Hello,

https://github.com/OCA/server-tools/tree/10.0/auth_admin_passkey

We are not using this module at all, but I think is a good idea yo open this issue and see what Contributors thinks.

Im my opinion this module shouldn't be migrated to v11 inside an OCA repository.

Thanks for other point of view

Hi @gurneyalex and @yajo

I have some issue to install lasso on centos8 through ansible and it looks like there's a problem with versions used.

The official reference of the lasso https://pypi.org/project/lasso/ is precising that it's an alpha stage and moreover when you follow the doc and you want to point to the https://github.com/aperezdc/lasso-python it has been renamed in gnarl
My proposal is to user lasso-python instead of the actual dependency or to find a more "stable" dependency .
What's your point of view ?

Regards

I installed odoo 12 in centOS7 server
When i check the odoo log, sometimes below mentioned error appears and the service stopped.

Traceback (most recent call last):
File "/home/Odoo12/odoo12/custom_addons/auth_session_timeout/models/res_users.py", line 74, in _auth_timeout_check
expired = getmtime(path) < deadline
File "/opt/rh/rh-python36/root/usr/lib64/python3.6/genericpath.py", line 55, in getmtime
return os.stat(filename).st_mtime
FileNotFoundError: [Errno 2] No such file or directory: '/home/Odoo12/.local/share/Odoo/sessions/werkzeug_438ccef416264f0acdcb5bfb772f$

Please help me to fix this.....

is there any module to add the feature of auth2 authentication as a (provider) not client

Before installing auth_session_timeout module. (Above Image)

After installing the auth_session_timeout module. (Above Image)

Only happen to images where I uploaded myself using the upload image button. Image uploaded from my local.

web.base.url, web.base.url.freeze parameter is set properly with my domain ( https://domain ) and True.

Hello,

We are hoping to install the Password security module but noticed a strange issue. We wish to disable the history check, as per the pop-up instructions "0 to disable". However this does not seem to work, we have to enter the value 1. This seems minor but could cause frustration to new users of the module

Steps:
In the password policy set (for ease of use):
Days = 0
Minimum Hours = 0
Characters = 0
History = 0
Lower = 1
Upper = 1
Numeric = 1
Special = 0

Ensure users can reset their own passwords
Create a new user, login and logout as said user
Using the Reset password mechanism on the login page
Set new password as Abcd1 Login
Set new password as Abcd1 Again. Login. User was able to use same password
Set new password as Abcd1 User sees error "Cannot use the most recent 0 passwords"

Login as a user with settings permissions and in password policy set History to 1.
Repeat the above test, the user can reuse the same password unlimited times

Expected:
On the third attempt the user can use the repeat password when history = 0

Kind regards,

Sam

When the customer open the link(Confirm & Sign) from email quotation, first time open Login form. Second click show the quotation. The problem is from auth_session_timeout. Exception URL (inactive_session_time_out_ignored_url) are configured for the path (/quote)
Odoo 11 CE

Hi all,

I installed the password_security v12

When I:

1. Open user Form
2. Choose any user
3. Click Action & choose Change Password
4. An issue occurs when I try to click the text field to set the new password

Error:
TypeError: Value being assigned to HTMLMeterElement.value is not a finite floating-point value.

http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:3931
Traceback:
update@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:3931:1350
_renderEdit/<@http://localhost:8069/web/content/326-6b41e4f/web.assets_backend.js:2673:1052
then/</</<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:802:678
fire@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:796:281
add@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:797:467
then/</<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:802:649
each@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:625:758
then/<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:802:553
Deferred@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:803:189
then@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:802:518
_renderEdit@http://localhost:8069/web/content/326-6b41e4f/web.assets_backend.js:2673:1036
OdooClass.extend/</prototype[name]</<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:3538:485
_render@http://localhost:8069/web/content/326-6b41e4f/web.assets_backend.js:1044:31
start/<@http://localhost:8069/web/content/326-6b41e4f/web.assets_backend.js:1041:1516
then/</</<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:802:678
fire@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:796:281
add@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:797:467
then/</<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:802:649
each@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:625:758
then/<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:802:553
Deferred@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:803:189
then@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:802:518
start@http://localhost:8069/web/content/326-6b41e4f/web.assets_backend.js:1041:1425
OdooClass.extend/</prototype[name]</<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:3538:485
_widgetRenderAndInsert/<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:3683:47
then/</</<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:802:678
fire@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:796:281
fireWith@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:801:198
updateFunc/<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:804:482
fire@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:796:281
fireWith@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:801:198
then/</</<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:802:874
fire@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:796:281
fireWith@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:801:198
Deferred/</deferred[tuple[0]]@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:803:56
rpc/<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:3588:436
then/</</<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:802:678
fire@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:796:281
fireWith@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:801:198
Deferred/</deferred[tuple[0]]@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:803:56
fire@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:796:281
fireWith@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:801:198
Deferred/</deferred[tuple[0]]@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:803:56
genericJsonRpc/<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:3557:1
then/</</<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:802:678
fire@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:796:281
fireWith@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:801:198
then/</</<@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:802:874
fire@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:796:281
fireWith@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:801:198
done@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:1192:86
callback@http://localhost:8069/web/content/325-0efc0a7/web.assets_common.js:1212:15

Thanks for your help

It seems that sometimes the method in the website module controllers/main.py web_login is overriding the one in password_security and then if the password has expired, user is not redirected on the signup_url but on the standard /web page and therefore cannot login anymore.
How to be sure that password_security is on the top? should it be added to the server_wide_modules in conf? (it seems that it doesn't help..)

Hi:

Has anyone tried server-auth with a Shibboleth IdP? I've got a functioning IdP endpoint setup and I entered all the metadata in the server-auth Odoo 11 plugin. I enabled the plugin and I do see the link to login to my IdP on the Odoo login screen. When I click on it - it goes to https://<mydomain.com>/None and I get a 404 page not found error. The link address it's trying to execute is:

https://<mydomain.com>/auth_saml/get_auth_request?pid=1

I'm assuming it can't find: https://<mydomain.com>/metadata (my SP entityID)) - Are there any nginx tweaks that need to be done to make this URI work?

I'm going to re-test my metadata at Onelogin: https://www.samltool.com/validate_xml.php

Just curious if anyone has gone down this road. If so, is there any place to start checking?

Cheers,
Dave

The tests of auth_totp_password_security are failing for 11.0: https://travis-ci.org/OCA/server-auth/branches

The error is: AssertionError: 'http://localhost:8069/web/reset_password?token=eqN15WCDR57SxdDbdVv4&db=openerp_test' not found in 'redirected'

This is probably the problem:

Estoy en un proyecto utilizando la version 8.0 de odoo y me preguntaba si en el pasado el modulo funciono en esta versión, aunque ya no tenga soporte.

Gracias!

Im using auth_session_timeout in combination with Odoo 11 EE and we regularly have an 50_x error "Service unavailable" when we're using Chrome.

The user is logged out properly, but after this error we have to clear all cookies before we can login in Odoo again.

Any idea how to fix this?

Hello
I encounter this problem in module keychain when installing it, how do we fix it.

AttributeError: module 'odoo.fields' has no attribute 'Serialized'

Kind regards,
Tien

Hi all,
I using Odoo 11 CE on Ubuntu 16.04 with Apache 2.4 reverse proxy.
When i install auth_session_timeout and logout, if load website, odoo redirect to /web/login.
If clear browser cookies, after tray to login, odoo redirect again to /web/login with cycle and login form not load.
If i uninstall auth_session_timeout, no redirect and website load normal.
How to resolve this issue?

How to replicate

1. Install Odoo, do not install the ldap module
2. Add server-auth to you addons path
3. Start the Odoo server

Current behaviour

Server startup fails, or may even break in unexpected ways, because of Odoo being unable to import ldap. This happens even if the atuh_ldaps module is not installed.

Expected behaviour

Since ldap is only recommended for Odoo to work, not required, this error should not happen. If auth_ldaps is not installed, no errors should occur. If the user attempts to install auth_ldaps, but ldap is not available, an exception should be raised.

I would like to propose a new module to add the feature of auth2 authentication schema to odoo
To allow other apps to authenticate using Odoo

Hi,

I install the password_security, and I'm not sure that the test for the "resets inside of min" is working.
I'm on Odoo 11, and the reset password form send in "qcontext" a empty string for the token as so the first 'if' is never valid. (controller/main.py line 61)
Plus, if this 'if' is valid the queries "user_ids = request.env.sudo().search(...)" (line 74 and 79) are not valid and throw an exception "AttributeError: 'Environment' object has no attribute 'sudo'" and should be replace by "user_ids = request.env['res.users'].sudo().search(...)"

Best regards,

M.

Hello all,
Has anyone managed to setup the SAML connector with Microsoft ADFS SSO?

If so.. what should I place in each of the SAMLv2 setup screen?

Kind regards,

Fernando

Migrate auth_saml from https://github.com/xcgd/auth_saml to version 11 in OCA/server-auth

See xcgd/auth_saml#8

CC: @wolfhall, @bodedra

Change the verify() function in models/res_users_authenticator.py to use valid_window (allows use of OTP before and after the current displayed one):

...
if totp.verify(confirmation_code, valid_window=1):
...

This helps users login experience and also if there is any time issue on the server.

Eg. User opens authenticator app with 10s left of valid time left on OTP - do they wait for the next one to show or try and enter and submit this one in time. By setting valid window we reduce user frustration

Hello,

I want to use keycloak with Odoo, I have configured the momdule like this 👍

And keycloak like this :

When I click on login page, I'm redirected to Keycloak, without error :

`2020-04-10 11:26:16,236 DEBUG [org.keycloak.services.scheduled.ScheduledTaskRunner] (Timer-2) Executed scheduled task AbstractLastSessionRefreshStoreFactory$$Lambda$841/1490485563
2020-04-10 11:26:20,762 DEBUG [io.undertow.request] (default I/O-1) Matched prefix path /auth for path /auth/realms/master/protocol/openid-connect/auth
2020-04-10 11:26:20,763 DEBUG [io.undertow.request.security] (default task-75) Attempting to authenticate /auth/realms/master/protocol/openid-connect/auth, authentication required: false
2020-04-10 11:26:20,763 DEBUG [io.undertow.request.security] (default task-75) Authentication outcome was NOT_ATTEMPTED with method io.undertow.security.impl.CachedAuthenticatedSessionMechanism@20ff4420 for /auth/realms/master/protocol/openid-connect/auth
2020-04-10 11:26:20,763 DEBUG [io.undertow.request.security] (default task-75) Authentication result was ATTEMPTED for /auth/realms/master/protocol/openid-connect/auth
2020-04-10 11:26:20,763 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-75) new JtaTransactionWrapper
2020-04-10 11:26:20,764 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-75) was existing? false
2020-04-10 11:26:20,764 DEBUG [org.jboss.resteasy.resteasy_jaxrs.i18n] (default task-75) RESTEASY002315: PathInfo: /realms/master/protocol/openid-connect/auth
2020-04-10 11:26:20,765 DEBUG [org.hibernate.resource.transaction.backend.jta.internal.JtaTransactionCoordinatorImpl] (default task-75) Hibernate RegisteredSynchronization successfully registered with JTA platform
2020-04-10 11:26:20,766 DEBUG [org.keycloak.services.util.CookieHelper] (default task-75) {1} cookie found in the requests header
2020-04-10 11:26:20,766 DEBUG [org.keycloak.services.util.CookieHelper] (default task-75) {1} cookie found in the cookies field
2020-04-10 11:26:20,766 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-75) Found AUTH_SESSION_ID cookie with value a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2.d-keycloack
2020-04-10 11:26:20,767 DEBUG [org.keycloak.services.util.CookieHelper] (default task-75) {1} cookie found in the requests header
2020-04-10 11:26:20,767 DEBUG [org.keycloak.services.util.CookieHelper] (default task-75) {1} cookie found in the cookies field
2020-04-10 11:26:20,767 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-75) Found AUTH_SESSION_ID cookie with value a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2.d-keycloack
2020-04-10 11:26:20,767 DEBUG [org.keycloak.models.sessions.infinispan.InfinispanUserSessionProvider] (default task-75) getUserSessionWithPredicate(a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2): remote cache not available
2020-04-10 11:26:20,768 DEBUG [org.keycloak.protocol.AuthorizationEndpointBase] (default task-75) Sent request to authz endpoint. We don't have root authentication session with ID 'a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2' but we have userSession.Re-created root authentication session with same ID. Client is: odoo . New authentication session tab ID: W1rlGRsrYjQ
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-75) AUTHENTICATE
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.AuthenticationProcessor] (default task-75) AUTHENTICATE ONLY
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-75) processFlow: browser
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-75) check execution: 'auth-cookie', requirement: 'ALTERNATIVE'
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-75) authenticator: auth-cookie
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-75) Going through the flow 'browser' for adding executions
2020-04-10 11:26:20,770 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-75) Going through the flow 'forms' for adding executions
2020-04-10 11:26:20,771 DEBUG [org.keycloak.authentication.AuthenticationSelectionResolver] (default task-75) Selections when trying execution 'auth-cookie' : [ authSelection

• auth-cookie, authSelection - identity-provider-redirector, authSelection - auth-username-password-form]
  2020-04-10 11:26:20,771 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-75) invoke authenticator.authenticate: auth-cookie
  2020-04-10 11:26:20,771 DEBUG [org.keycloak.authentication.DefaultAuthenticationFlow] (default task-75) authenticator SUCCESS: auth-cookie
  2020-04-10 11:26:20,772 DEBUG [org.keycloak.services.managers.AuthenticationSessionManager] (default task-75) Removing authSession 'a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2'. Expire restart cookie: true
  2020-04-10 11:26:20,772 DEBUG [org.hibernate.event.internal.AbstractSaveEventListener] (default task-75) Generated identifier: 8e6d4856-00af-4331-acdc-c4c0145d43ec, using strategy: org.hibernate.id.Assigned
  2020-04-10 11:26:20,772 DEBUG [org.keycloak.events] (default task-75) type=LOGIN, realmId=master, clientId=odoo, userId=c222c823-b2c1-4785-b061-d84d8405e9f0, ipAddress=192.168.22.10, auth_method=openid-connect, auth_type=code, response_type=token, redirect_uri=http://odoo-sso.domoce.local:8069/auth_oauth/signin, consent=no_consent_required, code_id=a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2, response_mode=fragment, username=odoo, authSessionParentId=a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2, authSessionTabId=W1rlGRsrYjQ
  2020-04-10 11:26:20,773 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-75) Create login cookie - name: KEYCLOAK_IDENTITY, path: /auth/realms/master/, max-age: -1
  2020-04-10 11:26:20,774 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-75) Expiring remember me cookie
  2020-04-10 11:26:20,774 DEBUG [org.keycloak.services.managers.AuthenticationManager] (default task-75) Expiring cookie: KEYCLOAK_REMEMBER_ME path: /auth/realms/master/
  2020-04-10 11:26:20,774 DEBUG [org.keycloak.protocol.oidc.OIDCLoginProtocol] (default task-75) redirectAccessCode: state: {"d": "sso", "p": 4, "r": "http%3A%2F%2Fodoo-sso.domoce.local%3A8069%2Fweb"}
  2020-04-10 11:26:20,774 DEBUG [org.hibernate.SQL] (default task-75)
  select
  clientscop0_.ID as ID1_13_0_,
  clientscop0_.DESCRIPTION as DESCRIPT2_13_0_,
  clientscop0_.NAME as NAME3_13_0_,
  clientscop0_.PROTOCOL as PROTOCOL4_13_0_,
  clientscop0_.REALM_ID as REALM_ID5_13_0_
  from
  CLIENT_SCOPE clientscop0_
  where
  clientscop0_.ID=?
  2020-04-10 11:26:20,774 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-75) KeycloakDS: getConnection(null, WrappedConnectionRequestInfo@255a6418[userName=sa]) [0/20]
  2020-04-10 11:26:20,775 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-75) Initiating JDBC connection release from afterStatement
  2020-04-10 11:26:20,775 DEBUG [org.hibernate.loader.entity.plan.AbstractLoadPlanBasedEntityLoader] (default task-75) Done entity load : org.keycloak.models.jpa.entities.ClientScopeEntity#655ef08c-0dd8-40e4-9426-96f755fb8eb5
  2020-04-10 11:26:20,779 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-75) JtaTransactionWrapper commit
  2020-04-10 11:26:20,779 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-75) Processing flush-time cascades
  2020-04-10 11:26:20,780 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-75) Dirty checking collections
  2020-04-10 11:26:20,780 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-75) Flushed: 1 insertions, 0 updates, 0 deletions to 1 objects
  2020-04-10 11:26:20,780 DEBUG [org.hibernate.event.internal.AbstractFlushingEventListener] (default task-75) Flushed: 0 (re)creations, 0 updates, 0 removals to 0 collections
  2020-04-10 11:26:20,780 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-75) Listing entities:
  2020-04-10 11:26:20,780 DEBUG [org.hibernate.internal.util.EntityPrinter] (default task-75) org.keycloak.events.jpa.EventEntity{clientId=odoo, realmId=master, ipAddress=192.168.22.10, id=8e6d4856-00af-4331-acdc-c4c0145d43ec, sessionId=a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2, time=1586510780772, error=null, type=LOGIN, userId=c222c823-b2c1-4785-b061-d84d8405e9f0, detailsJson={"auth_method":"openid-connect","auth_type":"code","response_type":"token","redirect_uri":"http://odoo-sso.domoce.local:8069/auth_oauth/signin","consent":"no_consent_required","code_id":"a18e32c3-4ff4-45a5-8bcc-606b5c95f4c2","response_mode":"fragment","username":"odoo"}}
  2020-04-10 11:26:20,781 DEBUG [org.hibernate.SQL] (default task-75)
  insert
  into
  EVENT_ENTITY
  (CLIENT_ID, DETAILS_JSON, ERROR, IP_ADDRESS, REALM_ID, SESSION_ID, EVENT_TIME, TYPE, USER_ID, ID)
  values
  (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
  2020-04-10 11:26:20,781 DEBUG [org.hibernate.engine.jdbc.internal.JdbcCoordinatorImpl] (default task-75) Skipping aggressive release due to manual disabling
  2020-04-10 11:26:20,781 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-75) Initiating JDBC connection release from afterStatement
  2020-04-10 11:26:20,781 DEBUG [org.hibernate.engine.transaction.internal.TransactionImpl] (default task-75) On TransactionImpl creation, JpaCompliance#isJpaTransactionComplianceEnabled == false
  2020-04-10 11:26:20,782 DEBUG [org.jboss.jca.core.connectionmanager.pool.strategy.OnePool] (default task-75) KeycloakDS: returnConnection(cb3f06a, false) [0/20]
  2020-04-10 11:26:20,782 DEBUG [org.hibernate.resource.jdbc.internal.LogicalConnectionManagedImpl] (default task-75) Initiating JDBC connection release from afterTransaction
  2020-04-10 11:26:20,782 DEBUG [org.keycloak.transaction.JtaTransactionWrapper] (default task-75) JtaTransactionWrapper end
  2020-04-10 11:26:20,784 DEBUG [io.undertow.request] (default I/O-1) UT005013: An IOException occurred: java.nio.channels.ClosedChannelException
  at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:876)
  at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:649)
  at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
  at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1137)
  at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
  at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)

2020-04-10 11:26:21,067 DEBUG [io.undertow.request] (default I/O-1) Matched default handler path /realms/master/protocol/openid-connect/token/introspect
2020-04-10 11:26:21,068 DEBUG [io.undertow.request] (default I/O-1) UT005013: An IOException occurred: java.nio.channels.ClosedChannelException
at io.undertow.protocols.ssl.SslConduit.doWrap(SslConduit.java:876)
at io.undertow.protocols.ssl.SslConduit.doHandshake(SslConduit.java:649)
at io.undertow.protocols.ssl.SslConduit.access$900(SslConduit.java:63)
at io.undertow.protocols.ssl.SslConduit$SslReadReadyHandler.readReady(SslConduit.java:1137)
at org.xnio.nio.NioSocketConduit.handleReady(NioSocketConduit.java:89)
at org.xnio.nio.WorkerThread.run(WorkerThread.java:591)`

But in odoo log I have this :

2020-04-10 09:26:20,826 9858 INFO sso werkzeug: 192.168.20.11 - - [10/Apr/2020 09:26:20] "GET /auth_oauth/signin HTTP/1.1" 200 - 2020-04-10 09:26:21,072 9858 ERROR sso odoo.addons.auth_oauth.controllers.main: OAuth2: Not Found Traceback (most recent call last): File "/opt/odoo/odoo11/addons/auth_oauth/controllers/main.py", line 133, in signin credentials = env['res.users'].sudo().auth_oauth(provider, kw) File "/opt/odoo/odoo11/addons/auth_oauth/models/res_users.py", line 96, in auth_oauth validation = self._auth_oauth_validate(provider, access_token) File "/opt/odoo/odoo11-custom-addons/auth_keycloak/models/res_users.py", line 44, in _auth_oauth_validate validation = self._keycloak_validate(oauth_provider, access_token) File "/opt/odoo/odoo11-custom-addons/auth_keycloak/models/res_users.py", line 28, in _keycloak_validate raise OAuthError(resp.reason) odoo.addons.auth_keycloak.exceptions.OAuthError: Not Found 2020-04-10 09:26:21,075 9858 INFO sso werkzeug: 192.168.20.11 - - [10/Apr/2020 09:26:21] "GET /auth_oauth/signin?state=%7B%22d%22%3A+%22sso%22%2C+%22p%22%3A+4%2C+%22r%22%3A+%22http%253A%252F%252Fodoo-sso.domoce.local%253A8069%252Fweb%22%7D&access_token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJZWm82bGdDaXVVTUtWY0JTVzhSaVpjeWhyUHJEWXpMU2RKV190S0xhWWlrIn0.eyJleHAiOjE1ODY1MTE2ODAsImlhdCI6MTU4NjUxMDc4MCwiYXV0aF90aW1lIjoxNTg2NTA5NzM5LCJqdGkiOiJhYTYyZDk4Mi0wNTRiLTQ5OWUtODZhYS1lZjY2NmIwOWI2Y2MiLCJpc3MiOiJodHRwczovL2Qtc3NvLm9zbW9zLnRlY2gvYXV0aC9yZWFsbXMvbWFzdGVyIiwic3ViIjoiYzIyMmM4MjMtYjJjMS00Nzg1LWIwNjEtZDg0ZDg0MDVlOWYwIiwidHlwIjoiQmVhcmVyIiwiYXpwIjoib2RvbyIsInNlc3Npb25fc3RhdGUiOiJhMThlMzJjMy00ZmY0LTQ1YTUtOGJjYy02MDZiNWM5NWY0YzIiLCJhY3IiOiIwIiwic2NvcGUiOiJwcm9maWxlIGVtYWlsIiwiZW1haWxfdmVyaWZpZWQiOnRydWUsInByZWZlcnJlZF91c2VybmFtZSI6Im9kb28ifQ.gQoMqTdlfHO1qlu4dn_uwttdDtw6zBfqzgfC1RN6Ne2IdeOO-dl3S52Syw2Xx_d-gp1tEvLgkfcwJhxdEdQ1LJCJf65tNquPwuLLew9gkQgAV7gvWbRL6_T7rjnFfFZM-NwQv9Sw4y-sNxw4dXG6PcJope5ry5NJ0ge4SSm-Ka-EQXasLjJGiK2rBZaTSaRwcJkmsC9a4RNR52-tIJYMlPcdpOX5C7FN0b0idyzPzxeM0yCdnO5-8cBkvxXxqYltAL7c6z2CF2Sp3YPRWnvTMXN8xra8o1URrgkI_zQi5uYTvblSnAVoPp3CsY8MuFOxgIKmx3Wi_t3BEUhh1UlqCg&token_type=bearer&expires_in=900 HTTP/1.1" 303 - 2020-04-10 09:26:21,150 9858 INFO sso werkzeug: 192.168.20.11 - - [10/Apr/2020 09:26:21] "GET /web/login?oauth_error=2 HTTP/1.1" 200 -

The documentation doesn't explain how to configure Keycloak, but I think the problem is on the Odoo side.

Thank you for your help !

Regards,

Nicolas

auth_admin_passkey is a great module.
For the main use is to debug or test other user's ACL.

Not only the admin could use this feature but also managers to test there team access...

However, with this module, anyone having this module can access any account including the admin.
This module should not override the adnin password.

Todo

https://github.com/OCA/maintainer-tools/wiki/Migration-to-version-13.0

Modules to migrate

• auth_admin_passkey - By @bizzappdev - #169
• auth_api_key @Laurent-Corron #142
• auth_keycloak (superseded by auth_oidc)
• auth_ldap_attribute_sync
• auth_ldaps
• auth_oauth_multi_token - By @yajo - #218
• auth_oidc - By @sbidoul - #260
• auth_session_timeout - By @rruebner - #137
• auth_signup_verify_email
• auth_totp
• auth_u2f
• base_user_show_email
• password_security
• users_ldap_groups
• users_ldap_mail - By @joao-p-marques - #241
• users_ldap_populate - By @joao-p-marques - #249
• user_log_view

Missing module? Check https://github.com/OCA/maintainer-tools/wiki/%5BFAQ%5D-Missing-modules-in-migration-issue-list

Steps

• Set up a user with 2FA (I used Google Authenticator and used the work around at #140)
• In a different browser or in a private/incogito window, go to /web/login
• Enter the user name and password

Result

• Got a "403: Forbidden" page
• Log:

2020-02-24 23:53:15,988 17670 WARNING 20200117-WalkThru odoo.addons.website.models.ir_http: 403 Forbidden:

Traceback (most recent call last):
  File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/addons/base/models/ir_http.py", line 203, in _dispatch
    result = request.dispatch()
  File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 835, in dispatch
    r = self._call_function(**self.params)
  File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 346, in _call_function
    return checked_call(self.db, *args, **kwargs)
  File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/service/model.py", line 97, in wrapper
    return f(dbname, *args, **kwargs)
  File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 339, in checked_call
    result = self.endpoint(*a, **kw)
  File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 941, in __call__
    return self.method(*args, **kw)
  File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 519, in response_wrap
    response = f(*args, **kw)
  File "/opt/odoo/v12-test/odoo/addons/website/controllers/main.py", line 96, in web_login
    response = super(Website, self).web_login(redirect=redirect, *args, **kw)
  File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 519, in response_wrap
    response = f(*args, **kw)
  File "/opt/odoo/v12-test/odoo/addons/auth_oauth/controllers/main.py", line 94, in web_login
    response = super(OAuthLogin, self).web_login(*args, **kw)
  File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 519, in response_wrap
    response = f(*args, **kw)
  File "/opt/odoo/v12-test/odoo/addons/auth_signup/controllers/main.py", line 21, in web_login
    response = super(AuthSignupHome, self).web_login(*args, **kw)
  File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 519, in response_wrap
    response = f(*args, **kw)
  File "/opt/odoo/v12-test/src/tko-addons/tko_web_sessions_management/models/main.py", line 58, in web_login
    request.params['password'])
  File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/http.py", line 1041, in authenticate
    uid = odoo.registry(db)['res.users'].authenticate(db, login, password, env)
  File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/addons/base/models/res_users.py", line 594, in authenticate
    uid = cls._login(db, login, password)
  File "/opt/odoo/v12-test/src/server-auth/users_ldap_groups/models/res_users.py", line 12, in _login
    user_id = super()._login(db, login, password)
  File "/opt/odoo/v12-test/odoo/addons/auth_ldap/models/res_users.py", line 21, in _login
    raise e
  File "/opt/odoo/v12-test/odoo/addons/auth_ldap/models/res_users.py", line 15, in _login
    return super(Users, cls)._login(db, login, password)
  File "/opt/odoo/v12-test/env/lib/python3.6/site-packages/odoo-12.0-py3.6.egg/odoo/addons/base/models/res_users.py", line 573, in _login
    user._check_credentials(password)
  File "/opt/odoo/v12-test/odoo/addons/auth_oauth/models/res_users.py", line 114, in _check_credentials
    return super(ResUsers, self)._check_credentials(password)
  File "/opt/odoo/v12-test/src/server-auth/auth_ldap_attribute_sync/models/res_users.py", line 12, in _check_credentials
    super()._check_credentials(password)
  File "/opt/odoo/v12-test/odoo/addons/auth_ldap/models/res_users.py", line 33, in _check_credentials
    super(Users, self)._check_credentials(password)
  File "/opt/odoo/v12-test/src/server-auth/auth_totp/models/res_users.py", line 106, in _check_credentials
    raise MfaLoginNeeded
odoo.addons.auth_totp.exceptions.MfaLoginNeeded: Access denied

Expected result

• Being redirected to /auth_totp/login to enter the code

Todo

https://github.com/OCA/maintainer-tools/wiki/Migration-to-version-12.0

Modules to migrate

• auth_admin_passkey - By @fkantelberg - #116
• auth_api_key - By @sbidoul - #56
• auth_brute_force Not needed as Odoo includes now this feature in core. More details in #38 (comment)
• auth_from_http_remote_user
• auth_keycloak - By @shepilov-vladislav - #152
• auth_ldaps - By @alexey-pelykh - #42
• auth_oauth_multi_token - By @sla-subteno-it - #62 - By @fmdl - #106
• auth_saml - By @gurneyalex - #64 By @yajo - #64
• auth_session_timeout - By @jarroyomorales - #109
• auth_signup_verify_email - By @SalahAdDin - #69 By @Tardo - #108
• auth_totp - By @fkantelberg - #114
• auth_totp_password_security - By @fkantelberg - #115
• auth_u2f - By @fkantelberg - #90
• auth_user_case_insensitive - By @Retropikzel - #104
• keychain - By @hparfr - #39
• password_security - By @pnajman-modoolar - #66 - By @shepilov-vladislav - #83
• users_ldap_mail - By @Tardo - #151
• users_ldap_groups - By @alexey-pelykh - #46
• users_ldap_populate - By @Tardo - #132

Tested on v11 and v12 runbot, unable to test on v10/v9

When opening the wizard to add a new MFA device the secret code (and QR code) displayed is not the same as the secret code used to validate.

After entering any Confirmation Code and clicking Create, the secret code and QR code reloads and shows the correct code. If this is not noticed by user they continue entering the 6 digit code from the first secret and continue receiving validation errors.

Workaround: Enter any 6 digit code and click validate, then add the displayed secret code / QR to authenticator

Hi all,
I have installed the module auth_session_timeout-11.0.1.0.0, and after that started to get redirect link and the error - Too many redirects. Problem was gone, when I removed the module.
What can be the issue?
This is the log line.
2019-05-25 10:56:02,747 873 INFO 7danat werkzeug: 217.165.21.202 - - [25/May/201 9 10:56:02] "GET /web/login?redirect=http%3A%2F%2F7danat.com%3A8069%2Fweb%2Flogi n%3Fredirect%3Dhttp%253A%252F%252F7danat.com%253A8069%252Fweb%252Flogin%253Fredi rect%253Dhttp%25253A%25252F%25252F7danat.com%25253A8069%25252Fweb%25252Flogin%25 253Fredirect%25253Dhttp%2525253A%2525252F%2525252F7danat.com%2525253A8069%252525 2Fweb%2525252Flogin%2525253Fredirect%2525253Dhttp%252525253A%252525252F%25252525 2F7danat.com%252525253A8069%252525252Fweb%252525252Flogin%252525253Fredirect%252 525253Dhttp%25252525253A%25252525252F%25252525252F7danat.com%25252525253A8069%25 252525252Fweb%25252525252Flogin%25252525253Fredirect%25252525253Dhttp%2525252525 253A%2525252525252F%2525252525252F7danat.com%2525252525253A8069%2525252525252Fwe b%2525252525252Flogin%2525252525253Fredirect%2525252525253Dhttp%252525252525253A %252525252525252F%252525252525252F7danat.com%252525252525253A8069%25252525252525 2Fweb%252525252525252Flogin%252525252525253Fredirect%252525252525253Dhttp%252525 25252525253A%25252525252525252F%25252525252525252F7danat.com%25252525252525253A8 069%25252525252525252Fweb%25252525252525252Flogin%25252525252525253Fredirect%252 52525252525253Dhttp%2525252525252525253A%2525252525252525252F%252525252525252525 2F7danat.com%2525252525252525253A8069%2525252525252525252Fweb%252525252525252525 2Flogin%2525252525252525253Fredirect%2525252525252525253Dhttp%252525252525252525 253A%252525252525252525252F%252525252525252525252F7danat.com%2525252525252525252 53A8069%252525252525252525252Fweb%252525252525252525252Flogin%252525252525252525 253Fredirect%252525252525252525253Dhttp%25252525252525252525253A%252525252525252 52525252F%25252525252525252525252F7danat.com%25252525252525252525253A8069%252525 25252525252525252Fweb%25252525252525252525252Flogin%25252525252525252525253Fredi rect%25252525252525252525253Dhttp%2525252525252525252525253A%2525252525252525252 525252F%2525252525252525252525252F7danat.com%2525252525252525252525253A8069%2525 252525252525252525252F HTTP/1.1" 302 -

I need a way to show records of res.users.log model. Odoo doesn't provide views for the model and I haven't found a ready solution for that. So, I think to create the module.

My question is: what could be a proper name / technical name for such a module and is server-auth proper repository for it?

Running into an issue with auth_signup once tried to login I get “--HACK--’’ on signup Screen

Was able to reach this point,

But not really sure what is happening here.

Working on Odoo v12e.

Often companies will want to maintain a whitelist of IP address expressed by ranges of IP's instead of having to express them one by one.

See https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation
And a sample implementation in python of logic to check if an IP address is whithin a range expressed by a CIDR expression: https://diego.assencio.com/?index=85e407d6c771ba2bc5f02b17714241e2

Steps to reproduce

• Install website and auth_totp
• Login as demo
• Go to your preferences, setup your 2FA device and activate 2FA
• Logout and login
• On the page to enter your 2FA code, click on the main menu or "My account"

Result

• You are logged in. You can access the backend, your portal or edit the website (if the user is in the Website Editor group)

Expected result

• You are not logged in and you are redirected to the page to enter your 2FA code.

Hi Hello

I'm trying to change

auth_brute_force.max_by_ip

But I don't know where are those parameter stored.

Hi we want to use the auth_saml module in Odoo (OpenERP)
The installation was successful but when we try to login using SAML the brower wants to go to https://url.of.our.odoo.server/auth_saml/get_auth_request?pid=2 and we get a 404 error page.

Any idea of what could be the solution for this issue?

Currently, auth_from_http_remote_users does not allow the same user to connect from different browser sessions at the same time (different browsers, different machines etc).

This is due to the fact that, when creating a new session, the module generates a new random pseudo-password (sso_key)
that is subsequently used to check credentials at the beginning of each request (via check_security). So when the same user tries to connect via two sessions, they invalidate each other.

While there are reasons to make this sso_key secret, there is no reason for it to be random, IMO.

So I propose to change the module to generate that sso_key by hashing the combination of the user id, and a per-database secret to be set in a system parameter. For compatibility, if the system parameter is absent, log a warning and fall back on the current mechanism.

odoo v12
I got this error a lot in the log file !

2020-03-27 10:39:37,513 104143 ERROR DataBase odoo.addons.auth_session_timeout.models.res_users: Exception reading session file modified time. 
Traceback (most recent call last):
  File "/odoo/custom/others/auth_session_timeout/models/res_users.py", line 74, in _auth_timeout_check
    expired = getmtime(path) < deadline
  File "/usr/lib/python3.6/genericpath.py", line 55, in getmtime
    return os.stat(filename).st_mtime
FileNotFoundError: [Errno 2] No such file or directory: '/odoo/.local/share/Odoo/sessions/werkzeug_f984108a7183103f7971885c14707c95811e9310.sess'
2020-03-27 10:39:37,915 104123 INFO DataBase werkzeug: 127.0.0.1 - - [27/Mar/2020 10:39:37] "POST /web/dataset/call_kw/project.phase/name_search HTT

module: auth_saml
version: 11.0

Steps to reproduce

• ...

Current behavior

Expected behavior

Currently the module password_security is using a similar case to:

Unsafe password is passed as safe:

Safe password is passed as unsafe:

The following python library:

• https://pypi.org/project/zxcvbn/

Works a little different similar to:

And gives you a score of security of your password considering the name of the user too.
I mean, name = John Smith and password = JhonSmith123 it is unsafe.

For more information check the following readme:

• https://github.com/dwolfhub/zxcvbn-python/blob/master/README.rst

Note: Help wanted here.

Odoo Server Error

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/odoo/http.py", line 624, in _handle_exception
return super(JsonRequest, self)._handle_exception(exception)
File "/usr/lib/python3/dist-packages/odoo/http.py", line 310, in _handle_exception
raise pycompat.reraise(type(exception), exception, sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/odoo/tools/pycompat.py", line 14, in reraise
raise value
File "/usr/lib/python3/dist-packages/odoo/http.py", line 669, in dispatch
result = self._call_function(**self.params)
File "/usr/lib/python3/dist-packages/odoo/http.py", line 350, in _call_function
return checked_call(self.db, *args, **kwargs)
File "/usr/lib/python3/dist-packages/odoo/service/model.py", line 94, in wrapper
return f(dbname, *args, **kwargs)
File "/usr/lib/python3/dist-packages/odoo/http.py", line 339, in checked_call
result = self.endpoint(*a, **kw)
File "/usr/lib/python3/dist-packages/odoo/http.py", line 915, in call
return self.method(*args, **kw)
File "/usr/lib/python3/dist-packages/odoo/http.py", line 515, in response_wrap
response = f(*args, **kw)
File "/usr/lib/python3/dist-packages/odoo/addons/web/controllers/main.py", line 1326, in call_button
action = self._call_kw(model, method, args, kwargs)
File "/usr/lib/python3/dist-packages/odoo/addons/web/controllers/main.py", line 1314, in _call_kw
return call_kw(request.env[model], method, args, kwargs)
File "/usr/lib/python3/dist-packages/odoo/api.py", line 387, in call_kw
result = _call_kw_multi(method, model, args, kwargs)
File "/usr/lib/python3/dist-packages/odoo/api.py", line 374, in _call_kw_multi
result = method(recs, *args, **kwargs)
File "/usr/lib/python3/dist-packages/odoo/addons/users_ldap_populate/models/users_ldap.py", line 189, in populate_wizard
res_id = wizard_obj.create({'ldap_id': self.id}).id
File "", line 2, in create
File "/usr/lib/python3/dist-packages/odoo/api.py", line 335, in _model_create_multi
return create(self, [arg])
File "/usr/lib/python3/dist-packages/odoo/addons/users_ldap_populate/models/populate_wizard.py", line 32, in create
ldap.action_populate()
File "/usr/lib/python3/dist-packages/odoo/addons/users_ldap_populate/models/users_ldap.py", line 65, in action_populate
results = self._get_ldap_entry_dicts(conf)
File "/usr/lib/python3/dist-packages/odoo/addons/users_ldap_populate/models/users_ldap.py", line 128, in _get_ldap_entry_dicts
ldap_password.encode('utf-8')
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 443, in simple_bind_s
msgid = self.simple_bind(who,cred,serverctrls,clientctrls)
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 437, in simple_bind
return self._ldap_call(self._l.simple_bind,who,cred,RequestControlTuples(serverctrls),RequestControlTuples(clientctrls))
File "/usr/lib/python3/dist-packages/ldap/ldapobject.py", line 313, in _ldap_call
result = func(*args,**kwargs)
TypeError: simple_bind() argument 1 must be str or None, not bytes

See OCA/server-tools#1398

[13.0] password_security migrate to odoo version 13 ? when can i expected this module to be upgrade to version 13 ?

How to replicate
Install Odoo
Add saml_auth to you addons path
Start the Odoo server
Log in with the administrator account
Configure SAML Provider [Using F5 in my case] (Matching attribute / IDP Configuration / SP Configuration / Private key of our service provider (this openerpserver)) and enable provider. (Provide a name and a body here we used Provider name = "F5" Body = "Login with F5")
Log out from the administrator account
Click on Login with the SAML Provider [Here Login with F5]
You are redirected to the external authentification system.
You log in with your user on the external authentification system. (In this scenario user doesn't exist in Odoo database on purpose)
You are redirected to the Odoo page localhost:9999/web/login#action=login&saml_error=3

Current behaviour
No error message is displayed Login page
Odoo/addons/web/views/webclient_templates.xml ln.407

<p class="alert alert-danger" t-if="error">
    <t t-esc="error"/>
 </p>

Expected behavior
The following message should be displayed:

                "You do not have access to this database or your "
                "invitation has expired. Please ask for an invitation "
                "and be sure to follow the link in your invitation email."

Issue: request.params.get('saml_error') doesn't get the proper value and error is empty
Eventual solution path: grab the saml_error from the url variable.
FYI: Login with a valid user works perfectly the configuration as is seems to work. But in case of an unexisting user, the message is not displayed. Maybe I am missing something in the configuration.

Source: The message is provided by the method web_login() in server-auth/auth_saml/controllers/main.py

    @http.route()
    def web_login(self, *args, **kw):
        ensure_db()
        if (
            request.httprequest.method == 'GET' and
            request.session.uid and
            request.params.get('redirect')
        ):

            # Redirect if already logged in and redirect param is present
            return http.redirect_with_hash(request.params.get('redirect'))

        providers = self.list_providers()

        response = super(SAMLLogin, self).web_login(*args, **kw)
        if response.is_qweb:
            error = request.params.get('saml_error')
            if error == '1':
                error = _("Sign up is not allowed on this database.")
            elif error == '2':
                error = _("Access Denied")
            elif error == '3':
                error = _(
                    "You do not have access to this database or your "
                    "invitation has expired. Please ask for an invitation "
                    "and be sure to follow the link in your invitation email."
                )
            else:
                error = None

            response.qcontext['providers'] = providers

            if error:
                response.qcontext['error'] = error

        return response

module: auth_session_timeout
version: 12.0

Steps to reproduce
inactive_session_time_out_ignored_url，Excluding addresses has no effect
All incoming HTTP are killed，
Similar to dingtalk approval callback
Current behavior

Expected behavior
auth session timeout, should point to the user, not all

The password_security module throws a warning during tests. Although it is just a warning, it makes odoo.sh flag the tests as yellow. So an Odoo instance using password_security cannot pass its tests on odoo.sh.

Sample warning from the log:

2019-10-10 11:18:13,150 7 WARNING jmcvetta-dev-632767 odoo.http: <function odoo.addons.password_security.controllers.main.web_auth_signup> returns an invalid response type for an http request 

Warning is thrown from within odoo.http.route decorator, which is wrapping password_security.controllers.main.web_auth_signup().

Within that method we have the line:

            return request.render('auth_signup.signup', qcontext)

@route is unhappy because the response from request.render() is an instance of MagicMock. Whereas @route is expecting an instance of odoo.http.Response, or one of a few other types.

Need to change the mocking setup, so the MagicMock object will report itself as an instance of odoo.http.Response.

I am using keycloak v8.0.1 and odoo v11. After setting up the keycloak integration, everything works great, however, when I log out of odoo and try to log in again, I get a 502 error from keycloak.

One thing I did notice is the redirect_uri contains the http protocol instead of the https protocol, even though all of my config says to use https. I would blame it on my configuration setup, except that it really does work the first time I login.

https://iam.siliconhills.dev/auth/realms/master/protocol/openid-connect/auth?client_id=hq.siliconhills.dev&redirect_uri=http%3A%2F%2Fhq.siliconhills.dev%2Fauth_oauth%2Fsignin&response_type=token&state=%7B%22r%22%3A+%22http%253A%252F%252Fhq.siliconhills.dev%252Fweb%22%2C+%22d%22%3A+%22hq-siliconhills-dev%22%2C+%22p%22%3A+7%7D&scope=False

In order to make it work, I have to logout of keycloak, and then try to login to odoo with keycloak. But, if I'm already logged into keycloak and I try to login to odoo with keycloak, it always throws a 502 error.

Below is my configuration.

Neither keycloak or odoo give me any error logs. Keycloak only logs the following warnings.

I have noticed password_security/models/res_users.py is different for versions 11 and 12 regarding the _password_has_expired function: in version 12, there is a condition that allows to disable password expiration just by setting password_expiration = 0 (which makes sense),

    @api.multi
    def _password_has_expired(self):
        self.ensure_one()
        if not self.password_write_date:
            return True

        if not self.company_id.password_expiration:
            return False

        days = (fields.Datetime.now() - self.password_write_date).days
        return days > self.company_id.password_expiration

while in version 11, the function does not accept a value just to disable it.

    @api.multi
    def _password_has_expired(self):
        self.ensure_one()
        if not self.password_write_date:
            return True
        write_date = fields.Datetime.from_string(self.password_write_date)
        today = fields.Datetime.from_string(fields.Datetime.now())
        days = (today - write_date).days
        return days > self.company_id.password_expiration

Can we "backport" that feature or is there any reason not to implement it that way in version 11? Will you accept a pull request of that feature to be merged in 11.0 branch?

lasso fail with pip (ubuntu18.04, ubuntu 20.04):

pip3 install lasso
Collecting lasso
Downloading https://files.pythonhosted.org/packages/4e/8d/515757f262f53ed72e7695a2274097aafe0aa28d8017fb6e7c357baab2ab/lasso-0.0.5.tar.gz
Collecting delorean>=0.4.4 (from lasso)
Downloading https://files.pythonhosted.org/packages/76/40/5e8d179a0311236b2e83aa1c80b0b363700035ad6639858c75ef5be975e6/Delorean-1.0.0.tar.gz
Collecting schema<0.4.0,>=0.3.1 (from lasso)
Downloading https://files.pythonhosted.org/packages/0c/1f/1bb243c03e7109f18256b0485c6a1c400019a76d023f36983c99232c0141/schema-0.3.1.tar.gz
Complete output from command python setup.py egg_info:
Traceback (most recent call last):
File "", line 1, in
File "/tmp/pip-build-bl27l9pf/schema/setup.py", line 16, in
long_description=open('README.rst').read(),
File "/usr/lib/python3.6/encodings/ascii.py", line 26, in decode
return codecs.ascii_decode(input, self.errors)[0]
UnicodeDecodeError: 'ascii' codec can't decode byte 0xe2 in position 2360: ordinal not in range(128)

----------------------------------------

Command "python setup.py egg_info" failed with error code 1 in /tmp/pip-build-bl27l9pf/schema/

In github, the project is now https://github.com/aperezdc/gnarl, maybe we should exchange lasso for gnarl?

Sorry for the previous issue. I thought i wrote the message in English.

I am in a project using version 8.0 of odoo and I was wondering if in the past the module auth_saml worked in this version, although it does not have support anymore.

Thank you!

Hello,
Can i use this module with Odoo Enterprise V11 ?
I've a fresh install debian jessie and odoo Enterprise V11 with demo data.
Only install one module and auth_session_timeout.
Put delay at 120 to be disconnect after 2 minutes.
The session still active even if i use demo or admin account.
Thanks for your help
Ericzen

When a user clicks on their name in the upper right corner -> Preferences and scrolls to MFA devices, the field for authenticator_ids shows devices for other users as being available.

Fix: add domain="[('user_id', '=', id)]" to the authenticator_ids field on view_users_form_simple_modif