feat(auth_oauth_link_by_email): add new module to allow linking OAuth accounts by email

Author: zamberjo

auth_oauth_link_by_email/README.rst

@@ -0,0 +1,124 @@
+====================================
+OAuth - Link existing users by email
+====================================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:7b1f947b629d3f0ea59aca3c89d6656b6a1e8ae5c4378ec0650e9ca03cc54e9f
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/17.0/auth_oauth_link_by_email
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oauth_link_by_email
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=17.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+When installed, this module automatically links existing Odoo users to
+an OAuth provider on their first login, by matching the email address
+from the OAuth token with the user's login (which is their email in
+Odoo).
+
+This is useful when users already exist in Odoo (created manually or
+imported) and you want them to authenticate via an OAuth provider
+without having to recreate their accounts.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Installation
+============
+
+No additional installation steps are required beyond installing the
+module itself. It depends only on the standard ``auth_oauth`` module.
+
+Configuration
+=============
+
+No configuration is required. The auto-link feature is active as soon as
+the module is installed.
+
+How it works
+------------
+
+When a user attempts to log in through an OAuth provider and no Odoo
+user is found with a matching ``oauth_uid`` + ``oauth_provider_id``,
+this module will:
+
+1. Extract the ``email`` claim from the OAuth token validation response.
+2. Search for an active Odoo user whose ``login`` matches that email.
+3. If found, write the ``oauth_provider_id``, ``oauth_uid``, and
+   ``oauth_access_token`` onto that user record and return their login.
+4. Subsequent logins will resolve directly via ``oauth_uid`` as usual.
+
+If no matching user is found, or the email claim is absent, the standard
+``auth_oauth`` flow continues (raising ``AccessDenied`` for unknown
+accounts).
+
+Changelog
+=========
+
+17.0.1.0.0 (2026)
+-----------------
+
+- Initial release. Auto-links existing Odoo users to OAuth providers by
+  email on first login. The feature is active as soon as the module is
+  installed.
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oauth_link_by_email%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Heligrafics Fotogrametria S.L.
+
+Contributors
+------------
+
+- `Heligrafics <https://www.heligrafics.net>`__
+
+  - Jose Zambudio Bernabeu <zamberjo@gmail.com>
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/17.0/auth_oauth_link_by_email>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.

auth_oauth_link_by_email/__init__.py

@@ -0,0 +1,4 @@
+# Copyright 2026 Heligrafics <https://www.heligrafics.net>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import models

auth_oauth_link_by_email/__manifest__.py

@@ -0,0 +1,16 @@
+# Copyright 2026 Heligrafics <https://www.heligrafics.net>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+{
+    "name": "OAuth - Link existing users by email",
+    "version": "17.0.1.0.0",
+    "license": "AGPL-3",
+    "author": "Heligrafics Fotogrametria S.L., Odoo Community Association (OCA)",
+    "website": "https://github.com/OCA/server-auth",
+    "summary": (
+        "Automatically link existing Odoo users to an OAuth provider "
+        "on first login by matching their email address."
+    ),
+    "depends": ["auth_oauth"],
+    "installable": True,
+}

auth_oauth_link_by_email/i18n/auth_oauth_link_by_email.pot

@@ -0,0 +1,14 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+#	* auth_oauth_link_by_email
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 17.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"

auth_oauth_link_by_email/models/__init__.py

@@ -0,0 +1,4 @@
+# Copyright 2026 Heligrafics <https://www.heligrafics.net>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import res_users

auth_oauth_link_by_email/models/res_users.py

@@ -0,0 +1,56 @@
+# Copyright 2026 Heligrafics <https://www.heligrafics.net>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import logging
+
+from odoo import api, models
+
+_logger = logging.getLogger(__name__)
+
+
+class ResUsers(models.Model):
+    _inherit = "res.users"
+
+    @api.model
+    def _oauth_link_user_by_email(self, provider, oauth_uid, email, access_token):
+        user = self.search([("login", "=", email)], limit=1)
+        if not user:
+            _logger.warning(
+                "OAuth link by email: no user found with login=%s, skipping.",
+                email,
+            )
+            return None
+        user.write(
+            {
+                "oauth_provider_id": provider,
+                "oauth_uid": oauth_uid,
+                "oauth_access_token": access_token,
+            }
+        )
+        _logger.info(
+            "OAuth link by email: user '%s' linked to provider %s with oauth_uid=%s.",
+            user.login,
+            provider,
+            oauth_uid,
+        )
+        return user
+
+    @api.model
+    def _auth_oauth_signin(self, provider, validation, params):
+        oauth_uid = validation["user_id"]
+        already_linked = self.search(
+            [
+                ("oauth_uid", "=", oauth_uid),
+                ("oauth_provider_id", "=", provider),
+            ],
+            limit=1,
+        )
+        if not already_linked:
+            email = validation.get("email")
+            if email:
+                linked_user = self._oauth_link_user_by_email(
+                    provider, oauth_uid, email, params["access_token"]
+                )
+                if linked_user:
+                    return linked_user.login
+        return super()._auth_oauth_signin(provider, validation, params)

auth_oauth_link_by_email/pyproject.toml

@@ -0,0 +1,3 @@
+[build-system]
+requires = ["whool"]
+build-backend = "whool.buildapi"

auth_oauth_link_by_email/readme/CONFIGURE.md

@@ -0,0 +1,16 @@
+No configuration is required. The auto-link feature is active as soon as the
+module is installed.
+
+## How it works
+
+When a user attempts to log in through an OAuth provider and no Odoo user is
+found with a matching ``oauth_uid`` + ``oauth_provider_id``, this module will:
+
+1. Extract the ``email`` claim from the OAuth token validation response.
+2. Search for an active Odoo user whose ``login`` matches that email.
+3. If found, write the ``oauth_provider_id``, ``oauth_uid``, and
+   ``oauth_access_token`` onto that user record and return their login.
+4. Subsequent logins will resolve directly via ``oauth_uid`` as usual.
+
+If no matching user is found, or the email claim is absent, the standard
+``auth_oauth`` flow continues (raising ``AccessDenied`` for unknown accounts).

auth_oauth_link_by_email/readme/CONTRIBUTORS.md

@@ -0,0 +1,2 @@
+* [Heligrafics](https://www.heligrafics.net)
+  - Jose Zambudio Bernabeu \<<zamberjo@gmail.com>\>

auth_oauth_link_by_email/readme/DESCRIPTION.md

@@ -0,0 +1,7 @@
+When installed, this module automatically links existing Odoo users to an
+OAuth provider on their first login, by matching the email address from the
+OAuth token with the user's login (which is their email in Odoo).
+
+This is useful when users already exist in Odoo (created manually or imported)
+and you want them to authenticate via an OAuth provider without having to
+recreate their accounts.