Oauth1 Authentication

Start with setting up a new consumer by following the instructions on Configuration. When you have obtained a key and a secret you can try out OAuth 1.0 resapi/1.0/common/oauth1 the flow goes as follows to get authorized:

Note

OAuth endpoints:

1. POST {your_Odoo_server_url}/restapi/1.0/common/oauth1/request_token (Temporary Credential Request endpoint)

2. GET {your_Odoo_server_url}/restapi/1.0/common/oauth1/authorize (Resource Owner Authorization endpoint)

3. POST {your_Odoo_server_url}/restapi/1.0/common/oauth1/access_token (Token Credentials Request endpoint)

1. Temporary Credential Request

Obtain a request token that will identify you (the consumer) in the next step. At this stage, you will only need your consumer key and secret.

POST /restapi/1.0/common/oauth1/request_token

Request:

POST /restapi/1.0/common/oauth1/request_token HTTP/1.1
Host: {your_Odoo_server_url}
Authorization: OAuth oauth_consumer_key='uwCrAHAQbL7D9cvJLIztNaZ0bziEGMDh',
                     oauth_nonce='71257790252100875101500704380',
                     oauth_callback='https%3A%2F%2F127.0.0.1%2Fcallback',
                     oauth_signature_method='HMAC-SHA1',
                     oauth_timestamp='1500704388',
                     oauth_signature='KbLt0XDVjljXhMJHmmpWxHkFnfs%3D',
                     oauth_version='1.0'

Response:

HTTP/1.1 200 OK

{
  'oauth_token': 'mXYKtuv8k3NJfnpLMpU3KFuEijXx2Aat',
  'oauth_token_secret': 'QAlvAmzyULWeitpe24oNhj3n91los7W5'
}

Query Parameters:

• oauth_consumer_key – Odoo consumer key

• oauth_nonce – A randomly selected value provided by your application, which is unique for each authorization request. During the OAuth callback phase, your application must check that this value matches the one you provided during authorization. This mechanism is important for the security of your application.

• oauth_callback – An absolute URL to which the Odoo will redirect the User back when the Obtaining User Authorization step is completed.

• oauth_signature_method – The signature method that the Consumer used to sign the request. The protocol defines three signature methods: HMAC-SHA1, RSA-SHA1, and PLAINTEXT.

• oauth_timestamp – The timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT. The timestamp value MUST be a positive integer and MUST be equal to or greater than the timestamp used in previous requests.

• oauth_singature – Base64-encoded HMAC-SHA256 signature signed with the consumer’s private key containing all the components of the request and some OAuth value. The signature can be used to verify that the identity URL wasn’t modified because it was sent by the server.

• oauth_version – OPTIONAL. If present, the value MUST be 1.0. Odoo assumes the protocol version to be 1.0 if this parameter is not present. Odoo’s response to the non-1.0 value is left undefined.

Headers and Status Codes	Description
Request Headers	Accept – the response content type depends on Accept header Authorization – The OAuth protocol parameters to authenticate.
Response Headers:	Content-Type – this depends on Accept header of the request
Status Codes:	200 OK – no error 404 Not Found – there’s no resource 401 Unauthorized – authentication failed

2. Resource Owner Authorization

Obtain authorization from the user (resource owner) to access their protected resources (customers, orders, etc.). This is commonly done by redirecting the user to a specific URL to which you add the request token as a query parameter. Note that not all services will give you a verifier even if they should. Also, the oauth_token given here will be the same as the one in the previous step.

GET /restapi/1.0/common/oauth1/authorize

Request:

GET /restapi/1.0/common/oauth1/authorize HTTP/1.1
Host: {your_Odoo_server_url}

Response:

HTTP/1.1 200 OK

{
  'oauth_token': 'mXYKtuv8k3NJfnpLMpU3KFuEijXx2Aat',
  'oauth_verifier': 'sdflk3450FASDLJasd2349dfs'
}

Query Parameters:

oauth_token – OPTIONAL. The Request Token obtained in the previous step.

Headers and Status Codes
Request Headers	Accept – the response content type depends on Accept header Authorization – OPTIONAL OAuth token to authenticate
Response Headers	Content-Type – this depends on Accept header of the request
Status Codes	200 OK – no error 404 Not Found – there’s no resource 401 Unauthorized – authentication failed

3. Token Credentials Request

Obtain an access token from Odoo. Save this token as it can be re-used later. In this step, we will re-use most of the credentials obtained up til this point.

POST /restapi/1.0/common/oauth1/access_token

Request:

POST /restapi/1.0/common/oauth1/access_token HTTP/1.1
Host: {your_Odoo_server_url}
Authorization: OAuth oauth_consumer_key='uwCrAHAQbL7D9cvJLIztNaZ0bziEGMDh',
                     oauth_token='mXYKtuv8k3NJfnpLMpU3KFuEijXx2Aat',
                     oauth_nonce='156754554473268986001500738176',
                     oauth_signature_method='HMAC-SHA1',
                     oauth_timestamp='1500738189',
                     oauth_verifier='sdflk3450FASDLJasd2349dfs',
                     oauth_signature='KbLt0XDVjljXhMJHmmpWxHkFnfs%3D',
                     oauth_version='1.0'

Response:

HTTP/1.1 200 OK

{
  'oauth_token': 'RF7gImCv0B58eogLiPmOmNPizZEVVUWP',
  'oauth_token_secret': 'oxBUTIjTl8gfbxEv2jpXo5rRtQ16u3Lg'
}

Query Parameters

• oauth_consumer_key – Odoo consumer key

• oauth_token – The Request Token obtained previously.

• oauth_nonce – A randomly selected value provided by your application, which is unique for each authorization request. During the OAuth callback phase, your application must check that this value matches the one you provided during authorization. This mechanism is important for the security of your application.

• oauth_signature_method – The signature method that the Consumer used to sign the request. The protocol defines three signature methods: HMAC-SHA1, RSA-SHA1, and PLAINTEXT.

• oauth_timestamp – The timestamp is expressed in the number of seconds since January 1, 1970 00:00:00 GMT. The timestamp value MUST be a positive integer and MUST be equal to or greater than the timestamp used in previous requests.

• oauth_verifier – The verification code received from Odoo.

• oauth_singature – Base64-encoded HMAC-SHA256 signature signed with the consumer’s private key containing all the components of the request and some OAuth value. The signature can be used to verify that the identity URL wasn’t modified because it was sent by the server.

• oauth_version – OPTIONAL. If present, the value MUST be 1.0. Odoo assumes the protocol version to be 1.0 if this parameter is not present. Odoo’s response to the non-1.0 value is left undefined.

Headers and Status Codes	Description
Request Headers	Accept – the response content type depends on Accept header Authorization – The OAuth protocol parameters to authenticate
Response Headers	Content-Type – this depends on Accept header of the request
Status Codes	200 OK – no error 404 Not Found – there’s no resource 401 Unauthorized – authentication failed