Pular para o conteúdo
Esta pergunta foi sinalizada
authenticationapi
3 Respostas
2925 Visualizações
Avatar
Martin

We'd like to develop a mobile app linked to a Odoo (19). Our goal is to use the JSON API, both because it seems to be the way of the future and also because we're more familiar with that kind of tech.


We have something that we can't figure out. Our goal is to have our end user to identify with their login/password in the app, and then use their credential to use the API (for example to retrieve their current holidays).

Issue: this works only using the API key, which cannot be generated from an endpoint - even with the user's password.

What's the current advice/strategy in this case? We could have a technical user with high access and use it everywhere but it looks extremely dangerous and actually not practical (I want to retrieve the current user's holiday, not all of them, etc).


People here making mobile apps, how are you interacting with the new API?

Avatar
Cancelar
Martin
Autor

Thanks - I get the idea but your example is using the jsonrpc api - I don't see any way to use this "with_user "on the json2 ("rest") one.

Avatar
Atliis 360
Melhor resposta
Hi Martin,

The standard Odoo JSON-RPC authenticate call does return a session_id you can reuse — that's your bridge between user credentials and scoped API access.

Step 1 — Authenticate and get a session:


POST /web/dataset/call_kw
{
  "jsonrpc": "2.0",
  "method": "call",
  "params": {
    "model": "res.users",
    "method": "authenticate",
    "args": ["your-db", "user@example.com", "password", {}],
    "kwargs": {}
  }
}
The response includes a uid and the cookie header carries a session_id.

Step 2 — Use that session for all subsequent calls, passing the session_id cookie. Every call will execute as that specific user, so Odoo's record rules apply automatically — fetching holidays (or any model) returns only their own records.

The key insight is: don't try to generate an API key on behalf of the user. Just reuse the authenticated session. It's stateful but works perfectly for mobile apps.

If you'd rather have a cleaner REST interface with proper Bearer token auth, user-scoped API key issuance, and a dedicated POST /api/v1/auth/login endpoint — we built exactly that. Check out REST API Toolkit on the Odoo App Store.

Hope that unblocks you!

Avatar
Cancelar
Avatar
Cybrosys Techno Solutions Pvt.Ltd
Melhor resposta
Hi,

You're encountering a frequent issue when integrating Odoo 19 JSON-RPC API with mobile app user authentication. Since API keys are not suitable for individual mobile users authenticating with personal credentials, the correct solution is session-based authentication.
Why session-based authentication is ideal for mobile apps

    Users log in using their own username and password

    User context is automatically applied (no need to pass user ID manually)

    Access rights, record rules, and ACLs are enforced correctly

    No need to generate or maintain API keys for each user

Authenticate from the mobile app

Send a POST request to the Odoo session authentication endpoint:

POST https://your-odoo-instance.com/web/session/authenticate

Content-Type: application/json

Request payload:

{
    "jsonrpc": "2.0",
    "params": {
        "db": "your_database",
        "login": "user@example.com",
        "password": "user_password"
    }
}

If authentication succeeds:

    Odoo returns session_id

    The session_id is also set in response cookies

Store session_id securely in your mobile app

Use platform-specific secure storage:
Create a custom authenticated API endpoint in Odoo

In your custom Odoo module, define a controller with auth="user":

from odoo import http

class MobileHolidaysController(http.Controller):

    @http.route('/api/mobile/my/holidays', type='json', auth='user')
    def get_my_holidays(self, **kwargs):
        # Business logic goes here
        return {
            "status": "success",
            "message": "Authenticated successfully",
            "data": {}  # Replace with your actual holiday records
        }
Call the endpoint from the mobile app

Include the stored session_id in cookies for all requests:

POST https://your-odoo-instance.com/api/mobile/my/holidays

Cookie: session_id=your_stored_session_id
Content-Type: application/json

Payload:

{
    "jsonrpc": "2.0",
    "params": {}
}


Hope it helps

Avatar
Cancelar
Avatar
Ray Carnes (ray)
Melhor resposta

with_user might be helpful here

self.env['hr.leave'].with_user(mobile_user).search([])

https://www.odoo.com/forum/help-1/what-is-the-purpose-of-with-user-means-what-is-the-advantage-of-using-it-189340

Avatar
Cancelar
Publicações relacionadas Respostas Visualizações Atividade
How i can auth my user to access odoo with API Key or Access Token?
authentication api
Avatar
Avatar
Avatar
Avatar
4
mar. 26
47735
Error when trying to authenticate through API (v14) Resolvido
authentication api
Avatar
Avatar
Avatar
Avatar
Avatar
5
dez. 20
13506
Question about how to authentication using api key Resolvido
authentication api api-key
Avatar
Avatar
1
set. 25
8450
API authentication not working with API key
authentication api api-key
Avatar
0
jan. 24
5907
How to authenticate users from res.users model in laradoo package
authentication api odoo
Avatar
0
jul. 21
5435