How to integrate OAuth2 and JWT authentication in Odoo?

A Step by Step Guide

As modern business applications increasingly integrate with third-party services and mobile platforms, secure and flexible authentication mechanisms are essential. Odoo, being a powerful and extensible ERP platform, supports multiple authentication methods beyond the default username-password model.

This guide provides a step-by-step walkthrough to implement OAuth2 and JWT (JSON Web Token) authentication in Odoo. Whether you're aiming to enable Single Sign-On (SSO) with providers like Google or Microsoft, or looking to secure API access for mobile or third-party applications using JWT tokens, this guide will help you configure and extend your Odoo environment to meet enterprise-grade security and usability standards.

By the end of this guide, you’ll have:

  • Enabled OAuth2 login for user convenience and secure external identity management.
  • Integrated JWT-based authentication for stateless, token-secured API access.

This setup enhances both user experience and system security, making your Odoo implementation ready for modern, connected use cases.


Here's a clear setup guide for integrating OAuth2 and JWT authentication in Odoo. I’ll separate the instructions into two parts:


✅ PART 1: OAuth2 Integration in Odoo (Using auth_oauth)


🔹 Purpose:

Allow users to log in to Odoo using third-party accounts like Google, Microsoft, Facebook, etc.

🔹 Step-by-Step Guide:

Step 1: Install the OAuth2 Authentication Module

  • Go to Apps
  • Search for and install: OAuth2 Authentication (auth_oauth)

Step 2: Configure OAuth Provider (e.g., Google)

  1. Go to Google Cloud Console → Create a new project.
  2. Navigate to APIs & Services > Credentials
  3. Create OAuth 2.0 Client ID
    • App Type: Web Application
    • Add redirect URI: https://yourdomain.com/auth_oauth/signin
      (Replace yourdomain.com with your actual domain or localhost for testing)
  4. Save your Client ID and Client Secret

Step 3: Add Provider in Odoo

  • Go to Settings > Users & Companies > OAuth Providers
  • Click Create and fill the form:

    Name: Google
    Client ID: (from Google)
    Client Secret: (from Google)
    Scope: email profile
    Authentication Endpoint: https://accounts.google.com/o/oauth2/auth
    Token Endpoint: https://oauth2.googleapis.com/token
    Userinfo Endpoint: https://www.googleapis.com/oauth2/v3/userinfo

  • Save and enable it.

Step 4: Enable OAuth Login

  • Go to Settings > General Settings
  • Enable OAuth Authentication
  • Save

Now your users can log in using Google (or any other configured provider).


✅ PART 2: JWT Integration in Odoo (For APIs or Mobile Apps)


Odoo does not support JWT natively, but we can implement it using a custom module or a community module like auth_jwt.

🔹 Approach:

  • Create a controller that:
    • Accepts username and password.
    • Verifies credentials.
    • Returns a signed JWT token.
  • Use a middleware to protect routes using token verification.

🔹 Dependencies:

  • Python’s pyjwt module (pip install pyjwt)
  • Odoo >= 14 (works up to Odoo 17+)

🔹 Option A: Use Community Module

  1. Install from OCA:
  2. Add to addons_path in your odoo.conf
  3. Restart Odoo and install both modules:
    • rest_framework
    • auth_jwt
  4. Use endpoints like:

    POST /api/auth/token
    Body: { "login": "user@example.com", "password": "yourpassword" }

    Response:

    { "access_token": "eyJ0eXAiOiJKV1QiLCJhbGci..." }

  5. To protect API routes:
    • Use token in header: Authorization: Bearer <token>
    • JWT middleware will validate the token.

🔹 Option B: Create Your Own JWT Auth Controller (Simplified)

    from odoo import http
    from odoo.exceptions import AccessDenied
    from odoo.http import request
    import jwt
    import datetime

    # Placeholder value: load the real key from server configuration, not source code.
    SECRET_KEY = "your_secret_key"


    class JwtAuthController(http.Controller):

        @http.route('/api/jwt/login', type='json', auth='none', csrf=False)
        def jwt_login(self, **kwargs):
            login = kwargs.get('login')
            password = kwargs.get('password')
            try:
                # authenticate() raises AccessDenied when the credentials are wrong
                uid = request.session.authenticate(request.db, login, password)
            except AccessDenied:
                uid = False
            if uid:
                payload = {
                    'user_id': uid,
                    # Timezone-aware expiry, one hour from now
                    'exp': datetime.datetime.now(datetime.timezone.utc)
                           + datetime.timedelta(hours=1),
                }
                token = jwt.encode(payload, SECRET_KEY, algorithm='HS256')
                return {'access_token': token}
            else:
                return {'error': 'Invalid credentials'}
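The Approach section calls for middleware that verifies the token, but Option B only issues one. The following is an added example, not code from the original post or from auth_jwt, showing the checks that verification side has to make on an `Authorization: Bearer <token>` header. It uses only the Python standard library so it runs without Odoo or PyJWT; `verify_bearer`, `sign_hs256`, the reason strings and the sample key are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

SECRET_KEY = b"constructed-demo-key"  # constructed sample key, not a real secret

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def sign_hs256(payload: dict, key: bytes, header=None) -> str:
    """Build a compact HS256 JWT (stand-in for jwt.encode in Option B)."""
    header = header or {"alg": "HS256", "typ": "JWT"}
    head, body = (b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                  for p in (header, payload))
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def verify_bearer(authorization, key: bytes, now=None):
    """Return (payload, None) for a valid bearer token, else (None, reason)."""
    scheme, _, token = (authorization or "").partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        return None, "malformed_header"
    head, body, sig_part = token.split(".")
    try:
        header, payload = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        sig = b64url_decode(sig_part)
    except ValueError:
        return None, "malformed_token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None, "malformed_token"
    # Pin the algorithm on the server; do not let the token's header choose it.
    if header.get("alg") != "HS256":
        return None, "bad_algorithm"
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None, "bad_signature"
    exp = payload.get("exp")
    current = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp <= current:
        return None, "expired_or_missing_exp"
    if not isinstance(payload.get("user_id"), int):
        return None, "missing_user_id"
    return payload, None
```

In a module that already depends on PyJWT, `jwt.decode(token, SECRET_KEY, algorithms=['HS256'])` performs the signature, algorithm and `exp` checks; the `user_id` check and the lookup of that user's permissions remain the controller's job.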

🔐 Security Tips

  • Use HTTPS in production.
  • Keep your SECRET_KEY confidential.
  • Set a reasonable expiration time (exp) for JWTs.
  • Rotate client secrets periodically.
  • Validate user roles and permissions before returning data.

🧩 Summary Table

Method | Use Case                     | Modules/Tools
OAuth2 | Login with Google, Microsoft | auth_oauth
JWT    | Token-based auth for APIs    | auth_jwt (OCA) or custom

