A made-to-order OpenID Connect and OAuth2 login layer for Odoo that connects your sign-in page to any enterprise or social identity provider from a single discovery URL. ECOSIRE builds, installs, and supports it around your exact provider, claim mapping, and security policy. Built to order by ECOSIRE for Odoo 17, 18, 19 — indicative price from $299.00 USD; request a quote for a scoped proposal.

A made-to-order OpenID Connect and OAuth2 login layer for Odoo that connects your sign-in page to any enterprise or social identity provider from a single discovery URL. ECOSIRE builds, installs, and supports it around your exact provider, claim mapping, and security policy.
No payment now. This sends a quote request to our team — we'll follow up by email with pricing and next steps.
Most teams reach a point where "one more Odoo password" is the problem, not the solution. Your staff already authenticate to Google Workspace, Microsoft/Entra, or a self-hosted identity server every morning, yet Odoo keeps its own separate credential store. Odoo Community ships auth_oauth, but out of the box it is geared toward a short list of hard-coded social providers and — critically — still leans on the OAuth2 implicit flow, which returns tokens directly in the browser URL fragment and does no cryptographic verification of the ID token against the provider's signing keys. For a modern enterprise IdP that speaks OpenID Connect, that native path is either brittle to configure or falls short of what your security team will sign off on. This is where teams run out of road: they want a real OIDC client, provider-agnostic, standards-correct, and mapped to their own Odoo groups — not a fixed menu of buttons.
Generic OpenID Connect client configured from a single issuer / `.well-known/openid-configuration` discovery URL — no hand-wiring of authorize, token, JWKS, or userinfo endpoints
Provider presets for the major enterprise and social identity platforms, each configurable in minutes on top of the discovery layer
Authorization Code flow with PKCE for public-client security, a hardening over Odoo core's implicit-flow default
ID-token signature verification against the provider's JWKS endpoint, with automatic signing-key rotation so routine key rolls never lock users out
Just-in-time `res.users` creation and profile sync (name, email, avatar) from OIDC claims on first and subsequent logins
Claim-to-group mapping that translates provider roles/groups into Odoo `res.groups` security groups on every login (re-evaluated, not just at signup)
ECOSIRE builds that client for you. The core is a generic OpenID Connect provider record configured from a single issuer or .well-known/openid-configuration discovery URL, so onboarding a new provider is a matter of pasting one endpoint rather than hand-wiring authorize, token, JWKS, and userinfo URLs. On top of the discovery layer we ship provider presets for the identity platforms you are most likely to use, each rendering its own branded button on the Odoo sign-in page via QWeb template inheritance. Authentication runs the Authorization Code flow with PKCE — a hardening over Odoo's implicit-flow default — and the returned ID token is validated against the provider's JWKS endpoint, with automatic key-rotation handling so a routine key roll at the IdP never locks your users out.
Technically, the work lives in a clean-room addon with its own __manifest__.py declaring dependencies on base, web, and auth_oauth. Provider configuration is a new models.Model with fields for the issuer, client id, secret, scopes, and enforcement flags, plus @api.depends computes that derive endpoints from discovery. Access is locked down through ir.model.access.csv and record rules so only administrators read client secrets, and a token/claim inspection log lets you troubleshoot a failed login by seeing exactly which claims arrived — without ever exposing the secret. On each successful login the addon performs just-in-time user creation and profile sync (name, email, avatar) from OIDC claims, and applies claim-to-group mapping so a provider role or group membership translates into the correct Odoo security groups (res.groups) every time the user signs in. You can run multiple concurrent providers, restrict a provider to whitelisted email domains, fetch the userinfo endpoint for IdPs that issue thin ID tokens, and optionally enforce "SSO only" so matched users can no longer fall back to a password. Everything is built and tested for Odoo 17.0, 18.0, and 19.0, Community or Enterprise.
Because this is build-to-order, delivery follows a defined path rather than an instant download: a short scoping call to confirm your provider(s), the exact claims available in your tokens, and your group-mapping and enforcement rules; then we build against a spec, deliver to a staging database for UAT, and cut over with a rollback plan. Typical delivery is 2–4 weeks from confirmed scope. Pricing starts from $299 (indicative, single-company base scope); additional identity providers, complex claim-to-group and domain-restriction rules, multi-company or multi-database rollouts, and deeper enforcement/audit requirements increase the quoted scope. You receive a fixed quote after the scoping call — never a surprise.
Runs Odoo alongside Google Workspace or Microsoft/Entra and wants staff to sign in with their existing corporate identity — quick to onboard, no separate Odoo password to reset, and users provisioned automatically on first login.
Won't approve implicit-flow logins or unverified tokens. Needs Authorization Code + PKCE, JWKS signature validation, an audit trail of who authenticated via which provider, and the ability to enforce SSO-only for sensitive accounts.
Operates an in-house OIDC provider and needs Odoo to be just another relying party — driven by a discovery URL, with provider group claims mapped straight into Odoo security groups so access follows the same source of truth as the rest of the stack.
Tired of manually creating and deactivating Odoo users as people join and leave. Wants just-in-time provisioning, domain-restricted access, and profile sync so directory changes flow into Odoo without an admin ticket for every hire.
Buy the license on ecosire.com and download the OAuth / OIDC Login module ZIP from your account dashboard.
Extract the ZIP into your Odoo custom addons folder on the server (or upload via Apps > Install from file on Odoo.sh / runbot).
Activate Developer Mode, open Apps, click Update Apps List, search for OAuth / OIDC Login, and press Install.
Open the new menu, paste your ECOSIRE license key, connect any external credentials (Shopify, Amazon, Stripe, etc.), and save.
Run the built-in connection test, sync your first 10 records, and schedule the recurring cron. Contact support if anything fails.
| Criterion | ECOSIRE | Custom Build | Competitor | Odoo Native |
|---|---|---|---|---|
| OIDC standards support | Full OIDC client: Auth Code + PKCE, JWKS validation | Depends entirely on your developer's depth | Varies; often implicit flow or partial OIDC | |
| Provider onboarding | Single discovery URL derives all endpoints | Hand-wired per provider unless you build discovery | Usually a fixed provider list | |
| Claim-to-group mapping | Provider roles mapped to Odoo groups each login | Buildable but costs dev time to get right | Rarely included or superficial | |
| Just-in-time provisioning + profile sync | Name, email, avatar synced on every login | Possible with extra scope | Basic user creation, limited sync | |
| SSO enforcement & domain restriction | Per-provider SSO-only + email-domain whitelist | Extra work to design and secure | Seldom offered | |
| Fit to your exact providers | Built and tested against your real IdP + claims | Fully bespoke but you carry the risk | Generic; you adapt to it | |
| Troubleshooting & audit | Claim inspection log, secrets protected by ACLs | Only if explicitly built | Limited visibility | |
| Support & ownership | Support window, docs, training, git handover | You own maintenance from day one | Vendor SLA varies; no source access |
This is a build-to-order product, not an instant download. After a scoping call to confirm your provider(s), available claims, and group-mapping rules, typical delivery is 2–4 weeks from confirmed scope. We build against the agreed spec, deliver to a staging database for UAT, and cut over with a rollback plan.
Pricing starts from $299, which is indicative for a single-company base scope with one provider. Additional identity providers, complex claim-to-group or domain-restriction rules, multi-company or multi-database rollouts, and deeper enforcement/audit needs increase the scope. You receive a fixed written quote after the scoping call — the from-price is a starting point, not a final number.
Any provider that supports OpenID Connect discovery. Because the client is driven by a single issuer / `.well-known/openid-configuration` URL, it works with the common enterprise and social platforms as well as self-hosted identity servers. We ship presets for the most-used platforms and confirm your specific provider during scoping.
Odoo core's `auth_oauth` targets a fixed set of social providers and relies on the implicit flow with no cryptographic verification of the ID token. We build a full OIDC client: Authorization Code flow with PKCE, JWKS signature validation with automatic key rotation, discovery-based configuration, claim-to-group mapping, and per-provider SSO enforcement — standards-correct and provider-agnostic.
Yes. We build and regression-test for Odoo 17.0, 18.0, and 19.0 on both Community and Enterprise. You tell us your version during scoping and we deliver an addon compatible with that major version.
Every build includes a defined post-go-live support window for defect fixes and configuration adjustments, plus a git repository handover so your team owns the code. For ongoing coverage across Odoo point releases and provider metadata changes, we offer a support/maintenance arrangement scoped to your environment.
Yes. Each provider can be set to 'SSO only', which disables password fallback for users matched to that provider, so those accounts can only authenticate through your identity provider. You can apply this selectively rather than across the whole database.
A made-to-order OpenID Connect and OAuth2 login layer for Odoo that connects your sign-in page to any enterprise or social identity provider from a single discovery URL. ECOSIRE builds, installs, and supports it around your exact provider, claim mapping, and security policy.