[19.0][MIG] auth_saml: Migration to 19.0 #916
Rebased and added fix #937
/ocabot migration auth_saml
Sorry @vincent-hatakeyama you are not allowed to mark the addon to be migrated. To do so you must either have push permissions on the repository, or be a declared maintainer of all modified addons. If you wish to adopt an addon and become its maintainer, open a pull request to add your GitHub login to the
[IMP] Cleanup
The following line of code for 11.0:
- https://github.com/odoo/odoo/blob/52d6f0e3ee90874fc93fec9cdff74ec71d3b991f/addons/auth_oauth/controllers/main.py#L69
is assigning the key "auth_link" for "list_providers" method.
The following template is expecting this key:
- https://github.com/odoo/odoo/blob/52d6f0e3ee90874fc93fec9cdff74ec71d3b991f/addons/auth_oauth/views/auth_oauth_templates.xml#L5
So, it raises a KeyError compiling "template_auth_oauth_providers_N".
This change is fixing adding that expected key in order to avoid this KeyError
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate. Translation: server-auth-11.0/server-auth-11.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-11-0/server-auth-11-0-auth_saml/
[FIX] dependencies
add requirement on lasso
- Default behavior is now to allow password and SAML together. Otherwise, users could keep getting their passwords removed without warning.
- General cleanup.
- Remove relations to field `password_crypt` because in v12 the `password` field is always encrypted instead.
Co-Authored-By: Alexandre Díaz <alexandre.diaz@tecnativa.com>
Updated the signin method to reflect changes in similar method signin from auth_oauth. Without the changes, the ORM crashes with psycopg2.errors.InvalidSavepointSpecification when trying to signin. Fixes OCA#664
As users in that group can already edit users, it makes sense to allow them to see and edit that information rather than restrict it to admin/system.
Currently translated at 100.0% (89 of 89 strings) Translation: server-auth-18.0/server-auth-18.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_saml/fr/
To reproduce: enable both saml and mfa.
Fixes
```
File "/home/odoo/18.0/server-auth/auth_saml/controllers/main.py", line 251, in signin
resp = request.redirect(_get_login_redirect_url(auth_info, url), 303)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/home/odoo/18.0/odoo/addons/web/controllers/utils.py", line 240, in _get_login_redirect_url
url = request.env(user=uid)['res.users'].browse(uid)._mfa_url()
^^^^^^^^^^^^^^^^^^^^^
File "/home/odoo/18.0/odoo/odoo/api.py", line 644, in __call__
uid = self.uid if user is None else int(user)
^^^^^^^^^
```
cf. https://github.com/odoo/odoo/blob/65704e58fda293af727f76d5c0741b135817db99/addons/web/controllers/home.py#L124-L126
Co-authored-by: Cas Vissers <cas@360erp.nl>
The message is incorrect, the log is done when the attribute key is not found.
On Office365, what you get when configuring an application for SAML authentication is the URL of the federation metadata document. This URL is stable, but the content of the document is not. I suspect some of the encryption keys can be updated / renewed over time. The result is that the configured provider in Odoo suddenly stops working, because the messages sent by the Office365 provider can no longer be validated by Odoo (because the federation document is out of date). Downloading the new version and updating the auth.saml.provider record fixes the issue. This PR adds a new field to store the URL of the metadata document. When this field is set on a provider, you get a button next to it in the form view to download the document from the URL. The button will not update the document if it has not changed. Additionally, when a SignatureError happens, we check if downloading the document again fixes the issue.
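The refresh-on-SignatureError behaviour this commit message describes, as an added sketch (not code from the PR or from auth_saml): `Provider`, `validate`, `signin`, the injected `fetch` callable and the sample documents are hypothetical stand-ins, and the signature check is a toy key lookup rather than real XML signature validation.

```python
import hashlib

class SignatureError(Exception):
    """Stand-in for the SAML library's signature validation failure."""

def _digest(text):
    return hashlib.sha256(text.encode()).hexdigest()

class Provider:
    """Hypothetical in-memory model of an auth.saml.provider record."""
    def __init__(self, metadata_url, metadata, fetch):
        self.metadata_url = metadata_url
        self.metadata = metadata
        self._fetch = fetch  # callable(url) -> str; injected so this runs offline
        self.writes = 0      # counts real updates of the stored document

    def refresh_metadata(self):
        """Download the document; store it only if its content changed."""
        if not self.metadata_url:
            return False
        document = self._fetch(self.metadata_url)
        if _digest(document) == _digest(self.metadata):
            return False
        self.metadata = document
        self.writes += 1
        return True

def validate(response, metadata):
    """Toy check: the response's signing key id must appear in the metadata."""
    if response["key_id"] not in metadata:
        raise SignatureError(response["key_id"])
    return response["subject"]

def signin(provider, response):
    """On SignatureError, refresh once and retry only if the metadata changed."""
    try:
        return validate(response, provider.metadata)
    except SignatureError:
        if not provider.refresh_metadata():
            raise  # same document: the signature is genuinely invalid
        return validate(response, provider.metadata)

# Constructed sample documents: the IdP rotated key-2024 out for key-2025.
STALE = "<KeyDescriptor>key-2024</KeyDescriptor>"
IDP_DOCUMENT = "<KeyDescriptor>key-2025</KeyDescriptor>"

if __name__ == "__main__":
    p = Provider("https://idp.example/metadata.xml", STALE, lambda url: IDP_DOCUMENT)
    print(signin(p, {"key_id": "key-2025", "subject": "alice"}), p.writes)
```

Because any response with a bad signature triggers a download attempt in this design, a real deployment would want the fetch bounded by a timeout and a rate limit.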
Fix logic of SELECT FOR UPDATE to only lock records whose metadata will be updated
When using mapping, not writing the value systematically avoids getting security mail on login/email changes when there is no change. Also, using SQL for blanking passwords avoids the security update mails.
Currently translated at 100.0% (93 of 93 strings) Translation: server-auth-18.0/server-auth-18.0-auth_saml Translate-URL: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_saml/it/
/ocabot merge nobump
Sorry @vincent-hatakeyama you are not allowed to merge. To do so you must either have push permissions on the repository, or be a declared maintainer of all modified addons. If you wish to adopt an addon and become its maintainer, open a pull request to add your GitHub login to the
As before, I can’t merge this because of the change to If anyone is using this PR, please approve it so I ask project maintainers to merge it.
- custom message when response is too old
- avoid using werkzeug.urls method, they are deprecated
- add missing ondelete cascade when user is deleted
- attribute mapping is now also duplicated when the provider is duplicated
- factorize getting SAML attribute value, allowing using subject.nameId in mapping attributes too
- add an option to reactivate user when finding a user and creation is enabled
There is already an existing PR that missed some needed changes. I also do not manage to log in with a local keycloak.
I’m currently facing the same issue with my PR (that’s why it is in draft). Fixed by looking at auth_oauth to find the issue after some digging.