Metadata-Version: 2.1
Name: odoo13-addon-auth-jwt
Version: 13.0.1.1.1.dev1
Summary: JWT bearer token authentication.
Home-page: https://github.com/OCA/server-auth
Author: ACSONE SA/NV,Odoo Community Association (OCA)
Author-email: support@odoo-community.org
License: AGPL-3
Platform: UNKNOWN
Classifier: Programming Language :: Python
Classifier: Framework :: Odoo
Classifier: Framework :: Odoo :: 13.0
Classifier: License :: OSI Approved :: GNU Affero General Public License v3
Requires-Python: >=3.5
Requires-Dist: cryptography
Requires-Dist: odoo <13.1dev,>=13.0a
Requires-Dist: pyjwt

========
Auth JWT
========

.. 
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   !! This file is generated by oca-gen-addon-readme !!
   !! changes will be overwritten.                   !!
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
   !! source digest: sha256:28cfb3e6d9aa50c1c37804b1f5ce2cc95907ae514563535e43cffe05d084572e
   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
    :target: https://odoo-community.org/page/development-status
    :alt: Beta
.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
    :alt: License: AGPL-3
.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
    :target: https://github.com/OCA/server-auth/tree/13.0/auth_jwt
    :alt: OCA/server-auth
.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
    :target: https://translation.odoo-community.org/projects/server-auth-13-0/server-auth-13-0-auth_jwt
    :alt: Translate me on Weblate
.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=13.0
    :alt: Try me on Runboat

|badge1| |badge2| |badge3| |badge4| |badge5|

JWT bearer token authentication.

**Table of contents**

.. contents::
   :local:

Installation
============

This module requires the ``pyjwt`` library to be installed.

Usage
=====

This module lets developers add a new ``jwt`` authentication method on Odoo
controller routes.

To use it, you must:

* Create an ``auth.jwt.validator`` record to configure how the JWT token will
  be validated.
* Add an ``auth="jwt_{validator-name}"`` or ``auth="public_or_jwt_{validator-name}"``
  attribute to the routes you want to protect where ``{validator-name}`` corresponds to
  the name attribute of the JWT validator record.

The ``auth_jwt_demo`` module provides examples.

The JWT validator can be configured with the following properties:

* ``name``: the validator name, to match the ``auth="jwt_{validator-name}"``
  route property.
* ``audience``: a comma-separated list of allowed audiences, used to validate
  the ``aud`` claim.
* ``issuer``: used to validate the ``iss`` claim.
* Signature type (secret or public key), algorithm, secret and JWK URI
  are used to validate the token signature.

In addition, the ``exp`` claim is validated to reject expired tokens.

If the ``Authorization`` HTTP header is missing, malformed, or contains
an invalid token, the request is rejected with a 401 (Unauthorized) code.

If the token is valid, the request executes with the configured user id. By
default the user id selection strategy is ``static`` (i.e. the same for all
requests) and the selected user is configured on the JWT validator. Additional
strategies can be provided by overriding the ``_get_uid()`` method and
extending the ``user_id_strategy`` selection field.

The selected user is *not* stored in the session. It is only available in
``request.uid`` (and thus it is the one used in ``request.env``). To avoid any
confusion and mismatches between the bearer token and the session, this module
rejects requests made with an authenticated user session.

Additionally, if a ``partner_id_strategy`` is configured, a partner is searched
and if found, its id is stored in the ``request.jwt_partner_id`` attribute. If
``partner_id_required`` is set, a 401 (Unauthorized) is returned if no partner
was found. Otherwise ``request.jwt_partner_id`` is left falsy. Additional
strategies can be provided by overriding the ``_get_partner_id()`` method
and extending the ``partner_id_strategy`` selection field.

The decoded JWT payload is stored in ``request.jwt_payload``.
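As an added example (not the module's own code, which delegates the verification to ``pyjwt``), the checks described above written against the standard library: a constructed ``auth.jwt.validator``-style configuration (``VALIDATOR``, with a placeholder issuer and secret) and a ``validate_bearer`` function that applies the header, signature, ``exp``, ``iss`` and ``aud`` checks and maps the outcome to 200 or 401. ``make_token`` exists only to build sample input; all names are assumptions of this example.

```python
import base64, hashlib, hmac, json

# Constructed configuration mirroring the auth.jwt.validator fields (example values)
VALIDATOR = {
    "audience": "shop-api, mobile-app",   # comma-separated allowed audiences
    "issuer": "https://idp.example",      # placeholder issuer
    "secret": "constructed-demo-secret",  # HS256 shared secret, constructed
}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(payload, secret):
    """Build an HS256 token so validate_bearer has sample input to run on."""
    header = _b64url_encode(json.dumps({"alg": "HS256"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def validate_bearer(authorization, validator, now):
    """Return (200, claims) for a valid bearer token, else (401, None); now = unix time."""
    if not authorization or not authorization.startswith("Bearer "):
        return 401, None  # header missing or not a bearer scheme
    parts = authorization[len("Bearer "):].split(".")
    if len(parts) != 3:
        return 401, None  # malformed token
    header_b64, body_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        expected = hmac.new(validator["secret"].encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        # Pin the algorithm to the configured one and compare signatures in constant time
        if (not isinstance(header, dict) or header.get("alg") != "HS256"
                or not hmac.compare_digest(expected, _b64url_decode(sig_b64))):
            return 401, None
        payload = json.loads(_b64url_decode(body_b64))
    except ValueError:  # bad base64 or bad JSON (binascii.Error is a ValueError)
        return 401, None
    if (not isinstance(payload, dict) or not isinstance(payload.get("exp"), (int, float))
            or payload["exp"] <= now or payload.get("iss") != validator["issuer"]):
        return 401, None  # not a claims object, exp missing/expired, or wrong issuer
    allowed = {a.strip() for a in validator["audience"].split(",")}
    aud = payload.get("aud")
    aud = [aud] if isinstance(aud, str) else (aud or [])
    if not allowed.intersection(aud):  # aud must match one configured audience
        return 401, None
    return 200, payload
```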

The ``public_auth_jwt`` method delegates authentication to the standard Odoo ``public``
method when the Authorization header is not set. If it is set, the regular JWT
authentication is performed as described above. This method is useful for public
endpoints that need to work for anonymous users, but can be enhanced when an
authenticated user is known. A typical use case is an "add to cart" endpoint that works
for anonymous users, but binds the cart to a known customer when the request carries a
valid token.

Known issues / Roadmap
======================

CORS support is problematic in Odoo before 14.0.
This means the demo SPA in ``auth_jwt_demo`` does not work as is.
To make it work, you need to serve it from the same URL as Odoo,
or backport https://github.com/odoo/odoo/pull/56029.

This might also be worked around in ``auth_jwt`` by detecting
the cors preflight request and not requiring auth in that case.

This is left for future work, as my current focus is Odoo 14.0.

Bug Tracker
===========

Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
In case of trouble, please check there if your issue has already been reported.
If you spotted it first, help us to smash it by providing a detailed and welcomed
`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_jwt%0Aversion:%2013.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.

Do not contact contributors directly about support or help with technical issues.

Credits
=======

Authors
~~~~~~~

* ACSONE SA/NV

Contributors
~~~~~~~~~~~~

* Stéphane Bidoul <stephane.bidoul@acsone.eu>

Maintainers
~~~~~~~~~~~

This module is maintained by the OCA.

.. image:: https://odoo-community.org/logo.png
   :alt: Odoo Community Association
   :target: https://odoo-community.org

OCA, or the Odoo Community Association, is a nonprofit organization whose
mission is to support the collaborative development of Odoo features and
promote its widespread use.

.. |maintainer-sbidoul| image:: https://github.com/sbidoul.png?size=40px
    :target: https://github.com/sbidoul
    :alt: sbidoul

Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:

|maintainer-sbidoul| 

This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/13.0/auth_jwt>`_ project on GitHub.

You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
