IP's instead of having to express them one by one.
See https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation
And a sample implementation in python of logic to check if an IP address is within a range expressed by a CIDR expression: https://diego.assencio.com/?index=85e407d6c771ba2bc5f02b17714241e2
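A check of this kind written with Python's standard `ipaddress` module, as an added example that is not code from the module or from the linked article; the function names and the sample ranges (documentation and private address blocks) are constructed.

```python
import ipaddress

# Constructed allowlist mixing CIDR ranges, a single address and a comment.
SAMPLE_ALLOWLIST = [
    "192.0.2.0/24",
    "198.51.100.17",
    "2001:db8::/32",
    "# office VPN",
    "10.20.0.0/16",
]


def parse_allowlist(entries):
    """Parse single addresses and CIDR ranges; raise on malformed entries."""
    networks = []
    for raw in entries:
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue
        # strict=True refuses ranges with host bits set, such as 10.1.2.3/8,
        # which are usually typos that would allow more than was intended.
        networks.append(ipaddress.ip_network(entry, strict=True))
    return networks


def is_allowed(remote_addr, networks):
    """True if remote_addr falls inside any allowed network."""
    try:
        addr = ipaddress.ip_address(remote_addr.strip())
    except ValueError:
        return False  # fail closed on anything that is not one IP address
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(
        addr.version == net.version and addr in net for net in networks
    )


def demo():
    nets = parse_allowlist(SAMPLE_ALLOWLIST)
    probes = [
        "192.0.2.200",          # inside the /24
        "192.0.3.1",            # just outside it
        "198.51.100.17",        # the single allowed address
        "::ffff:10.20.5.9",     # IPv4-mapped IPv6 form of 10.20.5.9
        "2001:db9::1",          # outside the IPv6 range
        "10.20.0.1, 8.8.8.8",   # a header-style list, not an address
    ]
    return {probe: is_allowed(probe, nets) for probe in probes}


if __name__ == "__main__":
    for probe, allowed in demo().items():
        print(probe, "allowed" if allowed else "denied")
```

Behind a reverse proxy, the address to check is the one reported by the trusted proxy, since a raw X-Forwarded-For header is controlled by the client.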
Migrate auth_saml from https://github.com/xcgd/auth_saml to version 11 in OCA/server-auth
See xcgd/auth_saml#8
I installed Odoo 12 on a CentOS 7 server.
When I check the Odoo log, sometimes the error below appears and the service stops.
Traceback (most recent call last):
File "/home/Odoo12/odoo12/custom_addons/auth_session_timeout/models/res_users.py", line 74, in _auth_timeout_check
expired = getmtime(path) < deadline
File "/opt/rh/rh-python36/root/usr/lib64/python3.6/genericpath.py", line 55, in getmtime
return os.stat(filename).st_mtime
FileNotFoundError: [Errno 2] No such file or directory: '/home/Odoo12/.local/share/Odoo/sessions/werkzeug_438ccef416264f0acdcb5bfb772f$
Please help me to fix this.....
Steps to reproduce
Result
Expected result
How to replicate
Install Odoo
Add saml_auth to your addons path
Start the Odoo server
Log in with the administrator account
Configure SAML Provider [Using F5 in my case] (Matching attribute / IDP Configuration / SP Configuration / Private key of our service provider (this openerpserver)) and enable provider. (Provide a name and a body here we used Provider name = "F5" Body = "Login with F5")
Log out from the administrator account
Click on Login with the SAML Provider [Here Login with F5]
You are redirected to the external authentication system.
You log in with your user on the external authentication system. (In this scenario user doesn't exist in Odoo database on purpose)
You are redirected to the Odoo page localhost:9999/web/login#action=login&saml_error=3
Current behaviour
No error message is displayed on the login page
Odoo/addons/web/views/webclient_templates.xml ln.407
<p class="alert alert-danger" t-if="error">
<t t-esc="error"/>
</p>
Expected behavior
The following message should be displayed:
"You do not have access to this database or your " "invitation has expired. Please ask for an invitation " "and be sure to follow the link in your invitation email."
Issue: request.params.get('saml_error') doesn't get the proper value and error is empty
Eventual solution path: grab the saml_error from the url variable.
FYI: Login with a valid user works perfectly the configuration as is seems to work. But in case of an unexisting user, the message is not displayed. Maybe I am missing something in the configuration.
Source: The message is provided by the method web_login() in server-auth/auth_saml/controllers/main.py
    @http.route()
    def web_login(self, *args, **kw):
        ensure_db()
        if (
            request.httprequest.method == 'GET' and
            request.session.uid and
            request.params.get('redirect')
        ):
            # Redirect if already logged in and redirect param is present
            return http.redirect_with_hash(request.params.get('redirect'))
        providers = self.list_providers()
        response = super(SAMLLogin, self).web_login(*args, **kw)
        if response.is_qweb:
            error = request.params.get('saml_error')
            if error == '1':
                error = _("Sign up is not allowed on this database.")
            elif error == '2':
                error = _("Access Denied")
            elif error == '3':
                error = _(
                    "You do not have access to this database or your "
                    "invitation has expired. Please ask for an invitation "
                    "and be sure to follow the link in your invitation email."
                )
            else:
                error = None
            response.qcontext['providers'] = providers
            if error:
                response.qcontext['error'] = error
        return response
lasso fail with pip (ubuntu18.04, ubuntu 20.04):
pip3 install lasso
Collecting lasso
Downloading https://files.pythonhosted.org/packages/4e/8d/515757f262f53ed72e7695a2274097aafe0aa28d8017fb6e7c357baab2ab/lasso-0.0.5.tar.gz
Collecting delorean>=0.4.4 (from lasso)
Downloading https://files.pythonhosted.org/packages/76/40/5e8d179a0311236b2e83aa1c80b0b363700035ad6639858c75ef5be975e6/Delorean-1.0.0.tar.gz
Collecting schema<0.4.0,>=0.3.1 (from lasso)
Downloading https://files.pythonhosted.org/packages/0c/1f/1bb243c03e7109f18256b0485c6a1c400019a76d023f36983c99232c0141/schema-0.3.1.tar.gz
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "", line 1, in
File "/tmp/pip-build-bl27l9pf/schema/setup.py", line 16, in
long_description=open('README.rst').read(),
File "/usr/lib/python3.6/encodings/ascii.py", line 26, in decode
return codecs.ascii_decode(input, self.errors)[0]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 2360: ordinal not in range(128)
----------------------------------------
Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-bl27l9pf/schema/
In github, the project is now https://github.com/aperezdc/gnarl, maybe we should exchange lasso for gnarl?
The password_security module throws a warning during tests. Although it is just a warning, it makes odoo.sh flag the tests as yellow. So an Odoo instance using password_security cannot pass its tests on odoo.sh.
Sample warning from the log:
2019-10-10 11:18:13,150 7 WARNING jmcvetta-dev-632767 odoo.http: <function odoo.addons.password_security.controllers.main.web_auth_signup> returns an invalid response type for an http request
Warning is thrown from within odoo.http.route decorator, which is wrapping password_security.controllers.main.web_auth_signup().
Within that method we have the line:
return request.render('auth_signup.signup', qcontext)
@route is unhappy because the response from request.render() is an instance of MagicMock. Whereas @route is expecting an instance of odoo.http.Response, or one of a few other types.
Need to change the mocking setup, so the MagicMock object will report itself as an instance of odoo.http.Response.
Sorry for the previous issue. I thought i wrote the message in English.
I am in a project using version 8.0 of odoo and I was wondering if in the past the module auth_saml worked in this version, although it does not have support anymore.
Thank you!
Hi we want to use the auth_saml module in Odoo (OpenERP)
The installation was successful but when we try to login using SAML the browser wants to go to https://url.of.our.odoo.server/auth_saml/get_auth_request?pid=2 and we get a 404 error page.
Any idea of what could be the solution for this issue?
https://github.com/OCA/maintainer-tools/wiki/Migration-to-version-13.0
Missing module? Check https://github.com/OCA/maintainer-tools/wiki/%5BFAQ%5D-Missing-modules-in-migration-issue-list
Hi all,
I am using Odoo 11 CE on Ubuntu 16.04 with an Apache 2.4 reverse proxy.
When I install auth_session_timeout and log out, if I load the website, Odoo redirects to /web/login.
If I clear the browser cookies and then try to log in, Odoo redirects again to /web/login in a cycle and the login form does not load.
If I uninstall auth_session_timeout, there is no redirect and the website loads normally.
How to resolve this issue?
Change the verify() function in models/res_users_authenticator.py to use valid_window (allows use of OTP before and after the current displayed one):
...
if totp.verify(confirmation_code, valid_window=1):
...
This helps users login experience and also if there is any time issue on the server.
Eg. User opens authenticator app with 10s left of valid time left on OTP - do they wait for the next one to show or try and enter and submit this one in time. By setting valid window we reduce user frustration
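What valid_window=1 accepts, shown with a standard-library re-implementation of RFC 6238 TOTP; this is an added example, not the module's code and not the TOTP library it calls. The secret and timestamps are the published RFC 6238 test values, and the `last_used_step` replay guard is an assumption added for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30  # seconds per time step (RFC 6238 default)

# RFC 6238 test secret "12345678901234567890", base32-encoded.
RFC_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_at(secret_b32, unix_time, digits=6):
    """RFC 6238 code for the time step containing unix_time (HMAC-SHA1)."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    digest = hmac.new(key, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret_b32, code, now, valid_window=0, last_used_step=None):
    """Return the matched time step, or None.

    valid_window=n accepts codes from n steps before to n steps after now.
    last_used_step rejects replay of a step that was already accepted,
    which matters more once older codes stay valid for longer.
    """
    current = int(now) // STEP
    first = max(0, current - valid_window)
    for step in range(first, current + valid_window + 1):
        if last_used_step is not None and step <= last_used_step:
            continue
        expected = totp_at(secret_b32, step * STEP)
        if hmac.compare_digest(expected.encode(), str(code).encode()):
            return step
    return None


def acceptance_seconds(valid_window):
    """Total wall-clock span during which one code is accepted."""
    return (2 * valid_window + 1) * STEP


def demo():
    shown_at = 1111111109      # last second of a step: app shows 081804
    submitted_at = 1111111111  # two seconds later, already the next step
    code = totp_at(RFC_SECRET, shown_at)
    strict = verify(RFC_SECRET, code, submitted_at, valid_window=0)
    lenient = verify(RFC_SECRET, code, submitted_at, valid_window=1)
    # The same code presented again after it has been accepted once.
    replay = verify(RFC_SECRET, code, submitted_at, valid_window=1,
                    last_used_step=shown_at // STEP)
    return code, strict, lenient, replay


if __name__ == "__main__":
    print(demo(), acceptance_seconds(1))
```

With valid_window=1 each code is accepted for 90 seconds instead of 30, so tracking the last accepted step per device keeps a captured code from being used a second time inside that span.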
https://github.com/OCA/maintainer-tools/wiki/Migration-to-version-12.0
When a user clicks on their name in the upper right corner -> Preferences and scrolls to MFA devices, the field for authenticator_ids shows devices for other users as being available.
Fix: add domain="[('user_id', '=', id)]" to the authenticator_ids field on view_users_form_simple_modif
I am using keycloak v8.0.1 and odoo v11. After setting up the keycloak integration, everything works great, however, when I log out of odoo and try to log in again, I get a 502 error from keycloak.
One thing I did notice is the redirect_uri contains the http protocol instead of the https protocol, even though all of my config says to use https. I would blame it on my configuration setup, except that it really does work the first time I login.
https://iam.siliconhills.dev/auth/realms/master/protocol/openid-connect/auth?client_id=hq.siliconhills.dev&redirect_uri=http%3A%2F%2Fhq.siliconhills.dev%2Fauth_oauth%2Fsignin&response_type=token&state=%7B%22r%22%3A+%22http%253A%252F%252Fhq.siliconhills.dev%252Fweb%22%2C+%22d%22%3A+%22hq-siliconhills-dev%22%2C+%22p%22%3A+7%7D&scope=False
In order to make it work, I have to logout of keycloak, and then try to login to odoo with keycloak. But, if I'm already logged into keycloak and I try to login to odoo with keycloak, it always throws a 502 error.
Below is my configuration.
Neither keycloak nor odoo give me any error logs. Keycloak only logs the following warnings.
Hi:
Has anyone tried server-auth with a Shibboleth IdP? I've got a functioning IdP endpoint setup and I entered all the metadata in the server-auth Odoo 11 plugin. I enabled the plugin and I do see the link to login to my IdP on the Odoo login screen. When I click on it - it goes to https://<mydomain.com>/None and I get a 404 page not found error. The link address it's trying to execute is:
https://<mydomain.com>/auth_saml/get_auth_request?pid=1
I'm assuming it can't find: https://<mydomain.com>/metadata (my SP entityID)) - Are there any nginx tweaks that need to be done to make this URI work?
I'm going to re-test my metadata at Onelogin: https://www.samltool.com/validate_xml.php
Just curious if anyone has gone down this road. If so, is there any place to start checking?
Cheers,
Dave
module: auth_saml
version: 11.0
Steps to reproduce
Current behavior
Expected behavior
Odoo Server Error
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/odoo/http.py", line 624, in _handle_exception
return super(JsonRequest, self)._handle_exception(exception)
File "/usr/lib/python3/dist-packages/odoo/http.py", line 310, in _handle_exception
raise pycompat.reraise(type(exception), exception, sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/odoo/tools/pycompat.py", line 14, in reraise
raise value
File "/usr/lib/python3/dist-packages/odoo/http.py", line 669, in dispatch
result = self._call_function(**self.params)
File "/usr/lib/python3/dist-packages/odoo/http.py", line 350, in _call_function
return checked_call(self.db, *args, **kwargs)
File "/usr/lib/python3/dist-packages/odoo/service/model.py", line 94, in wrapper
return f(dbname, *args, **kwargs)
File "/usr/lib/python3/dist-packages/odoo/http.py", line 339, in checked_call
result = self.endpoint(*a, **kw)
File "/usr/lib/python3/dist-packages/odoo/http.py", line 915, in call
return self.method(*args, **kw)
File "/usr/lib/python3/dist-packages/odoo/http.py", line 515, in response_wrap
response = f(*args, **kw)
File "/usr/lib/python3/dist-packages/odoo/addons/web/controllers/main.py", line 1326, in call_button
action = self._call_kw(model, method, args, kwargs)
File "/usr/lib/python3/dist-packages/odoo/addons/web/controllers/main.py", line 1314, in _call_kw
return call_kw(request.env[model], method, args, kwargs)
File "/usr/lib/python3/dist-packages/odoo/api.py", line 387, in call_kw
result = _call_kw_multi(method, model, args, kwargs)
File "/usr/lib/python3/dist-packages/odoo/api.py", line 374, in _call_kw_multi
result = method(recs, *args, **kwargs)
File "/usr/lib/python3/dist-packages/odoo/addons/users_ldap_populate/models/users_ldap.py", line 189, in populate_wizard
res_id = wizard_obj.create({'ldap_id': self.id}).id
File "", line 2, in create
File "/usr/lib/python3/dist-packages/odoo/api.py", line 335, in _model_create_multi
return create(self, [arg])
File "/usr/lib/python3/dist-packages/odoo/addons/users_ldap_populate/models/populate_wizard.py", line 32, in create
ldap.action_populate()
File "/usr/lib/python3/dist-packages/odoo/addons/users_ldap_populate/models/users_ldap.py", line 65, in action_populate
results = self._get_ldap_entry_dicts(conf)
File "/usr/lib/python3/dist-packages/odoo/addons/users_ldap_populate/models/users_ldap.py", line 128, in _get_ldap_entry_dicts
ldap_password.encode('utf-8')
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 443, in simple_bind_s
msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 437, in simple_bind
return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
result = func(*args,**kwargs)
TypeError: simple_bind() argument 1 must be str or None, not bytes
2020-02-24 23:53:15,988 17670 WARNING 20200117-WalkThru odoo.addons.website.models.ir_http: 403 Forbidden:
Traceback (most recent call last):
File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/addons/base/models/ir_http.py", line 203, in _dispatch
result = request.dispatch()
File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 835, in dispatch
r = self._call_function(**self.params)
File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 346, in _call_function
return checked_call(self.db, *args, **kwargs)
File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/service/model.py", line 97, in wrapper
return f(dbname, *args, **kwargs)
File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 339, in checked_call
result = self.endpoint(*a, **kw)
File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 941, in __call__
return self.method(*args, **kw)
File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 519, in response_wrap
response = f(*args, **kw)
File "/opt/odoo/v12-test/odoo/addons/website/controllers/main.py", line 96, in web_login
response = super(Website, self).web_login(redirect=redirect, *args, **kw)
File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 519, in response_wrap
response = f(*args, **kw)
File "/opt/odoo/v12-test/odoo/addons/auth_oauth/controllers/main.py", line 94, in web_login
response = super(OAuthLogin, self).web_login(*args, **kw)
File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 519, in response_wrap
response = f(*args, **kw)
File "/opt/odoo/v12-test/odoo/addons/auth_signup/controllers/main.py", line 21, in web_login
response = super(AuthSignupHome, self).web_login(*args, **kw)
File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 519, in response_wrap
response = f(*args, **kw)
File "/opt/odoo/v12-test/src/tko-addons/tko_web_sessions_management/models/main.py", line 58, in web_login
request.params['password'])
File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 1041, in authenticate
uid = odoo.registry(db)['res.users'].authenticate(db, login, password, env)
File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/addons/base/models/res_users.py", line 594, in authenticate
uid = cls._login(db, login, password)
File "/opt/odoo/v12-test/src/server-auth/users_ldap_groups/models/res_users.py", line 12, in _login
user_id = super()._login(db, login, password)
File "/opt/odoo/v12-test/odoo/addons/auth_ldap/models/res_users.py", line 21, in _login
raise e
File "/opt/odoo/v12-test/odoo/addons/auth_ldap/models/res_users.py", line 15, in _login
return super(Users, cls)._login(db, login, password)
File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/addons/base/models/res_users.py", line 573, in _login
user._check_credentials(password)
File "/opt/odoo/v12-test/odoo/addons/auth_oauth/models/res_users.py", line 114, in _check_credentials
return super(ResUsers, self)._check_credentials(password)
File "/opt/odoo/v12-test/src/server-auth/auth_ldap_attribute_sync/models/res_users.py", line 12, in _check_credentials
super()._check_credentials(password)
File "/opt/odoo/v12-test/odoo/addons/auth_ldap/models/res_users.py", line 33, in _check_credentials
super(Users, self)._check_credentials(password)
File "/opt/odoo/v12-test/src/server-auth/auth_totp/models/res_users.py", line 106, in _check_credentials
raise MfaLoginNeeded
odoo.addons.auth_totp.exceptions.MfaLoginNeeded: Access denied
I'm using auth_session_timeout in combination with Odoo 11 EE and we regularly have a 50_x error "Service unavailable" when we're using Chrome.
The user is logged out properly, but after this error we have to clear all cookies before we can login in Odoo again.
Any idea how to fix this?
I have noticed password_security/models/res_users.py is different for versions 11 and 12 regarding the _password_has_expired function: in version 12, there is a condition that allows disabling password expiration just by setting password_expiration = 0 (which makes sense),

    @api.multi
    def _password_has_expired(self):
        self.ensure_one()
        if not self.password_write_date:
            return True
        if not self.company_id.password_expiration:
            return False
        days = (fields.Datetime.now() - self.password_write_date).days
        return days > self.company_id.password_expiration

while in version 11, the function does not accept a value just to disable it.

    @api.multi
    def _password_has_expired(self):
        self.ensure_one()
        if not self.password_write_date:
            return True
        write_date = fields.Datetime.from_string(self.password_write_date)
        today = fields.Datetime.from_string(fields.Datetime.now())
        days = (today - write_date).days
        return days > self.company_id.password_expiration

Can we "backport" that feature or is there any reason not to implement it that way in version 11? Will you accept a pull request of that feature to be merged in 11.0 branch?
Hello all,
Has anyone managed to set up the SAML connector with Microsoft ADFS SSO?
If so, what should I place in each of the SAMLv2 setup screens?
Kind regards,
Fernando
Is there any module to add the feature of auth2 authentication as a (provider), not a client?
I would like to propose a new module to add the feature of auth2 authentication schema to odoo, to allow other apps to authenticate using Odoo.
Hi Hello
I'm trying to change auth_brute_force.max_by_ip but I don't know where those parameters are stored.
Hello,
We are hoping to install the Password security module but noticed a strange issue. We wish to disable the history check, as per the pop-up instructions "0 to disable". However, this does not seem to work; we have to enter the value 1. This seems minor but could cause frustration to new users of the module.
Steps:
In the password policy set (for ease of use):
Days = 0
Minimum Hours = 0
Characters = 0
History = 0
Lower = 1
Upper = 1
Numeric = 1
Special = 0
Ensure users can reset their own passwords
Create a new user, login and logout as said user
Using the Reset password mechanism on the login page
Set new password as Abcd1. Login.
Set new password as Abcd1 again. Login. User was able to use same password.
Set new password as Abcd1. User sees error "Cannot use the most recent 0 passwords"
Login as a user with settings permissions and in password policy set History to 1.
Repeat the above test, the user can reuse the same password unlimited times
Expected:
On the third attempt the user can use the repeat password when history = 0
Kind regards,
Sam
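Added example (not the password_security module's code): a stand-alone Python model of the "0 to disable" semantics raised in the two reports above, covering the password_expiration branch quoted from version 12 and the history setting. The `PasswordPolicy` class, its fields, the PBKDF2 hashing and `replay_report` are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta


def _digest(password, salt):
    # Salted PBKDF2 so the history never stores plaintext passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class PasswordPolicy:
    """Hypothetical stand-alone model; 0 disables either setting."""

    def __init__(self, expiration_days=0, history=0):
        self.expiration_days = expiration_days
        self.history = history
        self.entries = []  # (salt, digest, written_at), newest last

    def has_expired(self, now):
        if not self.entries:
            return True  # no password on record: force a change
        if not self.expiration_days:
            return False  # 0 disables expiration, as in the version 12 code
        return (now - self.entries[-1][2]).days > self.expiration_days

    def is_reused(self, candidate):
        # Guard first: entries[-0:] is the whole list, not an empty one.
        if not self.history:
            return False
        recent = self.entries[-self.history:]
        return any(hmac.compare_digest(_digest(candidate, s), d) for s, d, _ in recent)

    def set_password(self, candidate, now):
        if self.is_reused(candidate):
            raise ValueError("Cannot use the most recent %d passwords" % self.history)
        salt = os.urandom(16)
        self.entries.append((salt, _digest(candidate, salt), now))


def replay_report(history, start=datetime(2020, 1, 1)):
    """Set "Abcd1" three times, as in the report; return the accepted count."""
    policy, accepted = PasswordPolicy(history=history), 0
    for day in range(3):
        try:
            policy.set_password("Abcd1", start + timedelta(days=day))
            accepted += 1
        except ValueError:
            pass
    return accepted
```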