Implementing OAuth for email within Odoo

Guide to configuring modern email authentication with Outlook/Office 365 for better security and compliance
12 April 2022 by Open User Systems Ltd, Chris Mann

Cyber Security is a hot topic and will only become ever more critical as our reliance on technology grows.

Over the last few years there have been numerous public cases of exploits and security breaches, with attacks becoming more targeted and using ever more cunning techniques. Many exploit the shift to work-from-home, which created greater reliance on security and massive challenges for IT departments to manage.

OAuth was devised back in 2012 to help remove the reliance on username / password authentication and has since become the modern standard for authentication in online applications.
Instead of relying on a password, which is usually the main weak point, it uses unique access "tokens" which are specific to the software application.
Therefore, if there is a breach of security, you can revoke just a single client key and not have to reset passwords that are used by multiple systems or people.

Both Microsoft and Google have pushed for greater email security methods, making OAuth the recommended setting, along with MFA (Multi Factor Authentication).
At the date of writing this article it is still possible to enable password authentication in MS Office 365 and Google Gmail. However, in October 2022 Microsoft plans to disable this entirely. Google will likely follow soon after.

For those using Odoo with either of these email providers, it was important that an option exist to achieve modern authentication. Thankfully, in March 2022 this was implemented in the latest security updates across ALL recent Odoo versions, including V12-V16.

Follow the guide below to set this up on your own system with Odoo and Office 365.


Entra (Azure AD) Authentication

  1. Go to Azure AD Portal (https://aad.portal.azure.com/)

  2. Create a new app registration - named "My Company Odoo Outlook Email"

  3. Set the redirect URLs to: https://yourdomain.com/microsoft_account/authentication and https://yourdomain.com/microsoft_outlook/confirm

  4. In “Supported account types” choose “Accounts in any organizational directory (Any Azure AD directory – Multitenant)”

  5. From the Overview tab, click on "Managed Application in local directory". Then go to "Users and Groups". Ensure you add the Office 365 Admin user that you will be logged in as when authenticating to Odoo.

  6. Go to API Permissions and add the following as delegated permissions:
    SMTP.Send
    IMAP.AccessAsUser.All
    User.Read (may already be added)

  7. Go to the "Certificates & secrets" menu and create a new secret. Copy the "Client Secret" to a temporary text document (it will be lost if you do not).

  8. In your text document, also make a copy of the “Client ID” from the Overview section

Module Installation and Client ID

  1. In Odoo, log in as admin and enable debug mode (developer mode)

  2. Go to the apps page and search for Outlook. You should see microsoft_outlook and fetchmail_outlook. If not, you will need to update to the latest security patch of Odoo and then run “Update Apps List” to ensure you have the latest list of apps available for your version

  3. Install both apps for your provider (either Outlook or Gmail)

  4. Go to Settings > General Settings. You should see a section named "Outlook Credentials". Enter your Client ID and Client Secret here.

Mail Servers


  1. Go to Settings > Technical > Incoming Mail Servers

  2. You should see tickboxes for Gmail / Outlook

  3. Tick the relevant box and configure your server settings. Note: no password is needed here. Instead, a prompt will explain that you need to set your API credentials in General Settings, which we did in the earlier step

  4. For now, enter the correct details.
    Server Name: outlook.office365.com
    Port: 993
    SSL/TLS: Yes
    Username: [Email address of an Office 365 admin]

  5. You should see a link next to the password field called "Connect to Outlook".
    Click this and then log in with your Office 365 admin details to authenticate. [Outlook Token Valid] should be displayed.

  6. In Outgoing mail servers you may be using an SMTP relay in Office 365. If this is the case, you will not need to use OAuth and can instead use IP-based or certificate-based authentication.

    However, if you are using a single outgoing mailbox (fixed address), you can configure this in Odoo as an Outgoing mail server.

    For SMTP relay, use the settings:
    SMTP Server: mydomain-com.mail.protection.outlook.com
    Connection Security: TLS (STARTTLS)
    SMTP Port: 25
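
Once "Connect to Outlook" has succeeded, the incoming server from step 4 is accessed with an OAuth access token presented through the XOAUTH2 SASL mechanism instead of a password. The sketch below is an added example, not Odoo's own code or part of the original guide; the function names are hypothetical and the mailbox and token are constructed placeholders.

```python
import base64
import imaplib

IMAP_HOST = "outlook.office365.com"   # server name from the guide
IMAP_PORT = 993                       # SSL/TLS port from the guide
SAMPLE_USER = "odoo-mail@example.com"  # constructed mailbox address
SAMPLE_TOKEN = "CONSTRUCTED-TOKEN"     # constructed, not a real access token


def build_xoauth2(user: str, access_token: str) -> bytes:
    """Raw XOAUTH2 response: user=<mailbox>^Aauth=Bearer <token>^A^A."""
    for name, value in (("user", user), ("access_token", access_token)):
        # \x01 delimits the fields, so control characters in a value are refused.
        if not value or any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
            raise ValueError(f"{name} is empty or contains control characters")
    return f"user={user}\x01auth=Bearer {access_token}\x01\x01".encode("utf-8")


def wire_form(user: str, access_token: str) -> str:
    """Base64 text as it appears after AUTHENTICATE XOAUTH2 in a protocol trace."""
    return base64.b64encode(build_xoauth2(user, access_token)).decode("ascii")


def parse_wire_form(b64: str) -> dict:
    """Decode a captured XOAUTH2 response back into its fields."""
    raw = base64.b64decode(b64, validate=True)
    if not raw.endswith(b"\x01\x01"):
        raise ValueError("missing \\x01\\x01 terminator")
    fields = {}
    for part in raw[:-2].split(b"\x01"):
        key, sep, value = part.partition(b"=")
        if not sep:
            raise ValueError("field without '='")
        fields[key.decode("utf-8")] = value.decode("utf-8")
    return fields


def redact(b64: str) -> str:
    """Loggable summary: keeps the mailbox, hides the bearer token."""
    fields = parse_wire_form(b64)
    token = fields["auth"][len("Bearer "):]
    return f"user={fields['user']} auth=Bearer <redacted, {len(token)} chars>"


def connect(user: str, access_token: str) -> imaplib.IMAP4_SSL:
    """Log in with the token (needs network access, so never run on import)."""
    conn = imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT)
    conn.authenticate("XOAUTH2", lambda _challenge: build_xoauth2(user, access_token))
    return conn
```

The base64 form is only an encoding, so anyone who can read a trace or debug log containing it holds a usable bearer token until it expires; log the `redact()` output rather than the raw exchange.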

References

Some useful references below cover other aspects of setting up Office 365 integration of emails with Odoo. The Ventor guide in particular is very good as a starting point.
There are also guides for setting up calendar integration, which can use the same Client ID / Secret that you set up for the email integration if you wish, or you can create new ones.
The guide for Gmail is similar; however, you must follow the specific Google advice for creating API credentials as per the calendar guide.
