When it comes to authentication and authorization, Odoo provides a robust and extensible system for managing user accounts, roles and login methods. Here is a breakdown of what Odoo handles out of the box and how it can be extended to modern standards such as OAuth2 single sign-on and JWT-based API access.
1. Built-in Authentication Features in Odoo
🔹 Username & Password (Default)
- Standard login with a login name (usually the email address) and password.
- Passwords are stored as salted PBKDF2-SHA512 hashes through passlib's CryptContext; a hash in a deprecated scheme is re-hashed on the user's next successful login.
🔹 Two-Factor Authentication (2FA)
- Built in since Odoo 14 through the auth_totp module (earlier versions relied on community modules); each user enables it from their preferences.
- Adds a second factor through TOTP apps (Google Authenticator, Authy, etc.). Users who sign in through SSO should have MFA enforced at the identity provider as well.
2. OAuth2 Integration (Single Sign-On)
Odoo supports OAuth2-based login through its built-in auth_oauth module, with community modules adding further providers.
Examples:
- Google OAuth2
- Microsoft Azure AD / Office 365
- Facebook, GitHub, LinkedIn (via community modules)
Use Case:
Allows users to log in with their existing accounts at an external identity provider. Especially useful for enterprise SSO (Single Sign-On), since password handling and MFA policy then live at the provider rather than in Odoo.
How to Implement:
- Install Odoo's built-in auth_oauth module (enabled from Settings > General Settings > Integrations).
- Register Odoo as an application at the provider and copy its Client ID (and Secret where the provider requires one) into the provider record in Odoo.
- Enable the provider in the settings and decide, through the auth_signup settings, whether accounts unknown to Odoo may be created automatically on first SSO login; otherwise only existing users can sign in this way.
3. JWT (JSON Web Token) Support
Odoo's own web and JSON-RPC endpoints authenticate through a server-side session cookie, not JWT. Token-based, stateless authentication can be added using:
🔹 Custom Development or Community Modules:
- The OCA auth_jwt module (from the OCA/server-auth repository), or your own module with a controller that issues and validates tokens.
- Common use case: REST APIs or mobile apps that cannot hold a browser session and need short-lived, stateless credentials.
Implementation Outline:
- A controller route declared with auth='none' checks the user's credentials (or a trusted identity provider's assertion) and returns a signed JWT with a short expiry.
- Protected routes declare a custom auth mode: Odoo resolves auth='jwt' to a method named _auth_method_jwt on the ir.http model, which must validate the signature and expiry, look up the user and set the request environment to that user. Pin the signing algorithm on the server side; never let the token's own header choose it.
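The token core that such a controller and `_auth_method_jwt` would call, as an added example rather than Odoo's or the OCA module's code. It uses only the standard library (HS256 via hmac and hashlib), pins the algorithm, compares signatures in constant time and enforces expiry before trusting any claim. The secret key, TTL and the `issue_token`/`verify_token`/`token_status` names are assumptions for the demo; in a real module the key would be read from ir.config_parameter or the environment.

```python
# Added example (not Odoo's own code): the token core that a custom Odoo
# JWT controller and an ir.http `_auth_method_jwt` would call. Standard
# library only: HS256 via hmac/hashlib. Assumptions are marked as such.
import base64
import hashlib
import hmac
import json
import time

# Assumption: load this from ir.config_parameter or the environment in a
# real module; a fixed value is used here only so the example runs stand-alone.
SECRET_KEY = b"example-only-replace-with-secrets.token_bytes(32)"
TOKEN_TTL = 15 * 60          # seconds; keep access tokens short-lived
PINNED_ALG = "HS256"         # the verifier never trusts the token's own alg


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET_KEY, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(uid: int, login: str, now=None) -> str:
    """Mint a token for a user whose password (or SSO assertion) was already checked."""
    now = int(time.time() if now is None else now)
    header = {"alg": PINNED_ALG, "typ": "JWT"}
    payload = {"sub": str(uid), "login": login, "iat": now, "exp": now + TOKEN_TTL}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    return signing_input + "." + _b64url(_sign(signing_input))


class TokenError(Exception):
    """Raised for any token the endpoint must reject."""


def verify_token(token: str, now=None) -> dict:
    """Return the payload of a valid token; raise TokenError otherwise.

    Order matters: parse, check the pinned algorithm, check the signature in
    constant time, and only then trust any claim (exp, sub).
    """
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
    except ValueError as exc:       # wrong segment count, bad base64 or bad JSON
        raise TokenError("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != PINNED_ALG:
        raise TokenError("unexpected alg")          # blocks alg=none / key confusion
    if not hmac.compare_digest(sig, _sign(f"{h_b64}.{p_b64}")):
        raise TokenError("bad signature")
    if not isinstance(payload, dict) or not isinstance(payload.get("exp"), int):
        raise TokenError("missing exp")
    if payload["exp"] <= now:
        raise TokenError("expired")
    if not str(payload.get("sub", "")).isdigit():
        raise TokenError("missing subject")
    return payload


def token_status(token: str, now=None) -> str:
    """'ok' or the rejection reason; handy for tests and for logging denials."""
    try:
        verify_token(token, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


def forged_alg_none(token: str) -> str:
    """Rebuild a token with header alg=none and an empty signature (an attacker's move)."""
    _, p_b64, _ = token.split(".")
    h_b64 = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode("utf-8"))
    return f"{h_b64}.{p_b64}."


if __name__ == "__main__":
    t = issue_token(7, "alice")
    print(token_status(t))                                     # ok
    print(token_status(t, now=time.time() + TOKEN_TTL + 1))    # expired
    print(token_status(forged_alg_none(t)))                    # unexpected alg
```

Wiring it into Odoo is version-dependent and is left out of the block: the issuing route would call the credential check on res.users (its signature changed across versions) before `issue_token`, and `_auth_method_jwt` would read the Authorization header, call `verify_token`, and switch the request environment to the user id in `sub`. Because the token is stateless, revoking a user in Odoo does not invalidate tokens already issued; the short TTL limits that window, and `_auth_method_jwt` should still confirm the user record is active.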
4. LDAP Authentication
- Odoo's built-in auth_ldap module delegates password checks to an LDAP directory (Active Directory, OpenLDAP), configured per server with a bind account, search base and user filter.
- Useful in corporate environments that need centralized user management. Enable TLS on the directory connection so credentials are not sent in clear, and note that a local Odoo user is created on first LDAP login (optionally copied from a template user), so its groups are still managed in Odoo.
5. OAuth2 as a Provider (Advanced)
With custom development, Odoo can act as an OAuth2 provider, allowing other applications to authenticate their users against Odoo accounts. Odoo ships no authorization-server component, so this is custom or community work and should be reviewed like any other authorization server (redirect URI validation, token lifetimes, client secrets).
6. Authorization (Access Control)
Odoo enforces authorization inside the ORM, so the same checks apply to the web client, XML-RPC/JSON-RPC calls and custom controllers. It uses:
🔸 Access Control Lists (ACLs)
- Rows of ir.model.access (declared in a module's ir.model.access.csv) grant read, write, create or unlink rights on a model (table) to a group; a user needs at least one matching row to touch the model at all.
- Controlled per user group (e.g., Sales Manager, HR Officer); a row with no group applies to every logged-in user.
🔸 Record Rules
- ir.rule records add a domain filter that restricts which records of a model a user may read, write, create or delete.
- Example: a rule with domain [('user_id', '=', user.id)] on sale.order so a salesperson sees only their own sales orders.
- Combination matters: global rules (no group) are ANDed together, the group rules that apply to the user are ORed with each other, and the two results are ANDed, so a group rule can only widen access within what the global rules allow. The superuser and code running under sudo() bypass both ACLs and record rules, so every sudo() call in a custom module is a privilege boundary worth reviewing.
🔸 User Roles and Groups
- Users can belong to multiple groups (res.groups), and a group can imply other groups.
- Groups control menu and view visibility as well as model access. Hiding a menu or field is a usability measure, not a security control: the model stays reachable over RPC unless an ACL or record rule blocks it.
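A small model of how those two layers combine, added here as an example and not Odoo's code. It implements the documented combination (AND over global rules, OR over applicable group rules, AND between the two) on top of a model-level ACL, and shows that a salesperson's "own orders" rule cannot reach past a global multi-company rule, that a user without any ACL row sees nothing however the rules are written, and that sudo() skips both layers. The group names, rule predicates and orders are constructed for the demo; real modules use Odoo's own group XML ids and domains.

```python
# Added example, not Odoo's code: a small model of how Odoo combines
# model-level ACLs (ir.model.access) with record rules (ir.rule) when a user
# reads a model. The combination logic follows Odoo's documented semantics;
# the groups, rules and orders below are constructed for the demo.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List


@dataclass(frozen=True)
class User:
    id: int
    groups: FrozenSet[str]
    company_ids: FrozenSet[int]   # companies the user is allowed to work in


@dataclass(frozen=True)
class RecordRule:
    name: str
    # Stands in for the rule's domain, evaluated against (user, record).
    predicate: Callable[[User, dict], bool]
    groups: FrozenSet[str] = frozenset()   # empty set => global rule


# ir.model.access.csv rows for the orders model: group -> permitted operations.
# Group names are hypothetical, not Odoo's real sales group ids.
ACL: Dict[str, FrozenSet[str]] = {
    "sales.user": frozenset({"read", "write", "create"}),
    "sales.manager": frozenset({"read", "write", "create", "unlink"}),
}

# ir.rule records for the orders model. The multi-company rule is global
# (no group); the other two are group rules.
RULES: List[RecordRule] = [
    RecordRule("multi-company", lambda u, r: r["company_id"] in u.company_ids),
    RecordRule("own orders", lambda u, r: r["user_id"] == u.id, frozenset({"sales.user"})),
    RecordRule("all orders", lambda u, r: True, frozenset({"sales.manager"})),
]


def acl_allows(user: User, operation: str) -> bool:
    """Model-level check: at least one of the user's groups must grant the operation."""
    return any(operation in ACL.get(g, frozenset()) for g in user.groups)


def rules_allow(user: User, record: dict) -> bool:
    """Record-level check with Odoo's combination: AND over global rules,
    OR over the group rules that apply to this user, AND between the two."""
    global_ok = all(r.predicate(user, record) for r in RULES if not r.groups)
    applicable = [r for r in RULES if r.groups & user.groups]
    group_ok = any(r.predicate(user, record) for r in applicable) if applicable else True
    return global_ok and group_ok


def can_read(user: User, record: dict, su: bool = False) -> bool:
    """su=True models the superuser / env.sudo(): both layers are skipped."""
    if su:
        return True
    return acl_allows(user, "read") and rules_allow(user, record)


def visible_orders(user: User, orders: List[dict], su: bool = False) -> List[int]:
    """Ids of the orders the user would get back from a search/read."""
    return [o["id"] for o in orders if can_read(user, o, su)]


# Constructed sample data.
ORDERS = [
    {"id": 1, "user_id": 1, "company_id": 1},
    {"id": 2, "user_id": 2, "company_id": 1},
    {"id": 3, "user_id": 1, "company_id": 2},
    {"id": 4, "user_id": 2, "company_id": 2},
]
ALICE = User(1, frozenset({"sales.user"}), frozenset({1}))       # salesperson, company 1
BOB = User(2, frozenset({"sales.manager"}), frozenset({1}))      # manager, company 1 only
DANA = User(4, frozenset({"sales.manager"}), frozenset({1, 2}))  # manager, both companies
CAROL = User(3, frozenset(), frozenset({1}))                     # no sales group at all

if __name__ == "__main__":
    for u in (ALICE, BOB, DANA, CAROL):
        print(u.id, visible_orders(u, ORDERS))
    print("sudo as carol:", visible_orders(CAROL, ORDERS, su=True))
```

Order 3 belongs to Alice but sits in company 2, so her "own orders" group rule matches while the global multi-company rule does not, and the AND between the layers hides it; Bob's "all orders" rule is likewise capped at company 1. Carol fails at the ACL before any rule is evaluated, which is why the ACL row, not the menu, is the real gate.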
Summary Table
Feature | Availability | Description |
---|---|---|
Username/Password | ✅ Built-in | Default authentication method |
OAuth2 (SSO) | ✅ Built-in (auth_oauth) | Google, Azure, etc. |
JWT | 🟡 Via OCA or custom modules | For API/mobile login |
2FA | ✅ Built-in (auth_totp, Odoo 14+) | TOTP second factor |
LDAP | ✅ Built-in | Enterprise authentication |
ACLs & Record Rules | ✅ Built-in | Fine-grained access control |
Conclusion:
Odoo provides a secure and flexible authentication/authorization system out of the box, with OAuth2 SSO, LDAP and TOTP 2FA shipped as standard modules, and it can be extended with JWT for token-based API access. For enterprise environments or API-based apps, the main work is configuring these modules correctly and keeping custom code within Odoo's ACL and record-rule model rather than around it.