跳至內容
此問題已被標幟
authenticationapi
3 回覆
2933 瀏覽次數
頭像
Martin

We'd like to develop a mobile app linked to a Odoo (19). Our goal is to use the JSON API, both because it seems to be the way of the future and also because we're more familiar with that kind of tech.


We have something that we can't figure out. Our goal is to have our end user to identify with their login/password in the app, and then use their credential to use the API (for example to retrieve their current holidays).

Issue: this works only using the API key, which cannot be generated from an endpoint - even with the user's password.

What's the current advice/strategy in this case? We could have a technical user with high access and use it everywhere but it looks extremely dangerous and actually not practical (I want to retrieve the current user's holiday, not all of them, etc).


People here making mobile apps, how are you interacting with the new API?

頭像
捨棄
Martin
作者

Thanks - I get the idea but your example is using the jsonrpc api - I don't see any way to use this "with_user "on the json2 ("rest") one.

頭像
Atliis 360
最佳答案
Hi Martin,

The standard Odoo JSON-RPC authenticate call does return a session_id you can reuse — that's your bridge between user credentials and scoped API access.

Step 1 — Authenticate and get a session:


POST /web/dataset/call_kw
{
  "jsonrpc": "2.0",
  "method": "call",
  "params": {
    "model": "res.users",
    "method": "authenticate",
    "args": ["your-db", "user@example.com", "password", {}],
    "kwargs": {}
  }
}
The response includes a uid and the cookie header carries a session_id.

Step 2 — Use that session for all subsequent calls, passing the session_id cookie. Every call will execute as that specific user, so Odoo's record rules apply automatically — fetching holidays (or any model) returns only their own records.

The key insight is: don't try to generate an API key on behalf of the user. Just reuse the authenticated session. It's stateful but works perfectly for mobile apps.

If you'd rather have a cleaner REST interface with proper Bearer token auth, user-scoped API key issuance, and a dedicated POST /api/v1/auth/login endpoint — we built exactly that. Check out REST API Toolkit on the Odoo App Store.

Hope that unblocks you!

頭像
捨棄
頭像
Cybrosys Techno Solutions Pvt.Ltd
最佳答案
Hi,

You're encountering a frequent issue when integrating Odoo 19 JSON-RPC API with mobile app user authentication. Since API keys are not suitable for individual mobile users authenticating with personal credentials, the correct solution is session-based authentication.
Why session-based authentication is ideal for mobile apps

    Users log in using their own username and password

    User context is automatically applied (no need to pass user ID manually)

    Access rights, record rules, and ACLs are enforced correctly

    No need to generate or maintain API keys for each user

Authenticate from the mobile app

Send a POST request to the Odoo session authentication endpoint:

POST https://your-odoo-instance.com/web/session/authenticate

Content-Type: application/json

Request payload:

{
    "jsonrpc": "2.0",
    "params": {
        "db": "your_database",
        "login": "user@example.com",
        "password": "user_password"
    }
}

If authentication succeeds:

    Odoo returns session_id

    The session_id is also set in response cookies

Store session_id securely in your mobile app

Use platform-specific secure storage:
Create a custom authenticated API endpoint in Odoo

In your custom Odoo module, define a controller with auth="user":

from odoo import http

class MobileHolidaysController(http.Controller):

    @http.route('/api/mobile/my/holidays', type='json', auth='user')
    def get_my_holidays(self, **kwargs):
        # Business logic goes here
        return {
            "status": "success",
            "message": "Authenticated successfully",
            "data": {}  # Replace with your actual holiday records
        }
Call the endpoint from the mobile app

Include the stored session_id in cookies for all requests:

POST https://your-odoo-instance.com/api/mobile/my/holidays

Cookie: session_id=your_stored_session_id
Content-Type: application/json

Payload:

{
    "jsonrpc": "2.0",
    "params": {}
}


Hope it helps

頭像
捨棄
頭像
Ray Carnes (ray)
最佳答案

with_user might be helpful here

self.env['hr.leave'].with_user(mobile_user).search([])

https://www.odoo.com/forum/help-1/what-is-the-purpose-of-with-user-means-what-is-the-advantage-of-using-it-189340

頭像
捨棄
相關帖文 回覆 瀏覽次數 活動
How i can auth my user to access odoo with API Key or Access Token?
authentication api
頭像
頭像
頭像
頭像
4
3月 26
47735
Error when trying to authenticate through API (v14) 已解決
authentication api
頭像
頭像
頭像
頭像
頭像
5
12月 20
13508
Question about how to authentication using api key 已解決
authentication api api-key
頭像
頭像
1
9月 25
8452
API authentication not working with API key
authentication api api-key
頭像
0
1月 24
5920
How to authenticate users from res.users model in laradoo package
authentication api odoo
頭像
0
7月 21
5438