OCA / server-auth

https://odoo-community.org/psc-teams/tools-30
GNU Affero General Public License v3.0

odoo.addons.auth_keycloak.exceptions.OAuthError: Not Found #184

Closed NicolasDEVOUGE closed 1 year ago

NicolasDEVOUGE commented 4 years ago

Hello,

I want to use keycloak with Odoo, I have configured the module like this 👍 image

And keycloak like this :

image

When I click on login page, I'm redirected to Keycloak, without error :

```
2020-04-10 11:26:16,236 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$841/1490485563
2020-04-10 11:26:20,762 DEBUG [io.undertow.request] (default I/O-1) Matched prefix path /auth for path /auth/realms/master/protocol/openid-connect/auth
2020-04-10 11:26:20,763 DEBUG [io.undertow.request.security] (default task-75) Attempting to authenticate /auth/realms/master/protocol/openid-connect/auth, authentication required: false
2020-04-10 11:26:20,763 DEBUG [io.undertow.request.security] (default task-75) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@20ff4420 for /auth/realms/master/protocol/openid-connect/auth
2020-04-10 11:26:20,763 DEBUG [io.undertow.request.security] (default task-75) Authentication result was ATTEMPTED for /auth/realms/master/protocol/openid-connect/auth
2020-04-10 11:26:20,763 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-75) new JtaTransactionWrapper
2020-04-10 11:26:20,764 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-75) was existing? false
2020-04-10 11:26:20,764 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-75) RESTEASY002315: PathInfo: /realms/master/protocol/openid-connect/auth
2020-04-10 11:26:20,765 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-75) Hibernate RegisteredSynchronization successfully registered with JTA platform
2020-04-10 11:26:20,766 DEBUG [org.keycloak.services.util.CookieHelper] (default task-75) {1} cookie found in the requests header
2020-04-10 11:26:20,766 DEBUG [org.keycloak.services.util.CookieHelper] (default task-75) {1} cookie found in the cookies field
2020-04-10 11:26:20,766 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-75) Found AUTH_SESSION_ID cookie with value a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2.d-keycloack
2020-04-10 11:26:20,767 DEBUG [org.keycloak.services.util.CookieHelper] (default task-75) {1} cookie found in the requests header
2020-04-10 11:26:20,767 DEBUG [org.keycloak.services.util.CookieHelper] (default task-75) {1} cookie found in the cookies field
2020-04-10 11:26:20,767 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-75) Found AUTH_SESSION_ID cookie with value a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2.d-keycloack
2020-04-10 11:26:20,767 DEBUG [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-75) getUserSessionWithPredicate(a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2): remote cache not available
2020-04-10 11:26:20,768 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-75) Sent request to authz endpoint. We don't have root authentication session with ID 'a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2' but we have userSession.Re-created root authentication session with same ID. Client is: odoo . New authentication session tab ID: W1rlGRsrYjQ
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-75) AUTHENTICATE
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-75) AUTHENTICATE ONLY
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-75) processFlow: browser
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-75) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-75) authenticator: auth-cookie
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-75) Going through the flow 'browser' for adding executions
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-75) Going through the flow 'forms' for adding executions
2020-04-10 11:26:20,771 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-75) Selections when trying execution 'auth-cookie' : [ authSelection

2020-04-10 11:26:21,067 DEBUG [io.undertow.request] (default I/O-1) Matched default handler path /realms/master/protocol/openid-connect/token/introspect
2020-04-10 11:26:21,068 DEBUG [io.undertow.request] (default I/O-1) UT005013: An IOException occurred: java.nio.channels.ClosedChannelException
	at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:876)
	at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:649)
	at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
	at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1137)
	at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
	at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)
```

But in odoo log I have this :

```
2020-04-10 09:26:20,826 9858 INFO sso werkzeug: 192.168.20.11 - - [10/Apr/2020 09:26:20] "GET /auth_oauth/signin HTTP/1.1" 200 -
2020-04-10 09:26:21,072 9858 ERROR sso odoo.addons.auth_oauth.controllers.main: OAuth2: Not Found
Traceback (most recent call last):
  File "/opt/odoo/odoo11/addons/auth_oauth/controllers/main.py", line 133, in signin
    credentials = env['res.users'].sudo().auth_oauth(provider, kw)
  File "/opt/odoo/odoo11/addons/auth_oauth/models/res_users.py", line 96, in auth_oauth
    validation = self._auth_oauth_validate(provider, access_token)
  File "/opt/odoo/odoo11-custom-addons/auth_keycloak/models/res_users.py", line 44, in _auth_oauth_validate
    validation = self._keycloak_validate(oauth_provider, access_token)
  File "/opt/odoo/odoo11-custom-addons/auth_keycloak/models/res_users.py", line 28, in _keycloak_validate
    raise OAuthError(resp.reason)
odoo.addons.auth_keycloak.exceptions.OAuthError: Not Found
2020-04-10 09:26:21,075 9858 INFO sso werkzeug: 192.168.20.11 - - [10/Apr/2020 09:26:21] "GET /auth_oauth/signin?state=%7B%22d%22%3A+%22sso%22%2C+%22p%22%3A+4%2C+%22r%22%3A+%22http%253A%252F%252Fodoo-sso.domoce.local%253A8069%252Fweb%22%7D&access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZWm82bGdDaXVVTUtWY0JTVzhSaVpjeWhyUHJEWXpMU2RKV190S0xhWWlrIn0.eyJleHAiOjE1ODY1MTE2ODAsImlhdCI6MTU4NjUxMDc4MCwiYXV0aF90aW1lIjoxNTg2NTA5NzM5LCJqdGkiOiJhYTYyZDk4Mi0wNTRiLTQ5OWUtODZhYS1lZjY2NmIwOWI2Y2MiLCJpc3MiOiJodHRwczovL2Qtc3NvLm9zbW9zLnRlY2gvYXV0aC9yZWFsbXMvbWFzdGVyIiwic3ViIjoiYzIyMmM4MjMtYjJjMS00Nzg1LWIwNjEtZDg0ZDg0MDVlOWYwIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoib2RvbyIsInNlc3Npb25fc3RhdGUiOiJhMThlMzJjMy00ZmY0LTQ1YTUtOGJjYy02MDZiNWM5NWY0YzIiLCJhY3IiOiIwIiwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByZWZlcnJlZF91c2VybmFtZSI6Im9kb28ifQ.gQoMqTdlfHO1qlu4dn_uwttdDtw6zBfqzgfC1RN6Ne2IdeOO-dl3S52Syw2Xx_d-gp1tEvLgkfcwJhxdEdQ1LJCJf65tNquPwuLLew9gkQgAV7gvWbRL6_T7rjnFfFZM-NwQv9Sw4y-sNxw4dXG6PcJope5ry5NJ0ge4SSm-Ka-EQXasLjJGiK2rBZaTSaRwcJkmsC9a4RNR52-tIJYMlPcdpOX5C7FN0b0idyzPzxeM0yCdnO5-8cBkvxXxqYltAL7c6z2CF2Sp3YPRWnvTMXN8xra8o1URrgkI_zQi5uYTvblSnAVoPp3CsY8MuFOxgIKmx3Wi_t3BEUhh1UlqCg&token_type=bearer&expires_in=900 HTTP/1.1" 303 -
2020-04-10 09:26:21,150 9858 INFO sso werkzeug: 192.168.20.11 - - [10/Apr/2020 09:26:21] "GET /web/login?oauth_error=2 HTTP/1.1" 200 -
```

The documentation doesn't explain how to configure Keycloak, but I think the problem is on the Odoo side.

Thank you for your help !

Regards,

Nicolas
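A diagnostic for the mismatch visible in the Keycloak log above, where the authorization request matched prefix path `/auth` while the introspect request arrived as `/realms/master/...` and matched the default handler. This is an added example, not code from auth_keycloak or from any commenter; the function names, the sample token and the `sso.example.test` URLs are constructed, and it assumes the provider's endpoints live below the token's `iss` URL, as they do in Keycloak.

```python
import base64
import json
from urllib.parse import urlsplit

def _b64url(obj):
    """Encode a dict as an unpadded base64url JSON segment."""
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token: the signature segment is a dummy string.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "RS256", "typ": "JWT"}),
    _b64url({"iss": "https://sso.example.test/auth/realms/master", "azp": "odoo"}),
    "dummy-signature",
])

def unverified_claims(token):
    """Read the JWT payload WITHOUT checking the signature.

    Diagnostics only: never base an access decision on these claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def check_validation_endpoint(token, validation_url):
    """Return a list of mismatches between the issuer and the configured URL."""
    iss = urlsplit(unverified_claims(token)["iss"])
    cfg = urlsplit(validation_url)
    problems = []
    if (cfg.scheme, cfg.netloc) != (iss.scheme, iss.netloc):
        problems.append("origin differs from issuer %s://%s" % (iss.scheme, iss.netloc))
    # Assumption: provider endpoints live below the issuer path.
    if not cfg.path.startswith(iss.path.rstrip("/") + "/"):
        problems.append("path %s is not under issuer path %s" % (cfg.path, iss.path))
    return problems

if __name__ == "__main__":
    for url in (
        "https://sso.example.test/realms/master/protocol/openid-connect/token/introspect",
        "https://sso.example.test/auth/realms/master/protocol/openid-connect/token/introspect",
    ):
        print(url, "->", check_validation_endpoint(SAMPLE_TOKEN, url) or "OK")
```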

NicolasDEVOUGE commented 4 years ago

I should specify that the example test with the c2c user is good: I have a token, and can test that it is working.

janikvonrotz commented 4 years ago

To make it work you need a few changes. Have a look here:

https://janikvonrotz.ch/2020/04/24/odoo-oauth-authentication-with-keycloak/

assign101 commented 2 years ago

I followed your instructions but I am getting an invalid_token and access denied.

```
Traceback (most recent call last):
  File "/opt/bitnami/odoo/lib/odoo-14.0.post20211010-py3.8.egg/odoo/addons/auth_oauth/controllers/main.py", line 133, in signin
    credentials = env['res.users'].sudo().auth_oauth(provider, kw)
  File "/opt/bitnami/odoo/lib/odoo-14.0.post20211010-py3.8.egg/odoo/addons/auth_oauth/models/res_users.py", line 96, in auth_oauth
    validation = self._auth_oauth_validate(provider, access_token)
  File "/bitnami/odoo/addons/auth_oauth_keycloak/models/res_users.py", line 41, in _auth_oauth_validate
    raise Exception(validation['error'])
Exception: invalid_token
```

image

Any help much appreciated.

deepa4lok commented 2 years ago

In the Odoo configuration, change the scope to 'profile'. That should work.

github-actions[bot] commented 1 year ago

There hasn't been any activity on this issue in the past 6 months, so it has been marked as stale and it will be closed automatically if no further activity occurs in the next 30 days. If you want this issue to never become stale, please ask a PSC member to apply the "no stale" label.