Accessing ODOO with BrowZer

Introduction

This guide is a walkthrough of how to set up a BrowZer application to access ODOO. Please visit this video link for the presentation.

Naming Conventions

In this document you may see the following acronyms, phrases, or words. This section explains what they represent in general terms.

  • Zero Trust: “The main concept behind zero trust is ‘never trust, always verify’, which means that devices should not be trusted by default, even if they are connected to a managed corporate network such as the corporate LAN and even if they were previously verified.” (Wikipedia)

  • Ziti SDK: Zero Trust Software Development Kit created by NetFoundry, which is an interface to a ZITI network. The ZITI SDK enables easy application modification (pre-compile) to augment the way the application requests access to the resources it requires to perform work. ZITI SDKs and the associated ZITI-enabled applications are completely open-source works on GitHub. AKA - THE FUTURE!

  • Service Policy (AppWan): A Service Policy (AppWan) is a policy group of Identities (Endpoints) that are allowed to access other Identities (Endpoints) that provide services.

  • Console: The CloudZiti NPaaS, multitenant, cloud solution which NetFoundry customers use to manipulate, augment, create, and destroy elements of a ZITI network.

  • VPN: Virtual Private Network: A mechanism, implemented in many different ways, that transports data on behalf of applications running on a CLIENT device. It is generally designed to extend a private network over public infrastructure and normally includes security protocols to protect the traffic while doing so. VPNs were not designed with Zero Trust in mind: they must be heavily augmented to protect private services from unauthorized access, even by authenticated devices/users. AKA - THE OLD WAY!

  • BrowZer: A group of Ziti components that work in concert to enable and facilitate clientless browser access to web servers that are dark on the internet.

  • ODOO: An open-source suite of integrated business applications that includes modules for various business needs such as CRM (Customer Relationship Management), sales, inventory management, manufacturing, financial management, and more.

Prerequisites

  • A Cloud Ziti Network up and running.
  • An ODOO instance up and running with an edge router. Please follow the Appendix instructions to install ODOO and an autonomous edge router. In this example document, the edge router is named ODOO-ER.


Deployment 

Part 1: Setup Needed Items to support a BrowZer Application

In this section:

In the Console, Create a NetFoundry Hosted Edge Router with the WSS Listener enabled. BrowZer requires at least one Edge Router with the WSS Listener enabled. Launching a NetFoundry Hosted Edge Router is recommended.

In the Console, Create an Edge Router Policy to ensure this router is available to your Identities (Endpoints).

In the Console, Create the Service you will use to access ODOO. We recommend using an Advanced Service. For the FORWARD ADDRESS, use the container name "odoo" or the container's IP address. The FORWARD PORT should be 8069.

In the Console, Create a Service Policy (AppWan) to allow access for the client Identities we’ll create later.

Part 2: Auth0 & JWT Signer

In this section:

  • Create an Auth0 Account
  • Create an Auth0 Application(SPA)
  • Add callback & logout
  • Create an Auth0 API
  • Create an Auth0 Custom Trigger
  • Gather Information from Auth0 needed
  • Create a new JWT Signer
  • Create a new Authentication Policy
  • Create or update the Identities(Endpoints)

This tutorial follows the Auth0 settings. Other IdPs will have their own settings. If you don't already have an account you can sign up for a free account at https://auth0.com/signup

Adding a new Application in Auth0

Once you have an account set up you can add a new "Application":

Then click on "Create Application":

Then create a "Single Page Web Application".

Adding the callback & logout URL to your BrowZer App(s) you created

All BrowZer Apps have the following template:

https://<APP_NAME>.<NET_NAME>.browzer.cloudziti.io

where:

  • APP_NAME is the name we’ll assign to the BrowZer app we’ll create.
  • NET_NAME is the name we’ll assign the first time you click on “BrowZer Apps”.

In Auth0, under Application/Settings you'll find "Allowed Callback URLs" & "Allowed Logout URLs".

You can add one callback URL for all apps created under the same NET_NAME; in this case, NET_NAME=natashell. The URL needs to be in this format: https://*.<NET_NAME>.browzer.cloudziti.io

For example:

https://*.natashell.browzer.cloudziti.io

Create an API

Now you can add a new "API":

Click on "Create API".

Fill out the form, using the following URL as the Identifier:

https://<APP_NAME>.<NET_NAME>.browzer.cloudziti.io

Create a custom trigger

Under Actions select "Triggers":

Click on "post-login":

Click on the + symbol & select "Build from Scratch":

Name the new Action "Add Email to Access Token":

Remove the prefilled content & paste the following:

/**
 * Handler called during a PostLogin flow.
 *
 * @param {Event} event - Details about the user and the
 * context in which they are logging in.
 * @param {PostLoginAPI} api - Interface whose methods can be
 * used to change the behavior of the login.
 */
exports.onExecutePostLogin = async (event, api) => {
  // Only add the claim when a token is actually being issued for this login.
  if (event.authorization) {
    // Copy the user's email into the access token so the JWT Signer (Part 2)
    // can read the "email" claim and match it to an Identity's External Id.
    api.accessToken.setCustomClaim('email', event.user.email);
  }
};

then click on "Deploy":

Return to "post-login" & click on "Custom".

Click and drag your "Add Email to Access Token" Action onto the Trigger, drop it into place, then click Apply in the top right.

Gathering Information from Auth0

In order to set up the new JWT Signer we'll need to gather some information from the Auth0 Application that was just created.

From the Application, note the following values. Under Basic Information, record the “Domain” and “Client ID”.

Scroll down to the Advanced Settings and click on Endpoints.

You’ll also need to write down the OAuth Token URL (used during the BrowZer App creation) and the JSON Web Key Set URL.
Adding a JWT Signer & Authentication Policy

Create the JWT Signer

In the Console, Create a new JWT Signer

Using the values from Auth0 fill out the information in the new JWT Signer dialog.

For the ISSUER, use the “Domain” value in the form:

https://<Domain>/

(Please make sure to add the trailing slash.)

For the Audience, use the Identifier you used when creating the API above.

For the JWKS Endpoint, use the "JSON Web Key Set URL" value.

For the External Auth URL, use the "OAUTH Token URL" value.

Finally, set the JWT Claim to "email" & the Identities field to "External Id".

Create the Authentication Policy

In the Console, Create a new Authentication Policy

In this example we disable the certificate options & use only the JWT Signer as the Authenticator.

Create or Assign Identities(Endpoints) to the Authentication Policy

In the Console, Create or update the Identities (Endpoints) that will have access to BrowZer. Please ensure you have added the attributes you defined in your Service Policy (AppWan) to the Identities (Endpoints) so they have access to the service.

Finally, make sure each Identity is assigned the Authentication Policy you created for BrowZer.

Part 3: The BrowZer Application

In this section:

Make sure to complete the BrowZer Getting Started flow by clicking on BrowZer Apps in the navigation menu.

Create a BrowZer Application

In the MOP Console, Create a new BrowZer Application.

For the App Entry, select the service you created in Part 1.

For the Public URL, you’ll set a name for your app (APP_NAME); this name determines the full URL you’ll use to access your service securely. In this case, APP_NAME=private-app and the URL is:

https://private-app.natashell.browzer.cloudziti.io/

Set the OIDC Base URL to the “Domain” value from Auth0 in Part 2, in the format:

https://<domain>

(This time without a trailing slash.)

Set the Client ID to the "Client ID" value you got from Auth0 in Part 2.

Access your Application

The access URL is the one you got in the previous step. For this tutorial the URL is https://private-app.natashell.browzer.cloudziti.io/

After authenticating, you will be connected to the ODOO landing page. If this is your first time connecting to the page, you will be presented with the following screen. Please reset the master password. You can then create a database. The user name and password were set up in the docker compose file (please refer to the Appendix for more information).

If you have already created a database, your landing page looks like this:

APPENDIX

Create Your Own ODOO Instance

On any Linux/Windows machine, create a working directory for the ODOO instance. We’ll call this directory WORK_DIR.

cd into WORK_DIR and create a file called .env. This will hold the configuration required to create the ODOO database and the required passwords.

The .env file also holds the registration key for the edge router. You need to create a customer hosted edge router in the CloudZiti Console and enter its registration key (REG_KEY) into this file.

Please follow this guide for detailed information on how to deploy an edge router.

POSTGRES_DB=postgres
POSTGRES_PASSWORD=rSQXEEOujTkyAaMmyoK42YKgRQCoq7TRYWz6xu2L
POSTGRES_USER=odoo
PGDATA=/var/lib/postgresql/data/pgdata
HOST=postgres
USER=odoo
PASSWORD=rSQXEEOujTkyAaMmyoK42YKgRQCoq7TRYWz6xu2L
VERBOSE=1
REG_KEY=ONETIMEKEY

Create a docker compose file (docker-compose.yaml) in your WORK_DIR, where you define the services needed for ODOO. The following docker compose example defines four containers:

  • odoo (required)
  • postgres db (required)
  • edge router (er) (required)
  • nginx (optional).

version: '3'
services:
  odoo:
    container_name: odoo
    image: odoo:latest
    env_file: .env
    depends_on:
      - postgres
    volumes:
      - ./addons-extra:/mnt/extra-addons
      - odoo-web-data:/var/lib/odoo
    ports:
      - "127.0.0.1:8069:8069"
  nginx:
    container_name: nginx
    image: nginx:latest
    restart: unless-stopped
    depends_on:
      - odoo
    volumes:
      - ./nginx/conf:/etc/nginx/conf.d
    ports:
      - "127.0.0.1:8080:80"
  postgres:
    image: postgres:13
    env_file: .env
    volumes:
      - db:/var/lib/postgresql/data/pgdata
  er:
    container_name: netfoundry-er
    image: netfoundry/autonomous-router:latest
    restart: unless-stopped
    env_file: .env
    volumes:
      - ./ziti_router:/etc/netfoundry
volumes:
  odoo-web-data:
  db:

After you have created the file, start your ODOO instance with the command:

docker-compose up -d
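Two things in the appendix are easy to get wrong before the first start: leaving REG_KEY at the ONETIMEKEY placeholder (the edge router never enrolls) and publishing the odoo or nginx ports on all interfaces instead of 127.0.0.1 (ODOO is then reachable directly, not only through the edge router, which defeats the point of keeping it dark). The following pre-flight script is an added example, not part of the original article or of NetFoundry's tooling; it checks both conditions in WORK_DIR and assumes the file names used in the appendix (.env and docker-compose.yaml). The demo at the end runs the checks on constructed copies of those files in a temporary directory.

```shell
#!/bin/sh
# Added pre-flight check, not part of the original article or of NetFoundry's
# tooling. Run it in WORK_DIR before "docker-compose up -d" to confirm that the
# .env carries a real router registration key (not the ONETIMEKEY placeholder)
# and that every published port in docker-compose.yaml is bound to 127.0.0.1,
# so ODOO stays dark and is reached only through the edge router.

# Returns 0 when REG_KEY in the given .env file is non-empty and is not the
# placeholder from the appendix, 1 otherwise.
check_reg_key() {
  env_file=${1:-.env}
  [ -r "$env_file" ] || return 1
  key=$(sed -n 's/^REG_KEY=//p' "$env_file" | tail -n 1)
  [ -n "$key" ] && [ "$key" != "ONETIMEKEY" ]
}

# Returns 0 when every port mapping ("host:container" or "ip:host:container")
# in the compose file starts with 127.0.0.1, 1 when any entry would publish a
# port on all interfaces. Only list items that look like port mappings are
# inspected, so volume entries such as "db:/var/lib/..." are ignored.
check_loopback_ports() {
  compose=${1:-docker-compose.yaml}
  [ -r "$compose" ] || return 1
  exposed=$(grep -E '^[[:space:]]*-[[:space:]]*"?([0-9.]+:)?[0-9]+:[0-9]+"?[[:space:]]*$' "$compose" \
    | sed -E 's/^[[:space:]]*-[[:space:]]*"?([^"[:space:]]*)"?.*/\1/' \
    | grep -v '^127\.0\.0\.1:' || true)
  [ -z "$exposed" ]
}

# Demo on constructed copies of the appendix files, written to a temp dir:
# the .env still has the placeholder key, the compose file binds to loopback.
demo_dir=$(mktemp -d)
printf 'POSTGRES_USER=odoo\nREG_KEY=ONETIMEKEY\n' > "$demo_dir/.env"
cat > "$demo_dir/docker-compose.yaml" <<'EOF'
services:
  odoo:
    ports:
      - "127.0.0.1:8069:8069"
    volumes:
      - odoo-web-data:/var/lib/odoo
  nginx:
    ports:
      - "127.0.0.1:8080:80"
EOF
if check_reg_key "$demo_dir/.env"; then echo "REG_KEY: ok"; else echo "REG_KEY: still the placeholder"; fi
if check_loopback_ports "$demo_dir/docker-compose.yaml"; then echo "ports: loopback only"; else echo "ports: a port is published on all interfaces"; fi
rm -rf "$demo_dir"
```

Run it as `sh preflight.sh` from WORK_DIR after replacing the demo section with calls on the real files (`check_reg_key && check_loopback_ports`), and only then bring the stack up.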