Merge PR OCA#493 into 16.0

Signed-off-by sbidoul

auth_oauth_ropc/README.rst

@@ -0,0 +1,104 @@
+===============
+Auth OAuth ROPC
+===============
+
+.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/16.0/auth_oauth_ropc
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_oauth_ropc
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
+    :target: https://runbot.odoo-community.org/runbot/251/16.0
+    :alt: Try me on Runbot
+
+|badge1| |badge2| |badge3| |badge4| |badge5| 
+
+This module add the possibility to login with OAuth Resource Owner Password Credentials Grant
+
+https://datatracker.ietf.org/doc/html/rfc6749#section-4.3 
+
+In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable.
+
+This module is useful for the Odoo mobile application, which only supports user/password authentication.
+
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Configuration
+=============
+
+The configuration of this module is based with Microsoft Azure ad OAuth provider
+
+https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
+
+To configure this module, you need to:
+
+#. Go to Settings/Users/OAuth ROPC providers and create a new one
+
+.. figure:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oauth_ropc/static/description/configuration.png
+   :alt: provider description
+   :width: 600 px
+
+Usage
+=====
+
+To use this module, you need to:
+
+#. Go on the login screen
+#. Fill your Odoo user name (must be the same in OAuth provider)
+#. Fill your OAuth password
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us smashing it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oauth_ropc%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+~~~~~~~
+
+* ACSONE SA/NV
+
+Contributors
+~~~~~~~~~~~~
+
+Adrien Peiffer <[email protected]>
+
+Maintainers
+~~~~~~~~~~~
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/16.0/auth_oauth_ropc>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

auth_oauth_ropc/__init__.py

@@ -0,0 +1 @@
+from . import models

auth_oauth_ropc/__manifest__.py

@@ -0,0 +1,17 @@
+# Copyright 2023 ACSONE SA/NV
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+{
+    "name": "Auth OAuth ROPC",
+    "summary": """
+        Allow to login with OAuth Resource Owner Password Credentials Grant""",
+    "version": "16.0.1.0.0",
+    "license": "AGPL-3",
+    "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
+    "website": "https://github.com/OCA/server-auth",
+    "depends": ["base"],
+    "data": [
+        "security/oauth_ropc_provider.xml",
+        "views/oauth_ropc_provider.xml",
+    ],
+}

auth_oauth_ropc/models/__init__.py

@@ -0,0 +1,2 @@
+from . import oauth_ropc_provider
+from . import res_users

auth_oauth_ropc/models/oauth_ropc_provider.py

@@ -0,0 +1,44 @@
+# Copyright 2023 ACSONE SA/NV
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+import requests
+
+from odoo import _, api, fields, models
+from odoo.exceptions import ValidationError
+
+
+class OAuthRopcProvider(models.Model):
+
+    _name = "oauth.ropc.provider"
+    _description = "OAuth ROPC Provider"
+
+    name = fields.Char()
+    client_id = fields.Char(string="Client ID")
+    client_secret = fields.Char()
+    auth_endpoint = fields.Char(string="Authorization URL", required=True)
+    resource = fields.Char()
+    scope = fields.Char()
+    active = fields.Boolean(default=True)
+
+    @api.constrains("active")
+    def _check_active(self):
+        records_to_check = self.filtered(lambda r: r.active)
+        for record in records_to_check:
+            if self.search([("id", "!=", record.id)]):
+                raise ValidationError(_("""You can define only one active provider"""))
+
+    def _authenticate(self, login, password):
+        self.ensure_one()
+        data = {
+            "client_id": self.client_id,
+            "client_secret": self.client_secret,
+            "resource": self.resource,
+            "scope": self.scope,
+            "grant_type": "password",
+            "username": login,
+            "password": password,
+        }
+        r = requests.post(self.auth_endpoint, data=data, timeout=5)
+        if r.status_code == 200:
+            return True
+        return False

auth_oauth_ropc/models/res_users.py

@@ -0,0 +1,23 @@
+# Copyright 2023 ACSONE SA/NV
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from odoo import models
+from odoo.exceptions import AccessDenied
+
+
+class ResUsers(models.Model):
+
+    _inherit = "res.users"
+
+    def _check_credentials(self, password, env):
+        try:
+            return super(ResUsers, self)._check_credentials(password, env)
+        except AccessDenied:
+            passwd_allowed = (
+                env["interactive"] or not self.env.user._rpc_api_keys_only()
+            )
+            if passwd_allowed and self.env.user.active:
+                if ropc_provider := self.env["oauth.ropc.provider"].sudo().search([]):
+                    if ropc_provider._authenticate(self.env.user.login, password):
+                        return
+            raise

auth_oauth_ropc/readme/CONFIGURE.rst

@@ -0,0 +1,11 @@
+The configuration of this module is based with Microsoft Azure ad OAuth provider
+
+https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
+
+To configure this module, you need to:
+
+#. Go to Settings/Users/OAuth ROPC providers and create a new one
+
+.. figure:: ../static/description/configuration.png
+   :alt: provider description
+   :width: 600 px

auth_oauth_ropc/readme/CONTRIBUTORS.rst

@@ -0,0 +1 @@
+Adrien Peiffer <[email protected]>

auth_oauth_ropc/readme/DESCRIPTION.rst

@@ -0,0 +1,7 @@
+This module add the possibility to login with OAuth Resource Owner Password Credentials Grant
+
+https://datatracker.ietf.org/doc/html/rfc6749#section-4.3
+
+In most scenarios, more secure alternatives are available and recommended. This flow requires a very high degree of trust in the application, and carries risks that are not present in other flows. You should only use this flow when other more secure flows aren't viable.
+
+This module is useful for the Odoo mobile application, which only supports user/password authentication.

auth_oauth_ropc/readme/USAGE.rst

@@ -0,0 +1,5 @@
+To use this module, you need to:
+
+#. Go on the login screen
+#. Fill your Odoo user name (must be the same in OAuth provider)
+#. Fill your OAuth password

auth_oauth_ropc/security/oauth_ropc_provider.xml

@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- Copyright 2023 ACSONE SA/NV
+     License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl). -->
+<odoo>
+
+    <record model="ir.model.access" id="oauth_ropc_provider_access_system">
+        <field name="name">oauth.ropc.provider access system</field>
+        <field name="model_id" ref="model_oauth_ropc_provider" />
+        <field name="group_id" ref="base.group_system" />
+        <field name="perm_read" eval="1" />
+        <field name="perm_create" eval="1" />
+        <field name="perm_write" eval="1" />
+        <field name="perm_unlink" eval="1" />
+    </record>
+
+</odoo>