feat(auth_oidc): allow optional linking by email

Author: zamberjo

auth_oidc/README.rst

@@ -1,7 +1,3 @@
-.. image:: https://odoo-community.org/readme-banner-image
-   :target: https://odoo-community.org/get-involved?utm_source=readme
-   :alt: Odoo Community Association
-
 =============================
 Authentication OpenID Connect
 =============================
@@ -17,7 +13,7 @@ Authentication OpenID Connect
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
     :target: https://odoo-community.org/page/development-status
     :alt: Beta
-.. |badge2| image:: https://img.shields.io/badge/license-AGPL--3-blue.png
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
     :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
     :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
@@ -130,6 +126,26 @@ In Odoo, create a new Oauth Provider with the following parameters:
 - JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
   Configuration of your Keycloak realm
 
+Auto-link existing users by email
+---------------------------------
+
+By default, a user must already have ``oauth_uid`` set to be recognised
+on login. To automatically link **existing** Odoo users on their first
+OIDC login (matching by ``login = email`` from the token), enable the
+system parameter:
+
+=========================== ========
+Key                         Value
+=========================== ========
+``auth_oidc.link_by_email`` ``True``
+=========================== ========
+
+The link is performed only when **exactly one** active user matches the
+email. If zero or more than one match is found the request falls through
+to the standard behaviour (signup or ``AccessDenied``). Once linked, the
+user's ``oauth_uid`` is stored and subsequent logins follow the normal
+path.
+
 .. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
 .. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
 .. |image2| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png
@@ -151,6 +167,12 @@ Known issues / Roadmap
 Changelog
 =========
 
+17.0.1.3.0 2026-05-18
+---------------------
+
+- Add optional auto-link of existing users by email on first OIDC login
+  (``auth_oidc.link_by_email`` system parameter, disabled by default).
+
 17.0.1.0.0 2024-03-20
 ---------------------
 
@@ -223,6 +245,7 @@ Contributors
 - Stéphane Bidoul <stephane.bidoul@acsone.eu>
 - David Jaen <david.jaen.revert@gmail.com>
 - Andreas Perhab <andreas.perhab@wt-io-it.at>
+- Jose Zambudio Bernabeu <zamberjo@gmail.com>
 
 Maintainers
 -----------

auth_oidc/models/res_users.py

@@ -12,6 +12,8 @@
 
 _logger = logging.getLogger(__name__)
 
+_PARAM_LINK_BY_EMAIL = "auth_oidc.link_by_email"
+
 
 class ResUsers(models.Model):
     _inherit = "res.users"
@@ -80,3 +82,57 @@ def auth_oauth(self, provider, params):
             raise AccessDenied()
         # return user credentials
         return (self.env.cr.dbname, login, access_token)
+
+    @api.model
+    def _is_oidc_link_by_email_enabled(self):
+        return (
+            self.env["ir.config_parameter"]
+            .sudo()
+            .get_param(_PARAM_LINK_BY_EMAIL, default="False")
+            == "True"
+        )
+
+    @api.model
+    def _oidc_link_user_by_email(self, provider, oauth_uid, email, access_token):
+        user = self.search([("login", "=", email)], limit=1)
+        if not user:
+            _logger.warning(
+                "OIDC link by email: found %d user(s) with login=%s, skipping.",
+                len(user),
+                email,
+            )
+            return None
+        user.write(
+            {
+                "oauth_provider_id": provider,
+                "oauth_uid": oauth_uid,
+                "oauth_access_token": access_token,
+            }
+        )
+        _logger.info(
+            "OIDC link by email: user '%s' linked to provider %s with oauth_uid=%s.",
+            user.login,
+            provider,
+            oauth_uid,
+        )
+        return user
+
+    @api.model
+    def _auth_oauth_signin(self, provider, validation, params):
+        oauth_uid = validation["user_id"]
+        already_linked = self.search(
+            [
+                ("oauth_uid", "=", oauth_uid),
+                ("oauth_provider_id", "=", provider),
+            ],
+            limit=1,
+        )
+        if not already_linked and self._is_oidc_link_by_email_enabled():
+            email = validation.get("email")
+            if email:
+                linked_user = self._oidc_link_user_by_email(
+                    provider, oauth_uid, email, params["access_token"]
+                )
+                if linked_user:
+                    return linked_user.login
+        return super()._auth_oauth_signin(provider, validation, params)

auth_oidc/readme/CONFIGURE.md

@@ -74,3 +74,19 @@ In Odoo, create a new Oauth Provider with the following parameters:
   Configuration of your Keycloak realm
 - JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
   Configuration of your Keycloak realm
+
+## Auto-link existing users by email
+
+By default, a user must already have `oauth_uid` set to be recognised on
+login. To automatically link **existing** Odoo users on their first OIDC
+login (matching by `login = email` from the token), enable the system
+parameter:
+
+| Key | Value |
+|-----|-------|
+| `auth_oidc.link_by_email` | `True` |
+
+The link is performed only when **exactly one** active user matches the
+email. If zero or more than one match is found the request falls through
+to the standard behaviour (signup or `AccessDenied`). Once linked, the
+user's `oauth_uid` is stored and subsequent logins follow the normal path.

auth_oidc/readme/CONTRIBUTORS.md

@@ -2,3 +2,4 @@
 - Stéphane Bidoul \<<stephane.bidoul@acsone.eu>\>
 - David Jaen \<<david.jaen.revert@gmail.com>\>
 - Andreas Perhab \<<andreas.perhab@wt-io-it.at>\>
+- Jose Zambudio Bernabeu \<<zamberjo@gmail.com>\>

auth_oidc/readme/HISTORY.md

@@ -1,3 +1,8 @@
+## 17.0.1.3.0 2026-05-18
+
+- Add optional auto-link of existing users by email on first OIDC login
+  (`auth_oidc.link_by_email` system parameter, disabled by default).
+
 ## 17.0.1.0.0 2024-03-20
 
 - Odoo 17 migration