Technical Name: auth_from_http_remote_user
License: AGPL-3
Website: https://github.com/OCA/server-auth
Versions: 11.0 13.0 9.0 12.0

Authentication From HTTP Remote User

This module initializes the session by looking for the field HTTP_REMOTE_USER in the headers of the HTTP request and trying to bind the given value to a user. To be active, the module must be installed in the expected databases and loaded at startup; add the --load parameter to the startup command:

--load=web,auth_from_http_remote_user, ...

If the field is found in the header and no user matches the given one, the system issues a login error page (401 Unauthorized).

Configuration

The module allows integration with external security systems [1] that can pass along the authentication of a user via the Remote_User HTTP header field. In many cases, this is achieved via a server like Apache HTTPD or nginx proxying Odoo.

Important

When proxying your Odoo server with Apache or nginx, it's important to filter out the Remote_User HTTP header field before your request is processed by the proxy, so that a value supplied by the client is never forwarded to Odoo as an authenticated identity. In Apache, you can do this with the RequestHeader directive in your VirtualHost section:

<VirtualHost *:80>
 ServerName MY_VHOST.com
 ProxyRequests Off
...

 RequestHeader unset Remote-User early
 ProxyPass / http://127.0.0.1:8069/  retry=10
 ProxyPassReverse  / http://127.0.0.1:8069/
 ProxyPreserveHost On
</VirtualHost>

How to test the module with Apache [2]

Apache can be used as a reverse proxy that provides the authentication and adds the required field to the HTTP headers.

Install apache:

$ sudo apt-get install apache2

Define a new vhost for Apache by adding a new file in /etc/apache2/sites-available:

$ sudo vi  /etc/apache2/sites-available/MY_VHOST.com

with the following content:

<VirtualHost *:80>
  ServerName MY_VHOST.com
  ProxyRequests Off
  <Location />
    AuthType Basic
    AuthName "Test Odoo auth_from_http_remote_user"
    AuthBasicProvider file
    AuthUserFile /etc/apache2/MY_VHOST.htpasswd
    Require valid-user

    RewriteEngine On
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RequestHeader set Remote-User "%{RU}e" env=RU
  </Location>

  RequestHeader unset Remote-User early
  ProxyPass / http://127.0.0.1:8069/  retry=10
  ProxyPassReverse  / http://127.0.0.1:8069/
  ProxyPreserveHost On
</VirtualHost>

Important

The RequestHeader directive is used to add the Remote-User field to the HTTP headers. By default an 'Http-' prefix is added to the field name. In Odoo, header field names are normalized. As a result of this normalization, 'Http-Remote-User' is available as 'HTTP_REMOTE_USER'. If you don't know how your specified field is seen by Odoo, run your server in debug mode once the module is activated and look for an entry like:

DEBUG openerp1 openerp.addons.auth_from_http_remote_user.controllers.session:
Field 'HTTP_MY_REMOTE_USER' not found in http headers
{'HTTP_AUTHORIZATION': 'Basic YWRtaW46YWRtaW4=', ...,
'HTTP_REMOTE_USER': 'demo')

Enable the required apache modules:

$ sudo a2enmod headers
$ sudo a2enmod proxy
$ sudo a2enmod rewrite
$ sudo a2enmod proxy_http

Enable your new vhost:

$ sudo a2ensite MY_VHOST.com

Create the htpasswd file used by the configured basic authentication:

$ sudo htpasswd -cb /etc/apache2/MY_VHOST.htpasswd admin admin
$ sudo htpasswd -b /etc/apache2/MY_VHOST.htpasswd demo demo

For a local test, add MY_VHOST.com to your /etc/hosts file.

Finally reload the configuration:

$ sudo service apache2 reload

Open your browser and go to MY_VHOST.com. If everything is configured correctly, you are prompted for a login and password outside Odoo and are then automatically logged into the system.
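A static check for the two notes above (strip the client-supplied header, and know under which key Odoo sees it), added here as an example that is not part of the module or of the original page: it scans Apache configuration text and reports, for each proxying VirtualHost, whether Remote-User is unset early. The function names, the sample configuration and the host other.example are assumptions made for this illustration.

```python
import re

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
REQHDR_RE = re.compile(r"^[ \t]*RequestHeader[ \t]+(\w+)[ \t]+(\S+)(.*)$", re.I | re.M)

def wsgi_key(header_name):
    """Environ key under which a WSGI app such as Odoo sees a request header."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def audit_vhosts(config_text, header="Remote-User"):
    """One finding per proxying <VirtualHost>: is the client's header unset early?"""
    findings = []
    for block in VHOST_RE.findall(config_text):
        # Ignore commented-out directives.
        body = "\n".join(l for l in block.splitlines() if not l.lstrip().startswith("#"))
        if not re.search(r"^[ \t]*ProxyPass[ \t]", body, re.I | re.M):
            continue  # not a reverse proxy, nothing is forwarded to Odoo
        name = re.search(r"^[ \t]*ServerName[ \t]+(\S+)", body, re.I | re.M)
        stripped = sets = False
        for action, hdr, rest in REQHDR_RE.findall(body):
            if hdr.strip('"').lower() != header.lower():
                continue
            if action.lower() == "unset" and "early" in rest.lower().split():
                stripped = True  # incoming value removed before other processing
            elif action.lower() in ("set", "add", "append", "merge", "setifempty"):
                sets = True      # the proxy itself writes the header
        findings.append({"server": name.group(1) if name else None,
                         "environ_key": wsgi_key(header),
                         "proxy_sets_header": sets, "client_value_stripped": stripped})
    return findings

# Constructed sample: the first vhost follows the page's test setup, the second
# (hypothetical host name) proxies to Odoo without unsetting the incoming header.
SAMPLE = """
<VirtualHost *:80>
  ServerName MY_VHOST.com
  <Location />
    RequestHeader set Remote-User "%{RU}e" env=RU
  </Location>
  RequestHeader unset Remote-User early
  ProxyPass / http://127.0.0.1:8069/ retry=10
</VirtualHost>
<VirtualHost *:80>
  ServerName other.example
  ProxyPass / http://127.0.0.1:8069/ retry=10
</VirtualHost>
"""

if __name__ == "__main__":
    print(*audit_vhosts(SAMPLE), sep="\n")
```

Any finding with client_value_stripped set to False marks a vhost to fix before the module is enabled behind it.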

[1] Shibboleth, Tivoli Access Manager, ...
[2] Based on an Ubuntu 12.04 environment

Bug Tracker

Bugs are tracked on GitHub Issues. In case of trouble, please check there if your issue has already been reported. If you spotted it first, help us to smash it by providing detailed and welcomed feedback.

Credits

Images

  • Odoo Community Association: Icon.

Contributors

  • Laurent Mignon

Maintainer

Odoo Community Association

This module is maintained by the OCA.

OCA, or the Odoo Community Association, is a nonprofit organization whose mission is to support the collaborative development of Odoo features and promote its widespread use.

To contribute to this module, please visit https://odoo-community.org.

Behaviour of logout with this module
by Isabelle Richard on 3/9/21, 6:13 AM

Hi,

Thanks for this great module, this really helped us for authentication via a reverse proxy.

I have a question about logout: some users use the menu "Logout", and then after refreshing to try to access the application, this error is persistent:

You don't have the permission to access the requested resource. It is either read-protected or not readable by the server.

Any idea of how to fix that? Maybe we should disable the ability to log out from Odoo, by adding the menu?