odoo / documentation

Odoo documentation sources
https://www.odoo.com/documentation/
Creative Commons Attribution Share Alike 4.0 International

Microsoft Azure sign-in authentication - Access Denied #5359

Open hedshefer opened 1 year ago

hedshefer commented 1 year ago

Hi,

We have followed the Odoo documentation: https://www.odoo.com/documentation/16.0/applications/general/auth/azure.html#microsoft-azure-sign-in-authentication

Then, we got 'access denied' error and the following error in the log:

odoo.addons.auth_oauth.controllers.main: OAuth2: invalid_request
Traceback (most recent call last):
  File "/home/odoo/src/odoo/addons/auth_oauth/controllers/main.py", line 134, in signin
    db, login, key = env['res.users'].sudo().auth_oauth(provider, kw)
  File "/home/odoo/src/odoo/addons/auth_oauth/models/res_users.py", line 124, in auth_oauth
    validation = self._auth_oauth_validate(provider, access_token)
  File "/home/odoo/src/odoo/addons/auth_oauth/models/res_users.py", line 49, in _auth_oauth_validate
    raise Exception(validation['error'])
Exception: invalid_request

Odoo Ticket #3458265 @tiku-odoo @StraubCreative

StraubCreative commented 1 year ago

Hi @hedshefer We're looking into it, thanks 👍

tiku-odoo commented 1 year ago

@hedshefer

Thanks for reaching out. I also see you have a support ticket open.

Without testing on your database, I cannot see what you have configured. Just a few things to consider while the support team and I work on your issue:

For the Supported account types this selection may vary based on your end use and Microsoft account type. We will make a warning note in the doc clarifying this (for both internal users and portal users). What is your login end goal (organizational users or portal customers)? What type of Microsoft account do you have?

Choose "Personal Microsoft accounts only" if the target audience is meant for portal users. Choose "Accounts in this organizational directory only (Default Directory only - Single tenant)" if the target audience is company users.

Have you input the system parameter in Odoo yet? This is often the case for an access denied error.

Odoo System Parameter

First activate the developer mode, and then go to Settings ‣ Technical ‣ System Parameters.

Click Create and on the new/blank form that appears, add the following system parameter auth_oauth.authorization_header to the Key field, and set the Value to 1. Then click Save to finish.

Your question in Odoo Ticket #3458265

In addition, I would be happy to understand the following instruction regarding Odoo.sh hosting:

Warning

Databases hosted on Odoo.com should not use OAuth login for the owner or administrator of the database as it would unlink the database from their Odoo.com account. If OAuth is set up for that user, the database will no longer be able to be duplicated, renamed, or otherwise managed from the Odoo.com portal.

This means that the administrator of the account (DB) should not set up Azure OAuth for themselves, because it will leave the admin unable to manage the DB. Azure OAuth should be set up for your users, but not for the administrator of the DB.

Additionally, can you send over a screenshot of your OAuth configuration in Odoo? Also, if you're able to, can you send screenshots of the Azure dashboard (Overview of the app (essentials page), Authentication page, and the Endpoints page)? Please attach them to the support ticket, as PII would be revealed on GitHub.

I have opened a Pull Request to update the document to include the free portal users. It can be viewed here: Azure Oauth Update

I will continue testing and await the support ticket to be assigned to work with the analyst on the issue. I hope this is helpful. As always reach out should you need further assistance or if you're not able to resolve this issue.

Thanks, Tim 👍

CC: @StraubCreative
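To make the system parameter step concrete, here is an added example (not Odoo's code and not part of this thread) that mirrors the two request shapes Odoo's auth_oauth module uses when it validates the access token against the provider's validation endpoint: with auth_oauth.authorization_header set, the token is sent as an Authorization: Bearer header; without it, the token is appended as the access_token query parameter. The Microsoft endpoint stand-in, the endpoint URL, the token and the claims are all constructed for the example; the stand-in accepts only a bearer header, which reproduces the invalid_request error in the log above. The set_authorization_header_param helper is an assumed way to set the parameter over XML-RPC (ir.config_parameter.set_param) and is not called here, since it needs a live Odoo.

```python
"""Why a missing auth_oauth.authorization_header parameter yields 'invalid_request'.

Added example, not Odoo's own code. Requests are built but not sent, so the
example runs offline; the provider is a constructed stand-in.
"""
import xmlrpc.client

# Constructed sample values (hypothetical endpoint, not a real token).
VALIDATION_ENDPOINT = "https://graph.example/oidc/userinfo"
SAMPLE_TOKEN = "eyJ.constructed.token"
PARAM_KEY = "auth_oauth.authorization_header"


def build_validation_request(endpoint, access_token, system_params):
    """Shape the validation request the way Odoo's auth_oauth does.

    With the system parameter set, the token goes in an Authorization header;
    without it, the token becomes the ?access_token= query parameter.
    Returns (url, headers, params) instead of performing the request.
    """
    if system_params.get(PARAM_KEY):
        return endpoint, {"Authorization": f"Bearer {access_token}"}, {}
    return endpoint, {}, {"access_token": access_token}


def fake_microsoft_userinfo(url, headers, params):
    """Constructed stand-in for the provider: accepts the token only as a
    Bearer header and answers anything else with an invalid_request error."""
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer ") and auth[len("Bearer "):] == SAMPLE_TOKEN:
        return {"sub": "constructed-user-id", "email": "user@example.com"}
    return {"error": "invalid_request"}


def validate_like_odoo(endpoint, access_token, system_params):
    """Mirror _auth_oauth_validate: raise on an error response, else return claims."""
    url, headers, params = build_validation_request(endpoint, access_token, system_params)
    validation = fake_microsoft_userinfo(url, headers, params)
    if validation.get("error"):
        raise Exception(validation["error"])
    return validation


def token_in_url(endpoint, access_token, system_params):
    """True when the bearer token would travel in the URL, where proxies,
    web servers and the provider may log it. The header form avoids that."""
    _url, _headers, params = build_validation_request(endpoint, access_token, system_params)
    return "access_token" in params


def set_authorization_header_param(odoo_url, db, uid, password):
    """Assumed alternative to the developer-mode UI: set the parameter over
    XML-RPC. Not called in this example (needs a live Odoo and a user with
    rights on ir.config_parameter)."""
    models = xmlrpc.client.ServerProxy(f"{odoo_url}/xmlrpc/2/object")
    return models.execute_kw(db, uid, password, "ir.config_parameter", "set_param",
                             [PARAM_KEY, "1"])


if __name__ == "__main__":
    for params in ({}, {PARAM_KEY: "1"}):
        label = "parameter set" if params else "parameter missing"
        try:
            claims = validate_like_odoo(VALIDATION_ENDPOINT, SAMPLE_TOKEN, params)
            print(f"{label}: OK, claims={claims}")
        except Exception as exc:
            print(f"{label}: OAuth2: {exc}")
```

Beyond fixing the login, the header form is the one to prefer on any provider that accepts it: a token in the query string is written to access logs and proxy logs along the request path, whereas a header is not.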

hedshefer commented 1 year ago

@tiku-odoo

Hi,

Indeed, the system parameter auth_oauth.authorization_header was missing. Thank you!

Regarding the admin user warning: does it apply only to SaaS (odoo.com), or to any database on Odoo.SH as well? Does "admin" refer to every user in the "base.group_system" access group? This warning seems unclear to me. I think it would be better for Odoo to block those users by default for the relevant users and DB. It's only a matter of time until some admin users mistakenly use it.

tiku-odoo commented 1 year ago

@hedshefer

Thanks for your reply. Glad your issue is fixed.

The statement refers to the admin who created the database and has it attached to their Odoo account. This does apply to Odoo SH account users as well.

The admin would have the DB listed in "My Databases"; for SH, it is the admin who created the DB in the sandbox or production.

Please don't hesitate to reach out should you have any other questions.

Warmest, Tim

CC: @StraubCreative