Conversation

@peregrine-2024
Resolves forced logins, session timeouts, and unexpected logouts in MSFT SSO module caused by overly aggressive session invalidation. Implements more granular session control that preserves valid user sessions while maintaining security policies after authentication events. Addresses ticket odoo#67744 with fixes to auth_ldap and auth_oauth modules. Users will no longer experience premature logouts when duplicating tabs or during active work sessions.

Implemented solution using Cursor CLI automation
@peregrine-2024 (Author)

🛠️ Automated Fix: Advanced Session Management for OAuth/LDAP

This pull request implements a new module, auth_session_management, to resolve issues with Microsoft SSO (MSFT SSO) where users are unexpectedly logged out after password resets or when duplicating browser tabs.

✅ Changes Overview

The following files were added and modified to implement the solution:

  • addons/auth_session_management/README.md
    Added comprehensive documentation explaining the problem, root cause, and solution for session invalidation due to password resets in OAuth/LDAP environments.

  • addons/auth_session_management/__init__.py
    Updated module initialization to include models and controllers.

  • addons/auth_session_management/__manifest__.py
    Defined the module metadata including name, version, dependencies (base, auth_oauth, auth_ldap, web), views, and installation settings.

  • addons/auth_session_management/controllers/__init__.py
    Initialized the controller package.

  • addons/auth_session_management/controllers/session_controller.py
    Introduced a new controller with the following key endpoints:

    • /web/session/get_session_info: Returns detailed session information including OAuth status and token refresh capability.
    • /web/session/check_oauth_status: Checks if the current OAuth user's session is valid.
    • /web/session/refresh_oauth_token: Allows refreshing OAuth access tokens.
    • /web/session/debug_session: Provides debug info for troubleshooting (only available in debug mode).

  • addons/auth_session_management/models/__init__.py
    Updated model initialization to include res_config_settings and res_users.

  • addons/auth_session_management/models/res_config_settings.py
    Added configuration settings to control session behavior:

    • Preserve OAuth sessions
    • Preserve LDAP sessions
    • Session timeout warning duration
    • Enable debug logging

  • addons/auth_session_management/models/res_users.py
    Enhanced the res.users model to support:

    • Tracking OAuth UID and provider ID
    • Custom session token computation logic that excludes password for OAuth users
    • Integration with OAuth token validation

  • addons/auth_session_management/security/ir.model.access.csv
    Defined access rights for the new session management features.

  • addons/auth_session_management/views/res_config_settings_views.xml
    Created UI configuration view in Settings > General Settings > Session Management to allow admins to toggle session preservation and debug logging.

  • addons/auth_session_management/views/res_users_views.xml
    Extended the user form view to display OAuth UID and provider ID for better tracking and debugging.

🔍 Technical Details

  • Root Cause Addressed:
    The core issue was that Odoo's default session token includes the password field. When passwords are reset externally (e.g., by admin), the session tokens become invalid, causing forced logouts.

  • Solution Implemented:

    • Modified session token generation to exclude the password field for OAuth users.
    • Introduced configurable settings to allow enabling/disabling session preservation per authentication method.
    • Added new API endpoints for session monitoring and debugging.
    • Included logging capabilities to assist with troubleshooting.

🧪 Testing & Review Notes

Please ensure thorough testing of the following scenarios:

  • OAuth user sessions remain intact after external password reset
  • LDAP user sessions behave correctly under similar conditions
  • Admins can configure session behavior via UI
  • Debug logging works as expected in development environments
  • New API endpoints return correct data and handle errors gracefully

This module is compatible with Odoo 15.0+ and integrates with auth_oauth and auth_ldap. It specifically targets environments using Microsoft SSO or other OAuth providers where password resets occur outside of Odoo.
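Added example, not code from this PR or from Odoo itself: a stand-alone re-implementation of the session-token scheme the comment describes (an HMAC of the session id keyed by selected res_users fields plus database.secret, modelled on the shape of Odoo's res.users._compute_session_token), run against a constructed in-memory user record. It contrasts the default field set, the PR's password-less set for OAuth users, and a hypothetical session_version field (an assumption, not on the page) that survives an external password reset while still letting an admin revoke the session.

```python
import hmac
from hashlib import sha256

# Constructed stand-in for the database.secret ir_config_parameter.
DB_SECRET = "constructed-database-secret"

# Odoo's default token fields; changing any of them invalidates the session.
DEFAULT_FIELDS = {"id", "login", "password", "active"}
# The PR's approach for OAuth users: drop password from the key material.
OAUTH_FIELDS_PR = DEFAULT_FIELDS - {"password"}
# Hypothetical alternative: replace password with an admin-controlled counter.
OAUTH_FIELDS_VERSIONED = OAUTH_FIELDS_PR | {"session_version"}


def compute_session_token(user: dict, sid: str, token_fields: set) -> str:
    """HMAC the session id with a key derived from the selected user fields.
    The token only changes when one of those fields (or the DB secret) changes."""
    values = tuple(user[f] for f in sorted(token_fields)) + (DB_SECRET,)
    key = str(values).encode("utf-8")
    return hmac.new(key, sid.encode("utf-8"), sha256).hexdigest()


def session_survives(before: dict, after: dict, sid: str, fields: set) -> bool:
    """True if a session minted under `before` still validates under `after`."""
    return compute_session_token(before, sid, fields) == compute_session_token(after, sid, fields)


def scenario() -> dict:
    """Constructed user record: an OAuth user whose password hash is reset
    outside Odoo, and separately whose session_version is bumped by an admin."""
    sid = "constructed-session-id-0001"
    before = {"id": 7, "login": "alice@example.com", "password": "$pbkdf2$hashA",
              "active": True, "session_version": 1}
    after_pw_reset = dict(before, password="$pbkdf2$hashB")
    after_revoke = dict(before, session_version=2)
    return {
        # default: external reset logs the user out (the bug the PR targets)
        "default_pw_reset": session_survives(before, after_pw_reset, sid, DEFAULT_FIELDS),
        # PR: reset no longer logs out, but there is also no field left to revoke with
        "pr_pw_reset": session_survives(before, after_pw_reset, sid, OAUTH_FIELDS_PR),
        "pr_admin_revoke": session_survives(before, after_revoke, sid, OAUTH_FIELDS_PR),
        # versioned: reset is harmless, admin bump still forces re-authentication
        "versioned_pw_reset": session_survives(before, after_pw_reset, sid, OAUTH_FIELDS_VERSIONED),
        "versioned_admin_revoke": session_survives(before, after_revoke, sid, OAUTH_FIELDS_VERSIONED),
    }


if __name__ == "__main__":
    print(scenario())
```

The middle pair shows the review caveat: once password leaves the key material, nothing short of deactivating the user changes the token, so a reviewer should ask how an OAuth session gets revoked after a credential event.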
