Skip to main content

JWT bearer token authentication.

Project description

Beta License: AGPL-3 OCA/server-auth Translate me on Weblate Try me on Runbot

JWT bearer token authentication.

Table of contents

Installation

This module requires the pyjwt library to be installed.

Usage

This module lets developpers add a new jwt authentication method on Odoo controller routes.

To use it, you must:

  • Create an auth.jwt.validator record to configure how the JWT token will be validated.

  • Add an auth="jwt_{validator-name}" or auth="public_or_jwt_{validator-name}" attribute to the routes you want to protect where {validator-name} corresponds to the name attribute of the JWT validator record.

The auth_jwt_demo module provides examples.

The JWT validator can be configured with the following properties:

  • name: the validator name, to match the auth="jwt_{validator-name}" route property.

  • audience: a comma-separated list of allowed audiences, used to validate the aud claim.

  • issuer: used to validate the iss claim.

  • Signature type (secret or public key), algorithm, secret and JWK URI are used to validate the token signature.

In addition, the exp claim is validated to reject expired tokens.

If the Authorization HTTP header is missing, malformed, or contains an invalid token, the request is rejected with a 401 (Unauthorized) code.

If the token is valid, the request executes with the configured user id. By default the user id selection strategy is static (i.e. the same for all requests) and the selected user is configured on the JWT validator. Additional strategies can be provided by overriding the _get_uid() method and extending the user_id_strategy selection field.

The selected user is not stored in the session. It is only available in request.uid (and thus it is the one used in request.env). To avoid any confusion and mismatches between the bearer token and the session, this module rejects requests made with an authenticated user session.

Additionally, if a partner_id_strategy is configured, a partner is searched and if found, its id is stored in the request.jwt_partner_id attribute. If partner_id_required is set, a 401 (Unauthorized) is returned if no partner was found. Otherwise request.jwt_partner_id is left falsy. Additional strategies can be provided by overriding the _get_partner_id() method and extending the partner_id_strategy selection field.

The decoded JWT payload is stored in request.jwt_payload.

The public_auth_jwt method delegates authentication to the standard Odoo public method when the Authorization header is not set. If it is set, the regular JWT authentication is performed as described above. This method is useful for public endpoints that need to work for anonymous users, but can be enhanced when an authenticated user is know. A typical use case is a “add to cart” endpoint that can work for anonymous users, but can be enhanced by binding the cart to a known customer when the authenticated user is known.

Known issues / Roadmap

CORS support is problematic in Odoo before 14.0. This means the demo SPA in auth_jwt_demo does not work as is. To make it work, you need to serve it from the same URL as Odoo, or backport https://github.com/odoo/odoo/pull/56029.

This might also be worked around in auth_jwt by detecting the cors preflight request and not requiring auth in that case.

This is left for future work, as my current focus is Odoo 14.0.

Bug Tracker

Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us smashing it by providing a detailed and welcomed feedback.

Do not contact contributors directly about support or help with technical issues.

Credits

Authors

  • ACSONE SA/NV

Contributors

Maintainers

This module is maintained by the OCA.

Odoo Community Association

OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.

Current maintainer:

sbidoul

This module is part of the OCA/server-auth project on GitHub.

You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

File details

Details for the file odoo13_addon_auth_jwt-13.0.1.1.0-py3-none-any.whl.

File metadata

  • Download URL: odoo13_addon_auth_jwt-13.0.1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 34.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.3.0 pkginfo/1.7.0 requests/2.25.1 setuptools/58.0.2 requests-toolbelt/0.9.1 tqdm/4.58.0 CPython/3.8.5

File hashes

Hashes for odoo13_addon_auth_jwt-13.0.1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 d535ca9e3fc4ea7de13193bb1c55ec4b9d292c1fcb556a3d0abb124603905153
MD5 6ed4c2c98443c49fddf93855e1b23a38
BLAKE2b-256 2a5abf8f343b6cd46cb7dd8e785da9e1dd42c1cea96c6cdb0bfb7b59f2f9ea42

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page