Skip to main content

Authenticate via HTTP Remote User

Project description

License: AGPL-3

Allow users to be automatically logged in

This module initialize the session by looking for the field HTTP_REMOTE_USER in the HEADER of the HTTP request and trying to bind the given value to a user. To be active, the module must be installed in the expected databases and loaded at startup; Add the –load parameter to the startup command:

--load=web,web_kanban,auth_from_http_remote_user, ...

If the field is found in the header and no user matches the given one, the system issue a login error page. (401 Unauthorized)

System parameter

By default this module does not allow the same user to connect from different browser sessions at the same time. It generates a new random pseudo-password (sso_key) that will be different at each session creation. To allow the same user to connect from different browser sessions, a system parameter can be configured with a secret. At session creation, the pseudo-password generated will be a hash based on the secret and the user id making the pseudo-password the same for each session of the same user. The system parameter key must be

http_remote_user.secret

and the value can be any string (Ex: 123456789abcdefgh).

Use case.

The module allows integration with external security systems [1] that can pass along authentication of a user via Remote_User HTTP header field. In many cases, this is achieved via server like Apache HTTPD or nginx proxying Odoo.

How to test the module with Apache [2]

Apache can be used as a reverse proxy providing the authentication and adding the required field in the Http headers.

Install apache:

$ sudo apt-get install apache2

Define a new vhost to Apache by putting a new file in /etc/apache2/sites-available:

$ sudo vi  /etc/apache2/sites-available/MY_VHOST.com

with the following content:

<VirtualHost *:80>
  ServerName MY_VHOST.com
  ProxyRequests Off
  <Location />
    AuthType Basic
    AuthName "Test Odoo auth_from_http_remote_user"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/MY_VHOST.htpasswd
    Require valid-user

    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set Remote-User "%{RU}e" env=RU
  </Location>

  RequestHeader unset Remote-User early
  ProxyPass / http://127.0.0.1:8069/  retry=10
  ProxyPassReverse  / http://127.0.0.1:8069/
  ProxyPreserveHost On
</VirtualHost>

Enable the required apache modules:

$ sudo a2enmod headers
$ sudo a2enmod proxy
$ sudo a2enmod rewrite
$ sudo a2enmod proxy_http

Enable your new vhost:

$ sudo a2ensite MY_VHOST.com

Create the htpassword file used by the configured basic authentication:

$ sudo htpasswd -cb /etc/apache2/MY_VHOST.htpasswd admin admin
$ sudo htpasswd -b /etc/apache2/MY_VHOST.htpasswd demo demo

For local test, add the MY_VHOST.com in your /etc/vhosts file.

Finally reload the configuration:

$ sudo service apache2 reload

Open your browser and go to MY_VHOST.com. If everything is well configured, you are prompted for a login and password outside Odoo and are automatically logged in the system.

Bug Tracker

Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us smashing it by providing a detailed and welcomed feedback.

Credits

Images

  • Odoo Community Association: Icon.

Contributors

Maintainer

Odoo Community Association

This module is maintained by the OCA.

OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.

To contribute to this module, please visit https://odoo-community.org.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distribution

File details

Details for the file odoo9_addon_auth_from_http_remote_user-9.0.1.0.0.99.dev17-py2-none-any.whl.

File metadata

File hashes

Hashes for odoo9_addon_auth_from_http_remote_user-9.0.1.0.0.99.dev17-py2-none-any.whl
Algorithm Hash digest
SHA256 6d09f2496281f4e066c6cb8c3d4a395a9938a79b110a3a12ba24001e7a7c629c
MD5 48d5bd1f2d06effd9f521df50454474c
BLAKE2b-256 cb856042c02255846ade23e9ca1d03c53e9368963aa26fcfb21576b7dc9dffb3

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page