Skip to Content
This question has been flagged
loginoauth2Azureodoo16
1222 Vistes
Avatar
Tom Nugter

Looking for help using MS Azure as out identity provider with MFA logging into Odoo.

 We’re using odoo 16 and we looking for a safe, foolproof way for our internal users to login. Minimal requirement is to have some form us MFA (multi factor authentication) or 2FA (Two Factor authentication).

 

Since I’m learning Scrum, let’s write that out in user stories:

 -As an internal user I want to be able to log in without as little hassle as possible, so I can quickly begin with my work

 -As a system administrator  I want my users to log in with something more secure that just a password, so I can ensure the safety of the system

 -As a system administrator  I do not want my users to be able to by pass security measures, so I can ensure the safety of the system.

 -As a system administrator I want my users to be able to set up their own login and/or safely measures, so I will not be the bottle neck for their onboarding

 With these user stories, we begun to check what would be possible. Odoo 16 has a 2FA authentication system build in, but this turns out to be insufficient. We realized this functionally has two major flaws for our use case:

-Users would be challenged for a 2FA at every login attempt. We quickly realized that this would be highly annoying for people. Most likely it would be counterproductive, because using this functionality would encourage people to NOT log out when leaving.

-Users would be able to TURN OFF 2FA themselves in their profile and it would be a pain for our administrators to keep track of users that turned it off.

 Realizing this we started searching for an alternative. Since we used the Microsoft Suite already, using MS Workspace (now MS Entra) as our Identity Provider would be a great option. Users would be able to log in with their MS password. We would also be able to use Conditional Access [1] to set policies so that MFA challenges would be limited to a minimum.

Odoo already provided decent documentation for setting up a connection between Odoo and MS Azure using OAuth. [2] The documentation seems to be solid, and we where able to set up a system where users where able to log on in Odoo using their MS credentials.

 Next step would be to create an new Conditional Access Policy in MS Azure. Our system administrator created one, tested if it worked an a MS default app and then applied the policy to the Odoo App in MS Azure.

 Unfortunately, somehow, the policy was not respected. Even though we made the policy really tight, users where not prompted to MFA. When testing the same policy on a MS default app, the users would be prompted, so we suspect a setting on the Odoo App in MS Azure.

 We suspect that issue lies in this setting:

 


IN the setup described by Odoo, the setting ’access tokens (used for implicit flow) is mandatory. I suspect that this setting forced an implicit flow, which means that our MFA policy is ignored. Unfortually, if we turn this off, out setup doesn't work anymore.

Am I correct in my assumption that this setting is preventing out users from being promoted with MFA? And if so, would somebody be able to help me out with setting up a system where we can login with OAuth in Odoo using MS Azure with Conditinal Access?

 

Help is very much appreciated


[1] https://www.odoo.com/documentation/16.0/applications/general/users/azure.html

Avatar
Descartar
Related Posts Respostes Vistes Activitat
Azure oauth issue
oauth2 Azure
Avatar
Avatar
1
d’abr. 25
2371
Why can't Odoo correctly redirect to the initial access path after successful authentication by the OAuth provider, ?
login oauth2
Avatar
0
de maig 24
1818
How to Facebook login in Odoo
login facebook oauth2
Avatar
Avatar
Avatar
2
de maig 25
18029
Facebook Login
login facebook oauth2
Avatar
Avatar
Avatar
4
de jul. 17
9112
Odoo OAuth Error 3 Solved
oauth login openid oauth2
Avatar
Avatar
2
de gen. 24
8465