[5188][ADD] auth_oauth_enforced #60
Conversation
There was a problem hiding this comment.
@nobuQuartile Can you please rename the module to auth_oauth_enforced? Please also fix the pre-commit error.
nobuQuartile
force-pushed
the
4777-add-auth_oauth_force_oauth
branch
2 times, most recently
from
b8bbef1 to
f249ccc
Compare
nobuQuartile
changed the title
nobuQuartile
force-pushed
the
4777-add-auth_oauth_force_oauth
branch
from
f249ccc to
afe7cf9
Compare
|
@yostashiro |
There was a problem hiding this comment.
@nobuQuartile Please add CONFIGURE.md (and USAGE.md and CONTEXT.md as appropriate).
| This module controls login methods by email domain, requiring OAuth for | ||
| specified domains, as defined in company | ||
| settings. |
There was a problem hiding this comment.
Let's avoid random line breaks.
| This module controls login methods by email domain, requiring OAuth for | |
| specified domains, as defined in company | |
| settings. | |
| This module controls login methods by email domain, requiring OAuth for specified | |
| domains, as defined in company settings. |
nobuQuartile
force-pushed
the
4777-add-auth_oauth_force_oauth
branch
2 times, most recently
from
d217c65 to
4e095ae
Compare
nobuQuartile
force-pushed
the
4777-add-auth_oauth_force_oauth
branch
2 times, most recently
from
fafe793 to
daabfd5
Compare
There was a problem hiding this comment.
@nobuQuartile The commits shouldn't have squashed for this PR. It makes it hard to see what changes you have made.
| @@ -0,0 +1 @@ | |||
| To streamline security practices, many companies are adopting an OAuth-only login policy, reducing risks associated with managing multiple passwords. However, in B2B scenarios—such as when third-party service providers like accounting firms require access to Odoo—enforcing OAuth exclusively can lead to operational inefficiencies, as third parties may need to create and manage dedicated accounts for this purpose. To overcome this challenge, implementing domain-specific OAuth enforcement offers a more flexible and targeted solution. No newline at end of file | |||
There was a problem hiding this comment.
Make it more concise as it sounds a bit too verbose (the last sentence sounds very ChatGPTish and we don't want that), and apply the 88-char max length for better readability, although it's not required by the linter.
auth_oauth_enforced/readme/USAGE.md
Outdated
| 1. Navigate to Settings → Companies → Update Info to open your company's form view. | ||
| 2. In the General Information tab, locate the field Force OAuth Domains. | ||
| 3. Enter the domain names you want to block in login IDs. You can specify multiple domains by separating them with commas (,). |
There was a problem hiding this comment.
These steps should be in CONFIGURE.md.
Step 3 sounds incorrect.
auth_oauth_enforced/readme/USAGE.md
Outdated
| 1. Navigate to Settings → Companies → Update Info to open your company's form view. | ||
| 2. In the General Information tab, locate the field Force OAuth Domains. | ||
| 3. Enter the domain names you want to block in login IDs. You can specify multiple domains by separating them with commas (,). | ||
| 4. Once configured, users with emails from the blocked domains will be restricted from logging in. Additionally, if a user tries to access the company's admin panel with a password instead of OAuth, they will see the notification: "You are not allowed to login with password. Please use OAuth login." No newline at end of file |
There was a problem hiding this comment.
This sounds incorrect or doesn't clearly tell what the module does.
nobuQuartile
force-pushed
the
4777-add-auth_oauth_force_oauth
branch
2 times, most recently
from
da15744 to
a8d5063
Compare
|
I fixed some point. |
nobuQuartile
force-pushed
the
4777-add-auth_oauth_force_oauth
branch
4 times, most recently
from
7c225d2 to
0612927
Compare
|
I fixed some point. |
nobuQuartile
force-pushed
the
4777-add-auth_oauth_force_oauth
branch
2 times, most recently
from
bf5a0ad to
049bc8e
Compare
|
I fixed the USAGE. |
auth_oauth_enforced/readme/USAGE.md
Outdated
| Users with a blocked domain in their login ID cannot log in with a password | ||
| and will receive a notification on the login page if they attempt this, | ||
| instructing them to use OAuth instead. No newline at end of file |
There was a problem hiding this comment.
For better flow (IMO).
| Users with a blocked domain in their login ID cannot log in with a password | |
| and will receive a notification on the login page if they attempt this, | |
| instructing them to use OAuth instead. | |
| On the login page, users with a blocked domain in their login will receive an error | |
| message directing them to use OAuth login instead, if they attempt to log in with a | |
| password. |
| @@ -0,0 +1,4 @@ | |||
| 1. Navigate to Settings → Companies → Update Info to open your company's form view. | |||
There was a problem hiding this comment.
| 1. Navigate to Settings → Companies → Update Info to open your company's form view. | |
| 1. Navigate to *Settings > Users & Companies > Companies*. |
| @@ -0,0 +1,4 @@ | |||
| 1. Navigate to Settings → Companies → Update Info to open your company's form view. | |||
| 2. In the General Information tab, locate the field Force OAuth Domains. | |||
| 3. Enter the domain names you want to block for email-based login IDs. | |||
There was a problem hiding this comment.
| 3. Enter the domain names you want to block for email-based login IDs. | |
| 3. Enter the domain names you wish to block for password-based login, i.e., users with | |
| a login that matches the domains listed here will not be able to log in with a password. |
| For example, some companies may have wanted to enforce OAuth for their users. | ||
| On the other hand, there may be those who prefer not to enforce OAuth for users | ||
| such as stakeholders accessing the portal. No newline at end of file |
There was a problem hiding this comment.
| For example, some companies may have wanted to enforce OAuth for their users. | |
| On the other hand, there may be those who prefer not to enforce OAuth for users | |
| such as stakeholders accessing the portal. | |
| Sometimes, you may want to enforce OAuth login for your employees for security reasons, | |
| while it may not be appropriate to do so for portal users. This module intends to | |
| address this need. |
| This module controls login methods by email domain, requiring OAuth for | ||
| specified domains, as defined in company settings. No newline at end of file |
There was a problem hiding this comment.
| This module controls login methods by email domain, requiring OAuth for | |
| specified domains, as defined in company settings. | |
| This module enforces OAuth login for users with specific domains listed in the company | |
| settings. |
nobuQuartile
force-pushed
the
4777-add-auth_oauth_force_oauth
branch
from
3b0a54a to
a8d13ef
Compare
|
@yostashiro |
|
|
||
| @api.model | ||
| def _is_allowed_password_login(self): | ||
| force_domains = self.company_id.force_oauth_domains |
There was a problem hiding this comment.
| force_domains = self.company_id.force_oauth_domains | |
| # Skip enforcing the password login in Odoo.sh staging instances as their URIs are not predictable. | |
| if self.env["ir.config_parameter"].sudo().get_param("database.is_neutralized"): | |
| return True | |
| force_domains = self.company_id.force_oauth_domains |
|
@yostashiro |
|
I have the behaviour test in the staging env. |
nobuQuartile
changed the title
|
The ticket number has been changed. Please update the commit message when this PR is merged. |
5188