diff --git a/README.md b/README.md
index bed2aeb247..93b102861c 100644
--- a/README.md
+++ b/README.md
@@ -22,6 +22,10 @@ Available addons
 addon | version | maintainers | summary
 --- | --- | --- | ---
 [auth_admin_passkey](auth_admin_passkey/) | 17.0.1.0.0 |  | Allows system administrator to authenticate with any account
+[auth_api_key](auth_api_key/) | 17.0.1.0.0 |  | Authenticate http requests from an API key
+[auth_api_key_server_env](auth_api_key_server_env/) | 17.0.1.0.0 |  | Configure api keys via server env. This can be very useful to avoid mixing your keys between your various environments when restoring databases. All you have to do is to add a new section to your configuration file according to the following convention:
+[auth_oidc](auth_oidc/) | 17.0.1.0.0 | [![sbidoul](https://github.com/sbidoul.png?size=30px)](https://github.com/sbidoul) | Allow users to login through OpenID Connect Provider
+[user_log_view](user_log_view/) | 17.0.1.0.0 | [![trojikman](https://github.com/trojikman.png?size=30px)](https://github.com/trojikman) | Allow to see user's actions log
 
 [//]: # (end addons)
 
diff --git a/auth_admin_passkey/i18n/it.po b/auth_admin_passkey/i18n/it.po
index 23262c5932..6fb8ad6ab4 100644
--- a/auth_admin_passkey/i18n/it.po
+++ b/auth_admin_passkey/i18n/it.po
@@ -9,15 +9,15 @@ msgstr ""
 "Project-Id-Version: Odoo Server 10.0\n"
 "Report-Msgid-Bugs-To: \n"
 "POT-Creation-Date: 2017-08-01 02:43+0000\n"
-"PO-Revision-Date: 2022-02-21 12:17+0000\n"
-"Last-Translator: Simone Rubino <simone.rubino@agilebg.com>\n"
+"PO-Revision-Date: 2024-02-04 15:37+0000\n"
+"Last-Translator: mymage <stefano.consolaro@mymage.it>\n"
 "Language-Team: Italian (https://www.transifex.com/oca/teams/23907/it/)\n"
 "Language: it\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: \n"
 "Plural-Forms: nplurals=2; plural=n != 1;\n"
-"X-Generator: Weblate 4.3.2\n"
+"X-Generator: Weblate 4.17\n"
 
 #. module: auth_admin_passkey
 #. odoo-python
@@ -40,11 +40,20 @@ msgid ""
 "- Login date : %(login_date)s\n"
 "\n"
 msgstr ""
+"L'utente amministratore di sistemaha usato la sua passkey per accedere con "
+"%(login)s.\n"
+"\n"
+"\n"
+"\n"
+"Informazioni tecniche di seguito: \n"
+"\n"
+"- Data accesso : %(login_date)s\n"
+"\n"
 
 #. module: auth_admin_passkey
 #: model:ir.model,name:auth_admin_passkey.model_res_users
 msgid "User"
-msgstr ""
+msgstr "Utente"
 
 #, python-format
 #~ msgid "<pre>User with login '%s' has the same password as you.</pre>"
diff --git a/auth_api_key/README.rst b/auth_api_key/README.rst
new file mode 100644
index 0000000000..99e2eda85f
--- /dev/null
+++ b/auth_api_key/README.rst
@@ -0,0 +1,116 @@
+============
+Auth Api Key
+============
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:455a0f8646088cc228c9423fcbabbc1d81cabbebd0cac6dcf07bbbe000a6fc87
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-LGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html
+    :alt: License: LGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/17.0/auth_api_key
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_api_key
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=17.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+Authenticate http requests from an API key.
+
+API keys are codes passed in (in the http header API-KEY) by programs
+calling an API in order to identify -in this case- the calling program's
+user.
+
+Take care while using this kind of mechanism since information into http
+headers are visible in clear. Thus, use it only to authenticate requests
+from known sources.
+
+For unknown sources, it is a good practice to filter out this header at
+proxy level.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Configuration
+=============
+
+The api key menu is available into Settings > Technical in debug mode.
+By default, when you create an API key, the key is saved into the
+database.
+
+If you want to manage them via serve environment settings use
+auth_api_key_server_env.
+
+Usage
+=====
+
+To apply this authentication system to your http request you must set
+'api_key' as value for the 'auth' parameter of your route definition
+into your controller.
+
+.. code:: python
+
+   class MyController(Controller):
+
+       @route('/my_service', auth='api_key', ...)
+       def my_service(self, *args, **kwargs):
+           pass
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_api_key%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* ACSONE SA/NV
+
+Contributors
+------------
+
+-  Denis Robinet <denis.robinet@acsone.eu>
+-  Laurent Mignon <laurent.mignon@acsone.eu>
+-  Quentin Groulard <quentin.groulard@acsone.eu>
+-  Sébastien Beau <sebastien.beau@akretion.com>
+-  Chafique Delli <chafique.delli@akretion.com>
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/17.0/auth_api_key>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_api_key/__init__.py b/auth_api_key/__init__.py
new file mode 100644
index 0000000000..0650744f6b
--- /dev/null
+++ b/auth_api_key/__init__.py
@@ -0,0 +1 @@
+from . import models
diff --git a/auth_api_key/__manifest__.py b/auth_api_key/__manifest__.py
new file mode 100644
index 0000000000..c894a84d7b
--- /dev/null
+++ b/auth_api_key/__manifest__.py
@@ -0,0 +1,14 @@
+# Copyright 2018 ACSONE SA/NV
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+{
+    "name": "Auth Api Key",
+    "summary": """
+        Authenticate http requests from an API key""",
+    "version": "17.0.1.0.0",
+    "license": "LGPL-3",
+    "author": "ACSONE SA/NV,Odoo Community Association (OCA)",
+    "website": "https://github.com/OCA/server-auth",
+    "development_status": "Beta",
+    "data": ["security/ir.model.access.csv", "views/auth_api_key.xml"],
+}
diff --git a/auth_api_key/i18n/auth_api_key.pot b/auth_api_key/i18n/auth_api_key.pot
new file mode 100644
index 0000000000..16489df0cb
--- /dev/null
+++ b/auth_api_key/i18n/auth_api_key.pot
@@ -0,0 +1,108 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_api_key
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 17.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: auth_api_key
+#: model:ir.model,name:auth_api_key.model_auth_api_key
+msgid "API Key"
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.model.constraint,message:auth_api_key.constraint_auth_api_key_name_uniq
+msgid "Api Key name must be unique."
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.actions.act_window,name:auth_api_key.auth_api_key_act_window
+#: model:ir.ui.menu,name:auth_api_key.auth_api_key_menu
+msgid "Auth Api Key"
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__create_uid
+msgid "Created by"
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__create_date
+msgid "Created on"
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__display_name
+msgid "Display Name"
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.model,name:auth_api_key.model_ir_http
+msgid "HTTP Routing"
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__id
+msgid "ID"
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__key
+msgid "Key"
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__write_uid
+msgid "Last Updated by"
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__write_date
+msgid "Last Updated on"
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__name
+msgid "Name"
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.model.fields,help:auth_api_key.field_auth_api_key__key
+msgid ""
+"The API key. Enter a dummy value in this field if it is\n"
+"        obtained from the server environment configuration."
+msgstr ""
+
+#. module: auth_api_key
+#. odoo-python
+#: code:addons/auth_api_key/models/auth_api_key.py:0
+#, python-format
+msgid "The key %s is not allowed"
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.model.fields,help:auth_api_key.field_auth_api_key__user_id
+msgid ""
+"The user used to process the requests authenticated by\n"
+"        the api key"
+msgstr ""
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__user_id
+msgid "User"
+msgstr ""
+
+#. module: auth_api_key
+#. odoo-python
+#: code:addons/auth_api_key/models/auth_api_key.py:0
+#, python-format
+msgid "User is not allowed"
+msgstr ""
diff --git a/auth_api_key/i18n/it.po b/auth_api_key/i18n/it.po
new file mode 100644
index 0000000000..8e7c286c69
--- /dev/null
+++ b/auth_api_key/i18n/it.po
@@ -0,0 +1,121 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_api_key
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 15.0\n"
+"Report-Msgid-Bugs-To: \n"
+"PO-Revision-Date: 2024-04-03 12:43+0000\n"
+"Last-Translator: mymage <stefano.consolaro@mymage.it>\n"
+"Language-Team: none\n"
+"Language: it\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 4.17\n"
+
+#. module: auth_api_key
+#: model:ir.model,name:auth_api_key.model_auth_api_key
+msgid "API Key"
+msgstr "Chiave API"
+
+#. module: auth_api_key
+#: model:ir.model.constraint,message:auth_api_key.constraint_auth_api_key_name_uniq
+msgid "Api Key name must be unique."
+msgstr "La chiave API deve essere univoca."
+
+#. module: auth_api_key
+#: model:ir.actions.act_window,name:auth_api_key.auth_api_key_act_window
+#: model:ir.ui.menu,name:auth_api_key.auth_api_key_menu
+msgid "Auth Api Key"
+msgstr "Chiave API di autenticazione"
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__create_uid
+msgid "Created by"
+msgstr "Creata da"
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__create_date
+msgid "Created on"
+msgstr "Creato il"
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__display_name
+msgid "Display Name"
+msgstr "Nome visualizzato"
+
+#. module: auth_api_key
+#: model:ir.model,name:auth_api_key.model_ir_http
+msgid "HTTP Routing"
+msgstr "Instradamento HTTP"
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__id
+msgid "ID"
+msgstr "ID"
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__key
+msgid "Key"
+msgstr "Chiave"
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__write_uid
+msgid "Last Updated by"
+msgstr "Ultimo aggiornamento di"
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__write_date
+msgid "Last Updated on"
+msgstr "Ultimo aggiornamento il"
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__name
+msgid "Name"
+msgstr "Nome"
+
+#. module: auth_api_key
+#: model:ir.model.fields,help:auth_api_key.field_auth_api_key__key
+msgid ""
+"The API key. Enter a dummy value in this field if it is\n"
+"        obtained from the server environment configuration."
+msgstr ""
+"Chiave API. Se viene acquisita dalla configurazione\n"
+"        ambiente del server, inserire nel campo un valore fittizio."
+
+#. module: auth_api_key
+#. odoo-python
+#: code:addons/auth_api_key/models/auth_api_key.py:0
+#, python-format
+msgid "The key %s is not allowed"
+msgstr "Chiave %s non autorizzata"
+
+#. module: auth_api_key
+#: model:ir.model.fields,help:auth_api_key.field_auth_api_key__user_id
+msgid ""
+"The user used to process the requests authenticated by\n"
+"        the api key"
+msgstr ""
+"Utente utilizzato per elaborare le richieste autenticate\n"
+"        dalla chiave API"
+
+#. module: auth_api_key
+#: model:ir.model.fields,field_description:auth_api_key.field_auth_api_key__user_id
+msgid "User"
+msgstr "Utente"
+
+#. module: auth_api_key
+#. odoo-python
+#: code:addons/auth_api_key/models/auth_api_key.py:0
+#, python-format
+msgid "User is not allowed"
+msgstr "Utente non autorizzato"
+
+#~ msgid "Last Modified on"
+#~ msgstr "Ultima modifica il"
+
+#~ msgid "Server Env Defaults"
+#~ msgstr "Variabili ambiente predefinite del server"
diff --git a/auth_api_key/models/__init__.py b/auth_api_key/models/__init__.py
new file mode 100644
index 0000000000..dee3379fea
--- /dev/null
+++ b/auth_api_key/models/__init__.py
@@ -0,0 +1,2 @@
+from . import ir_http
+from . import auth_api_key
diff --git a/auth_api_key/models/auth_api_key.py b/auth_api_key/models/auth_api_key.py
new file mode 100644
index 0000000000..416cd4ab7f
--- /dev/null
+++ b/auth_api_key/models/auth_api_key.py
@@ -0,0 +1,62 @@
+# Copyright 2018 ACSONE SA/NV
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+from odoo import _, api, fields, models, tools
+from odoo.exceptions import AccessError, ValidationError
+from odoo.tools import consteq
+
+
+class AuthApiKey(models.Model):
+    _name = "auth.api.key"
+    _description = "API Key"
+
+    name = fields.Char(required=True)
+    key = fields.Char(
+        required=True,
+        help="""The API key. Enter a dummy value in this field if it is
+        obtained from the server environment configuration.""",
+    )
+    user_id = fields.Many2one(
+        comodel_name="res.users",
+        string="User",
+        required=True,
+        help="""The user used to process the requests authenticated by
+        the api key""",
+    )
+
+    _sql_constraints = [("name_uniq", "unique(name)", "Api Key name must be unique.")]
+
+    @api.model
+    def _retrieve_api_key(self, key):
+        return self.browse(self._retrieve_api_key_id(key))
+
+    @api.model
+    @tools.ormcache("key")
+    def _retrieve_api_key_id(self, key):
+        if not self.env.user.has_group("base.group_system"):
+            raise AccessError(_("User is not allowed"))
+        for api_key in self.search([]):
+            if api_key.key and consteq(key, api_key.key):
+                return api_key.id
+        raise ValidationError(_("The key %s is not allowed") % key)
+
+    @api.model
+    @tools.ormcache("key")
+    def _retrieve_uid_from_api_key(self, key):
+        return self._retrieve_api_key(key).user_id.id
+
+    def _clear_key_cache(self):
+        self.env.registry.clear_cache()
+
+    @api.model_create_multi
+    def create(self, vals_list):
+        records = super().create(vals_list)
+        if any(["key" in vals or "user_id" in vals for vals in vals_list]):
+            self._clear_key_cache()
+        return records
+
+    def write(self, vals):
+        super().write(vals)
+        if "key" in vals or "user_id" in vals:
+            self._clear_key_cache()
+        return True
diff --git a/auth_api_key/models/ir_http.py b/auth_api_key/models/ir_http.py
new file mode 100644
index 0000000000..7b02f0c39c
--- /dev/null
+++ b/auth_api_key/models/ir_http.py
@@ -0,0 +1,36 @@
+# Copyright 2018 ACSONE SA/NV
+# Copyright 2017 Akretion (http://www.akretion.com).
+# @author Sébastien BEAU <sebastien.beau@akretion.com>
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+import logging
+
+from odoo import models
+from odoo.exceptions import AccessDenied
+from odoo.http import request
+
+_logger = logging.getLogger(__name__)
+
+
+class IrHttp(models.AbstractModel):
+    _inherit = "ir.http"
+
+    @classmethod
+    def _auth_method_api_key(cls):
+        headers = request.httprequest.environ
+        api_key = headers.get("HTTP_API_KEY")
+        if api_key:
+            request.update_env(user=1)
+            auth_api_key = request.env["auth.api.key"]._retrieve_api_key(api_key)
+            if auth_api_key:
+                # reset _env on the request since we change the uid...
+                # the next call to env will instantiate an new
+                # odoo.api.Environment with the user defined on the
+                # auth.api_key
+                request._env = None
+                request.update_env(user=auth_api_key.user_id.id)
+                request.auth_api_key = api_key
+                request.auth_api_key_id = auth_api_key.id
+                return True
+        _logger.error("Wrong HTTP_API_KEY, access denied")
+        raise AccessDenied()
diff --git a/auth_api_key/pyproject.toml b/auth_api_key/pyproject.toml
new file mode 100644
index 0000000000..4231d0cccb
--- /dev/null
+++ b/auth_api_key/pyproject.toml
@@ -0,0 +1,3 @@
+[build-system]
+requires = ["whool"]
+build-backend = "whool.buildapi"
diff --git a/auth_api_key/readme/CONFIGURE.md b/auth_api_key/readme/CONFIGURE.md
new file mode 100644
index 0000000000..f791dd13ab
--- /dev/null
+++ b/auth_api_key/readme/CONFIGURE.md
@@ -0,0 +1,6 @@
+The api key menu is available into Settings \> Technical in debug mode.
+By default, when you create an API key, the key is saved into the
+database.
+
+If you want to manage them via serve environment settings use
+auth_api_key_server_env.
diff --git a/auth_api_key/readme/CONTRIBUTORS.md b/auth_api_key/readme/CONTRIBUTORS.md
new file mode 100644
index 0000000000..1168b409a3
--- /dev/null
+++ b/auth_api_key/readme/CONTRIBUTORS.md
@@ -0,0 +1,5 @@
+- Denis Robinet \<<denis.robinet@acsone.eu>\>
+- Laurent Mignon \<<laurent.mignon@acsone.eu>\>
+- Quentin Groulard \<<quentin.groulard@acsone.eu>\>
+- Sébastien Beau \<<sebastien.beau@akretion.com>\>
+- Chafique Delli \<<chafique.delli@akretion.com>\>
diff --git a/auth_api_key/readme/DESCRIPTION.md b/auth_api_key/readme/DESCRIPTION.md
new file mode 100644
index 0000000000..6d09ff29d8
--- /dev/null
+++ b/auth_api_key/readme/DESCRIPTION.md
@@ -0,0 +1,12 @@
+Authenticate http requests from an API key.
+
+API keys are codes passed in (in the http header API-KEY) by programs
+calling an API in order to identify -in this case- the calling program's
+user.
+
+Take care while using this kind of mechanism since information into http
+headers are visible in clear. Thus, use it only to authenticate requests
+from known sources.
+
+For unknown sources, it is a good practice to filter out this header at
+proxy level.
diff --git a/auth_api_key/readme/USAGE.md b/auth_api_key/readme/USAGE.md
new file mode 100644
index 0000000000..547d48759c
--- /dev/null
+++ b/auth_api_key/readme/USAGE.md
@@ -0,0 +1,11 @@
+To apply this authentication system to your http request you must set
+'api_key' as value for the 'auth' parameter of your route definition
+into your controller.
+
+``` python
+class MyController(Controller):
+
+    @route('/my_service', auth='api_key', ...)
+    def my_service(self, *args, **kwargs):
+        pass
+```
diff --git a/auth_api_key/security/ir.model.access.csv b/auth_api_key/security/ir.model.access.csv
new file mode 100644
index 0000000000..b964d8c1de
--- /dev/null
+++ b/auth_api_key/security/ir.model.access.csv
@@ -0,0 +1,2 @@
+id,name,model_id:id,group_id:id,perm_read,perm_write,perm_create,perm_unlink
+access_auth_api_key,access_auth_api_key,model_auth_api_key,base.group_system,1,1,1,1
diff --git a/auth_api_key/static/description/icon.png b/auth_api_key/static/description/icon.png
new file mode 100644
index 0000000000..3a0328b516
Binary files /dev/null and b/auth_api_key/static/description/icon.png differ
diff --git a/auth_api_key/static/description/index.html b/auth_api_key/static/description/index.html
new file mode 100644
index 0000000000..d4234b13ea
--- /dev/null
+++ b/auth_api_key/static/description/index.html
@@ -0,0 +1,455 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
+<title>Auth Api Key</title>
+<style type="text/css">
+
+/*
+:Author: David Goodger (goodger@python.org)
+:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $
+:Copyright: This stylesheet has been placed in the public domain.
+
+Default cascading style sheet for the HTML output of Docutils.
+
+See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
+customize this style sheet.
+*/
+
+/* used to remove borders from tables and images */
+.borderless, table.borderless td, table.borderless th {
+  border: 0 }
+
+table.borderless td, table.borderless th {
+  /* Override padding for "table.docutils td" with "! important".
+     The right padding separates the table cells. */
+  padding: 0 0.5em 0 0 ! important }
+
+.first {
+  /* Override more specific margin styles with "! important". */
+  margin-top: 0 ! important }
+
+.last, .with-subtitle {
+  margin-bottom: 0 ! important }
+
+.hidden {
+  display: none }
+
+.subscript {
+  vertical-align: sub;
+  font-size: smaller }
+
+.superscript {
+  vertical-align: super;
+  font-size: smaller }
+
+a.toc-backref {
+  text-decoration: none ;
+  color: black }
+
+blockquote.epigraph {
+  margin: 2em 5em ; }
+
+dl.docutils dd {
+  margin-bottom: 0.5em }
+
+object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
+  overflow: hidden;
+}
+
+/* Uncomment (and remove this text!) to get bold-faced definition list terms
+dl.docutils dt {
+  font-weight: bold }
+*/
+
+div.abstract {
+  margin: 2em 5em }
+
+div.abstract p.topic-title {
+  font-weight: bold ;
+  text-align: center }
+
+div.admonition, div.attention, div.caution, div.danger, div.error,
+div.hint, div.important, div.note, div.tip, div.warning {
+  margin: 2em ;
+  border: medium outset ;
+  padding: 1em }
+
+div.admonition p.admonition-title, div.hint p.admonition-title,
+div.important p.admonition-title, div.note p.admonition-title,
+div.tip p.admonition-title {
+  font-weight: bold ;
+  font-family: sans-serif }
+
+div.attention p.admonition-title, div.caution p.admonition-title,
+div.danger p.admonition-title, div.error p.admonition-title,
+div.warning p.admonition-title, .code .error {
+  color: red ;
+  font-weight: bold ;
+  font-family: sans-serif }
+
+/* Uncomment (and remove this text!) to get reduced vertical space in
+   compound paragraphs.
+div.compound .compound-first, div.compound .compound-middle {
+  margin-bottom: 0.5em }
+
+div.compound .compound-last, div.compound .compound-middle {
+  margin-top: 0.5em }
+*/
+
+div.dedication {
+  margin: 2em 5em ;
+  text-align: center ;
+  font-style: italic }
+
+div.dedication p.topic-title {
+  font-weight: bold ;
+  font-style: normal }
+
+div.figure {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+div.footer, div.header {
+  clear: both;
+  font-size: smaller }
+
+div.line-block {
+  display: block ;
+  margin-top: 1em ;
+  margin-bottom: 1em }
+
+div.line-block div.line-block {
+  margin-top: 0 ;
+  margin-bottom: 0 ;
+  margin-left: 1.5em }
+
+div.sidebar {
+  margin: 0 0 0.5em 1em ;
+  border: medium outset ;
+  padding: 1em ;
+  background-color: #ffffee ;
+  width: 40% ;
+  float: right ;
+  clear: right }
+
+div.sidebar p.rubric {
+  font-family: sans-serif ;
+  font-size: medium }
+
+div.system-messages {
+  margin: 5em }
+
+div.system-messages h1 {
+  color: red }
+
+div.system-message {
+  border: medium outset ;
+  padding: 1em }
+
+div.system-message p.system-message-title {
+  color: red ;
+  font-weight: bold }
+
+div.topic {
+  margin: 2em }
+
+h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
+h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
+  margin-top: 0.4em }
+
+h1.title {
+  text-align: center }
+
+h2.subtitle {
+  text-align: center }
+
+hr.docutils {
+  width: 75% }
+
+img.align-left, .figure.align-left, object.align-left, table.align-left {
+  clear: left ;
+  float: left ;
+  margin-right: 1em }
+
+img.align-right, .figure.align-right, object.align-right, table.align-right {
+  clear: right ;
+  float: right ;
+  margin-left: 1em }
+
+img.align-center, .figure.align-center, object.align-center {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+table.align-center {
+  margin-left: auto;
+  margin-right: auto;
+}
+
+.align-left {
+  text-align: left }
+
+.align-center {
+  clear: both ;
+  text-align: center }
+
+.align-right {
+  text-align: right }
+
+/* reset inner alignment in figures */
+div.align-right {
+  text-align: inherit }
+
+/* div.align-center * { */
+/*   text-align: left } */
+
+.align-top    {
+  vertical-align: top }
+
+.align-middle {
+  vertical-align: middle }
+
+.align-bottom {
+  vertical-align: bottom }
+
+ol.simple, ul.simple {
+  margin-bottom: 1em }
+
+ol.arabic {
+  list-style: decimal }
+
+ol.loweralpha {
+  list-style: lower-alpha }
+
+ol.upperalpha {
+  list-style: upper-alpha }
+
+ol.lowerroman {
+  list-style: lower-roman }
+
+ol.upperroman {
+  list-style: upper-roman }
+
+p.attribution {
+  text-align: right ;
+  margin-left: 50% }
+
+p.caption {
+  font-style: italic }
+
+p.credits {
+  font-style: italic ;
+  font-size: smaller }
+
+p.label {
+  white-space: nowrap }
+
+p.rubric {
+  font-weight: bold ;
+  font-size: larger ;
+  color: maroon ;
+  text-align: center }
+
+p.sidebar-title {
+  font-family: sans-serif ;
+  font-weight: bold ;
+  font-size: larger }
+
+p.sidebar-subtitle {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+p.topic-title {
+  font-weight: bold }
+
+pre.address {
+  margin-bottom: 0 ;
+  margin-top: 0 ;
+  font: inherit }
+
+pre.literal-block, pre.doctest-block, pre.math, pre.code {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+pre.code .ln { color: grey; } /* line numbers */
+pre.code, code { background-color: #eeeeee }
+pre.code .comment, code .comment { color: #5C6576 }
+pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
+pre.code .literal.string, code .literal.string { color: #0C5404 }
+pre.code .name.builtin, code .name.builtin { color: #352B84 }
+pre.code .deleted, code .deleted { background-color: #DEB0A1}
+pre.code .inserted, code .inserted { background-color: #A3D289}
+
+span.classifier {
+  font-family: sans-serif ;
+  font-style: oblique }
+
+span.classifier-delimiter {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+span.interpreted {
+  font-family: sans-serif }
+
+span.option {
+  white-space: nowrap }
+
+span.pre {
+  white-space: pre }
+
+span.problematic {
+  color: red }
+
+span.section-subtitle {
+  /* font-size relative to parent (h1..h6 element) */
+  font-size: 80% }
+
+table.citation {
+  border-left: solid 1px gray;
+  margin-left: 1px }
+
+table.docinfo {
+  margin: 2em 4em }
+
+table.docutils {
+  margin-top: 0.5em ;
+  margin-bottom: 0.5em }
+
+table.footnote {
+  border-left: solid 1px black;
+  margin-left: 1px }
+
+table.docutils td, table.docutils th,
+table.docinfo td, table.docinfo th {
+  padding-left: 0.5em ;
+  padding-right: 0.5em ;
+  vertical-align: top }
+
+table.docutils th.field-name, table.docinfo th.docinfo-name {
+  font-weight: bold ;
+  text-align: left ;
+  white-space: nowrap ;
+  padding-left: 0 }
+
+/* "booktabs" style (no vertical lines) */
+table.docutils.booktabs {
+  border: 0px;
+  border-top: 2px solid;
+  border-bottom: 2px solid;
+  border-collapse: collapse;
+}
+table.docutils.booktabs * {
+  border: 0px;
+}
+table.docutils.booktabs th {
+  border-bottom: thin solid;
+  text-align: left;
+}
+
+h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
+h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
+  font-size: 100% }
+
+ul.auto-toc {
+  list-style-type: none }
+
+</style>
+</head>
+<body>
+<div class="document" id="auth-api-key">
+<h1 class="title">Auth Api Key</h1>
+
+<!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! This file is generated by oca-gen-addon-readme !!
+!! changes will be overwritten.                   !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! source digest: sha256:455a0f8646088cc228c9423fcbabbc1d81cabbebd0cac6dcf07bbbe000a6fc87
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/lgpl-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-LGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/17.0/auth_api_key"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_api_key"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=17.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
+<p>Authenticate http requests from an API key.</p>
+<p>API keys are codes passed in (in the http header API-KEY) by programs
+calling an API in order to identify -in this case- the calling program’s
+user.</p>
+<p>Take care while using this kind of mechanism since information into http
+headers are visible in clear. Thus, use it only to authenticate requests
+from known sources.</p>
+<p>For unknown sources, it is a good practice to filter out this header at
+proxy level.</p>
+<p><strong>Table of contents</strong></p>
+<div class="contents local topic" id="contents">
+<ul class="simple">
+<li><a class="reference internal" href="#configuration" id="toc-entry-1">Configuration</a></li>
+<li><a class="reference internal" href="#usage" id="toc-entry-2">Usage</a></li>
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-3">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-4">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="toc-entry-5">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="toc-entry-6">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="toc-entry-7">Maintainers</a></li>
+</ul>
+</li>
+</ul>
+</div>
+<div class="section" id="configuration">
+<h1><a class="toc-backref" href="#toc-entry-1">Configuration</a></h1>
+<p>The api key menu is available into Settings &gt; Technical in debug mode.
+By default, when you create an API key, the key is saved into the
+database.</p>
+<p>If you want to manage them via serve environment settings use
+auth_api_key_server_env.</p>
+</div>
+<div class="section" id="usage">
+<h1><a class="toc-backref" href="#toc-entry-2">Usage</a></h1>
+<p>To apply this authentication system to your http request you must set
+‘api_key’ as value for the ‘auth’ parameter of your route definition
+into your controller.</p>
+<pre class="code python literal-block">
+<span class="k">class</span> <span class="nc">MyController</span><span class="p">(</span><span class="n">Controller</span><span class="p">):</span><span class="w">
+
+</span>    <span class="nd">&#64;route</span><span class="p">(</span><span class="s1">'/my_service'</span><span class="p">,</span> <span class="n">auth</span><span class="o">=</span><span class="s1">'api_key'</span><span class="p">,</span> <span class="o">...</span><span class="p">)</span><span class="w">
+</span>    <span class="k">def</span> <span class="nf">my_service</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="o">*</span><span class="n">args</span><span class="p">,</span> <span class="o">**</span><span class="n">kwargs</span><span class="p">):</span><span class="w">
+</span>        <span class="k">pass</span>
+</pre>
+</div>
+<div class="section" id="bug-tracker">
+<h1><a class="toc-backref" href="#toc-entry-3">Bug Tracker</a></h1>
+<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_api_key%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<p>Do not contact contributors directly about support or help with technical issues.</p>
+</div>
+<div class="section" id="credits">
+<h1><a class="toc-backref" href="#toc-entry-4">Credits</a></h1>
+<div class="section" id="authors">
+<h2><a class="toc-backref" href="#toc-entry-5">Authors</a></h2>
+<ul class="simple">
+<li>ACSONE SA/NV</li>
+</ul>
+</div>
+<div class="section" id="contributors">
+<h2><a class="toc-backref" href="#toc-entry-6">Contributors</a></h2>
+<ul class="simple">
+<li>Denis Robinet &lt;<a class="reference external" href="mailto:denis.robinet&#64;acsone.eu">denis.robinet&#64;acsone.eu</a>&gt;</li>
+<li>Laurent Mignon &lt;<a class="reference external" href="mailto:laurent.mignon&#64;acsone.eu">laurent.mignon&#64;acsone.eu</a>&gt;</li>
+<li>Quentin Groulard &lt;<a class="reference external" href="mailto:quentin.groulard&#64;acsone.eu">quentin.groulard&#64;acsone.eu</a>&gt;</li>
+<li>Sébastien Beau &lt;<a class="reference external" href="mailto:sebastien.beau&#64;akretion.com">sebastien.beau&#64;akretion.com</a>&gt;</li>
+<li>Chafique Delli &lt;<a class="reference external" href="mailto:chafique.delli&#64;akretion.com">chafique.delli&#64;akretion.com</a>&gt;</li>
+</ul>
+</div>
+<div class="section" id="maintainers">
+<h2><a class="toc-backref" href="#toc-entry-7">Maintainers</a></h2>
+<p>This module is maintained by the OCA.</p>
+<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
+<p>OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.</p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/17.0/auth_api_key">OCA/server-auth</a> project on GitHub.</p>
+<p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
+</div>
+</div>
+</div>
+</body>
+</html>
diff --git a/auth_api_key/tests/__init__.py b/auth_api_key/tests/__init__.py
new file mode 100644
index 0000000000..56e3e32a3a
--- /dev/null
+++ b/auth_api_key/tests/__init__.py
@@ -0,0 +1 @@
+from . import test_auth_api_key
diff --git a/auth_api_key/tests/test_auth_api_key.py b/auth_api_key/tests/test_auth_api_key.py
new file mode 100644
index 0000000000..b8e0804097
--- /dev/null
+++ b/auth_api_key/tests/test_auth_api_key.py
@@ -0,0 +1,45 @@
+# Copyright 2018 ACSONE SA/NV
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+from odoo.exceptions import AccessError, ValidationError
+from odoo.tests.common import TransactionCase
+
+
+class TestAuthApiKey(TransactionCase):
+    @classmethod
+    def setUpClass(cls, *args, **kwargs):
+        super().setUpClass(*args, **kwargs)
+        cls.AuthApiKey = cls.env["auth.api.key"]
+        cls.demo_user = cls.env.ref("base.user_demo")
+        cls.api_key_good = cls.AuthApiKey.create(
+            {"name": "good", "user_id": cls.demo_user.id, "key": "api_key"}
+        )
+
+    def test_lookup_key_from_db(self):
+        demo_user = self.env.ref("base.user_demo")
+        self.assertEqual(
+            self.env["auth.api.key"]._retrieve_uid_from_api_key("api_key"), demo_user.id
+        )
+
+    def test_wrong_key(self):
+        with self.assertRaises(ValidationError), self.env.cr.savepoint():
+            self.env["auth.api.key"]._retrieve_uid_from_api_key("api_wrong_key")
+
+    def test_user_not_allowed(self):
+        # only system users can check for key
+        with self.assertRaises(AccessError), self.env.cr.savepoint():
+            self.env["auth.api.key"].with_user(
+                user=self.demo_user
+            )._retrieve_uid_from_api_key("api_wrong_key")
+
+    def test_cache_invalidation(self):
+        self.assertEqual(
+            self.env["auth.api.key"]._retrieve_uid_from_api_key("api_key"),
+            self.demo_user.id,
+        )
+        self.api_key_good.write({"key": "updated_key"})
+        self.assertEqual(
+            self.env["auth.api.key"]._retrieve_uid_from_api_key("updated_key"),
+            self.demo_user.id,
+        )
+        with self.assertRaises(ValidationError):
+            self.env["auth.api.key"]._retrieve_uid_from_api_key("api_key")
diff --git a/auth_api_key/views/auth_api_key.xml b/auth_api_key/views/auth_api_key.xml
new file mode 100644
index 0000000000..c2305274ae
--- /dev/null
+++ b/auth_api_key/views/auth_api_key.xml
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- Copyright 2019 ACSONE SA/NV
+     License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl). -->
+<odoo>
+    <record model="ir.ui.view" id="auth_api_key_form_view">
+        <field name="name">auth.api.key.form (in auth_api_key)</field>
+        <field name="model">auth.api.key</field>
+        <field name="arch" type="xml">
+            <form create="false" edit="false">
+                <sheet>
+                    <label for="name" class="oe_edit_only" />
+                    <h1>
+                        <field name="name" class="oe_inline" />
+                    </h1>
+                    <group name="config" colspan="4" col="4">
+                        <field name="user_id" colspan="4" />
+                        <field name="key" colspan="4" />
+                    </group>
+                </sheet>
+            </form>
+        </field>
+    </record>
+    <record model="ir.ui.view" id="auth_api_key_tree_view">
+        <field name="name">auth.api.key.tree (in auth_api_key)</field>
+        <field name="model">auth.api.key</field>
+        <field name="arch" type="xml">
+            <tree>
+                <field name="name" />
+                <field name="user_id" />
+            </tree>
+        </field>
+    </record>
+    <record model="ir.actions.act_window" id="auth_api_key_act_window">
+        <field name="name">Auth Api Key</field>
+        <field name="res_model">auth.api.key</field>
+        <field name="view_mode">tree,form</field>
+        <field name="domain">[]</field>
+        <field name="context">{}</field>
+    </record>
+    <record model="ir.ui.menu" id="auth_api_key_menu">
+        <field name="name">Auth Api Key</field>
+        <field name="parent_id" ref="base.menu_custom" />
+        <field name="action" ref="auth_api_key_act_window" />
+        <field name="sequence" eval="100" />
+    </record>
+</odoo>
diff --git a/auth_api_key_server_env/README.rst b/auth_api_key_server_env/README.rst
new file mode 100644
index 0000000000..f718fce84f
--- /dev/null
+++ b/auth_api_key_server_env/README.rst
@@ -0,0 +1,92 @@
+===============================
+Auth API key server environment
+===============================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:e6609698db2b7ba4cab3f9aa8cfca5e51a1418bbf74c8bd802b9bce9be8c54a9
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Alpha-red.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Alpha
+.. |badge2| image:: https://img.shields.io/badge/licence-LGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html
+    :alt: License: LGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/17.0/auth_api_key_server_env
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_api_key_server_env
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=17.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+Configure api keys via server env.
+
+This can be very useful to avoid mixing your keys between your various
+environments when restoring databases. All you have to do is to add a
+new section to your configuration file according to the following
+convention:
+
+.. code:: ini
+
+   [api_key_<record.tech_name>]
+   key=my_api_key
+
+.. IMPORTANT::
+   This is an alpha version, the data model and design can change at any time without warning.
+   Only for development or testing purpose, do not use in production.
+   `More details on development status <https://odoo-community.org/page/development-status>`_
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_api_key_server_env%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* Camptocamp
+
+Contributors
+------------
+
+-  Simone Orsi <simone.orsi@camptocamp.com>
+-  Florian da Costa <florian.dacosta@akretion.com>
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/17.0/auth_api_key_server_env>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_api_key_server_env/__init__.py b/auth_api_key_server_env/__init__.py
new file mode 100644
index 0000000000..0650744f6b
--- /dev/null
+++ b/auth_api_key_server_env/__init__.py
@@ -0,0 +1 @@
+from . import models
diff --git a/auth_api_key_server_env/__manifest__.py b/auth_api_key_server_env/__manifest__.py
new file mode 100644
index 0000000000..08dccc8b2b
--- /dev/null
+++ b/auth_api_key_server_env/__manifest__.py
@@ -0,0 +1,21 @@
+# Copyright 2021 Camptocamp SA
+# @author: Simone Orsi <simone.orsi@camptocamp.com>
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+{
+    "name": "Auth API key server environment",
+    "summary": """
+Configure api keys via server env.
+
+This can be very useful to avoid mixing your keys between your various
+environments when restoring databases. All you have to do is to add a new
+section to your configuration file according to the following convention:
+    """,
+    "version": "17.0.1.0.0",
+    "development_status": "Alpha",
+    "license": "LGPL-3",
+    "website": "https://github.com/OCA/server-auth",
+    "author": "Camptocamp,Odoo Community Association (OCA)",
+    "depends": ["auth_api_key", "server_environment"],
+    "data": [],
+}
diff --git a/auth_api_key_server_env/i18n/auth_api_key_server_env.pot b/auth_api_key_server_env/i18n/auth_api_key_server_env.pot
new file mode 100644
index 0000000000..d8a75c2c29
--- /dev/null
+++ b/auth_api_key_server_env/i18n/auth_api_key_server_env.pot
@@ -0,0 +1,34 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_api_key_server_env
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 17.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: auth_api_key_server_env
+#: model:ir.model,name:auth_api_key_server_env.model_auth_api_key
+msgid "API Key"
+msgstr ""
+
+#. module: auth_api_key_server_env
+#: model:ir.model.fields,field_description:auth_api_key_server_env.field_auth_api_key__server_env_defaults
+msgid "Server Env Defaults"
+msgstr ""
+
+#. module: auth_api_key_server_env
+#: model:ir.model.fields,field_description:auth_api_key_server_env.field_auth_api_key__tech_name
+msgid "Tech Name"
+msgstr ""
+
+#. module: auth_api_key_server_env
+#: model:ir.model.fields,help:auth_api_key_server_env.field_auth_api_key__tech_name
+msgid "Unique name for technical purposes. Eg: server env keys."
+msgstr ""
diff --git a/auth_api_key_server_env/i18n/it.po b/auth_api_key_server_env/i18n/it.po
new file mode 100644
index 0000000000..81dba352b5
--- /dev/null
+++ b/auth_api_key_server_env/i18n/it.po
@@ -0,0 +1,37 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_api_key_server_env
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 17.0\n"
+"Report-Msgid-Bugs-To: \n"
+"PO-Revision-Date: 2024-02-04 22:36+0000\n"
+"Last-Translator: mymage <stefano.consolaro@mymage.it>\n"
+"Language-Team: none\n"
+"Language: it\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 4.17\n"
+
+#. module: auth_api_key_server_env
+#: model:ir.model,name:auth_api_key_server_env.model_auth_api_key
+msgid "API Key"
+msgstr "Chiave API"
+
+#. module: auth_api_key_server_env
+#: model:ir.model.fields,field_description:auth_api_key_server_env.field_auth_api_key__server_env_defaults
+msgid "Server Env Defaults"
+msgstr "Server ambiente predefinito"
+
+#. module: auth_api_key_server_env
+#: model:ir.model.fields,field_description:auth_api_key_server_env.field_auth_api_key__tech_name
+msgid "Tech Name"
+msgstr "Nome tecnico"
+
+#. module: auth_api_key_server_env
+#: model:ir.model.fields,help:auth_api_key_server_env.field_auth_api_key__tech_name
+msgid "Unique name for technical purposes. Eg: server env keys."
+msgstr "Nome univoco per motivi tecnici. Es: chiavi server ambiente."
diff --git a/auth_api_key_server_env/models/__init__.py b/auth_api_key_server_env/models/__init__.py
new file mode 100644
index 0000000000..6dfe3f790b
--- /dev/null
+++ b/auth_api_key_server_env/models/__init__.py
@@ -0,0 +1 @@
+from . import auth_api_key
diff --git a/auth_api_key_server_env/models/auth_api_key.py b/auth_api_key_server_env/models/auth_api_key.py
new file mode 100644
index 0000000000..64db93d4e8
--- /dev/null
+++ b/auth_api_key_server_env/models/auth_api_key.py
@@ -0,0 +1,29 @@
+# Copyright 2018 ACSONE SA/NV
+# Copyright 2021 Camptocamp SA
+# @author: Simone Orsi <simone.orsi@camptocamp.com>
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+
+
+from odoo import models
+
+
+class AuthApiKey(models.Model):
+    _name = "auth.api.key"
+    _inherit = ["auth.api.key", "server.env.techname.mixin", "server.env.mixin"]
+
+    def _server_env_section_name(self):
+        """Name of the section in the configuration files
+        We override the default implementation to keep the compatibility
+        with the previous implementation of auth_api_key. The section name
+        into the configuration file must be formatted as
+            'api_key_{name}'
+        """
+        self.ensure_one()
+        return f"api_key_{getattr(self, self._server_env_section_name_field)}"
+
+    @property
+    def _server_env_fields(self):
+        base_fields = super()._server_env_fields
+        api_key_fields = {"key": {}}
+        api_key_fields.update(base_fields)
+        return api_key_fields
diff --git a/auth_api_key_server_env/pyproject.toml b/auth_api_key_server_env/pyproject.toml
new file mode 100644
index 0000000000..4231d0cccb
--- /dev/null
+++ b/auth_api_key_server_env/pyproject.toml
@@ -0,0 +1,3 @@
+[build-system]
+requires = ["whool"]
+build-backend = "whool.buildapi"
diff --git a/auth_api_key_server_env/readme/CONTRIBUTORS.md b/auth_api_key_server_env/readme/CONTRIBUTORS.md
new file mode 100644
index 0000000000..ce82e0f8d5
--- /dev/null
+++ b/auth_api_key_server_env/readme/CONTRIBUTORS.md
@@ -0,0 +1,2 @@
+- Simone Orsi \<<simone.orsi@camptocamp.com>\>
+- Florian da Costa \<<florian.dacosta@akretion.com>\>
diff --git a/auth_api_key_server_env/readme/DESCRIPTION.md b/auth_api_key_server_env/readme/DESCRIPTION.md
new file mode 100644
index 0000000000..fd3f7ddf12
--- /dev/null
+++ b/auth_api_key_server_env/readme/DESCRIPTION.md
@@ -0,0 +1,11 @@
+Configure api keys via server env.
+
+This can be very useful to avoid mixing your keys between your various
+environments when restoring databases. All you have to do is to add a
+new section to your configuration file according to the following
+convention:
+
+``` ini
+[api_key_<record.tech_name>]
+key=my_api_key
+```
diff --git a/auth_api_key_server_env/static/description/icon.png b/auth_api_key_server_env/static/description/icon.png
new file mode 100644
index 0000000000..3a0328b516
Binary files /dev/null and b/auth_api_key_server_env/static/description/icon.png differ
diff --git a/auth_api_key_server_env/static/description/index.html b/auth_api_key_server_env/static/description/index.html
new file mode 100644
index 0000000000..5799d109dd
--- /dev/null
+++ b/auth_api_key_server_env/static/description/index.html
@@ -0,0 +1,435 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
+<title>Auth API key server environment</title>
+<style type="text/css">
+
+/*
+:Author: David Goodger (goodger@python.org)
+:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $
+:Copyright: This stylesheet has been placed in the public domain.
+
+Default cascading style sheet for the HTML output of Docutils.
+
+See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
+customize this style sheet.
+*/
+
+/* used to remove borders from tables and images */
+.borderless, table.borderless td, table.borderless th {
+  border: 0 }
+
+table.borderless td, table.borderless th {
+  /* Override padding for "table.docutils td" with "! important".
+     The right padding separates the table cells. */
+  padding: 0 0.5em 0 0 ! important }
+
+.first {
+  /* Override more specific margin styles with "! important". */
+  margin-top: 0 ! important }
+
+.last, .with-subtitle {
+  margin-bottom: 0 ! important }
+
+.hidden {
+  display: none }
+
+.subscript {
+  vertical-align: sub;
+  font-size: smaller }
+
+.superscript {
+  vertical-align: super;
+  font-size: smaller }
+
+a.toc-backref {
+  text-decoration: none ;
+  color: black }
+
+blockquote.epigraph {
+  margin: 2em 5em ; }
+
+dl.docutils dd {
+  margin-bottom: 0.5em }
+
+object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
+  overflow: hidden;
+}
+
+/* Uncomment (and remove this text!) to get bold-faced definition list terms
+dl.docutils dt {
+  font-weight: bold }
+*/
+
+div.abstract {
+  margin: 2em 5em }
+
+div.abstract p.topic-title {
+  font-weight: bold ;
+  text-align: center }
+
+div.admonition, div.attention, div.caution, div.danger, div.error,
+div.hint, div.important, div.note, div.tip, div.warning {
+  margin: 2em ;
+  border: medium outset ;
+  padding: 1em }
+
+div.admonition p.admonition-title, div.hint p.admonition-title,
+div.important p.admonition-title, div.note p.admonition-title,
+div.tip p.admonition-title {
+  font-weight: bold ;
+  font-family: sans-serif }
+
+div.attention p.admonition-title, div.caution p.admonition-title,
+div.danger p.admonition-title, div.error p.admonition-title,
+div.warning p.admonition-title, .code .error {
+  color: red ;
+  font-weight: bold ;
+  font-family: sans-serif }
+
+/* Uncomment (and remove this text!) to get reduced vertical space in
+   compound paragraphs.
+div.compound .compound-first, div.compound .compound-middle {
+  margin-bottom: 0.5em }
+
+div.compound .compound-last, div.compound .compound-middle {
+  margin-top: 0.5em }
+*/
+
+div.dedication {
+  margin: 2em 5em ;
+  text-align: center ;
+  font-style: italic }
+
+div.dedication p.topic-title {
+  font-weight: bold ;
+  font-style: normal }
+
+div.figure {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+div.footer, div.header {
+  clear: both;
+  font-size: smaller }
+
+div.line-block {
+  display: block ;
+  margin-top: 1em ;
+  margin-bottom: 1em }
+
+div.line-block div.line-block {
+  margin-top: 0 ;
+  margin-bottom: 0 ;
+  margin-left: 1.5em }
+
+div.sidebar {
+  margin: 0 0 0.5em 1em ;
+  border: medium outset ;
+  padding: 1em ;
+  background-color: #ffffee ;
+  width: 40% ;
+  float: right ;
+  clear: right }
+
+div.sidebar p.rubric {
+  font-family: sans-serif ;
+  font-size: medium }
+
+div.system-messages {
+  margin: 5em }
+
+div.system-messages h1 {
+  color: red }
+
+div.system-message {
+  border: medium outset ;
+  padding: 1em }
+
+div.system-message p.system-message-title {
+  color: red ;
+  font-weight: bold }
+
+div.topic {
+  margin: 2em }
+
+h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
+h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
+  margin-top: 0.4em }
+
+h1.title {
+  text-align: center }
+
+h2.subtitle {
+  text-align: center }
+
+hr.docutils {
+  width: 75% }
+
+img.align-left, .figure.align-left, object.align-left, table.align-left {
+  clear: left ;
+  float: left ;
+  margin-right: 1em }
+
+img.align-right, .figure.align-right, object.align-right, table.align-right {
+  clear: right ;
+  float: right ;
+  margin-left: 1em }
+
+img.align-center, .figure.align-center, object.align-center {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+table.align-center {
+  margin-left: auto;
+  margin-right: auto;
+}
+
+.align-left {
+  text-align: left }
+
+.align-center {
+  clear: both ;
+  text-align: center }
+
+.align-right {
+  text-align: right }
+
+/* reset inner alignment in figures */
+div.align-right {
+  text-align: inherit }
+
+/* div.align-center * { */
+/*   text-align: left } */
+
+.align-top    {
+  vertical-align: top }
+
+.align-middle {
+  vertical-align: middle }
+
+.align-bottom {
+  vertical-align: bottom }
+
+ol.simple, ul.simple {
+  margin-bottom: 1em }
+
+ol.arabic {
+  list-style: decimal }
+
+ol.loweralpha {
+  list-style: lower-alpha }
+
+ol.upperalpha {
+  list-style: upper-alpha }
+
+ol.lowerroman {
+  list-style: lower-roman }
+
+ol.upperroman {
+  list-style: upper-roman }
+
+p.attribution {
+  text-align: right ;
+  margin-left: 50% }
+
+p.caption {
+  font-style: italic }
+
+p.credits {
+  font-style: italic ;
+  font-size: smaller }
+
+p.label {
+  white-space: nowrap }
+
+p.rubric {
+  font-weight: bold ;
+  font-size: larger ;
+  color: maroon ;
+  text-align: center }
+
+p.sidebar-title {
+  font-family: sans-serif ;
+  font-weight: bold ;
+  font-size: larger }
+
+p.sidebar-subtitle {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+p.topic-title {
+  font-weight: bold }
+
+pre.address {
+  margin-bottom: 0 ;
+  margin-top: 0 ;
+  font: inherit }
+
+pre.literal-block, pre.doctest-block, pre.math, pre.code {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+pre.code .ln { color: grey; } /* line numbers */
+pre.code, code { background-color: #eeeeee }
+pre.code .comment, code .comment { color: #5C6576 }
+pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
+pre.code .literal.string, code .literal.string { color: #0C5404 }
+pre.code .name.builtin, code .name.builtin { color: #352B84 }
+pre.code .deleted, code .deleted { background-color: #DEB0A1}
+pre.code .inserted, code .inserted { background-color: #A3D289}
+
+span.classifier {
+  font-family: sans-serif ;
+  font-style: oblique }
+
+span.classifier-delimiter {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+span.interpreted {
+  font-family: sans-serif }
+
+span.option {
+  white-space: nowrap }
+
+span.pre {
+  white-space: pre }
+
+span.problematic {
+  color: red }
+
+span.section-subtitle {
+  /* font-size relative to parent (h1..h6 element) */
+  font-size: 80% }
+
+table.citation {
+  border-left: solid 1px gray;
+  margin-left: 1px }
+
+table.docinfo {
+  margin: 2em 4em }
+
+table.docutils {
+  margin-top: 0.5em ;
+  margin-bottom: 0.5em }
+
+table.footnote {
+  border-left: solid 1px black;
+  margin-left: 1px }
+
+table.docutils td, table.docutils th,
+table.docinfo td, table.docinfo th {
+  padding-left: 0.5em ;
+  padding-right: 0.5em ;
+  vertical-align: top }
+
+table.docutils th.field-name, table.docinfo th.docinfo-name {
+  font-weight: bold ;
+  text-align: left ;
+  white-space: nowrap ;
+  padding-left: 0 }
+
+/* "booktabs" style (no vertical lines) */
+table.docutils.booktabs {
+  border: 0px;
+  border-top: 2px solid;
+  border-bottom: 2px solid;
+  border-collapse: collapse;
+}
+table.docutils.booktabs * {
+  border: 0px;
+}
+table.docutils.booktabs th {
+  border-bottom: thin solid;
+  text-align: left;
+}
+
+h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
+h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
+  font-size: 100% }
+
+ul.auto-toc {
+  list-style-type: none }
+
+</style>
+</head>
+<body>
+<div class="document" id="auth-api-key-server-environment">
+<h1 class="title">Auth API key server environment</h1>
+
+<!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! This file is generated by oca-gen-addon-readme !!
+!! changes will be overwritten.                   !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! source digest: sha256:e6609698db2b7ba4cab3f9aa8cfca5e51a1418bbf74c8bd802b9bce9be8c54a9
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Alpha" src="https://img.shields.io/badge/maturity-Alpha-red.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/lgpl-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-LGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/17.0/auth_api_key_server_env"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_api_key_server_env"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=17.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
+<p>Configure api keys via server env.</p>
+<p>This can be very useful to avoid mixing your keys between your various
+environments when restoring databases. All you have to do is to add a
+new section to your configuration file according to the following
+convention:</p>
+<pre class="code ini literal-block">
+<span class="k">[api_key_&lt;record.tech_name&gt;]</span><span class="w">
+</span><span class="na">key</span><span class="o">=</span><span class="s">my_api_key</span>
+</pre>
+<div class="admonition important">
+<p class="first admonition-title">Important</p>
+<p class="last">This is an alpha version, the data model and design can change at any time without warning.
+Only for development or testing purpose, do not use in production.
+<a class="reference external" href="https://odoo-community.org/page/development-status">More details on development status</a></p>
+</div>
+<p><strong>Table of contents</strong></p>
+<div class="contents local topic" id="contents">
+<ul class="simple">
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-1">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-2">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="toc-entry-3">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="toc-entry-4">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="toc-entry-5">Maintainers</a></li>
+</ul>
+</li>
+</ul>
+</div>
+<div class="section" id="bug-tracker">
+<h1><a class="toc-backref" href="#toc-entry-1">Bug Tracker</a></h1>
+<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_api_key_server_env%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<p>Do not contact contributors directly about support or help with technical issues.</p>
+</div>
+<div class="section" id="credits">
+<h1><a class="toc-backref" href="#toc-entry-2">Credits</a></h1>
+<div class="section" id="authors">
+<h2><a class="toc-backref" href="#toc-entry-3">Authors</a></h2>
+<ul class="simple">
+<li>Camptocamp</li>
+</ul>
+</div>
+<div class="section" id="contributors">
+<h2><a class="toc-backref" href="#toc-entry-4">Contributors</a></h2>
+<ul class="simple">
+<li>Simone Orsi &lt;<a class="reference external" href="mailto:simone.orsi&#64;camptocamp.com">simone.orsi&#64;camptocamp.com</a>&gt;</li>
+<li>Florian da Costa &lt;<a class="reference external" href="mailto:florian.dacosta&#64;akretion.com">florian.dacosta&#64;akretion.com</a>&gt;</li>
+</ul>
+</div>
+<div class="section" id="maintainers">
+<h2><a class="toc-backref" href="#toc-entry-5">Maintainers</a></h2>
+<p>This module is maintained by the OCA.</p>
+<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
+<p>OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.</p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/17.0/auth_api_key_server_env">OCA/server-auth</a> project on GitHub.</p>
+<p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
+</div>
+</div>
+</div>
+</body>
+</html>
diff --git a/auth_api_key_server_env/tests/__init__.py b/auth_api_key_server_env/tests/__init__.py
new file mode 100644
index 0000000000..56e3e32a3a
--- /dev/null
+++ b/auth_api_key_server_env/tests/__init__.py
@@ -0,0 +1 @@
+from . import test_auth_api_key
diff --git a/auth_api_key_server_env/tests/test_auth_api_key.py b/auth_api_key_server_env/tests/test_auth_api_key.py
new file mode 100644
index 0000000000..1444349a79
--- /dev/null
+++ b/auth_api_key_server_env/tests/test_auth_api_key.py
@@ -0,0 +1,37 @@
+# Copyright 2018 ACSONE SA/NV
+# Copyright 2021 Camptocamp SA
+# @author: Simone Orsi <simone.orsi@camptocamp.com>
+# License LGPL-3.0 or later (http://www.gnu.org/licenses/lgpl).
+from odoo.exceptions import ValidationError
+from odoo.tests.common import TransactionCase
+
+from odoo.addons.server_environment import serv_config
+
+
+class TestAuthApiKey(TransactionCase):
+    @classmethod
+    def setUpClass(cls, *args, **kwargs):
+        super().setUpClass(*args, **kwargs)
+        cls.AuthApiKey = cls.env["auth.api.key"]
+        cls.demo_user = cls.env.ref("base.user_demo")
+        cls.api_key_from_env = cls.AuthApiKey.create(
+            {
+                "name": "From Env",
+                "key": "dummy",
+                "user_id": cls.demo_user.id,
+                "tech_name": "test_env",
+            }
+        )
+        cls.api_key_from_env.invalidate_recordset()
+        serv_config.add_section("api_key_test_env")
+        serv_config.set("api_key_test_env", "key", "api_key_from_env")
+
+    def test_lookup_key_from_env(self):
+        self.assertEqual(
+            self.env["auth.api.key"]._retrieve_uid_from_api_key("api_key_from_env"),
+            self.demo_user.id,
+        )
+        with self.assertRaises(ValidationError):
+            # dummy key must be replace with the one from env and
+            # therefore should be unusable
+            self.env["auth.api.key"]._retrieve_uid_from_api_key("dummy")
diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
new file mode 100644
index 0000000000..837cc8704b
--- /dev/null
+++ b/auth_oidc/README.rst
@@ -0,0 +1,242 @@
+=============================
+Authentication OpenID Connect
+=============================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:e65c1c978ca0266a8e54f8121675cbf710359cf407413e35518f670be9c9753f
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/17.0/auth_oidc
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oidc
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=17.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module allows users to login through an OpenID Connect provider
+using the authorization code flow or implicit flow.
+
+Note the implicit flow is not recommended because it exposes access
+tokens to the browser and in http logs.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Installation
+============
+
+This module depends on the
+`python-jose <https://pypi.org/project/python-jose/>`__ library, not to
+be confused with ``jose`` which is also available on PyPI.
+
+Configuration
+=============
+
+Setup for Microsoft Azure
+-------------------------
+
+Example configuration with OpenID Connect authorization code flow.
+
+1. configure a new web application in Azure with OpenID and code flow
+   (see the `provider
+   documentation <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider>`__))
+
+2. in this application the redirect url must be be "<url of your
+   server>/auth_oauth/signin" and of course this URL should be reachable
+   from Azure
+
+3. create a new authentication provider in Odoo with the following
+   parameters (see the `portal
+   documentation <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings>`__
+   for more information):
+
+|image|
+
+|image1|
+
+Single tenant provider limits the access to user of your tenant, while
+Multitenants allow access for all AzureAD users, so user of foreign
+companies can use their AzureAD login without an guest account.
+
+-  Provider Name: Azure AD Single Tenant
+-  Client ID: Application (client) id
+-  Client Secret: Client secret
+-  Allowed: yes
+
+or
+
+-  Provider Name: Azure AD Multitenant
+-  Client ID: Application (client) id
+-  Client Secret: Client secret
+-  Allowed: yes
+-  replace {tenant_id} in urls with your Azure tenant id
+
+|image2|
+
+Setup for Keycloak
+------------------
+
+Example configuration with OpenID Connect authorization code flow.
+
+In Keycloak:
+
+1. configure a new Client
+2. make sure Authorization Code Flow is Enabled.
+3. configure the client Access Type as "confidential" and take note of
+   the client secret in the Credentials tab
+4. configure the redirect url to be "<url of your
+   server>/auth_oauth/signin"
+
+In Odoo, create a new Oauth Provider with the following parameters:
+
+-  Provider name: Keycloak (or any name you like that identify your
+   keycloak provider)
+-  Auth Flow: OpenID Connect (authorization code flow)
+-  Client ID: the same Client ID you entered when configuring the client
+   in Keycloak
+-  Client Secret: found in keycloak on the client Credentials tab
+-  Allowed: yes
+-  Body: the link text to appear on the login page, such as Login with
+   Keycloak
+-  Scope: openid email
+-  Authentication URL: The "authorization_endpoint" URL found in the
+   OpenID Endpoint Configuration of your Keycloak realm
+-  Token URL: The "token_endpoint" URL found in the OpenID Endpoint
+   Configuration of your Keycloak realm
+-  JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
+   Configuration of your Keycloak realm
+
+.. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
+.. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
+.. |image2| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png
+
+Usage
+=====
+
+On the login page, click on the authentication provider you configured.
+
+Known issues / Roadmap
+======================
+
+-  When going to the login screen, check for a existing token and do a
+   direct login without the clicking on the SSO link
+-  When doing a logout an extra option to also logout at the SSO
+   provider.
+
+Changelog
+=========
+
+17.0.1.0.0 2024-03-20
+---------------------
+
+-  Odoo 17 migration
+
+16.0.1.1.0 2024-02-28
+---------------------
+
+-  Forward port OpenID Connect fixes from 15.0 to 16.0
+
+16.0.1.0.2 2023-11-16
+---------------------
+
+-  Readme link updates
+
+16.0.1.0.1 2023-10-09
+---------------------
+
+-  Add AzureAD code flow provider
+
+16.0.1.0.0 2023-01-27
+---------------------
+
+-  Odoo 16 migration
+
+15.0.1.0.0 2023-01-06
+---------------------
+
+-  Odoo 15 migration
+
+14.0.1.0.0 2021-12-10
+---------------------
+
+-  Odoo 14 migration
+
+13.0.1.0.0 2020-04-10
+---------------------
+
+-  Odoo 13 migration, add authorization code flow.
+
+10.0.1.0.0 2018-10-05
+---------------------
+
+-  Initial implementation
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* ICTSTUDIO
+* André Schenkels
+* ACSONE SA/NV
+
+Contributors
+------------
+
+-  Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
+-  Stéphane Bidoul <stephane.bidoul@acsone.eu>
+-  David Jaen <david.jaen.revert@gmail.com>
+-  Andreas Perhab <andreas.perhab@wt-io-it.at>
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+.. |maintainer-sbidoul| image:: https://github.com/sbidoul.png?size=40px
+    :target: https://github.com/sbidoul
+    :alt: sbidoul
+
+Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-sbidoul| 
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/17.0/auth_oidc>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_oidc/__init__.py b/auth_oidc/__init__.py
new file mode 100644
index 0000000000..8b36099f76
--- /dev/null
+++ b/auth_oidc/__init__.py
@@ -0,0 +1,5 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import controllers
+from . import models
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
new file mode 100644
index 0000000000..5e046a73f3
--- /dev/null
+++ b/auth_oidc/__manifest__.py
@@ -0,0 +1,21 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+{
+    "name": "Authentication OpenID Connect",
+    "version": "17.0.1.0.0",
+    "license": "AGPL-3",
+    "author": (
+        "ICTSTUDIO, André Schenkels, "
+        "ACSONE SA/NV, "
+        "Odoo Community Association (OCA)"
+    ),
+    "maintainers": ["sbidoul"],
+    "website": "https://github.com/OCA/server-auth",
+    "summary": "Allow users to login through OpenID Connect Provider",
+    "external_dependencies": {"python": ["python-jose"]},
+    "depends": ["auth_oauth"],
+    "data": ["views/auth_oauth_provider.xml", "data/auth_oauth_data.xml"],
+    "demo": ["demo/local_keycloak.xml"],
+}
diff --git a/auth_oidc/controllers/__init__.py b/auth_oidc/controllers/__init__.py
new file mode 100644
index 0000000000..eaa83817e9
--- /dev/null
+++ b/auth_oidc/controllers/__init__.py
@@ -0,0 +1,4 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import main
diff --git a/auth_oidc/controllers/main.py b/auth_oidc/controllers/main.py
new file mode 100644
index 0000000000..2104a6cca0
--- /dev/null
+++ b/auth_oidc/controllers/main.py
@@ -0,0 +1,50 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import base64
+import hashlib
+import logging
+import secrets
+
+from werkzeug.urls import url_decode, url_encode
+
+from odoo.addons.auth_oauth.controllers.main import OAuthLogin
+
+_logger = logging.getLogger(__name__)
+
+
+class OpenIDLogin(OAuthLogin):
+    def list_providers(self):
+        providers = super().list_providers()
+        for provider in providers:
+            flow = provider.get("flow")
+            if flow in ("id_token", "id_token_code"):
+                params = url_decode(provider["auth_link"].split("?")[-1])
+                # nonce
+                params["nonce"] = secrets.token_urlsafe()
+                # response_type
+                if flow == "id_token":
+                    # https://openid.net/specs/openid-connect-core-1_0.html
+                    # #ImplicitAuthRequest
+                    params["response_type"] = "id_token token"
+                elif flow == "id_token_code":
+                    # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+                    params["response_type"] = "code"
+                # PKCE (https://tools.ietf.org/html/rfc7636)
+                code_verifier = provider["code_verifier"]
+                code_challenge = base64.urlsafe_b64encode(
+                    hashlib.sha256(code_verifier.encode("ascii")).digest()
+                ).rstrip(b"=")
+                params["code_challenge"] = code_challenge
+                params["code_challenge_method"] = "S256"
+                # scope
+                if provider.get("scope"):
+                    if "openid" not in provider["scope"].split():
+                        _logger.error("openid connect scope must contain 'openid'")
+                    params["scope"] = provider["scope"]
+                # auth link that the user will click
+                provider["auth_link"] = "{}?{}".format(
+                    provider["auth_endpoint"], url_encode(params)
+                )
+        return providers
diff --git a/auth_oidc/data/auth_oauth_data.xml b/auth_oidc/data/auth_oauth_data.xml
new file mode 100644
index 0000000000..bdeea59a5c
--- /dev/null
+++ b/auth_oidc/data/auth_oauth_data.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<odoo noupdate="1">
+    <record id="provider_azuread_multi" model="auth.oauth.provider">
+        <field name="name">Azure AD Multitenant</field>
+        <field name="flow">id_token_code</field>
+        <field name="enabled">False</field>
+        <field name="token_map">upn:user_id upn:email</field>
+        <field
+            name="auth_endpoint"
+        >https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize</field>
+        <field name="scope">profile openid</field>
+        <field
+            name="token_endpoint"
+        >https://login.microsoftonline.com/organizations/oauth2/v2.0/token</field>
+        <field
+            name="jwks_uri"
+        >https://login.microsoftonline.com/organizations/discovery/v2.0/keys</field>
+        <field name="css_class">fa fa-fw fa-windows</field>
+        <field name="body">Log in with Microsoft</field>
+    </record>
+    <record id="provider_azuread_single" model="auth.oauth.provider">
+        <field name="name">Azure AD Single Tenant</field>
+        <field name="flow">id_token_code</field>
+        <field name="enabled">False</field>
+        <field name="token_map">upn:user_id upn:email</field>
+        <field
+            name="auth_endpoint"
+        >https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize</field>
+        <field name="scope">profile openid</field>
+        <field
+            name="token_endpoint"
+        >https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token</field>
+        <field
+            name="jwks_uri"
+        >https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys</field>
+        <field name="css_class">fa fa-fw fa-windows</field>
+        <field name="body">Log in with Microsoft</field>
+    </record>
+</odoo>
diff --git a/auth_oidc/demo/local_keycloak.xml b/auth_oidc/demo/local_keycloak.xml
new file mode 100644
index 0000000000..919754db99
--- /dev/null
+++ b/auth_oidc/demo/local_keycloak.xml
@@ -0,0 +1,20 @@
+<odoo>
+    <record id="local_keycloak" model="auth.oauth.provider">
+        <field name="name">keycloak:8080 on localhost</field>
+        <field name="flow">id_token_code</field>
+        <field name="client_id">auth_oidc-test</field>
+        <field name="token_map">preferred_username:user_id</field>
+        <field name="body">keycloak:8080 on localhost</field>
+        <field name="enabled" eval="True" />
+        <field name="scope">openid email</field>
+        <field
+            name="auth_endpoint"
+        >http://localhost:8080/auth/realms/master/protocol/openid-connect/auth</field>
+        <field
+            name="token_endpoint"
+        >http://localhost:8080/auth/realms/master/protocol/openid-connect/token</field>
+        <field
+            name="jwks_uri"
+        >http://localhost:8080/auth/realms/master/protocol/openid-connect/certs</field>
+    </record>
+</odoo>
diff --git a/auth_oidc/i18n/auth_oidc.pot b/auth_oidc/i18n/auth_oidc.pot
new file mode 100644
index 0000000000..630ac018ee
--- /dev/null
+++ b/auth_oidc/i18n/auth_oidc.pot
@@ -0,0 +1,119 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_oidc
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 17.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
+msgid "Auth Flow"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
+msgid "Client Secret"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Code Verifier"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "JWKS URL"
+msgstr ""
+
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
+msgid "Log in with Microsoft"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
+msgid "OAuth2"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_auth_oauth_provider
+msgid "OAuth2 provider"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
+msgid "OpenID Connect (authorization code flow)"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
+msgid "OpenID Connect (implicit flow, not recommended)"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Required for OpenID Connect authorization code flow."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "Required for OpenID Connect."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
+msgid ""
+"Some Oauth providers don't map keys in their responses exactly as required."
+"  It is important to ensure user_id and email at least are mapped. For "
+"OpenID Connect user_id is the sub key in the standard."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
+msgid "Token Map"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Token URL"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Used for PKCE."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
+msgid ""
+"Used in OpenID Connect authorization code flow for confidential clients."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_res_users
+msgid "User"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
+msgid "UserInfo URL"
+msgstr ""
+
+#. module: auth_oidc
+#: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
+msgid "e.g from:to upn:email sub:user_id"
+msgstr ""
+
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.local_keycloak
+msgid "keycloak:8080 on localhost"
+msgstr ""
diff --git a/auth_oidc/i18n/es.po b/auth_oidc/i18n/es.po
new file mode 100644
index 0000000000..6cda9344b2
--- /dev/null
+++ b/auth_oidc/i18n/es.po
@@ -0,0 +1,128 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_oidc
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 16.0\n"
+"Report-Msgid-Bugs-To: \n"
+"PO-Revision-Date: 2023-10-15 19:36+0000\n"
+"Last-Translator: Ivorra78 <informatica@totmaterial.es>\n"
+"Language-Team: none\n"
+"Language: es\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 4.17\n"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
+msgid "Auth Flow"
+msgstr "Flujo de autenticación"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
+msgid "Client Secret"
+msgstr "Secreto del cliente"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Code Verifier"
+msgstr "Verificador del código"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "JWKS URL"
+msgstr "URL JWKS"
+
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
+msgid "Log in with Microsoft"
+msgstr "Iniciar sesión con Microsoft"
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
+msgid "OAuth2"
+msgstr "OAuth2"
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_auth_oauth_provider
+msgid "OAuth2 provider"
+msgstr "Proveedor OAuth2"
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
+msgid "OpenID Connect (authorization code flow)"
+msgstr "OpenID Connect (flujo de código de autorización)"
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
+msgid "OpenID Connect (implicit flow, not recommended)"
+msgstr "OpenID Connect (flujo implícito, no recomendado)"
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Required for OpenID Connect authorization code flow."
+msgstr "Necesario para el flujo de código de autorización de OpenID Connect."
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "Required for OpenID Connect."
+msgstr "Requerido para OpenID Connect."
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
+msgid ""
+"Some Oauth providers don't map keys in their responses exactly as required.  "
+"It is important to ensure user_id and email at least are mapped. For OpenID "
+"Connect user_id is the sub key in the standard."
+msgstr ""
+"Algunos proveedores de Oauth no mapean las claves en sus respuestas "
+"exactamente como se requiere.  Es importante asegurarse de que al menos "
+"user_id y email están mapeados. Para OpenID Connect user_id es la subclave "
+"en el estándar."
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
+msgid "Token Map"
+msgstr "Mapa de Símbolos"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Token URL"
+msgstr "URL de la ficha"
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Used for PKCE."
+msgstr "Utilizado para PKCE."
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
+msgid ""
+"Used in OpenID Connect authorization code flow for confidential clients."
+msgstr ""
+"Se utiliza en el flujo de código de autorización de OpenID Connect para "
+"clientes confidenciales."
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_res_users
+msgid "User"
+msgstr "Usuario"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
+msgid "UserInfo URL"
+msgstr "URL de información del usuario"
+
+#. module: auth_oidc
+#: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
+msgid "e.g from:to upn:email sub:user_id"
+msgstr "p.ej. from:to upn:email sub:user_id"
+
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.local_keycloak
+msgid "keycloak:8080 on localhost"
+msgstr "keycloak:8080 en el servidor local"
diff --git a/auth_oidc/i18n/it.po b/auth_oidc/i18n/it.po
new file mode 100644
index 0000000000..e4f38a45a8
--- /dev/null
+++ b/auth_oidc/i18n/it.po
@@ -0,0 +1,127 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_oidc
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 16.0\n"
+"Report-Msgid-Bugs-To: \n"
+"PO-Revision-Date: 2024-01-05 10:34+0000\n"
+"Last-Translator: mymage <stefano.consolaro@mymage.it>\n"
+"Language-Team: none\n"
+"Language: it\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 4.17\n"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
+msgid "Auth Flow"
+msgstr "Flusso atorizzazione"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
+msgid "Client Secret"
+msgstr "Chiave segreta client"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Code Verifier"
+msgstr "Verificatore codice"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "JWKS URL"
+msgstr "URL JWKS"
+
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
+msgid "Log in with Microsoft"
+msgstr "Accedi con Mcrosoft"
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
+msgid "OAuth2"
+msgstr "OAuth2"
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_auth_oauth_provider
+msgid "OAuth2 provider"
+msgstr "Provider OAuth2"
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
+msgid "OpenID Connect (authorization code flow)"
+msgstr "OpenID Connect (flusso codice autorizzazione)"
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
+msgid "OpenID Connect (implicit flow, not recommended)"
+msgstr "OpenID Connect (flusso implicito, non raccomandato)"
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Required for OpenID Connect authorization code flow."
+msgstr "Richiesto per flusso codice atorizzazione OpenID Connect."
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "Required for OpenID Connect."
+msgstr "Richiesto per OpenID Connect."
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
+msgid ""
+"Some Oauth providers don't map keys in their responses exactly as required."
+"  It is important to ensure user_id and email at least are mapped. For "
+"OpenID Connect user_id is the sub key in the standard."
+msgstr ""
+"Alcuni Provider Oauth non mappano le chiavi nelle loro risposte esattamente "
+"come richiesto.   È importante assicurare che almeno user_id ed e-mail siano "
+"mappati. Per OpenID Connect user_id è la sotto-chiave nello standard."
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
+msgid "Token Map"
+msgstr "Mappa token"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Token URL"
+msgstr "URL token"
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Used for PKCE."
+msgstr "Utilizzato per PKCE."
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
+msgid ""
+"Used in OpenID Connect authorization code flow for confidential clients."
+msgstr ""
+"Utilizzato nel flusso codice autorizzazione OpenID Connect per client "
+"riservati."
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_res_users
+msgid "User"
+msgstr "Utente"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
+msgid "UserInfo URL"
+msgstr "URL info utente"
+
+#. module: auth_oidc
+#: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
+msgid "e.g from:to upn:email sub:user_id"
+msgstr "es. from:to upn:email sub:user_id"
+
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.local_keycloak
+msgid "keycloak:8080 on localhost"
+msgstr "keycloak:8080 su localhost"
diff --git a/auth_oidc/models/__init__.py b/auth_oidc/models/__init__.py
new file mode 100644
index 0000000000..ebc8e5bfda
--- /dev/null
+++ b/auth_oidc/models/__init__.py
@@ -0,0 +1,5 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import auth_oauth_provider
+from . import res_users
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
new file mode 100644
index 0000000000..ac498a7cdb
--- /dev/null
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -0,0 +1,106 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import logging
+import secrets
+
+import requests
+
+from odoo import fields, models, tools
+
+try:
+    from jose import jwt
+    from jose.exceptions import JWSError, JWTError
+except ImportError:
+    logging.getLogger(__name__).debug("jose library not installed")
+
+
+class AuthOauthProvider(models.Model):
+    _inherit = "auth.oauth.provider"
+
+    flow = fields.Selection(
+        [
+            ("access_token", "OAuth2"),
+            ("id_token_code", "OpenID Connect (authorization code flow)"),
+            ("id_token", "OpenID Connect (implicit flow, not recommended)"),
+        ],
+        string="Auth Flow",
+        required=True,
+        default="access_token",
+    )
+    token_map = fields.Char(
+        help="Some Oauth providers don't map keys in their responses "
+        "exactly as required.  It is important to ensure user_id and "
+        "email at least are mapped. For OpenID Connect user_id is "
+        "the sub key in the standard."
+    )
+    client_secret = fields.Char(
+        help="Used in OpenID Connect authorization code flow for confidential clients.",
+    )
+    code_verifier = fields.Char(
+        default=lambda self: secrets.token_urlsafe(32), help="Used for PKCE."
+    )
+    validation_endpoint = fields.Char(required=False)
+    token_endpoint = fields.Char(
+        string="Token URL", help="Required for OpenID Connect authorization code flow."
+    )
+    jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
+
+    @tools.ormcache("self.jwks_uri", "kid")
+    def _get_keys(self, kid):
+        r = requests.get(self.jwks_uri, timeout=10)
+        r.raise_for_status()
+        response = r.json()
+        # the keys returned here should follow
+        # JWS Notes on Key Selection
+        # https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-signature#appendix-D
+        return [
+            key
+            for key in response["keys"]
+            if kid is None or key.get("kid", None) == kid
+        ]
+
+    def _map_token_values(self, res):
+        if self.token_map:
+            for pair in self.token_map.split(" "):
+                from_key, to_key = (k.strip() for k in pair.split(":", 1))
+                if to_key not in res:
+                    res[to_key] = res.get(from_key, "")
+        return res
+
+    def _parse_id_token(self, id_token, access_token):
+        self.ensure_one()
+        res = {}
+        header = jwt.get_unverified_header(id_token)
+        res.update(self._decode_id_token(access_token, id_token, header.get("kid")))
+        res.update(self._map_token_values(res))
+        return res
+
+    def _decode_id_token(self, access_token, id_token, kid):
+        keys = self._get_keys(kid)
+        if len(keys) > 1 and kid is None:
+            # https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.10.1
+            # If there are multiple keys in the referenced JWK Set document, a kid
+            # value MUST be provided in the JOSE Header.
+            raise JWTError(
+                "OpenID Connect requires kid to be set if there is more"
+                " than one key in the JWKS"
+            )
+        error = None
+        # we accept multiple keys with the same kid in case a key gets rotated.
+        for key in keys:
+            try:
+                values = jwt.decode(
+                    id_token,
+                    key,
+                    algorithms=["RS256"],
+                    audience=self.client_id,
+                    access_token=access_token,
+                )
+                return values
+            except (JWTError, JWSError) as e:
+                error = e
+        if error:
+            raise error
+        return {}
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
new file mode 100644
index 0000000000..1684480fa4
--- /dev/null
+++ b/auth_oidc/models/res_users.py
@@ -0,0 +1,82 @@
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import logging
+
+import requests
+
+from odoo import api, models
+from odoo.exceptions import AccessDenied
+from odoo.http import request
+
+_logger = logging.getLogger(__name__)
+
+
+class ResUsers(models.Model):
+    _inherit = "res.users"
+
+    def _auth_oauth_get_tokens_implicit_flow(self, oauth_provider, params):
+        # https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse
+        return params.get("access_token"), params.get("id_token")
+
+    def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
+        # https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
+        code = params.get("code")
+        # https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
+        auth = None
+        if oauth_provider.client_secret:
+            auth = (oauth_provider.client_id, oauth_provider.client_secret)
+        response = requests.post(
+            oauth_provider.token_endpoint,
+            data=dict(
+                client_id=oauth_provider.client_id,
+                grant_type="authorization_code",
+                code=code,
+                code_verifier=oauth_provider.code_verifier,  # PKCE
+                redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
+            ),
+            auth=auth,
+            timeout=10,
+        )
+        response.raise_for_status()
+        response_json = response.json()
+        # https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
+        return response_json.get("access_token"), response_json.get("id_token")
+
+    @api.model
+    def auth_oauth(self, provider, params):
+        oauth_provider = self.env["auth.oauth.provider"].browse(provider)
+        if oauth_provider.flow == "id_token":
+            access_token, id_token = self._auth_oauth_get_tokens_implicit_flow(
+                oauth_provider, params
+            )
+        elif oauth_provider.flow == "id_token_code":
+            access_token, id_token = self._auth_oauth_get_tokens_auth_code_flow(
+                oauth_provider, params
+            )
+        else:
+            return super().auth_oauth(provider, params)
+        if not access_token:
+            _logger.error("No access_token in response.")
+            raise AccessDenied()
+        if not id_token:
+            _logger.error("No id_token in response.")
+            raise AccessDenied()
+        validation = oauth_provider._parse_id_token(id_token, access_token)
+        # required check
+        if "sub" in validation and "user_id" not in validation:
+            # set user_id for auth_oauth, user_id is not an OpenID Connect standard
+            # claim:
+            # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+            validation["user_id"] = validation["sub"]
+        elif not validation.get("user_id"):
+            _logger.error("user_id claim not found in id_token (after mapping).")
+            raise AccessDenied()
+        # retrieve and sign in user
+        params["access_token"] = access_token
+        login = self._auth_oauth_signin(provider, validation, params)
+        if not login:
+            raise AccessDenied()
+        # return user credentials
+        return (self.env.cr.dbname, login, access_token)
diff --git a/auth_oidc/pyproject.toml b/auth_oidc/pyproject.toml
new file mode 100644
index 0000000000..4231d0cccb
--- /dev/null
+++ b/auth_oidc/pyproject.toml
@@ -0,0 +1,3 @@
+[build-system]
+requires = ["whool"]
+build-backend = "whool.buildapi"
diff --git a/auth_oidc/readme/CONFIGURE.md b/auth_oidc/readme/CONFIGURE.md
new file mode 100644
index 0000000000..275e4c0a20
--- /dev/null
+++ b/auth_oidc/readme/CONFIGURE.md
@@ -0,0 +1,72 @@
+## Setup for Microsoft Azure
+
+Example configuration with OpenID Connect authorization code flow.
+
+1. configure a new web application in Azure with OpenID and code flow (see
+the [provider
+documentation](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)))
+
+2. in this application the redirect url must be be "\<url of your
+server\>/auth_oauth/signin" and of course this URL should be reachable
+from Azure
+
+3. create a new authentication provider in Odoo with the following
+parameters (see the [portal
+documentation](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings)
+for more information):
+
+![image](../static/description/oauth-microsoft_azure-api_permissions.png)
+
+![image](../static/description/oauth-microsoft_azure-optional_claims.png)
+
+Single tenant provider limits the access to user of your tenant, while
+Multitenants allow access for all AzureAD users, so user of foreign
+companies can use their AzureAD login without an guest account.
+
+- Provider Name: Azure AD Single Tenant
+- Client ID: Application (client) id
+- Client Secret: Client secret
+- Allowed: yes
+
+or
+
+- Provider Name: Azure AD Multitenant
+- Client ID: Application (client) id
+- Client Secret: Client secret
+- Allowed: yes
+- replace {tenant_id} in urls with your Azure tenant id
+
+![image](../static/description/odoo-azure_ad_multitenant.png)
+
+## Setup for Keycloak
+
+Example configuration with OpenID Connect authorization code flow.
+
+In Keycloak:
+
+1. configure a new Client
+2. make sure Authorization Code Flow is
+Enabled.
+3. configure the client Access Type as "confidential" and take
+note of the client secret in the Credentials tab
+4. configure the
+redirect url to be "\<url of your server\>/auth_oauth/signin"
+
+In Odoo, create a new Oauth Provider with the following parameters:
+
+- Provider name: Keycloak (or any name you like that identify your
+  keycloak provider)
+- Auth Flow: OpenID Connect (authorization code flow)
+- Client ID: the same Client ID you entered when configuring the client
+  in Keycloak
+- Client Secret: found in keycloak on the client Credentials tab
+- Allowed: yes
+- Body: the link text to appear on the login page, such as Login with
+  Keycloak
+- Scope: openid email
+- Authentication URL: The "authorization_endpoint" URL found in the
+  OpenID Endpoint Configuration of your Keycloak realm
+- Token URL: The "token_endpoint" URL found in the OpenID Endpoint
+  Configuration of your Keycloak realm
+- JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
+  Configuration of your Keycloak realm
diff --git a/auth_oidc/readme/CONTRIBUTORS.md b/auth_oidc/readme/CONTRIBUTORS.md
new file mode 100644
index 0000000000..8bdbc1daa2
--- /dev/null
+++ b/auth_oidc/readme/CONTRIBUTORS.md
@@ -0,0 +1,4 @@
+- Alexandre Fayolle \<<alexandre.fayolle@camptocamp.com>\>
+- Stéphane Bidoul \<<stephane.bidoul@acsone.eu>\>
+- David Jaen \<<david.jaen.revert@gmail.com>\>
+- Andreas Perhab \<<andreas.perhab@wt-io-it.at>\>
diff --git a/auth_oidc/readme/DESCRIPTION.md b/auth_oidc/readme/DESCRIPTION.md
new file mode 100644
index 0000000000..3677c8bbaa
--- /dev/null
+++ b/auth_oidc/readme/DESCRIPTION.md
@@ -0,0 +1,5 @@
+This module allows users to login through an OpenID Connect provider
+using the authorization code flow or implicit flow.
+
+Note the implicit flow is not recommended because it exposes access
+tokens to the browser and in http logs.
diff --git a/auth_oidc/readme/HISTORY.md b/auth_oidc/readme/HISTORY.md
new file mode 100644
index 0000000000..3df4dd917b
--- /dev/null
+++ b/auth_oidc/readme/HISTORY.md
@@ -0,0 +1,35 @@
+## 17.0.1.0.0 2024-03-20
+
+- Odoo 17 migration
+
+## 16.0.1.1.0 2024-02-28
+
+- Forward port OpenID Connect fixes from 15.0 to 16.0
+
+## 16.0.1.0.2 2023-11-16
+
+- Readme link updates
+
+## 16.0.1.0.1 2023-10-09
+
+- Add AzureAD code flow provider
+
+## 16.0.1.0.0 2023-01-27
+
+- Odoo 16 migration
+
+## 15.0.1.0.0 2023-01-06
+
+- Odoo 15 migration
+
+## 14.0.1.0.0 2021-12-10
+
+- Odoo 14 migration
+
+## 13.0.1.0.0 2020-04-10
+
+- Odoo 13 migration, add authorization code flow.
+
+## 10.0.1.0.0 2018-10-05
+
+- Initial implementation
diff --git a/auth_oidc/readme/INSTALL.md b/auth_oidc/readme/INSTALL.md
new file mode 100644
index 0000000000..37af7b9c93
--- /dev/null
+++ b/auth_oidc/readme/INSTALL.md
@@ -0,0 +1,3 @@
+This module depends on the
+[python-jose](https://pypi.org/project/python-jose/) library, not to be
+confused with `jose` which is also available on PyPI.
diff --git a/auth_oidc/readme/ROADMAP.md b/auth_oidc/readme/ROADMAP.md
new file mode 100644
index 0000000000..712da2fde6
--- /dev/null
+++ b/auth_oidc/readme/ROADMAP.md
@@ -0,0 +1,4 @@
+- When going to the login screen, check for a existing token and do a
+  direct login without the clicking on the SSO link
+- When doing a logout an extra option to also logout at the SSO
+  provider.
diff --git a/auth_oidc/readme/USAGE.md b/auth_oidc/readme/USAGE.md
new file mode 100644
index 0000000000..0fa74256b4
--- /dev/null
+++ b/auth_oidc/readme/USAGE.md
@@ -0,0 +1 @@
+On the login page, click on the authentication provider you configured.
diff --git a/auth_oidc/static/description/icon.png b/auth_oidc/static/description/icon.png
new file mode 100755
index 0000000000..06a05ebd48
Binary files /dev/null and b/auth_oidc/static/description/icon.png differ
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
new file mode 100644
index 0000000000..412ba2dc79
--- /dev/null
+++ b/auth_oidc/static/description/index.html
@@ -0,0 +1,597 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
+<title>Authentication OpenID Connect</title>
+<style type="text/css">
+
+/*
+:Author: David Goodger (goodger@python.org)
+:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $
+:Copyright: This stylesheet has been placed in the public domain.
+
+Default cascading style sheet for the HTML output of Docutils.
+
+See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
+customize this style sheet.
+*/
+
+/* used to remove borders from tables and images */
+.borderless, table.borderless td, table.borderless th {
+  border: 0 }
+
+table.borderless td, table.borderless th {
+  /* Override padding for "table.docutils td" with "! important".
+     The right padding separates the table cells. */
+  padding: 0 0.5em 0 0 ! important }
+
+.first {
+  /* Override more specific margin styles with "! important". */
+  margin-top: 0 ! important }
+
+.last, .with-subtitle {
+  margin-bottom: 0 ! important }
+
+.hidden {
+  display: none }
+
+.subscript {
+  vertical-align: sub;
+  font-size: smaller }
+
+.superscript {
+  vertical-align: super;
+  font-size: smaller }
+
+a.toc-backref {
+  text-decoration: none ;
+  color: black }
+
+blockquote.epigraph {
+  margin: 2em 5em ; }
+
+dl.docutils dd {
+  margin-bottom: 0.5em }
+
+object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
+  overflow: hidden;
+}
+
+/* Uncomment (and remove this text!) to get bold-faced definition list terms
+dl.docutils dt {
+  font-weight: bold }
+*/
+
+div.abstract {
+  margin: 2em 5em }
+
+div.abstract p.topic-title {
+  font-weight: bold ;
+  text-align: center }
+
+div.admonition, div.attention, div.caution, div.danger, div.error,
+div.hint, div.important, div.note, div.tip, div.warning {
+  margin: 2em ;
+  border: medium outset ;
+  padding: 1em }
+
+div.admonition p.admonition-title, div.hint p.admonition-title,
+div.important p.admonition-title, div.note p.admonition-title,
+div.tip p.admonition-title {
+  font-weight: bold ;
+  font-family: sans-serif }
+
+div.attention p.admonition-title, div.caution p.admonition-title,
+div.danger p.admonition-title, div.error p.admonition-title,
+div.warning p.admonition-title, .code .error {
+  color: red ;
+  font-weight: bold ;
+  font-family: sans-serif }
+
+/* Uncomment (and remove this text!) to get reduced vertical space in
+   compound paragraphs.
+div.compound .compound-first, div.compound .compound-middle {
+  margin-bottom: 0.5em }
+
+div.compound .compound-last, div.compound .compound-middle {
+  margin-top: 0.5em }
+*/
+
+div.dedication {
+  margin: 2em 5em ;
+  text-align: center ;
+  font-style: italic }
+
+div.dedication p.topic-title {
+  font-weight: bold ;
+  font-style: normal }
+
+div.figure {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+div.footer, div.header {
+  clear: both;
+  font-size: smaller }
+
+div.line-block {
+  display: block ;
+  margin-top: 1em ;
+  margin-bottom: 1em }
+
+div.line-block div.line-block {
+  margin-top: 0 ;
+  margin-bottom: 0 ;
+  margin-left: 1.5em }
+
+div.sidebar {
+  margin: 0 0 0.5em 1em ;
+  border: medium outset ;
+  padding: 1em ;
+  background-color: #ffffee ;
+  width: 40% ;
+  float: right ;
+  clear: right }
+
+div.sidebar p.rubric {
+  font-family: sans-serif ;
+  font-size: medium }
+
+div.system-messages {
+  margin: 5em }
+
+div.system-messages h1 {
+  color: red }
+
+div.system-message {
+  border: medium outset ;
+  padding: 1em }
+
+div.system-message p.system-message-title {
+  color: red ;
+  font-weight: bold }
+
+div.topic {
+  margin: 2em }
+
+h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
+h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
+  margin-top: 0.4em }
+
+h1.title {
+  text-align: center }
+
+h2.subtitle {
+  text-align: center }
+
+hr.docutils {
+  width: 75% }
+
+img.align-left, .figure.align-left, object.align-left, table.align-left {
+  clear: left ;
+  float: left ;
+  margin-right: 1em }
+
+img.align-right, .figure.align-right, object.align-right, table.align-right {
+  clear: right ;
+  float: right ;
+  margin-left: 1em }
+
+img.align-center, .figure.align-center, object.align-center {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+table.align-center {
+  margin-left: auto;
+  margin-right: auto;
+}
+
+.align-left {
+  text-align: left }
+
+.align-center {
+  clear: both ;
+  text-align: center }
+
+.align-right {
+  text-align: right }
+
+/* reset inner alignment in figures */
+div.align-right {
+  text-align: inherit }
+
+/* div.align-center * { */
+/*   text-align: left } */
+
+.align-top    {
+  vertical-align: top }
+
+.align-middle {
+  vertical-align: middle }
+
+.align-bottom {
+  vertical-align: bottom }
+
+ol.simple, ul.simple {
+  margin-bottom: 1em }
+
+ol.arabic {
+  list-style: decimal }
+
+ol.loweralpha {
+  list-style: lower-alpha }
+
+ol.upperalpha {
+  list-style: upper-alpha }
+
+ol.lowerroman {
+  list-style: lower-roman }
+
+ol.upperroman {
+  list-style: upper-roman }
+
+p.attribution {
+  text-align: right ;
+  margin-left: 50% }
+
+p.caption {
+  font-style: italic }
+
+p.credits {
+  font-style: italic ;
+  font-size: smaller }
+
+p.label {
+  white-space: nowrap }
+
+p.rubric {
+  font-weight: bold ;
+  font-size: larger ;
+  color: maroon ;
+  text-align: center }
+
+p.sidebar-title {
+  font-family: sans-serif ;
+  font-weight: bold ;
+  font-size: larger }
+
+p.sidebar-subtitle {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+p.topic-title {
+  font-weight: bold }
+
+pre.address {
+  margin-bottom: 0 ;
+  margin-top: 0 ;
+  font: inherit }
+
+pre.literal-block, pre.doctest-block, pre.math, pre.code {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+pre.code .ln { color: grey; } /* line numbers */
+pre.code, code { background-color: #eeeeee }
+pre.code .comment, code .comment { color: #5C6576 }
+pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
+pre.code .literal.string, code .literal.string { color: #0C5404 }
+pre.code .name.builtin, code .name.builtin { color: #352B84 }
+pre.code .deleted, code .deleted { background-color: #DEB0A1}
+pre.code .inserted, code .inserted { background-color: #A3D289}
+
+span.classifier {
+  font-family: sans-serif ;
+  font-style: oblique }
+
+span.classifier-delimiter {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+span.interpreted {
+  font-family: sans-serif }
+
+span.option {
+  white-space: nowrap }
+
+span.pre {
+  white-space: pre }
+
+span.problematic {
+  color: red }
+
+span.section-subtitle {
+  /* font-size relative to parent (h1..h6 element) */
+  font-size: 80% }
+
+table.citation {
+  border-left: solid 1px gray;
+  margin-left: 1px }
+
+table.docinfo {
+  margin: 2em 4em }
+
+table.docutils {
+  margin-top: 0.5em ;
+  margin-bottom: 0.5em }
+
+table.footnote {
+  border-left: solid 1px black;
+  margin-left: 1px }
+
+table.docutils td, table.docutils th,
+table.docinfo td, table.docinfo th {
+  padding-left: 0.5em ;
+  padding-right: 0.5em ;
+  vertical-align: top }
+
+table.docutils th.field-name, table.docinfo th.docinfo-name {
+  font-weight: bold ;
+  text-align: left ;
+  white-space: nowrap ;
+  padding-left: 0 }
+
+/* "booktabs" style (no vertical lines) */
+table.docutils.booktabs {
+  border: 0px;
+  border-top: 2px solid;
+  border-bottom: 2px solid;
+  border-collapse: collapse;
+}
+table.docutils.booktabs * {
+  border: 0px;
+}
+table.docutils.booktabs th {
+  border-bottom: thin solid;
+  text-align: left;
+}
+
+h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
+h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
+  font-size: 100% }
+
+ul.auto-toc {
+  list-style-type: none }
+
+</style>
+</head>
+<body>
+<div class="document" id="authentication-openid-connect">
+<h1 class="title">Authentication OpenID Connect</h1>
+
+<!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! This file is generated by oca-gen-addon-readme !!
+!! changes will be overwritten.                   !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! source digest: sha256:e65c1c978ca0266a8e54f8121675cbf710359cf407413e35518f670be9c9753f
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/17.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=17.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
+<p>This module allows users to login through an OpenID Connect provider
+using the authorization code flow or implicit flow.</p>
+<p>Note the implicit flow is not recommended because it exposes access
+tokens to the browser and in http logs.</p>
+<p><strong>Table of contents</strong></p>
+<div class="contents local topic" id="contents">
+<ul class="simple">
+<li><a class="reference internal" href="#installation" id="toc-entry-1">Installation</a></li>
+<li><a class="reference internal" href="#configuration" id="toc-entry-2">Configuration</a><ul>
+<li><a class="reference internal" href="#setup-for-microsoft-azure" id="toc-entry-3">Setup for Microsoft Azure</a></li>
+<li><a class="reference internal" href="#setup-for-keycloak" id="toc-entry-4">Setup for Keycloak</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#usage" id="toc-entry-5">Usage</a></li>
+<li><a class="reference internal" href="#known-issues-roadmap" id="toc-entry-6">Known issues / Roadmap</a></li>
+<li><a class="reference internal" href="#changelog" id="toc-entry-7">Changelog</a><ul>
+<li><a class="reference internal" href="#section-1" id="toc-entry-8">17.0.1.0.0 2024-03-20</a></li>
+<li><a class="reference internal" href="#section-2" id="toc-entry-9">16.0.1.1.0 2024-02-28</a></li>
+<li><a class="reference internal" href="#section-3" id="toc-entry-10">16.0.1.0.2 2023-11-16</a></li>
+<li><a class="reference internal" href="#section-4" id="toc-entry-11">16.0.1.0.1 2023-10-09</a></li>
+<li><a class="reference internal" href="#section-5" id="toc-entry-12">16.0.1.0.0 2023-01-27</a></li>
+<li><a class="reference internal" href="#section-6" id="toc-entry-13">15.0.1.0.0 2023-01-06</a></li>
+<li><a class="reference internal" href="#section-7" id="toc-entry-14">14.0.1.0.0 2021-12-10</a></li>
+<li><a class="reference internal" href="#section-8" id="toc-entry-15">13.0.1.0.0 2020-04-10</a></li>
+<li><a class="reference internal" href="#section-9" id="toc-entry-16">10.0.1.0.0 2018-10-05</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-17">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-18">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="toc-entry-19">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="toc-entry-20">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="toc-entry-21">Maintainers</a></li>
+</ul>
+</li>
+</ul>
+</div>
+<div class="section" id="installation">
+<h1><a class="toc-backref" href="#toc-entry-1">Installation</a></h1>
+<p>This module depends on the
+<a class="reference external" href="https://pypi.org/project/python-jose/">python-jose</a> library, not to
+be confused with <tt class="docutils literal">jose</tt> which is also available on PyPI.</p>
+</div>
+<div class="section" id="configuration">
+<h1><a class="toc-backref" href="#toc-entry-2">Configuration</a></h1>
+<div class="section" id="setup-for-microsoft-azure">
+<h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2>
+<p>Example configuration with OpenID Connect authorization code flow.</p>
+<ol class="arabic simple">
+<li>configure a new web application in Azure with OpenID and code flow
+(see the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider">provider
+documentation</a>))</li>
+<li>in this application the redirect url must be be “&lt;url of your
+server&gt;/auth_oauth/signin” and of course this URL should be reachable
+from Azure</li>
+<li>create a new authentication provider in Odoo with the following
+parameters (see the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings">portal
+documentation</a>
+for more information):</li>
+</ol>
+<p><img alt="image" src="https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png" /></p>
+<p><img alt="image1" src="https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png" /></p>
+<p>Single tenant provider limits the access to user of your tenant, while
+Multitenants allow access for all AzureAD users, so user of foreign
+companies can use their AzureAD login without an guest account.</p>
+<ul class="simple">
+<li>Provider Name: Azure AD Single Tenant</li>
+<li>Client ID: Application (client) id</li>
+<li>Client Secret: Client secret</li>
+<li>Allowed: yes</li>
+</ul>
+<p>or</p>
+<ul class="simple">
+<li>Provider Name: Azure AD Multitenant</li>
+<li>Client ID: Application (client) id</li>
+<li>Client Secret: Client secret</li>
+<li>Allowed: yes</li>
+<li>replace {tenant_id} in urls with your Azure tenant id</li>
+</ul>
+<p><img alt="image2" src="https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png" /></p>
+</div>
+<div class="section" id="setup-for-keycloak">
+<h2><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h2>
+<p>Example configuration with OpenID Connect authorization code flow.</p>
+<p>In Keycloak:</p>
+<ol class="arabic simple">
+<li>configure a new Client</li>
+<li>make sure Authorization Code Flow is Enabled.</li>
+<li>configure the client Access Type as “confidential” and take note of
+the client secret in the Credentials tab</li>
+<li>configure the redirect url to be “&lt;url of your
+server&gt;/auth_oauth/signin”</li>
+</ol>
+<p>In Odoo, create a new Oauth Provider with the following parameters:</p>
+<ul class="simple">
+<li>Provider name: Keycloak (or any name you like that identify your
+keycloak provider)</li>
+<li>Auth Flow: OpenID Connect (authorization code flow)</li>
+<li>Client ID: the same Client ID you entered when configuring the client
+in Keycloak</li>
+<li>Client Secret: found in keycloak on the client Credentials tab</li>
+<li>Allowed: yes</li>
+<li>Body: the link text to appear on the login page, such as Login with
+Keycloak</li>
+<li>Scope: openid email</li>
+<li>Authentication URL: The “authorization_endpoint” URL found in the
+OpenID Endpoint Configuration of your Keycloak realm</li>
+<li>Token URL: The “token_endpoint” URL found in the OpenID Endpoint
+Configuration of your Keycloak realm</li>
+<li>JWKS URL: The “jwks_uri” URL found in the OpenID Endpoint
+Configuration of your Keycloak realm</li>
+</ul>
+</div>
+</div>
+<div class="section" id="usage">
+<h1><a class="toc-backref" href="#toc-entry-5">Usage</a></h1>
+<p>On the login page, click on the authentication provider you configured.</p>
+</div>
+<div class="section" id="known-issues-roadmap">
+<h1><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h1>
+<ul class="simple">
+<li>When going to the login screen, check for a existing token and do a
+direct login without the clicking on the SSO link</li>
+<li>When doing a logout an extra option to also logout at the SSO
+provider.</li>
+</ul>
+</div>
+<div class="section" id="changelog">
+<h1><a class="toc-backref" href="#toc-entry-7">Changelog</a></h1>
+<div class="section" id="section-1">
+<h2><a class="toc-backref" href="#toc-entry-8">17.0.1.0.0 2024-03-20</a></h2>
+<ul class="simple">
+<li>Odoo 17 migration</li>
+</ul>
+</div>
+<div class="section" id="section-2">
+<h2><a class="toc-backref" href="#toc-entry-9">16.0.1.1.0 2024-02-28</a></h2>
+<ul class="simple">
+<li>Forward port OpenID Connect fixes from 15.0 to 16.0</li>
+</ul>
+</div>
+<div class="section" id="section-3">
+<h2><a class="toc-backref" href="#toc-entry-10">16.0.1.0.2 2023-11-16</a></h2>
+<ul class="simple">
+<li>Readme link updates</li>
+</ul>
+</div>
+<div class="section" id="section-4">
+<h2><a class="toc-backref" href="#toc-entry-11">16.0.1.0.1 2023-10-09</a></h2>
+<ul class="simple">
+<li>Add AzureAD code flow provider</li>
+</ul>
+</div>
+<div class="section" id="section-5">
+<h2><a class="toc-backref" href="#toc-entry-12">16.0.1.0.0 2023-01-27</a></h2>
+<ul class="simple">
+<li>Odoo 16 migration</li>
+</ul>
+</div>
+<div class="section" id="section-6">
+<h2><a class="toc-backref" href="#toc-entry-13">15.0.1.0.0 2023-01-06</a></h2>
+<ul class="simple">
+<li>Odoo 15 migration</li>
+</ul>
+</div>
+<div class="section" id="section-7">
+<h2><a class="toc-backref" href="#toc-entry-14">14.0.1.0.0 2021-12-10</a></h2>
+<ul class="simple">
+<li>Odoo 14 migration</li>
+</ul>
+</div>
+<div class="section" id="section-8">
+<h2><a class="toc-backref" href="#toc-entry-15">13.0.1.0.0 2020-04-10</a></h2>
+<ul class="simple">
+<li>Odoo 13 migration, add authorization code flow.</li>
+</ul>
+</div>
+<div class="section" id="section-9">
+<h2><a class="toc-backref" href="#toc-entry-16">10.0.1.0.0 2018-10-05</a></h2>
+<ul class="simple">
+<li>Initial implementation</li>
+</ul>
+</div>
+</div>
+<div class="section" id="bug-tracker">
+<h1><a class="toc-backref" href="#toc-entry-17">Bug Tracker</a></h1>
+<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<p>Do not contact contributors directly about support or help with technical issues.</p>
+</div>
+<div class="section" id="credits">
+<h1><a class="toc-backref" href="#toc-entry-18">Credits</a></h1>
+<div class="section" id="authors">
+<h2><a class="toc-backref" href="#toc-entry-19">Authors</a></h2>
+<ul class="simple">
+<li>ICTSTUDIO</li>
+<li>André Schenkels</li>
+<li>ACSONE SA/NV</li>
+</ul>
+</div>
+<div class="section" id="contributors">
+<h2><a class="toc-backref" href="#toc-entry-20">Contributors</a></h2>
+<ul class="simple">
+<li>Alexandre Fayolle &lt;<a class="reference external" href="mailto:alexandre.fayolle&#64;camptocamp.com">alexandre.fayolle&#64;camptocamp.com</a>&gt;</li>
+<li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
+<li>David Jaen &lt;<a class="reference external" href="mailto:david.jaen.revert&#64;gmail.com">david.jaen.revert&#64;gmail.com</a>&gt;</li>
+<li>Andreas Perhab &lt;<a class="reference external" href="mailto:andreas.perhab&#64;wt-io-it.at">andreas.perhab&#64;wt-io-it.at</a>&gt;</li>
+</ul>
+</div>
+<div class="section" id="maintainers">
+<h2><a class="toc-backref" href="#toc-entry-21">Maintainers</a></h2>
+<p>This module is maintained by the OCA.</p>
+<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
+<p>OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.</p>
+<p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
+<p><a class="reference external image-reference" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/17.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
+<p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
+</div>
+</div>
+</div>
+</body>
+</html>
diff --git a/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png b/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
new file mode 100644
index 0000000000..7f28000a95
Binary files /dev/null and b/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png differ
diff --git a/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png b/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
new file mode 100644
index 0000000000..1aa7206311
Binary files /dev/null and b/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png differ
diff --git a/auth_oidc/static/description/odoo-azure_ad_multitenant.png b/auth_oidc/static/description/odoo-azure_ad_multitenant.png
new file mode 100644
index 0000000000..31033f3816
Binary files /dev/null and b/auth_oidc/static/description/odoo-azure_ad_multitenant.png differ
diff --git a/auth_oidc/tests/__init__.py b/auth_oidc/tests/__init__.py
new file mode 100644
index 0000000000..e603d993b8
--- /dev/null
+++ b/auth_oidc/tests/__init__.py
@@ -0,0 +1 @@
+from . import test_auth_oidc_auth_code
diff --git a/auth_oidc/tests/keycloak/keycloak-config.json b/auth_oidc/tests/keycloak/keycloak-config.json
new file mode 100644
index 0000000000..5a0456b55c
--- /dev/null
+++ b/auth_oidc/tests/keycloak/keycloak-config.json
@@ -0,0 +1,1997 @@
+{
+  "id": "master",
+  "realm": "master",
+  "displayName": "Keycloak",
+  "displayNameHtml": "<div class=\"kc-logo-text\"><span>Keycloak</span></div>",
+  "notBefore": 0,
+  "revokeRefreshToken": false,
+  "refreshTokenMaxReuse": 0,
+  "accessTokenLifespan": 60,
+  "accessTokenLifespanForImplicitFlow": 900,
+  "ssoSessionIdleTimeout": 1800,
+  "ssoSessionMaxLifespan": 36000,
+  "ssoSessionIdleTimeoutRememberMe": 0,
+  "ssoSessionMaxLifespanRememberMe": 0,
+  "offlineSessionIdleTimeout": 2592000,
+  "offlineSessionMaxLifespanEnabled": false,
+  "offlineSessionMaxLifespan": 5184000,
+  "clientSessionIdleTimeout": 0,
+  "clientSessionMaxLifespan": 0,
+  "clientOfflineSessionIdleTimeout": 0,
+  "clientOfflineSessionMaxLifespan": 0,
+  "accessCodeLifespan": 60,
+  "accessCodeLifespanUserAction": 300,
+  "accessCodeLifespanLogin": 1800,
+  "actionTokenGeneratedByAdminLifespan": 43200,
+  "actionTokenGeneratedByUserLifespan": 300,
+  "enabled": true,
+  "sslRequired": "external",
+  "registrationAllowed": false,
+  "registrationEmailAsUsername": false,
+  "rememberMe": false,
+  "verifyEmail": false,
+  "loginWithEmailAllowed": true,
+  "duplicateEmailsAllowed": false,
+  "resetPasswordAllowed": false,
+  "editUsernameAllowed": false,
+  "bruteForceProtected": false,
+  "permanentLockout": false,
+  "maxFailureWaitSeconds": 900,
+  "minimumQuickLoginWaitSeconds": 60,
+  "waitIncrementSeconds": 60,
+  "quickLoginCheckMilliSeconds": 1000,
+  "maxDeltaTimeSeconds": 43200,
+  "failureFactor": 30,
+  "roles": {
+    "realm": [
+      {
+        "id": "39f27ebe-139e-435b-840a-beb824d5d355",
+        "name": "admin",
+        "description": "${role_admin}",
+        "composite": true,
+        "composites": {
+          "realm": ["create-realm"],
+          "client": {
+            "master-realm": [
+              "create-client",
+              "view-realm",
+              "view-events",
+              "manage-clients",
+              "query-clients",
+              "view-identity-providers",
+              "impersonation",
+              "manage-events",
+              "query-realms",
+              "query-groups",
+              "manage-authorization",
+              "query-users",
+              "view-authorization",
+              "manage-identity-providers",
+              "manage-users",
+              "view-clients",
+              "view-users",
+              "manage-realm"
+            ]
+          }
+        },
+        "clientRole": false,
+        "containerId": "master",
+        "attributes": {}
+      },
+      {
+        "id": "3fd38fac-f708-4783-b8e9-4e47963fc4bf",
+        "name": "offline_access",
+        "description": "${role_offline-access}",
+        "composite": false,
+        "clientRole": false,
+        "containerId": "master",
+        "attributes": {}
+      },
+      {
+        "id": "4ac4a81b-0a30-41db-94ce-dbd621c331d2",
+        "name": "uma_authorization",
+        "description": "${role_uma_authorization}",
+        "composite": false,
+        "clientRole": false,
+        "containerId": "master",
+        "attributes": {}
+      },
+      {
+        "id": "20b16986-2361-454c-af0b-81f403152ef8",
+        "name": "create-realm",
+        "description": "${role_create-realm}",
+        "composite": false,
+        "clientRole": false,
+        "containerId": "master",
+        "attributes": {}
+      }
+    ],
+    "client": {
+      "auth_oidc-test": [],
+      "security-admin-console": [],
+      "admin-cli": [],
+      "account-console": [],
+      "broker": [
+        {
+          "id": "5fa108a0-2e5e-4e2e-8ee3-1317592517f8",
+          "name": "read-token",
+          "description": "${role_read-token}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "d1dd5ade-20bf-4d53-a371-a33f10bc1087",
+          "attributes": {}
+        }
+      ],
+      "master-realm": [
+        {
+          "id": "0d062a1c-5165-4ea5-b550-55d02ca86226",
+          "name": "create-client",
+          "description": "${role_create-client}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "f5795bcb-ab2d-4a74-b954-51f335c21198",
+          "name": "view-realm",
+          "description": "${role_view-realm}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "1c0e3231-db03-4b03-961f-32308318f4f1",
+          "name": "view-events",
+          "description": "${role_view-events}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "ed9949d1-b11d-4742-b259-ee260f62f111",
+          "name": "manage-clients",
+          "description": "${role_manage-clients}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "b29b494a-9cd4-4410-8d16-207a3bb2e528",
+          "name": "query-clients",
+          "description": "${role_query-clients}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "8afdd284-070b-4d6f-9d21-d9917d8827af",
+          "name": "view-identity-providers",
+          "description": "${role_view-identity-providers}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "b5807416-f8f3-41ae-a29e-298ec3aae028",
+          "name": "impersonation",
+          "description": "${role_impersonation}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "6400b20c-a72b-4228-87d1-01b0d1315026",
+          "name": "manage-events",
+          "description": "${role_manage-events}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "6c3b14c3-0797-4e39-b5fa-b07d0e073e0e",
+          "name": "query-realms",
+          "description": "${role_query-realms}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "3fbf2279-9661-4cfc-b381-c7e4a8c459dc",
+          "name": "query-groups",
+          "description": "${role_query-groups}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "1b9e5572-34d5-4284-897c-0471544cf813",
+          "name": "manage-authorization",
+          "description": "${role_manage-authorization}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "a226e0fa-aa45-490d-9d64-78e88c3152cb",
+          "name": "query-users",
+          "description": "${role_query-users}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "d78736d4-250c-4012-a8ad-55b5c718a57a",
+          "name": "manage-identity-providers",
+          "description": "${role_manage-identity-providers}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "68e9559f-d467-46c3-ae48-d67c74582ca8",
+          "name": "view-authorization",
+          "description": "${role_view-authorization}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "908beec6-d8d1-441a-a5ad-f45d39df6b43",
+          "name": "manage-users",
+          "description": "${role_manage-users}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "5c5d56a2-e2ea-4b4f-9bb1-f40e18082932",
+          "name": "view-clients",
+          "description": "${role_view-clients}",
+          "composite": true,
+          "composites": {
+            "client": {
+              "master-realm": ["query-clients"]
+            }
+          },
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "561ec0f4-bd97-4c41-a825-918002afb307",
+          "name": "view-users",
+          "description": "${role_view-users}",
+          "composite": true,
+          "composites": {
+            "client": {
+              "master-realm": ["query-groups", "query-users"]
+            }
+          },
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "8ae350ac-19cd-431b-80fb-aee88316219e",
+          "name": "manage-realm",
+          "description": "${role_manage-realm}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        }
+      ],
+      "account": [
+        {
+          "id": "0a6ac4dd-afdc-4b7b-b16a-ef2ca3b8e396",
+          "name": "delete-account",
+          "description": "${role_delete-account}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        },
+        {
+          "id": "1a30b2d0-9d49-4a09-9769-ea7f3142e715",
+          "name": "manage-consent",
+          "description": "${role_manage-consent}",
+          "composite": true,
+          "composites": {
+            "client": {
+              "account": ["view-consent"]
+            }
+          },
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        },
+        {
+          "id": "e065f4ba-d97c-4219-b56e-edbe945e14bf",
+          "name": "view-consent",
+          "description": "${role_view-consent}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        },
+        {
+          "id": "6e5b9a43-0f82-4669-a821-a1d449e4a2be",
+          "name": "view-applications",
+          "description": "${role_view-applications}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        },
+        {
+          "id": "c386c8c5-bdee-4d52-b124-94379799d5d9",
+          "name": "manage-account-links",
+          "description": "${role_manage-account-links}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        },
+        {
+          "id": "bcff49f4-7f83-4ec6-9a51-271fc9cbb302",
+          "name": "view-profile",
+          "description": "${role_view-profile}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        },
+        {
+          "id": "4e36a4bf-80ab-404b-854e-7d593e9248ca",
+          "name": "manage-account",
+          "description": "${role_manage-account}",
+          "composite": true,
+          "composites": {
+            "client": {
+              "account": ["manage-account-links"]
+            }
+          },
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        }
+      ]
+    }
+  },
+  "groups": [],
+  "defaultRoles": ["offline_access", "uma_authorization"],
+  "requiredCredentials": ["password"],
+  "otpPolicyType": "totp",
+  "otpPolicyAlgorithm": "HmacSHA1",
+  "otpPolicyInitialCounter": 0,
+  "otpPolicyDigits": 6,
+  "otpPolicyLookAheadWindow": 1,
+  "otpPolicyPeriod": 30,
+  "otpSupportedApplications": ["FreeOTP", "Google Authenticator"],
+  "webAuthnPolicyRpEntityName": "keycloak",
+  "webAuthnPolicySignatureAlgorithms": ["ES256"],
+  "webAuthnPolicyRpId": "",
+  "webAuthnPolicyAttestationConveyancePreference": "not specified",
+  "webAuthnPolicyAuthenticatorAttachment": "not specified",
+  "webAuthnPolicyRequireResidentKey": "not specified",
+  "webAuthnPolicyUserVerificationRequirement": "not specified",
+  "webAuthnPolicyCreateTimeout": 0,
+  "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
+  "webAuthnPolicyAcceptableAaguids": [],
+  "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
+  "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"],
+  "webAuthnPolicyPasswordlessRpId": "",
+  "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
+  "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
+  "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
+  "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
+  "webAuthnPolicyPasswordlessCreateTimeout": 0,
+  "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
+  "webAuthnPolicyPasswordlessAcceptableAaguids": [],
+  "users": [
+    {
+      "id": "ad01a4d9-c919-4bc6-8b48-b3e3bcbb4149",
+      "createdTimestamp": 1618140941731,
+      "username": "admin",
+      "enabled": true,
+      "totp": false,
+      "emailVerified": false,
+      "credentials": [
+        {
+          "id": "596b17bb-199c-4a23-9c48-4620c0ecfd7a",
+          "type": "password",
+          "createdDate": 1618140941876,
+          "secretData": "{\"value\":\"PXx46hQETQuXQRUl9FvzEJdZtoL57qsad1dFQyOLzj/pNEmwldN54oxQh5p+QB0rNNJPI9ZiaAfZS90ZzJa6pQ==\",\"salt\":\"kiFQwyPm53MgwAByqTw5qQ==\",\"additionalParameters\":{}}",
+          "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+        }
+      ],
+      "disableableCredentialTypes": [],
+      "requiredActions": [],
+      "realmRoles": ["offline_access", "admin", "uma_authorization"],
+      "clientRoles": {
+        "account": ["view-profile", "manage-account"]
+      },
+      "notBefore": 0,
+      "groups": []
+    },
+    {
+      "id": "3752dfb8-d3b5-4597-b83c-fed005d2671c",
+      "createdTimestamp": 1618141153912,
+      "username": "demo",
+      "enabled": true,
+      "totp": false,
+      "emailVerified": false,
+      "credentials": [
+        {
+          "id": "4e5b5a38-3fcb-4703-8b9c-075164dde145",
+          "type": "password",
+          "createdDate": 1618141311783,
+          "secretData": "{\"value\":\"upShAwzTaS89elSkEgK0Phs+XUP3Ya1pOUYtE8k4JmZEJnXWjdOy9brn4cpLKwjF6pZ3glxkJgjdLmDeWm9WwQ==\",\"salt\":\"RnaXCbRf4bw1lZmQX43cMg==\",\"additionalParameters\":{}}",
+          "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+        }
+      ],
+      "disableableCredentialTypes": [],
+      "requiredActions": [],
+      "realmRoles": ["offline_access", "uma_authorization"],
+      "clientRoles": {
+        "account": ["view-profile", "manage-account"]
+      },
+      "notBefore": 0,
+      "groups": []
+    }
+  ],
+  "scopeMappings": [
+    {
+      "clientScope": "offline_access",
+      "roles": ["offline_access"]
+    }
+  ],
+  "clientScopeMappings": {
+    "account": [
+      {
+        "client": "account-console",
+        "roles": ["manage-account"]
+      }
+    ]
+  },
+  "clients": [
+    {
+      "id": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+      "clientId": "account",
+      "name": "${client_account}",
+      "rootUrl": "${authBaseUrl}",
+      "baseUrl": "/realms/master/account/",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "055c06d1-ffcc-4762-b8eb-e9814a6995df",
+      "defaultRoles": ["view-profile", "manage-account"],
+      "redirectUris": ["/realms/master/account/*"],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {},
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    },
+    {
+      "id": "4308a071-7dbf-4d08-a987-b7dc2f42b86e",
+      "clientId": "account-console",
+      "name": "${client_account-console}",
+      "rootUrl": "${authBaseUrl}",
+      "baseUrl": "/realms/master/account/",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "ec31839f-7ffb-400d-9373-26be6706e619",
+      "redirectUris": ["/realms/master/account/*"],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "pkce.code.challenge.method": "S256"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "protocolMappers": [
+        {
+          "id": "e36bba2d-7a07-4c83-a40e-14b4a8316ae9",
+          "name": "audience resolve",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-resolve-mapper",
+          "consentRequired": false,
+          "config": {}
+        }
+      ],
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    },
+    {
+      "id": "0915d9fc-102f-4033-b37e-832b89fee932",
+      "clientId": "admin-cli",
+      "name": "${client_admin-cli}",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "175303e4-f2d4-4ae9-8fb0-27a1337d3208",
+      "redirectUris": [],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {},
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    },
+    {
+      "id": "8bf21eb5-63da-4da5-8c12-7a5bafda1bf5",
+      "clientId": "auth_oidc-test",
+      "rootUrl": "http://localhost:8069",
+      "adminUrl": "http://localhost:8069",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "20c0ad33-0200-43cd-9bd1-5dd1b22918e3",
+      "redirectUris": ["http://localhost:8069/*"],
+      "webOrigins": ["http://localhost:8069"],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": true,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "saml.assertion.signature": "false",
+        "saml.force.post.binding": "false",
+        "saml.multivalued.roles": "false",
+        "saml.encrypt": "false",
+        "backchannel.logout.revoke.offline.tokens": "false",
+        "saml.server.signature": "false",
+        "saml.server.signature.keyinfo.ext": "false",
+        "exclude.session.state.from.auth.response": "false",
+        "backchannel.logout.session.required": "true",
+        "client_credentials.use_refresh_token": "false",
+        "saml_force_name_id_format": "false",
+        "saml.client.signature": "false",
+        "tls.client.certificate.bound.access.tokens": "false",
+        "saml.authnstatement": "false",
+        "display.on.consent.screen": "false",
+        "saml.onetimeuse.condition": "false"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": true,
+      "nodeReRegistrationTimeout": -1,
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    },
+    {
+      "id": "d1dd5ade-20bf-4d53-a371-a33f10bc1087",
+      "clientId": "broker",
+      "name": "${client_broker}",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "52aab659-5f2d-445a-a93e-6ab04de9db42",
+      "redirectUris": [],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {},
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    },
+    {
+      "id": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+      "clientId": "master-realm",
+      "name": "master Realm",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "15ca5d76-d964-4761-85d1-8343748481ab",
+      "redirectUris": [],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": true,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "frontchannelLogout": false,
+      "attributes": {},
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": true,
+      "nodeReRegistrationTimeout": 0,
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    },
+    {
+      "id": "983b74a1-e7a0-4bc4-8481-0eb8ca4f12e0",
+      "clientId": "security-admin-console",
+      "name": "${client_security-admin-console}",
+      "rootUrl": "${authAdminUrl}",
+      "baseUrl": "/admin/master/console/",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "121beec3-2388-475b-b989-1ff85d25b4fd",
+      "redirectUris": ["/admin/master/console/*"],
+      "webOrigins": ["+"],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "pkce.code.challenge.method": "S256"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "protocolMappers": [
+        {
+          "id": "21a0f25a-a2b7-415e-95a7-23886f00c83b",
+          "name": "locale",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "locale",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "locale",
+            "jsonType.label": "String"
+          }
+        }
+      ],
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    }
+  ],
+  "clientScopes": [
+    {
+      "id": "07bff9f2-498f-4f07-9fb9-019152141a0f",
+      "name": "address",
+      "description": "OpenID Connect built-in scope: address",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${addressScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "46333a31-1e88-4191-8d25-2f4d975af4db",
+          "name": "address",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-address-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute.formatted": "formatted",
+            "user.attribute.country": "country",
+            "user.attribute.postal_code": "postal_code",
+            "userinfo.token.claim": "true",
+            "user.attribute.street": "street",
+            "id.token.claim": "true",
+            "user.attribute.region": "region",
+            "access.token.claim": "true",
+            "user.attribute.locality": "locality"
+          }
+        }
+      ]
+    },
+    {
+      "id": "8c30d3a8-af56-407a-a622-df16e7c2b04b",
+      "name": "email",
+      "description": "OpenID Connect built-in scope: email",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${emailScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "db1117e1-6174-4934-99d0-ff51f319c6f5",
+          "name": "email",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "email",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "email",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "c1a7d21e-7f45-4559-b314-913cbb560967",
+          "name": "email verified",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "emailVerified",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "email_verified",
+            "jsonType.label": "boolean"
+          }
+        }
+      ]
+    },
+    {
+      "id": "3d9f47ed-d2f0-474c-baa4-75e0e6619385",
+      "name": "microprofile-jwt",
+      "description": "Microprofile - JWT built-in scope",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "false"
+      },
+      "protocolMappers": [
+        {
+          "id": "e7c49c89-b513-4512-9410-bc0f39d4b4e5",
+          "name": "upn",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "username",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "upn",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "7b65fe0b-2974-445f-a7cd-ccec5141f560",
+          "name": "groups",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "multivalued": "true",
+            "user.attribute": "foo",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "groups",
+            "jsonType.label": "String"
+          }
+        }
+      ]
+    },
+    {
+      "id": "a9ed1a18-0e05-4eeb-a247-c84296cfa653",
+      "name": "offline_access",
+      "description": "OpenID Connect built-in scope: offline_access",
+      "protocol": "openid-connect",
+      "attributes": {
+        "consent.screen.text": "${offlineAccessScopeConsentText}",
+        "display.on.consent.screen": "true"
+      }
+    },
+    {
+      "id": "52f62f87-f914-4771-b79c-46a387797be7",
+      "name": "phone",
+      "description": "OpenID Connect built-in scope: phone",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${phoneScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "d8c485dc-7b8a-4469-8868-5bb73a6abafa",
+          "name": "phone number verified",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "phoneNumberVerified",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "phone_number_verified",
+            "jsonType.label": "boolean"
+          }
+        },
+        {
+          "id": "b1b21cd7-06f7-4469-b11e-22bf9de1a3ce",
+          "name": "phone number",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "phoneNumber",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "phone_number",
+            "jsonType.label": "String"
+          }
+        }
+      ]
+    },
+    {
+      "id": "311bf186-6cb2-4bdd-9da5-8ac30ff8b296",
+      "name": "profile",
+      "description": "OpenID Connect built-in scope: profile",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${profileScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "eda5d01f-6841-441e-b7d0-8fa48365a501",
+          "name": "middle name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "middleName",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "middle_name",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "e131db35-e08b-4805-b11b-59a90650ee2a",
+          "name": "picture",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "picture",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "picture",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "6e311016-71e1-450a-8011-6f6ce9f7e365",
+          "name": "full name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-full-name-mapper",
+          "consentRequired": false,
+          "config": {
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "userinfo.token.claim": "true"
+          }
+        },
+        {
+          "id": "e0fc1d75-2b19-4fc8-8ea3-778c96b47321",
+          "name": "website",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "website",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "website",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "a94d4acf-0a46-44b0-a739-ed329dfa9f41",
+          "name": "profile",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "profile",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "profile",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "57d4c1ad-4507-4545-8efc-5f83c0dc0be6",
+          "name": "username",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "username",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "preferred_username",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "0b42528f-d116-4217-9fbe-fe469c80914d",
+          "name": "given name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "firstName",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "given_name",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "f698a281-a28c-4b3e-ad73-524c556d1cc5",
+          "name": "locale",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "locale",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "locale",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "50b2c4f9-b4a3-470a-a8e4-af7384bd9536",
+          "name": "zoneinfo",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "zoneinfo",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "zoneinfo",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "12a21276-1f49-4b34-8bf7-df4dd7929ebf",
+          "name": "updated at",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "updatedAt",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "updated_at",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "4abce20a-c47d-430a-85c0-f65cb9ae7aa0",
+          "name": "birthdate",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "birthdate",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "birthdate",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "fa7c99b6-9cdf-4f8f-96af-45df5f2497e2",
+          "name": "nickname",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "nickname",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "nickname",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "983d7499-e23c-4971-9501-d404b405b484",
+          "name": "family name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "lastName",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "family_name",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "f42b6bcb-4bac-44a8-8073-c3194b56029c",
+          "name": "gender",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "gender",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "gender",
+            "jsonType.label": "String"
+          }
+        }
+      ]
+    },
+    {
+      "id": "6acc2950-2bbe-49d8-b266-42e3c518f46f",
+      "name": "role_list",
+      "description": "SAML role list",
+      "protocol": "saml",
+      "attributes": {
+        "consent.screen.text": "${samlRoleListScopeConsentText}",
+        "display.on.consent.screen": "true"
+      },
+      "protocolMappers": [
+        {
+          "id": "8b0f3195-f1c2-4188-8045-5d48ba0aeb30",
+          "name": "role list",
+          "protocol": "saml",
+          "protocolMapper": "saml-role-list-mapper",
+          "consentRequired": false,
+          "config": {
+            "single": "false",
+            "attribute.nameformat": "Basic",
+            "attribute.name": "Role"
+          }
+        }
+      ]
+    },
+    {
+      "id": "437e71e0-7728-4763-82af-29fd14b1fa12",
+      "name": "roles",
+      "description": "OpenID Connect scope for add user roles to the access token",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "false",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${rolesScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "d255020d-b385-417d-bf27-b3a8c5911579",
+          "name": "client roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-client-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute": "foo",
+            "access.token.claim": "true",
+            "claim.name": "resource_access.${client_id}.roles",
+            "jsonType.label": "String",
+            "multivalued": "true"
+          }
+        },
+        {
+          "id": "5adb2a9c-5dbb-430c-89c0-9b464677245f",
+          "name": "realm roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute": "foo",
+            "access.token.claim": "true",
+            "claim.name": "realm_access.roles",
+            "jsonType.label": "String",
+            "multivalued": "true"
+          }
+        },
+        {
+          "id": "667e731f-4375-489f-bf03-566a7292719b",
+          "name": "audience resolve",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-resolve-mapper",
+          "consentRequired": false,
+          "config": {}
+        }
+      ]
+    },
+    {
+      "id": "359211aa-1a6d-4441-a9bb-610acc6350db",
+      "name": "web-origins",
+      "description": "OpenID Connect scope for add allowed web origins to the access token",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "false",
+        "display.on.consent.screen": "false",
+        "consent.screen.text": ""
+      },
+      "protocolMappers": [
+        {
+          "id": "6646f9a5-0a1e-4bcc-b1d1-35b035b5aa55",
+          "name": "allowed web origins",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-allowed-origins-mapper",
+          "consentRequired": false,
+          "config": {}
+        }
+      ]
+    }
+  ],
+  "defaultDefaultClientScopes": [
+    "role_list",
+    "profile",
+    "email",
+    "roles",
+    "web-origins"
+  ],
+  "defaultOptionalClientScopes": [
+    "offline_access",
+    "address",
+    "phone",
+    "microprofile-jwt"
+  ],
+  "browserSecurityHeaders": {
+    "contentSecurityPolicyReportOnly": "",
+    "xContentTypeOptions": "nosniff",
+    "xRobotsTag": "none",
+    "xFrameOptions": "SAMEORIGIN",
+    "xXSSProtection": "1; mode=block",
+    "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+    "strictTransportSecurity": "max-age=31536000; includeSubDomains"
+  },
+  "smtpServer": {},
+  "eventsEnabled": false,
+  "eventsListeners": ["jboss-logging"],
+  "enabledEventTypes": [],
+  "adminEventsEnabled": false,
+  "adminEventsDetailsEnabled": false,
+  "identityProviders": [],
+  "identityProviderMappers": [],
+  "components": {
+    "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
+      {
+        "id": "070f65ee-8d8f-4fff-ae32-a27016e7bf5c",
+        "name": "Allowed Client Scopes",
+        "providerId": "allowed-client-templates",
+        "subType": "authenticated",
+        "subComponents": {},
+        "config": {
+          "allow-default-scopes": ["true"]
+        }
+      },
+      {
+        "id": "81bc44f5-9bbd-4325-9f63-fc332e30e0e7",
+        "name": "Allowed Protocol Mapper Types",
+        "providerId": "allowed-protocol-mappers",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "allowed-protocol-mapper-types": [
+            "oidc-usermodel-property-mapper",
+            "saml-user-property-mapper",
+            "oidc-full-name-mapper",
+            "oidc-sha256-pairwise-sub-mapper",
+            "oidc-usermodel-attribute-mapper",
+            "oidc-address-mapper",
+            "saml-user-attribute-mapper",
+            "saml-role-list-mapper"
+          ]
+        }
+      },
+      {
+        "id": "f7d673f4-10ef-486d-a168-925b139abbc5",
+        "name": "Consent Required",
+        "providerId": "consent-required",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {}
+      },
+      {
+        "id": "c103a051-9371-4021-8a34-8196a78c3638",
+        "name": "Allowed Client Scopes",
+        "providerId": "allowed-client-templates",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "allow-default-scopes": ["true"]
+        }
+      },
+      {
+        "id": "a71eaf13-3e55-4aa6-9cf8-c1b74198d63a",
+        "name": "Trusted Hosts",
+        "providerId": "trusted-hosts",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "host-sending-registration-request-must-match": ["true"],
+          "client-uris-must-match": ["true"]
+        }
+      },
+      {
+        "id": "fb7bdacb-46bc-4266-b217-a1705e87f957",
+        "name": "Allowed Protocol Mapper Types",
+        "providerId": "allowed-protocol-mappers",
+        "subType": "authenticated",
+        "subComponents": {},
+        "config": {
+          "allowed-protocol-mapper-types": [
+            "saml-user-attribute-mapper",
+            "oidc-sha256-pairwise-sub-mapper",
+            "oidc-usermodel-attribute-mapper",
+            "saml-user-property-mapper",
+            "oidc-full-name-mapper",
+            "oidc-usermodel-property-mapper",
+            "oidc-address-mapper",
+            "saml-role-list-mapper"
+          ]
+        }
+      },
+      {
+        "id": "ec4f12ef-2fef-42b2-9cb8-9f251d8c3344",
+        "name": "Full Scope Disabled",
+        "providerId": "scope",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {}
+      },
+      {
+        "id": "99778abc-51f8-4480-a778-59ef73a60f56",
+        "name": "Max Clients Limit",
+        "providerId": "max-clients",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "max-clients": ["200"]
+        }
+      }
+    ],
+    "org.keycloak.keys.KeyProvider": [
+      {
+        "id": "052d41cb-6938-40f0-8872-8ab171ec27e9",
+        "name": "fallback-HS256",
+        "providerId": "hmac-generated",
+        "subComponents": {},
+        "config": {
+          "kid": ["489fe44c-d70f-42f7-9a19-e3dc2a0df076"],
+          "secret": [
+            "6dqvUhGU5rhuMOKNuOI4U7nPTcA9jeJJLpmoewnkw_PdFDSjy73iQkPt5hw_8qU34IIFGOM-LkJJ8VWihvwEwQ"
+          ],
+          "priority": ["-100"],
+          "algorithm": ["HS256"]
+        }
+      },
+      {
+        "id": "53901ca8-2f9d-4f2e-804f-756204b9c1c5",
+        "name": "fallback-RS256",
+        "providerId": "rsa-generated",
+        "subComponents": {},
+        "config": {
+          "privateKey": [
+            "MIIEpAIBAAKCAQEAgYNR3Pgh/f1+DUcMBc9T6uT1MwC4oTthGbtJhmqQiawSWzUO8icSM4hFjiN2zqsKx7ofWmP3+ZRTq6fSEref+0tRRWafTq6LtDySa4DilqnQ/WBznnXML9hmsPBW3gNiZAKYbwvb/YE36L+a4nWcEc13jcXgMqLXUD7K/3YIYNT/S7xGgNKYfBmbTfS0A08ZITtyakaGYwLK6zwLYVAeUj1hZjVcz1926Zhhu4YznD6qMgCmBwlSD9lc6v0/RUNjo1NKSU0LXAeUEk1ynxFKJ+cUikHuvsIQvuXY5Sj+Y2tcWFpU51J01com69kdyYeelQv1n41yOB/U4bGmbhUctwIDAQABAoIBAH+RgwwdmRXeH9AiQBRk8Gq5lU/kkPe3TmCTGsv8oVwKEpamP4+Drqj1vFVSV08gKOEsUn+tYm8CjBvTlNd86WcT+/xZJefRg6hH1Y1wiUAQCtvYqmnV7Abgp933Dglm2f5alB0lWE5ufkySlpQjdlQOx4js9HXL8juHblqMv5noJNaDQSDh4UxtET+fVT8pvCL/MImG4C6BtULLDXLdH4pIvn0OIS788Xpc87uc3dSIfVxL1Oa0U1Qrxma5P8p9imremKLdA4iOzopyVsLo0uP2PrSLWD04I9kSwO0MHNDzbkMJiWXX5a7afzRY4g+zQL2STYsbD4B9KQnIpsQNrVkCgYEA4LbUejeexUBsjs3Whkn1BlUvxvDf2Vtudws1XSNmd5lneitfseDXCcH6p1TLHn0xoOmJDFGjLPEYFhqL0I5IyZP6zfiCJL88zFWVXlY8NsAoQeqvgnu5wHpIXEXCaJAAksWy/dmUZwTUyfIIxnLUQMPpJ1stu35e8DyNO4VadPMCgYEAk4teFNWkFBZmjSBUyo8Tw4TmJuCIRVH4FSaspUeVNhToKI3e5R/duz8rvqBj4tul5lyWq9FmcDaawE94jIa17XQnj/O767G72lHRuIlI+qftIca3r4/kDvy730yAOWl/1Su4SrX3t7WSBHIG2j7HMYIsj5xgBUvnbRQUtxByui0CgYEAsLe3YyHoj3D5rlg708HHmqJVf1sgfxvDRIUhA0z6oSWX1eDUUdvi4H6XMw6g6ipEZCokJ/bvn0E+0usvduTeYwAn5eD/4AwwsPTBEb45fkkhn60DN1c7nh3MWBxYJcjRWpt1BuMcLOQEv4fC1OWq+//VlKjEz0UzPjQwUVWu7HcCgYAo6uqhfootY/T2yHObZUiG3ZFyUKyaBNx3CS2x/IMd53hm3slk44x7hE5eZF6vKFj+5MiIR99P2WTbVm7JEgbcHm1mV6LS/4xoRG6T7cbGdNGnn1OLpa0Klv6HM9EPmvlvpdtLJOHZGcqv3uuVlPlq+n3fKe/bKCy7LGl+R1p51QKBgQCEmPS9A9y6YF7zRo8u7vUmJzGktdrSw65zYZVMzXY9A7uKU/OfpZ+papKDr1D9ApFgi5Ip1imirR7K9m4GImowZOTe/E6dT6nmrUtWUkaS4ghhwZ9Gh6kAOWoBYRB/Z4XIzJoSiet+PJ3p8SLhM7nETj7IDaeQgNudSK8/ohNPWQ=="
+          ],
+          "certificate": [
+            "MIICmzCCAYMCBgF4wLeSOTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjEwNDExMTEzNDE5WhcNMzEwNDExMTEzNTU5WjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCBg1Hc+CH9/X4NRwwFz1Pq5PUzALihO2EZu0mGapCJrBJbNQ7yJxIziEWOI3bOqwrHuh9aY/f5lFOrp9ISt5/7S1FFZp9Orou0PJJrgOKWqdD9YHOedcwv2Gaw8FbeA2JkAphvC9v9gTfov5ridZwRzXeNxeAyotdQPsr/dghg1P9LvEaA0ph8GZtN9LQDTxkhO3JqRoZjAsrrPAthUB5SPWFmNVzPX3bpmGG7hjOcPqoyAKYHCVIP2Vzq/T9FQ2OjU0pJTQtcB5QSTXKfEUon5xSKQe6+whC+5djlKP5ja1xYWlTnUnTVyibr2R3Jh56VC/WfjXI4H9ThsaZuFRy3AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHEq+7bncqOh0RJJj+6fSHsIlkRGOeX6djVIKi1/eAJCD61Et3MHKh4kbu4U6phNlnhW5IFYinchGXe1uoG18fWkUS6QJoxHIDLR+tub7NSMraYxK85VgyLHCHaaGX7Bz+sIM628th4LlQd/M2zL45rqlMvB1XLxsMpi9Pb0Zc7qWwrvE5Jfi99UDAi6ZV3OojR6YC79HVHyOVmBIdLrVtn5mQYKJ5tF5F8xSs4ng96IO8Sn8pbUuYG8SlEz6KMmGH1sczlPE/3kAdm9IF+fXpYywuhsRNJyDBVDGpcqHTW+UW+V5TWa/ucZ6cpr1dQP5/FpcHylSWoXJpCk01PXl/M="
+          ],
+          "priority": ["-100"],
+          "algorithm": ["RS256"]
+        }
+      }
+    ]
+  },
+  "internationalizationEnabled": false,
+  "supportedLocales": [],
+  "authenticationFlows": [
+    {
+      "id": "815c3100-241b-4298-8039-54253c2c7e70",
+      "alias": "Account verification options",
+      "description": "Method with which to verity the existing account",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "idp-email-verification",
+          "requirement": "ALTERNATIVE",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "ALTERNATIVE",
+          "priority": 20,
+          "flowAlias": "Verify Existing Account by Re-authentication",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "e6a85d70-dc13-4705-9ba3-a980d548a430",
+      "alias": "Authentication Options",
+      "description": "Authentication options.",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "basic-auth",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "basic-auth-otp",
+          "requirement": "DISABLED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "auth-spnego",
+          "requirement": "DISABLED",
+          "priority": 30,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "96b14b20-7305-4018-8e75-86b572e3ace0",
+      "alias": "Browser - Conditional OTP",
+      "description": "Flow to determine if the OTP is required for the authentication",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "conditional-user-configured",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "auth-otp-form",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "a51abcaa-7495-4526-997f-55cd82f152e2",
+      "alias": "Direct Grant - Conditional OTP",
+      "description": "Flow to determine if the OTP is required for the authentication",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "conditional-user-configured",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "direct-grant-validate-otp",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "54fa7607-f4e5-4fe7-a8c3-4fad6ee376b8",
+      "alias": "First broker login - Conditional OTP",
+      "description": "Flow to determine if the OTP is required for the authentication",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "conditional-user-configured",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "auth-otp-form",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "31de3d9e-2f81-43cc-a4ad-1112cd4e9d71",
+      "alias": "Handle Existing Account",
+      "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "idp-confirm-link",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "flowAlias": "Account verification options",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "f499a904-41cc-41c1-bb43-688672d1533b",
+      "alias": "Reset - Conditional OTP",
+      "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "conditional-user-configured",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "reset-otp",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "7cee4451-5b17-4742-8736-8fce85639409",
+      "alias": "User creation or linking",
+      "description": "Flow for the existing/non-existing user alternatives",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticatorConfig": "create unique user config",
+          "authenticator": "idp-create-user-if-unique",
+          "requirement": "ALTERNATIVE",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "ALTERNATIVE",
+          "priority": 20,
+          "flowAlias": "Handle Existing Account",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "dafe7404-bce7-4ab6-9e35-fd1aecb93545",
+      "alias": "Verify Existing Account by Re-authentication",
+      "description": "Reauthentication of existing account",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "idp-username-password-form",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "CONDITIONAL",
+          "priority": 20,
+          "flowAlias": "First broker login - Conditional OTP",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "d34ac568-3793-4864-8df8-733fa2cd3554",
+      "alias": "browser",
+      "description": "browser based authentication",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "auth-cookie",
+          "requirement": "ALTERNATIVE",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "auth-spnego",
+          "requirement": "DISABLED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "identity-provider-redirector",
+          "requirement": "ALTERNATIVE",
+          "priority": 25,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "ALTERNATIVE",
+          "priority": 30,
+          "flowAlias": "forms",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "15a43900-948a-487d-a97a-444502dce766",
+      "alias": "clients",
+      "description": "Base authentication for clients",
+      "providerId": "client-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "client-secret",
+          "requirement": "ALTERNATIVE",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "client-jwt",
+          "requirement": "ALTERNATIVE",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "client-secret-jwt",
+          "requirement": "ALTERNATIVE",
+          "priority": 30,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "client-x509",
+          "requirement": "ALTERNATIVE",
+          "priority": 40,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "1865917e-f56d-453c-bb66-578e1955d199",
+      "alias": "direct grant",
+      "description": "OpenID Connect Resource Owner Grant",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "direct-grant-validate-username",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "direct-grant-validate-password",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "CONDITIONAL",
+          "priority": 30,
+          "flowAlias": "Direct Grant - Conditional OTP",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "3e151380-0869-4bdb-b9d1-65a7bcfcb6ab",
+      "alias": "docker auth",
+      "description": "Used by Docker clients to authenticate against the IDP",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "docker-http-basic-authenticator",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "79369bf2-9434-4b93-94d9-74a08a361701",
+      "alias": "first broker login",
+      "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticatorConfig": "review profile config",
+          "authenticator": "idp-review-profile",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "flowAlias": "User creation or linking",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "322d8eb9-a9cc-422a-a6a2-065b3b863967",
+      "alias": "forms",
+      "description": "Username, password, otp and other auth forms.",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "auth-username-password-form",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "CONDITIONAL",
+          "priority": 20,
+          "flowAlias": "Browser - Conditional OTP",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "0cf68f4f-332e-4f7d-a7a9-907189914191",
+      "alias": "http challenge",
+      "description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "no-cookie-redirect",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "flowAlias": "Authentication Options",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "d412906e-1aad-4707-ac40-95406aeed8d0",
+      "alias": "registration",
+      "description": "registration flow",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "registration-page-form",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "flowAlias": "registration form",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "d11ddacf-4fe8-4614-a9f1-fe5dcf621330",
+      "alias": "registration form",
+      "description": "registration form",
+      "providerId": "form-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "registration-user-creation",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "registration-profile-action",
+          "requirement": "REQUIRED",
+          "priority": 40,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "registration-password-action",
+          "requirement": "REQUIRED",
+          "priority": 50,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "registration-recaptcha-action",
+          "requirement": "DISABLED",
+          "priority": 60,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "48093169-4a24-499b-aad7-b87dcd32269d",
+      "alias": "reset credentials",
+      "description": "Reset credentials for a user if they forgot their password or something",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "reset-credentials-choose-user",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "reset-credential-email",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "reset-password",
+          "requirement": "REQUIRED",
+          "priority": 30,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "CONDITIONAL",
+          "priority": 40,
+          "flowAlias": "Reset - Conditional OTP",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "f0a1d44c-2bab-408c-91b4-bb730bd65bc4",
+      "alias": "saml ecp",
+      "description": "SAML ECP Profile Authentication Flow",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "http-basic-authenticator",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    }
+  ],
+  "authenticatorConfig": [
+    {
+      "id": "173229da-6a52-4d54-8e88-cba503234cb4",
+      "alias": "create unique user config",
+      "config": {
+        "require.password.update.after.registration": "false"
+      }
+    },
+    {
+      "id": "a72c2a36-a48a-440d-b52f-831c385287fc",
+      "alias": "review profile config",
+      "config": {
+        "update.profile.on.first.login": "missing"
+      }
+    }
+  ],
+  "requiredActions": [
+    {
+      "alias": "CONFIGURE_TOTP",
+      "name": "Configure OTP",
+      "providerId": "CONFIGURE_TOTP",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 10,
+      "config": {}
+    },
+    {
+      "alias": "terms_and_conditions",
+      "name": "Terms and Conditions",
+      "providerId": "terms_and_conditions",
+      "enabled": false,
+      "defaultAction": false,
+      "priority": 20,
+      "config": {}
+    },
+    {
+      "alias": "UPDATE_PASSWORD",
+      "name": "Update Password",
+      "providerId": "UPDATE_PASSWORD",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 30,
+      "config": {}
+    },
+    {
+      "alias": "UPDATE_PROFILE",
+      "name": "Update Profile",
+      "providerId": "UPDATE_PROFILE",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 40,
+      "config": {}
+    },
+    {
+      "alias": "VERIFY_EMAIL",
+      "name": "Verify Email",
+      "providerId": "VERIFY_EMAIL",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 50,
+      "config": {}
+    },
+    {
+      "alias": "delete_account",
+      "name": "Delete Account",
+      "providerId": "delete_account",
+      "enabled": false,
+      "defaultAction": false,
+      "priority": 60,
+      "config": {}
+    },
+    {
+      "alias": "update_user_locale",
+      "name": "Update User Locale",
+      "providerId": "update_user_locale",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 1000,
+      "config": {}
+    }
+  ],
+  "browserFlow": "browser",
+  "registrationFlow": "registration",
+  "directGrantFlow": "direct grant",
+  "resetCredentialsFlow": "reset credentials",
+  "clientAuthenticationFlow": "clients",
+  "dockerAuthenticationFlow": "docker auth",
+  "attributes": {},
+  "keycloakVersion": "12.0.4",
+  "userManagedAccessAllowed": false
+}
diff --git a/auth_oidc/tests/keycloak/keycloak.sh b/auth_oidc/tests/keycloak/keycloak.sh
new file mode 100755
index 0000000000..7c81d562e7
--- /dev/null
+++ b/auth_oidc/tests/keycloak/keycloak.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -x
+$(which docker || which podman) run --rm \
+  -v $(dirname $0)/keycloak-config.json:/tmp/keycloak-config.json \
+  -p 8080:8080 \
+  quay.io/keycloak/keycloak:12.0.4 \
+  -Dkeycloak.migration.action=import \
+  -Dkeycloak.migration.provider=singleFile \
+  -Dkeycloak.migration.file=/tmp/keycloak-config.json \
+  -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
diff --git a/auth_oidc/tests/test_auth_oidc_auth_code.py b/auth_oidc/tests/test_auth_oidc_auth_code.py
new file mode 100644
index 0000000000..a1a08b0a71
--- /dev/null
+++ b/auth_oidc/tests/test_auth_oidc_auth_code.py
@@ -0,0 +1,310 @@
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import contextlib
+import json
+from urllib.parse import parse_qs, urlparse
+
+import responses
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from jose import jwt
+from jose.exceptions import JWTError
+from jose.utils import long_to_base64
+
+import odoo
+from odoo.exceptions import AccessDenied
+from odoo.tests import common
+
+from odoo.addons.website.tools import MockRequest as _MockRequest
+
+from ..controllers.main import OpenIDLogin
+
+BASE_URL = "http://localhost:%s" % odoo.tools.config["http_port"]
+
+
+@contextlib.contextmanager
+def MockRequest(env):
+    with _MockRequest(env) as request:
+        request.httprequest.url_root = BASE_URL + "/"
+        request.params = {}
+        yield request
+
+
+class TestAuthOIDCAuthorizationCodeFlow(common.HttpCase):
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        (
+            cls.rsa_key_pem,
+            cls.rsa_key_public_pem,
+            cls.rsa_key_public_jwk,
+        ) = cls._generate_key()
+        _, cls.second_key_public_pem, _ = cls._generate_key()
+
+    @staticmethod
+    def _generate_key():
+        rsa_key = rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=4096,
+        )
+        rsa_key_pem = rsa_key.private_bytes(
+            serialization.Encoding.PEM,
+            serialization.PrivateFormat.TraditionalOpenSSL,
+            serialization.NoEncryption(),
+        ).decode("utf8")
+        rsa_key_public = rsa_key.public_key()
+        rsa_key_public_pem = rsa_key_public.public_bytes(
+            serialization.Encoding.PEM,
+            serialization.PublicFormat.SubjectPublicKeyInfo,
+        ).decode("utf8")
+        jwk = {
+            # https://datatracker.ietf.org/doc/html/rfc7518#section-6.1
+            "kty": "RSA",
+            "use": "sig",
+            "n": long_to_base64(rsa_key_public.public_numbers().n).decode("utf-8"),
+            "e": long_to_base64(rsa_key_public.public_numbers().e).decode("utf-8"),
+        }
+        return rsa_key_pem, rsa_key_public_pem, jwk
+
+    def setUp(self):
+        super().setUp()
+        # search our test provider and bind the demo user to it
+        self.provider_rec = self.env["auth.oauth.provider"].search(
+            [("client_id", "=", "auth_oidc-test")]
+        )
+        self.assertEqual(len(self.provider_rec), 1)
+
+    def test_auth_link(self):
+        """Test that the authentication link is correct."""
+        # disable existing providers except our test provider
+        self.env["auth.oauth.provider"].search(
+            [("client_id", "!=", "auth_oidc-test")]
+        ).write(dict(enabled=False))
+        with MockRequest(self.env):
+            providers = OpenIDLogin().list_providers()
+            self.assertEqual(len(providers), 1)
+            auth_link = providers[0]["auth_link"]
+            assert auth_link.startswith(self.provider_rec.auth_endpoint)
+            params = parse_qs(urlparse(auth_link).query)
+            self.assertEqual(params["response_type"], ["code"])
+            self.assertEqual(params["client_id"], [self.provider_rec.client_id])
+            self.assertEqual(params["scope"], ["openid email"])
+            self.assertTrue(params["code_challenge"])
+            self.assertEqual(params["code_challenge_method"], ["S256"])
+            self.assertTrue(params["nonce"])
+            self.assertTrue(params["state"])
+            self.assertEqual(params["redirect_uri"], [BASE_URL + "/auth_oauth/signin"])
+
+    def _prepare_login_test_user(self):
+        user = self.env.ref("base.user_demo")
+        user.write({"oauth_provider_id": self.provider_rec.id, "oauth_uid": user.login})
+        return user
+
+    def _prepare_login_test_responses(
+        self, access_token="42", id_token_body=None, id_token_headers=None, keys=None
+    ):
+        if id_token_body is None:
+            id_token_body = {}
+        if id_token_headers is None:
+            id_token_headers = {"kid": "the_key_id"}
+        responses.add(
+            responses.POST,
+            "http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
+            json={
+                "access_token": access_token,
+                "id_token": jwt.encode(
+                    id_token_body,
+                    self.rsa_key_pem,
+                    algorithm="RS256",
+                    headers=id_token_headers,
+                ),
+            },
+        )
+        if keys is None:
+            if "kid" in id_token_headers:
+                keys = [{"kid": "the_key_id", "keys": [self.rsa_key_public_pem]}]
+            else:
+                keys = [{"keys": [self.rsa_key_public_pem]}]
+        responses.add(
+            responses.GET,
+            "http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
+            json={"keys": keys},
+        )
+
+    @responses.activate
+    def test_login(self):
+        """Test that login works"""
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(id_token_body={"user_id": user.login})
+
+        params = {"state": json.dumps({})}
+        with MockRequest(self.env):
+            db, login, token = self.env["res.users"].auth_oauth(
+                self.provider_rec.id,
+                params,
+            )
+        self.assertEqual(token, "42")
+        self.assertEqual(login, user.login)
+
+    @responses.activate
+    def test_login_without_kid(self):
+        """Test that login works when ID Token has no kid in header"""
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            id_token_headers={},
+            access_token=chr(42),
+        )
+
+        params = {"state": json.dumps({})}
+        with MockRequest(self.env):
+            db, login, token = self.env["res.users"].auth_oauth(
+                self.provider_rec.id,
+                params,
+            )
+        self.assertEqual(token, "*")
+        self.assertEqual(login, user.login)
+
+    @responses.activate
+    def test_login_with_sub_claim(self):
+        """Test that login works when ID Token contains only standard claims"""
+        self.provider_rec.token_map = False
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"sub": user.login}, access_token="1764"
+        )
+
+        params = {"state": json.dumps({})}
+        with MockRequest(self.env):
+            db, login, token = self.env["res.users"].auth_oauth(
+                self.provider_rec.id,
+                params,
+            )
+        self.assertEqual(token, "1764")
+        self.assertEqual(login, user.login)
+
+    @responses.activate
+    def test_login_without_kid_multiple_keys_in_jwks(self):
+        """
+        Test that login fails if no kid is provided in ID Token and JWKS has multiple
+        keys
+        """
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            id_token_headers={},
+            access_token="6*7",
+            keys=[
+                {"kid": "other_key_id", "keys": [self.second_key_public_pem]},
+                {"kid": "the_key_id", "keys": [self.rsa_key_public_pem]},
+            ],
+        )
+
+        with self.assertRaises(
+            JWTError,
+            msg="OpenID Connect requires kid to be set if there is"
+            " more than one key in the JWKS",
+        ):
+            with MockRequest(self.env):
+                self.env["res.users"].auth_oauth(
+                    self.provider_rec.id,
+                    {"state": json.dumps({})},
+                )
+
+    @responses.activate
+    def test_login_without_matching_key(self):
+        """Test that login fails if no matching key can be found"""
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            id_token_headers={},
+            access_token="168/4",
+            keys=[{"kid": "other_key_id", "keys": [self.second_key_public_pem]}],
+        )
+
+        with self.assertRaises(JWTError):
+            with MockRequest(self.env):
+                self.env["res.users"].auth_oauth(
+                    self.provider_rec.id,
+                    {"state": json.dumps({})},
+                )
+
+    @responses.activate
+    def test_login_without_any_key(self):
+        """Test that login fails if no key is provided by JWKS"""
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            id_token_headers={},
+            access_token="168/4",
+            keys=[],
+        )
+
+        with self.assertRaises(AccessDenied):
+            with MockRequest(self.env):
+                self.env["res.users"].auth_oauth(
+                    self.provider_rec.id,
+                    {"state": json.dumps({})},
+                )
+
+    @responses.activate
+    def test_login_with_multiple_keys_in_jwks(self):
+        """Test that login works with multiple keys present in jwks"""
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            access_token="2*3*7",
+            keys=[
+                {"kid": "other_key_id", "keys": [self.second_key_public_pem]},
+                {"kid": "the_key_id", "keys": [self.rsa_key_public_pem]},
+            ],
+        )
+
+        with MockRequest(self.env):
+            db, login, token = self.env["res.users"].auth_oauth(
+                self.provider_rec.id,
+                {"state": json.dumps({})},
+            )
+        self.assertEqual(token, "2*3*7")
+        self.assertEqual(login, user.login)
+
+    @responses.activate
+    def test_login_with_multiple_keys_in_jwks_same_kid(self):
+        """Test that login works with multiple keys with the same kid present in jwks"""
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            access_token="84/2",
+            keys=[
+                {"kid": "the_key_id", "keys": [self.second_key_public_pem]},
+                {"kid": "the_key_id", "keys": [self.rsa_key_public_pem]},
+            ],
+        )
+
+        with MockRequest(self.env):
+            db, login, token = self.env["res.users"].auth_oauth(
+                self.provider_rec.id,
+                {"state": json.dumps({})},
+            )
+        self.assertEqual(token, "84/2")
+        self.assertEqual(login, user.login)
+
+    @responses.activate
+    def test_login_with_jwk_format(self):
+        """Test that login works with proper jwks format"""
+        user = self._prepare_login_test_user()
+        self.rsa_key_public_jwk["kid"] = "the_key_id"
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            keys=[self.rsa_key_public_jwk],
+            access_token="122/3",
+        )
+
+        with MockRequest(self.env):
+            db, login, token = self.env["res.users"].auth_oauth(
+                self.provider_rec.id,
+                {"state": json.dumps({})},
+            )
+        self.assertEqual(token, "122/3")
+        self.assertEqual(login, user.login)
diff --git a/auth_oidc/views/auth_oauth_provider.xml b/auth_oidc/views/auth_oauth_provider.xml
new file mode 100644
index 0000000000..90c931b417
--- /dev/null
+++ b/auth_oidc/views/auth_oauth_provider.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" ?>
+<odoo>
+    <record model="ir.ui.view" id="view_oidc_provider_form">
+        <field name="name">auth.oidc.provider.form</field>
+        <field name="model">auth.oauth.provider</field>
+        <field name="inherit_id" ref="auth_oauth.view_oauth_provider_form" />
+        <field name="arch" type="xml">
+            <field name="name" position="after">
+                <field name="flow" />
+                <field
+                    name="token_map"
+                    placeholder="e.g from:to upn:email sub:user_id"
+                />
+            </field>
+            <field name="client_id" position="after">
+                <field name="client_secret" />
+            </field>
+            <field name="validation_endpoint" position="after">
+                <field name="token_endpoint" />
+                <field name="jwks_uri" />
+            </field>
+        </field>
+    </record>
+</odoo>
diff --git a/requirements.txt b/requirements.txt
index 976ea8d3b0..9d2c2ad67d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,4 @@
 # generated from manifests external_dependencies
+python-jose
 email_validator
 lxml
diff --git a/setup/_metapackage/pyproject.toml b/setup/_metapackage/pyproject.toml
index 270561f3be..16070caa93 100644
--- a/setup/_metapackage/pyproject.toml
+++ b/setup/_metapackage/pyproject.toml
@@ -1,8 +1,12 @@
 [project]
 name = "odoo-addons-oca-server-auth"
-version = "17.0.20231126.0"
+version = "17.0.20240327.0"
 dependencies = [
     "odoo-addon-auth_admin_passkey>=17.0dev,<17.1dev",
+    "odoo-addon-auth_api_key>=17.0dev,<17.1dev",
+    "odoo-addon-auth_api_key_server_env>=17.0dev,<17.1dev",
+    "odoo-addon-auth_oidc>=17.0dev,<17.1dev",
+    "odoo-addon-user_log_view>=17.0dev,<17.1dev",
 ]
 classifiers=[
     "Programming Language :: Python",
diff --git a/test-requirements.txt b/test-requirements.txt
new file mode 100644
index 0000000000..2cb24f43db
--- /dev/null
+++ b/test-requirements.txt
@@ -0,0 +1 @@
+responses
diff --git a/user_log_view/README.rst b/user_log_view/README.rst
new file mode 100644
index 0000000000..996806dc45
--- /dev/null
+++ b/user_log_view/README.rst
@@ -0,0 +1,98 @@
+=================
+User's Log Viewer
+=================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:41582a56f8deb42c9cdd0873300d9ef7116dccde5b22414dcfde2cd9597fb934
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Production%2FStable-green.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Production/Stable
+.. |badge2| image:: https://img.shields.io/badge/licence-LGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/lgpl-3.0-standalone.html
+    :alt: License: LGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/17.0/user_log_view
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-user_log_view
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=17.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module adds a smart button on user's form to display authentication
+logs.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Usage
+=====
+
+To use this module, you need to:
+
+1) Go to Settings
+2) Go to Users & Companies
+3) Choose the User whose logs you need to see and go to Authentication
+   logs
+4) You will see a list of authentications for a specific user
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20user_log_view%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+-------
+
+* IT-Projects LLC
+
+Contributors
+------------
+
+-  Denis Mudarisov <mudarisov@it-projects.info>
+   (https://www.it-projects.info/)
+-  Chandresh Thakkar <cthakkar@opensourceintegrators.com>
+
+Maintainers
+-----------
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+.. |maintainer-trojikman| image:: https://github.com/trojikman.png?size=40px
+    :target: https://github.com/trojikman
+    :alt: trojikman
+
+Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-trojikman| 
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/17.0/user_log_view>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/user_log_view/__init__.py b/user_log_view/__init__.py
new file mode 100644
index 0000000000..ca03eda077
--- /dev/null
+++ b/user_log_view/__init__.py
@@ -0,0 +1 @@
+# License LGPL-3.0 or later (https://www.gnu.org/licenses/lgpl.html).
diff --git a/user_log_view/__manifest__.py b/user_log_view/__manifest__.py
new file mode 100644
index 0000000000..33e54dc242
--- /dev/null
+++ b/user_log_view/__manifest__.py
@@ -0,0 +1,21 @@
+# Copyright 2019 Denis Mudarisov (IT-Projects LLC)
+# License LGPL-3.0 or later (https://www.gnu.org/licenses/lgpl).
+{
+    "name": "User's Log Viewer",
+    "summary": "Allow to see user's actions log",
+    "version": "17.0.1.0.0",
+    "development_status": "Production/Stable",
+    "category": "Extra Tools",
+    "website": "https://github.com/OCA/server-auth",
+    "author": "IT-Projects LLC, Odoo Community Association (OCA)",
+    "maintainers": ["trojikman"],
+    "license": "LGPL-3",
+    "application": False,
+    "installable": True,
+    "depends": [
+        "base",
+    ],
+    "data": [
+        "views/res_users_views.xml",
+    ],
+}
diff --git a/user_log_view/i18n/it.po b/user_log_view/i18n/it.po
new file mode 100644
index 0000000000..4719f62cbe
--- /dev/null
+++ b/user_log_view/i18n/it.po
@@ -0,0 +1,38 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* user_log_view
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 16.0\n"
+"Report-Msgid-Bugs-To: \n"
+"PO-Revision-Date: 2024-01-03 14:33+0000\n"
+"Last-Translator: mymage <stefano.consolaro@mymage.it>\n"
+"Language-Team: none\n"
+"Language: it\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 4.17\n"
+
+#. module: user_log_view
+#: model:ir.actions.act_window,name:user_log_view.action_user_log
+#: model_terms:ir.ui.view,arch_db:user_log_view.res_users_view_form
+msgid "Authentication logs"
+msgstr "Registri autenticazione"
+
+#. module: user_log_view
+#: model_terms:ir.ui.view,arch_db:user_log_view.res_users_log_view_search
+msgid "Date"
+msgstr "Data"
+
+#. module: user_log_view
+#: model_terms:ir.ui.view,arch_db:user_log_view.res_users_log_view_search
+msgid "Group By"
+msgstr "Raggruppa per"
+
+#. module: user_log_view
+#: model_terms:ir.ui.view,arch_db:user_log_view.res_users_log_view_search
+msgid "Test Search"
+msgstr "Testa ricerca"
diff --git a/user_log_view/i18n/user_log_view.pot b/user_log_view/i18n/user_log_view.pot
new file mode 100644
index 0000000000..58030cebde
--- /dev/null
+++ b/user_log_view/i18n/user_log_view.pot
@@ -0,0 +1,35 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* user_log_view
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 17.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: user_log_view
+#: model:ir.actions.act_window,name:user_log_view.action_user_log
+#: model_terms:ir.ui.view,arch_db:user_log_view.res_users_view_form
+msgid "Authentication logs"
+msgstr ""
+
+#. module: user_log_view
+#: model_terms:ir.ui.view,arch_db:user_log_view.res_users_log_view_search
+msgid "Date"
+msgstr ""
+
+#. module: user_log_view
+#: model_terms:ir.ui.view,arch_db:user_log_view.res_users_log_view_search
+msgid "Group By"
+msgstr ""
+
+#. module: user_log_view
+#: model_terms:ir.ui.view,arch_db:user_log_view.res_users_log_view_search
+msgid "Test Search"
+msgstr ""
diff --git a/user_log_view/pyproject.toml b/user_log_view/pyproject.toml
new file mode 100644
index 0000000000..4231d0cccb
--- /dev/null
+++ b/user_log_view/pyproject.toml
@@ -0,0 +1,3 @@
+[build-system]
+requires = ["whool"]
+build-backend = "whool.buildapi"
diff --git a/user_log_view/readme/CONTRIBUTORS.md b/user_log_view/readme/CONTRIBUTORS.md
new file mode 100644
index 0000000000..e7986970d8
--- /dev/null
+++ b/user_log_view/readme/CONTRIBUTORS.md
@@ -0,0 +1,3 @@
+- Denis Mudarisov \<<mudarisov@it-projects.info>\>
+  (<https://www.it-projects.info/>)
+- Chandresh Thakkar \<<cthakkar@opensourceintegrators.com>\>
diff --git a/user_log_view/readme/DESCRIPTION.md b/user_log_view/readme/DESCRIPTION.md
new file mode 100644
index 0000000000..97f032815a
--- /dev/null
+++ b/user_log_view/readme/DESCRIPTION.md
@@ -0,0 +1,2 @@
+This module adds a smart button on user's form to display authentication
+logs.
diff --git a/user_log_view/readme/USAGE.md b/user_log_view/readme/USAGE.md
new file mode 100644
index 0000000000..1c3c3b23b0
--- /dev/null
+++ b/user_log_view/readme/USAGE.md
@@ -0,0 +1,7 @@
+To use this module, you need to:
+
+1)  Go to Settings
+2)  Go to Users & Companies
+3)  Choose the User whose logs you need to see and go to Authentication
+    logs
+4)  You will see a list of authentications for a specific user
diff --git a/user_log_view/static/description/icon.png b/user_log_view/static/description/icon.png
new file mode 100644
index 0000000000..3a0328b516
Binary files /dev/null and b/user_log_view/static/description/icon.png differ
diff --git a/user_log_view/static/description/index.html b/user_log_view/static/description/index.html
new file mode 100644
index 0000000000..ba4964e877
--- /dev/null
+++ b/user_log_view/static/description/index.html
@@ -0,0 +1,437 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
+<title>User's Log Viewer</title>
+<style type="text/css">
+
+/*
+:Author: David Goodger (goodger@python.org)
+:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $
+:Copyright: This stylesheet has been placed in the public domain.
+
+Default cascading style sheet for the HTML output of Docutils.
+
+See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
+customize this style sheet.
+*/
+
+/* used to remove borders from tables and images */
+.borderless, table.borderless td, table.borderless th {
+  border: 0 }
+
+table.borderless td, table.borderless th {
+  /* Override padding for "table.docutils td" with "! important".
+     The right padding separates the table cells. */
+  padding: 0 0.5em 0 0 ! important }
+
+.first {
+  /* Override more specific margin styles with "! important". */
+  margin-top: 0 ! important }
+
+.last, .with-subtitle {
+  margin-bottom: 0 ! important }
+
+.hidden {
+  display: none }
+
+.subscript {
+  vertical-align: sub;
+  font-size: smaller }
+
+.superscript {
+  vertical-align: super;
+  font-size: smaller }
+
+a.toc-backref {
+  text-decoration: none ;
+  color: black }
+
+blockquote.epigraph {
+  margin: 2em 5em ; }
+
+dl.docutils dd {
+  margin-bottom: 0.5em }
+
+object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
+  overflow: hidden;
+}
+
+/* Uncomment (and remove this text!) to get bold-faced definition list terms
+dl.docutils dt {
+  font-weight: bold }
+*/
+
+div.abstract {
+  margin: 2em 5em }
+
+div.abstract p.topic-title {
+  font-weight: bold ;
+  text-align: center }
+
+div.admonition, div.attention, div.caution, div.danger, div.error,
+div.hint, div.important, div.note, div.tip, div.warning {
+  margin: 2em ;
+  border: medium outset ;
+  padding: 1em }
+
+div.admonition p.admonition-title, div.hint p.admonition-title,
+div.important p.admonition-title, div.note p.admonition-title,
+div.tip p.admonition-title {
+  font-weight: bold ;
+  font-family: sans-serif }
+
+div.attention p.admonition-title, div.caution p.admonition-title,
+div.danger p.admonition-title, div.error p.admonition-title,
+div.warning p.admonition-title, .code .error {
+  color: red ;
+  font-weight: bold ;
+  font-family: sans-serif }
+
+/* Uncomment (and remove this text!) to get reduced vertical space in
+   compound paragraphs.
+div.compound .compound-first, div.compound .compound-middle {
+  margin-bottom: 0.5em }
+
+div.compound .compound-last, div.compound .compound-middle {
+  margin-top: 0.5em }
+*/
+
+div.dedication {
+  margin: 2em 5em ;
+  text-align: center ;
+  font-style: italic }
+
+div.dedication p.topic-title {
+  font-weight: bold ;
+  font-style: normal }
+
+div.figure {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+div.footer, div.header {
+  clear: both;
+  font-size: smaller }
+
+div.line-block {
+  display: block ;
+  margin-top: 1em ;
+  margin-bottom: 1em }
+
+div.line-block div.line-block {
+  margin-top: 0 ;
+  margin-bottom: 0 ;
+  margin-left: 1.5em }
+
+div.sidebar {
+  margin: 0 0 0.5em 1em ;
+  border: medium outset ;
+  padding: 1em ;
+  background-color: #ffffee ;
+  width: 40% ;
+  float: right ;
+  clear: right }
+
+div.sidebar p.rubric {
+  font-family: sans-serif ;
+  font-size: medium }
+
+div.system-messages {
+  margin: 5em }
+
+div.system-messages h1 {
+  color: red }
+
+div.system-message {
+  border: medium outset ;
+  padding: 1em }
+
+div.system-message p.system-message-title {
+  color: red ;
+  font-weight: bold }
+
+div.topic {
+  margin: 2em }
+
+h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
+h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
+  margin-top: 0.4em }
+
+h1.title {
+  text-align: center }
+
+h2.subtitle {
+  text-align: center }
+
+hr.docutils {
+  width: 75% }
+
+img.align-left, .figure.align-left, object.align-left, table.align-left {
+  clear: left ;
+  float: left ;
+  margin-right: 1em }
+
+img.align-right, .figure.align-right, object.align-right, table.align-right {
+  clear: right ;
+  float: right ;
+  margin-left: 1em }
+
+img.align-center, .figure.align-center, object.align-center {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+table.align-center {
+  margin-left: auto;
+  margin-right: auto;
+}
+
+.align-left {
+  text-align: left }
+
+.align-center {
+  clear: both ;
+  text-align: center }
+
+.align-right {
+  text-align: right }
+
+/* reset inner alignment in figures */
+div.align-right {
+  text-align: inherit }
+
+/* div.align-center * { */
+/*   text-align: left } */
+
+.align-top    {
+  vertical-align: top }
+
+.align-middle {
+  vertical-align: middle }
+
+.align-bottom {
+  vertical-align: bottom }
+
+ol.simple, ul.simple {
+  margin-bottom: 1em }
+
+ol.arabic {
+  list-style: decimal }
+
+ol.loweralpha {
+  list-style: lower-alpha }
+
+ol.upperalpha {
+  list-style: upper-alpha }
+
+ol.lowerroman {
+  list-style: lower-roman }
+
+ol.upperroman {
+  list-style: upper-roman }
+
+p.attribution {
+  text-align: right ;
+  margin-left: 50% }
+
+p.caption {
+  font-style: italic }
+
+p.credits {
+  font-style: italic ;
+  font-size: smaller }
+
+p.label {
+  white-space: nowrap }
+
+p.rubric {
+  font-weight: bold ;
+  font-size: larger ;
+  color: maroon ;
+  text-align: center }
+
+p.sidebar-title {
+  font-family: sans-serif ;
+  font-weight: bold ;
+  font-size: larger }
+
+p.sidebar-subtitle {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+p.topic-title {
+  font-weight: bold }
+
+pre.address {
+  margin-bottom: 0 ;
+  margin-top: 0 ;
+  font: inherit }
+
+pre.literal-block, pre.doctest-block, pre.math, pre.code {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+pre.code .ln { color: grey; } /* line numbers */
+pre.code, code { background-color: #eeeeee }
+pre.code .comment, code .comment { color: #5C6576 }
+pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
+pre.code .literal.string, code .literal.string { color: #0C5404 }
+pre.code .name.builtin, code .name.builtin { color: #352B84 }
+pre.code .deleted, code .deleted { background-color: #DEB0A1}
+pre.code .inserted, code .inserted { background-color: #A3D289}
+
+span.classifier {
+  font-family: sans-serif ;
+  font-style: oblique }
+
+span.classifier-delimiter {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+span.interpreted {
+  font-family: sans-serif }
+
+span.option {
+  white-space: nowrap }
+
+span.pre {
+  white-space: pre }
+
+span.problematic {
+  color: red }
+
+span.section-subtitle {
+  /* font-size relative to parent (h1..h6 element) */
+  font-size: 80% }
+
+table.citation {
+  border-left: solid 1px gray;
+  margin-left: 1px }
+
+table.docinfo {
+  margin: 2em 4em }
+
+table.docutils {
+  margin-top: 0.5em ;
+  margin-bottom: 0.5em }
+
+table.footnote {
+  border-left: solid 1px black;
+  margin-left: 1px }
+
+table.docutils td, table.docutils th,
+table.docinfo td, table.docinfo th {
+  padding-left: 0.5em ;
+  padding-right: 0.5em ;
+  vertical-align: top }
+
+table.docutils th.field-name, table.docinfo th.docinfo-name {
+  font-weight: bold ;
+  text-align: left ;
+  white-space: nowrap ;
+  padding-left: 0 }
+
+/* "booktabs" style (no vertical lines) */
+table.docutils.booktabs {
+  border: 0px;
+  border-top: 2px solid;
+  border-bottom: 2px solid;
+  border-collapse: collapse;
+}
+table.docutils.booktabs * {
+  border: 0px;
+}
+table.docutils.booktabs th {
+  border-bottom: thin solid;
+  text-align: left;
+}
+
+h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
+h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
+  font-size: 100% }
+
+ul.auto-toc {
+  list-style-type: none }
+
+</style>
+</head>
+<body>
+<div class="document" id="user-s-log-viewer">
+<h1 class="title">User’s Log Viewer</h1>
+
+<!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! This file is generated by oca-gen-addon-readme !!
+!! changes will be overwritten.                   !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! source digest: sha256:41582a56f8deb42c9cdd0873300d9ef7116dccde5b22414dcfde2cd9597fb934
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Production/Stable" src="https://img.shields.io/badge/maturity-Production%2FStable-green.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/lgpl-3.0-standalone.html"><img alt="License: LGPL-3" src="https://img.shields.io/badge/licence-LGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/17.0/user_log_view"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-user_log_view"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=17.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
+<p>This module adds a smart button on user’s form to display authentication
+logs.</p>
+<p><strong>Table of contents</strong></p>
+<div class="contents local topic" id="contents">
+<ul class="simple">
+<li><a class="reference internal" href="#usage" id="toc-entry-1">Usage</a></li>
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-2">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-3">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="toc-entry-4">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="toc-entry-5">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="toc-entry-6">Maintainers</a></li>
+</ul>
+</li>
+</ul>
+</div>
+<div class="section" id="usage">
+<h1><a class="toc-backref" href="#toc-entry-1">Usage</a></h1>
+<p>To use this module, you need to:</p>
+<ol class="arabic simple">
+<li>Go to Settings</li>
+<li>Go to Users &amp; Companies</li>
+<li>Choose the User whose logs you need to see and go to Authentication
+logs</li>
+<li>You will see a list of authentications for a specific user</li>
+</ol>
+</div>
+<div class="section" id="bug-tracker">
+<h1><a class="toc-backref" href="#toc-entry-2">Bug Tracker</a></h1>
+<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20user_log_view%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<p>Do not contact contributors directly about support or help with technical issues.</p>
+</div>
+<div class="section" id="credits">
+<h1><a class="toc-backref" href="#toc-entry-3">Credits</a></h1>
+<div class="section" id="authors">
+<h2><a class="toc-backref" href="#toc-entry-4">Authors</a></h2>
+<ul class="simple">
+<li>IT-Projects LLC</li>
+</ul>
+</div>
+<div class="section" id="contributors">
+<h2><a class="toc-backref" href="#toc-entry-5">Contributors</a></h2>
+<ul class="simple">
+<li>Denis Mudarisov &lt;<a class="reference external" href="mailto:mudarisov&#64;it-projects.info">mudarisov&#64;it-projects.info</a>&gt;
+(<a class="reference external" href="https://www.it-projects.info/">https://www.it-projects.info/</a>)</li>
+<li>Chandresh Thakkar &lt;<a class="reference external" href="mailto:cthakkar&#64;opensourceintegrators.com">cthakkar&#64;opensourceintegrators.com</a>&gt;</li>
+</ul>
+</div>
+<div class="section" id="maintainers">
+<h2><a class="toc-backref" href="#toc-entry-6">Maintainers</a></h2>
+<p>This module is maintained by the OCA.</p>
+<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
+<p>OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.</p>
+<p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
+<p><a class="reference external image-reference" href="https://github.com/trojikman"><img alt="trojikman" src="https://github.com/trojikman.png?size=40px" /></a></p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/17.0/user_log_view">OCA/server-auth</a> project on GitHub.</p>
+<p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
+</div>
+</div>
+</div>
+</body>
+</html>
diff --git a/user_log_view/views/res_users_views.xml b/user_log_view/views/res_users_views.xml
new file mode 100644
index 0000000000..e87a35940c
--- /dev/null
+++ b/user_log_view/views/res_users_views.xml
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- Copyright 2019 Denis Mudarisov (IT-Projects LLC)
+     License LGPL-3.0 or later (https://www.gnu.org/licenses/lgpl). -->
+<odoo>
+
+<record id="action_user_log" model="ir.actions.act_window">
+    <field name="name">Authentication logs</field>
+    <field name="type">ir.actions.act_window</field>
+    <field name="res_model">res.users.log</field>
+    <field name="views">[[False, 'tree'], [False, 'form']]</field>
+    <field name="domain">[('create_uid', '=', active_id)]</field>
+    <field name="target">current</field>
+    <field name="context">{'search_default_groupby_date': True}</field>
+</record>
+
+<record id="res_users_log_view_search" model="ir.ui.view">
+    <field name="name">res.users.log.search</field>
+    <field name="model">res.users.log</field>
+    <field name="arch" type="xml">
+        <search string="Test Search">
+            <field name="create_uid" />
+            <field name="create_date" />
+                <group expand="0" string="Group By">
+                    <filter
+                        string="Date"
+                        name="groupby_date"
+                        context="{'group_by':'create_date:day'}"
+                    />
+                </group>
+        </search>
+    </field>
+</record>
+
+<record id="res_users_view_form" model="ir.ui.view">
+    <field name="name">res.users.view.form</field>
+    <field name="model">res.users</field>
+    <field name="inherit_id" ref="base.view_users_form" />
+    <field name="arch" type="xml">
+        <xpath expr="//button[hasclass('oe_stat_button')]" position="after">
+            <button
+                    name="user_log_view.action_user_log"
+                    type="action"
+                    string="Authentication logs"
+                    icon="fa-user-secret"
+                />
+        </xpath>
+    </field>
+</record>
+
+<record id="res_users_log_view_tree" model="ir.ui.view">
+    <field name="name">res.users.log.tree</field>
+    <field name="model">res.users.log</field>
+    <field name="arch" type="xml">
+        <tree create="false" default_order="create_date desc">
+            <field name="create_uid" />
+            <field name="create_date" />
+        </tree>
+    </field>
+</record>
+
+<record id="res_users_log_view_form" model="ir.ui.view">
+    <field name="name">res.users.log.form</field>
+    <field name="model">res.users.log</field>
+    <field name="arch" type="xml">
+        <form create="false">
+            <sheet>
+                <group>
+                    <field name="create_uid" />
+                    <field name="create_date" />
+                </group>
+            </sheet>
+        </form>
+    </field>
+</record>
+
+</odoo>