|
| 1 | +======== |
| 2 | +Auth JWT |
| 3 | +======== |
| 4 | + |
| 5 | +.. |
| 6 | + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! |
| 7 | + !! This file is generated by oca-gen-addon-readme !! |
| 8 | + !! changes will be overwritten. !! |
| 9 | + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! |
| 10 | + !! source digest: sha256:608e8780fabb7f7a32193245dd2a7e594810863dcc55aa1dc9e5b2bc3426d74c |
| 11 | + !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! |
| 12 | +
|
| 13 | +.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png |
| 14 | + :target: https://odoo-community.org/page/development-status |
| 15 | + :alt: Beta |
| 16 | +.. |badge2| image:: https://img.shields.io/badge/licence-LGPL--3-blue.png |
| 17 | + :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html |
| 18 | + :alt: License: LGPL-3 |
| 19 | +.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github |
| 20 | + :target: https://github.com/OCA/server-auth/tree/18.0/auth_jwt |
| 21 | + :alt: OCA/server-auth |
| 22 | +.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png |
| 23 | + :target: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_jwt |
| 24 | + :alt: Translate me on Weblate |
| 25 | +.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png |
| 26 | + :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=18.0 |
| 27 | + :alt: Try me on Runboat |
| 28 | + |
| 29 | +|badge1| |badge2| |badge3| |badge4| |badge5| |
| 30 | + |
| 31 | +JWT bearer token authentication. |
| 32 | + |
| 33 | +**Table of contents** |
| 34 | + |
| 35 | +.. contents:: |
| 36 | + :local: |
| 37 | + |
| 38 | +Installation |
| 39 | +============ |
| 40 | + |
| 41 | +This module requires the ``pyjwt`` library to be installed. |
| 42 | + |
| 43 | +Usage |
| 44 | +===== |
| 45 | + |
| 46 | +This module lets developpers add a new ``jwt`` authentication method on |
| 47 | +Odoo controller routes. |
| 48 | + |
| 49 | +To use it, you must: |
| 50 | + |
| 51 | +- Create an ``auth.jwt.validator`` record to configure how the JWT token |
| 52 | + will be validated. |
| 53 | +- Add an ``auth="jwt_{validator-name}"`` or |
| 54 | + ``auth="public_or_jwt_{validator-name}"`` attribute to the routes you |
| 55 | + want to protect where ``{validator-name}`` corresponds to the name |
| 56 | + attribute of the JWT validator record. |
| 57 | + |
| 58 | +The ``auth_jwt_demo`` module provides examples. |
| 59 | + |
| 60 | +The JWT validator can be configured with the following properties: |
| 61 | + |
| 62 | +- ``name``: the validator name, to match the |
| 63 | + ``auth="jwt_{validator-name}"`` route property. |
| 64 | +- ``audience``: a comma-separated list of allowed audiences, used to |
| 65 | + validate the ``aud`` claim. |
| 66 | +- ``issuer``: used to validate the ``iss`` claim. |
| 67 | +- Signature type (secret or public key), algorithm, secret and JWK URI |
| 68 | + are used to validate the token signature. |
| 69 | + |
| 70 | +In addition, the ``exp`` claim is validated to reject expired tokens. |
| 71 | + |
| 72 | +If the ``Authorization`` HTTP header is missing, malformed, or contains |
| 73 | +an invalid token, the request is rejected with a 401 (Unauthorized) |
| 74 | +code, unless the cookie mode is enabled (see below). |
| 75 | + |
| 76 | +If the token is valid, the request executes with the configured user id. |
| 77 | +By default the user id selection strategy is ``static`` (i.e. the same |
| 78 | +for all requests) and the selected user is configured on the JWT |
| 79 | +validator. Additional strategies can be provided by overriding the |
| 80 | +``_get_uid()`` method and extending the ``user_id_strategy`` selection |
| 81 | +field. |
| 82 | + |
| 83 | +The selected user is *not* stored in the session. It is only available |
| 84 | +in ``request.uid`` (and thus it is the one used in ``request.env``). To |
| 85 | +avoid any confusion and mismatches between the bearer token and the |
| 86 | +session, this module rejects requests made with an authenticated user |
| 87 | +session. |
| 88 | + |
| 89 | +Additionally, if a ``partner_id_strategy`` is configured, a partner is |
| 90 | +searched and if found, its id is stored in the |
| 91 | +``request.jwt_partner_id`` attribute. If ``partner_id_required`` is set, |
| 92 | +a 401 (Unauthorized) is returned if no partner was found. Otherwise |
| 93 | +``request.jwt_partner_id`` is left falsy. Additional strategies can be |
| 94 | +provided by overriding the ``_get_partner_id()`` method and extending |
| 95 | +the ``partner_id_strategy`` selection field. |
| 96 | + |
| 97 | +The decoded JWT payload is stored in ``request.jwt_payload``. |
| 98 | + |
| 99 | +The ``public_auth_jwt`` method delegates authentication to the standard |
| 100 | +Odoo ``public`` method when the Authorization header is not set. If it |
| 101 | +is set, the regular JWT authentication is performed as described above. |
| 102 | +This method is useful for public endpoints that need to work for |
| 103 | +anonymous users, but can be enhanced when an authenticated user is know. |
| 104 | +A typical use case is a "add to cart" endpoint that can work for |
| 105 | +anonymous users, but can be enhanced by binding the cart to a known |
| 106 | +customer when the authenticated user is known. |
| 107 | + |
| 108 | +You can enable a cookie mode on JWT validators. In this case, the JWT |
| 109 | +payload obtained from the ``Authorization`` header is returned as a |
| 110 | +Http-Only cookie. This mode is sometimes simpler for front-end |
| 111 | +applications which do not then need to store and protect the JWT token |
| 112 | +across requests and can simply rely on the cookie management mechanisms |
| 113 | +of browsers. When both the ``Authorization`` header and a cookie are |
| 114 | +provided, the cookie is ignored in order to let clients authenticate |
| 115 | +with a different user by providing a new JWT token. |
| 116 | + |
| 117 | +Bug Tracker |
| 118 | +=========== |
| 119 | + |
| 120 | +Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_. |
| 121 | +In case of trouble, please check there if your issue has already been reported. |
| 122 | +If you spotted it first, help us to smash it by providing a detailed and welcomed |
| 123 | +`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_. |
| 124 | + |
| 125 | +Do not contact contributors directly about support or help with technical issues. |
| 126 | + |
| 127 | +Credits |
| 128 | +======= |
| 129 | + |
| 130 | +Authors |
| 131 | +------- |
| 132 | + |
| 133 | +* ACSONE SA/NV |
| 134 | + |
| 135 | +Contributors |
| 136 | +------------ |
| 137 | + |
| 138 | +- Stéphane Bidoul <stephane.bidoul@acsone.eu> |
| 139 | +- Mohamed Alkobrosli <malkobrosly@kencove.com> |
| 140 | + |
| 141 | +Maintainers |
| 142 | +----------- |
| 143 | + |
| 144 | +This module is maintained by the OCA. |
| 145 | + |
| 146 | +.. image:: https://odoo-community.org/logo.png |
| 147 | + :alt: Odoo Community Association |
| 148 | + :target: https://odoo-community.org |
| 149 | + |
| 150 | +OCA, or the Odoo Community Association, is a nonprofit organization whose |
| 151 | +mission is to support the collaborative development of Odoo features and |
| 152 | +promote its widespread use. |
| 153 | + |
| 154 | +.. |maintainer-sbidoul| image:: https://github.com/sbidoul.png?size=40px |
| 155 | + :target: https://github.com/sbidoul |
| 156 | + :alt: sbidoul |
| 157 | + |
| 158 | +Current `maintainer <https://odoo-community.org/page/maintainer-role>`__: |
| 159 | + |
| 160 | +|maintainer-sbidoul| |
| 161 | + |
| 162 | +This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/18.0/auth_jwt>`_ project on GitHub. |
| 163 | + |
| 164 | +You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute. |
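Review bot: the method name in the ``public_auth_jwt`` paragraph does not match the route attribute the Usage section tells developers to use, ``auth="public_or_jwt_{validator-name}"``; one of the two should be renamed so readers can find the right value. Two documentation gaps are worth closing in the same pass: the 401 paragraph says the request is rejected "unless the cookie mode is enabled (see below)", but the cookie-mode paragraph only describes the cookie being set and the header taking precedence over it, never that a valid cookie is accepted when the ``Authorization`` header is absent, so that behaviour should be stated explicitly; and since cookie mode stores the token payload in a browser cookie, the README should say which attributes the cookie carries beyond HttpOnly (Secure, SameSite, path and lifetime), because those determine its exposure. The signature paragraph ("Signature type (secret or public key), algorithm, secret and JWK URI are used to validate the token signature") would also benefit from stating that the algorithm accepted is the one configured on the validator rather than whatever the token's ``alg`` header announces, since that is the property deployers will want to confirm. Minor wording: "developpers" should read "developers", "is know" should read "is known", "a "add to cart" endpoint" should read "an "add to cart" endpoint", and "Http-Only" should read "HttpOnly". Note the banner at the top says this file is generated by oca-gen-addon-readme and changes will be overwritten, so these fixes belong in the module's readme source fragments, not in this rendered README.rst.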