Keycloak SSO Setup for Odoo
Single Sign-On (SSO) between Keycloak and Odoo: users already logged into Nekazari open Odoo without a second login.
Prerequisites
- Odoo module deployed and running
- Keycloak configured with the nekazari realm
- KEYCLOAK_PUBLIC_URL and ODOO_OAUTH_CLIENT_ID set in the ConfigMap
Step 1: Create Keycloak Client for Odoo
- Access the Keycloak Admin Console: https://auth.YOUR_DOMAIN/auth/admin/
- Select realm: nekazari
- Go to Clients → Create client
- Configure:

```text
Client ID: nekazari-odoo
Client Protocol: openid-connect
Client Authentication: ON (confidential)
Implicit Flow: ENABLED (required for Odoo 16 auth_oauth)
Valid Redirect URIs:
  - https://odoo.YOUR_DOMAIN/*
Web Origins:
  - https://odoo.YOUR_DOMAIN
  - https://frontend.YOUR_DOMAIN
```

- Go to the Credentials tab and copy the Client Secret (only needed if the authorization code flow is used in future)
Step 2: Deploy with Configuration
Replace YOUR_DOMAIN in k8s/configmap.yaml:

```yaml
KEYCLOAK_PUBLIC_URL: "https://auth.YOUR_DOMAIN/auth"
ODOO_OAUTH_CLIENT_ID: "nekazari-odoo"
ODOO_URL: "https://odoo.YOUR_DOMAIN"
```

Replace YOUR_DOMAIN in k8s/ingress.yaml for both the API and the Odoo direct ingresses.
Step 3: Automatic OAuth Configuration
When a tenant provisions Odoo (POST /api/odoo/tenant/provision), the backend automatically creates the Keycloak OAuth provider in the tenant’s Odoo database via XML-RPC. No manual setup per tenant is needed.

The provisioning response includes odooLoginUrl, a direct SSO URL that skips the Odoo login page entirely.
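As an added illustration of what the provisioning step does (example code, not the Nekazari backend’s own implementation): build the auth.oauth.provider record for the nekazari realm from the ConfigMap values above and create or update it in a tenant database over Odoo’s XML-RPC API. The provider name, button label, scope and the use of the Keycloak userinfo endpoint for validation are assumptions; the hosts are this page’s placeholders.

```python
import xmlrpc.client

# Constructed values mirroring the ConfigMap keys on this page (placeholder hosts).
KEYCLOAK_PUBLIC_URL = "https://auth.YOUR_DOMAIN/auth"
ODOO_OAUTH_CLIENT_ID = "nekazari-odoo"
REALM = "nekazari"


def keycloak_provider_values(public_url, client_id, realm=REALM):
    """Build the auth.oauth.provider record for a Keycloak realm.

    Implicit flow: Odoo receives the access token in the redirect and
    validates it against the userinfo endpoint, so no client secret is
    stored on the Odoo side (endpoint choice is an assumption)."""
    base = f"{public_url.rstrip('/')}/realms/{realm}/protocol/openid-connect"
    return {
        "name": "Keycloak (Nekazari)",           # assumed display name
        "client_id": client_id,
        "auth_endpoint": f"{base}/auth",
        "scope": "openid email profile",          # email is what user matching keys on
        "validation_endpoint": f"{base}/userinfo",
        "data_endpoint": f"{base}/userinfo",
        "enabled": True,
        "css_class": "fa fa-fw fa-sign-in",
        "body": "Log in with Nekazari",           # assumed button label
    }


def ensure_provider(models, db, uid, password, values):
    """Idempotent create: re-provisioning updates the existing record
    (matched on client_id) instead of adding a duplicate login button."""
    model = "auth.oauth.provider"
    ids = models.execute_kw(db, uid, password, model, "search",
                            [[["client_id", "=", values["client_id"]]]])
    if ids:
        models.execute_kw(db, uid, password, model, "write", [ids, values])
        return ids[0]
    return models.execute_kw(db, uid, password, model, "create", [values])


def provision(odoo_url, db, login, password, values):
    """Authenticate against the tenant database and install the provider."""
    common = xmlrpc.client.ServerProxy(f"{odoo_url}/xmlrpc/2/common")
    uid = common.authenticate(db, login, password, {})
    if not uid:
        raise RuntimeError("Odoo authentication failed; provider not created")
    models = xmlrpc.client.ServerProxy(f"{odoo_url}/xmlrpc/2/object")
    return ensure_provider(models, db, uid, password, values)
```

A failure inside ensure_provider is what surfaces as the “OAuth provider setup failed” log line mentioned under Troubleshooting.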
SSO Flow
- User logs into Nekazari via Keycloak
- User navigates to the Odoo module in Nekazari
- Clicks “Open Odoo ERP” → browser navigates to odooLoginUrl
- Odoo redirects to Keycloak → user already has a session → auto-redirect back
- Odoo creates/matches the user by email → user is logged in
User Matching
Users are matched by email address. The auth_oauth_nekazari_fix addon overrides Odoo’s signup to use the email as login (not the UUID), ensuring consistent matching.
Troubleshooting
OAuth Provider not visible in Odoo

- Ensure the auth_oauth module is installed: Settings → Apps → Search “auth_oauth”
- Check backend logs for “OAuth provider setup failed”
Token validation fails
- Verify the Keycloak client has Implicit Flow enabled
- Check redirect URIs match exactly (including trailing slash)
- Check CORS settings in Keycloak
User not created/matched
- Verify the email in Keycloak matches Odoo (case-sensitive)
- Check that the auth_oauth_nekazari_fix addon is installed
SSO URL missing (odooLoginUrl is null)
- Verify KEYCLOAK_PUBLIC_URL is set in the ConfigMap (not empty)
- Check that ODOO_URL is set (SSO requires an absolute URL)
- Re-provision or restart the backend to retry OAuth provider creation
Security Notes
- Client secrets are not needed on the Odoo side for the implicit flow
- Use HTTPS for all OAuth endpoints
- The list_db = True setting in odoo.conf is restricted by blocking /web/database/manager in the ingress