diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py index 1684480fa..b19693901 100644 --- a/auth_oidc/models/res_users.py +++ b/auth_oidc/models/res_users.py @@ -8,6 +8,7 @@ from odoo import api, models from odoo.exceptions import AccessDenied +from odoo.fields import Command from odoo.http import request _logger = logging.getLogger(__name__) @@ -44,6 +45,41 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params): # https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse return response_json.get("access_token"), response_json.get("id_token") + @api.model + def _auth_oauth_signin(self, provider, validation, params): + """ + retrieve and sign in the user corresponding to provider and validated + access token + + :param provider: oauth provider id (int) + :param validation: result of validation of access token (dict) + :param params: oauth parameters (dict) + :return: user login (str) + :raise: AccessDenied if signin failed + """ + login = super()._auth_oauth_signin(provider, validation, params) + user = self.search([("login", "=", login)]) + oauth_provider = self.env["auth.oauth.provider"].browse(provider) + # Assume the groups are exclusively managed via OAuth 'groups' + if user and oauth_provider.groups_field in validation: + group_updates = [] + for group_line in oauth_provider.group_line_ids: + if group_line.oauth_group_name in validation.get( + oauth_provider.groups_field + ): + _logger.debug( + f"Add user {user.id} to the group {group_line.group_id.id}" + ) + group_updates.append((Command.LINK, group_line.group_id.id)) + else: + _logger.debug( + f"Remove user {user.id} from the group {group_line.group_id.id}" + ) + group_updates.append((Command.UNLINK, group_line.group_id.id)) + if group_updates: + user.write({"groups_id": group_updates}) + return login + @api.model def auth_oauth(self, provider, params): oauth_provider = self.env["auth.oauth.provider"].browse(provider)
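Review bot: The membership test `group_line.oauth_group_name in validation.get(oauth_provider.groups_field)` in the new `_auth_oauth_signin` degrades to a substring match whenever the provider delivers the groups claim as a single string rather than a list, so a line named `admin` would also match a claim value of `admins` or `not-admin`, and a claim that is present with a `null` value raises `TypeError` instead of `AccessDenied`. I would normalise the claim once before the loop (wrap a bare string in a list, treat `None` as empty, build a set) and test membership against that, as sketched below; this also stops re-evaluating `validation.get(...)` for every group line. Note also that the `else` branch unlinks every configured group missing from the claim, while a token that omits the claim entirely leaves the user's existing groups untouched — worth stating in the docstring so administrators know an absent claim is not treated like an empty one. Minor: the `_logger.debug(f"...")` calls format eagerly; `_logger.debug("Add user %s to the group %s", user.id, group_line.group_id.id)` is the usual form.
```python
        if user and oauth_provider.groups_field in validation:
            claimed = validation.get(oauth_provider.groups_field)
            # A bare string would turn the `in` test below into a substring
            # match; a null claim would make it raise TypeError.
            if isinstance(claimed, str):
                claimed = [claimed]
            claimed = set(claimed or [])
            group_updates = []
            for group_line in oauth_provider.group_line_ids:
                if group_line.oauth_group_name in claimed:
                    # … unchanged: LINK/UNLINK bookkeeping and debug logging …
```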