From 6b9541efbfbfd7d5e08aea7f3ce12a49803b683f Mon Sep 17 00:00:00 2001
From: chaule97 <lebaochau97@gmail.com>
Date: Mon, 22 Dec 2025 11:29:44 +0700
Subject: [PATCH] [ADD] auth_autologin_via_jwt_cookie

---
 auth_autologin_via_jwt_cookie/README.rst      |  72 +++
 auth_autologin_via_jwt_cookie/__init__.py     |   1 +
 auth_autologin_via_jwt_cookie/__manifest__.py |  21 +
 .../models/__init__.py                        |   5 +
 .../models/ir_http.py                         | 182 ++++++++
 .../models/res_config_settings.py             |  24 +
 .../readme/DESCRIPTION.rst                    |   2 +
 .../static/description/index.html             | 417 ++++++++++++++++++
 .../views/res_config_settings_view.xml        |  58 +++
 .../odoo/addons/auth_autologin_via_jwt_cookie |   1 +
 setup/auth_autologin_via_jwt_cookie/setup.py  |   6 +
 11 files changed, 789 insertions(+)
 create mode 100644 auth_autologin_via_jwt_cookie/README.rst
 create mode 100644 auth_autologin_via_jwt_cookie/__init__.py
 create mode 100644 auth_autologin_via_jwt_cookie/__manifest__.py
 create mode 100644 auth_autologin_via_jwt_cookie/models/__init__.py
 create mode 100644 auth_autologin_via_jwt_cookie/models/ir_http.py
 create mode 100644 auth_autologin_via_jwt_cookie/models/res_config_settings.py
 create mode 100644 auth_autologin_via_jwt_cookie/readme/DESCRIPTION.rst
 create mode 100644 auth_autologin_via_jwt_cookie/static/description/index.html
 create mode 100644 auth_autologin_via_jwt_cookie/views/res_config_settings_view.xml
 create mode 120000 setup/auth_autologin_via_jwt_cookie/odoo/addons/auth_autologin_via_jwt_cookie
 create mode 100644 setup/auth_autologin_via_jwt_cookie/setup.py

diff --git a/auth_autologin_via_jwt_cookie/README.rst b/auth_autologin_via_jwt_cookie/README.rst
new file mode 100644
index 0000000000..ac8b5dbb5f
--- /dev/null
+++ b/auth_autologin_via_jwt_cookie/README.rst
@@ -0,0 +1,72 @@
+=============================
+Auth Autologin via JWT Cookie
+=============================
+
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:235b6c7853637cc201cf62eb0b9a6cfa257c77d6199a697f0a09c7be9c3afa8b
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/16.0/auth_autologin_via_jwt_cookie
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_autologin_via_jwt_cookie
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=16.0
+    :alt: Try me on Runboat
+
+|badge1| |badge2| |badge3| |badge4| |badge5|
+
+This module automatically authenticates Odoo users using a valid JWT found in a shared browser cookie.
+If no Odoo session exists, the JWT is verified via a JWKS endpoint, user information is retrieved from a userinfo endpoint, and the matching user is logged in transparently based on email.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_autologin_via_jwt_cookie%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
+
+Credits
+=======
+
+Authors
+~~~~~~~
+
+* Kencove
+
+Maintainers
+~~~~~~~~~~~
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/16.0/auth_autologin_via_jwt_cookie>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_autologin_via_jwt_cookie/__init__.py b/auth_autologin_via_jwt_cookie/__init__.py
new file mode 100644
index 0000000000..0650744f6b
--- /dev/null
+++ b/auth_autologin_via_jwt_cookie/__init__.py
@@ -0,0 +1 @@
+from . import models
diff --git a/auth_autologin_via_jwt_cookie/__manifest__.py b/auth_autologin_via_jwt_cookie/__manifest__.py
new file mode 100644
index 0000000000..6f0a4f368f
--- /dev/null
+++ b/auth_autologin_via_jwt_cookie/__manifest__.py
@@ -0,0 +1,21 @@
+# Copyright 2025 Kencove (https://www.kencove.com/)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+{
+    "name": "Auth Autologin via JWT Cookie",
+    "summary": "Auto-authenticate users using a shared JWT cookie",
+    "version": "16.0.1.0.0",
+    "category": "Authentication",
+    "author": "Kencove,Odoo Community Association (OCA)",
+    "website": "https://github.com/OCA/server-auth",
+    "license": "AGPL-3",
+    "depends": ["base_setup"],
+    "data": [
+        "views/res_config_settings_view.xml",
+    ],
+    "installable": True,
+    "application": False,
+    "external_dependencies": {
+        "python": ["pyjwt"],
+    },
+}
diff --git a/auth_autologin_via_jwt_cookie/models/__init__.py b/auth_autologin_via_jwt_cookie/models/__init__.py
new file mode 100644
index 0000000000..8828c2e1e1
--- /dev/null
+++ b/auth_autologin_via_jwt_cookie/models/__init__.py
@@ -0,0 +1,5 @@
+# Copyright 2025 Kencove (https://www.kencove.com/)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from . import ir_http
+from . import res_config_settings
diff --git a/auth_autologin_via_jwt_cookie/models/ir_http.py b/auth_autologin_via_jwt_cookie/models/ir_http.py
new file mode 100644
index 0000000000..b2aab69e29
--- /dev/null
+++ b/auth_autologin_via_jwt_cookie/models/ir_http.py
@@ -0,0 +1,182 @@
+# Copyright 2025 Kencove (https://www.kencove.com/)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+import logging
+from functools import lru_cache
+
+import jwt
+import requests
+from jwt import PyJWKClient
+from jwt.exceptions import InvalidTokenError, PyJWTError
+
+from odoo import models
+from odoo.http import request
+from odoo.service import security
+
+_logger = logging.getLogger(__name__)
+
+
+@lru_cache(maxsize=16)
+def _get_jwk_client(jwks_url: str) -> PyJWKClient:
+    """
+    Cache a PyJWKClient per JWKS URL (per worker).
+    PyJWKClient itself caches fetched JWKS keys.
+    """
+    return PyJWKClient(jwks_url)
+
+
+class IrHttp(models.AbstractModel):
+    _inherit = "ir.http"
+
+    @classmethod
+    def _authenticate(cls, endpoint):
+        # If already authenticated, keep default flow
+        if getattr(request, "session", None) and request.session.uid:
+            return super()._authenticate(endpoint)
+
+        result = cls._try_autologin_from_jwt_cookie()
+
+        if not result:
+            return super()._authenticate(endpoint)
+
+    @classmethod
+    def _try_autologin_from_jwt_cookie(cls):
+        settings = cls._get_autologin_settings()
+        if not settings:
+            return False
+
+        token = cls._get_cookie_token(settings["cookie_name"])
+        if not token:
+            return False
+
+        claims = cls._verify_jwt_with_pyjwt(token, settings["jwks_url"])
+        if not claims:
+            return False
+
+        # Optional hardening: accept only access tokens when claim exists
+        token_use = claims.get("token_use")
+        if token_use and token_use != "access":
+            _logger.info("Skipping autologin: token_use=%s", token_use)
+            return False
+
+        email = cls._get_email_from_userinfo(settings["userinfo_url"], token)
+        if not email:
+            return False
+
+        user = cls._find_user_by_email(email)
+        if not user:
+            return False
+
+        cls._force_login(user)
+
+        return True
+
+    @classmethod
+    def _get_autologin_settings(cls):
+        icp = request.env["ir.config_parameter"].sudo()
+        cookie_name = (
+            icp.get_param("auth_autologin_via_jwt_cookie.jwt_cookie_name") or ""
+        ).strip()
+        jwks_url = (
+            icp.get_param("auth_autologin_via_jwt_cookie.jwks_url") or ""
+        ).strip()
+        userinfo_url = (
+            icp.get_param("auth_autologin_via_jwt_cookie.userinfo_url") or ""
+        ).strip()
+
+        if not (cookie_name and jwks_url and userinfo_url):
+            return None
+        return {
+            "cookie_name": cookie_name,
+            "jwks_url": jwks_url,
+            "userinfo_url": userinfo_url,
+        }
+
+    @classmethod
+    def _get_cookie_token(cls, cookie_name: str):
+        return request.httprequest.cookies.get(cookie_name)
+
+    @classmethod
+    def _verify_jwt_with_pyjwt(cls, token: str, jwks_url: str):
+        """
+        Verify RS256 token using JWKS URL via PyJWKClient (cached).
+        Returns claims dict if valid, otherwise None.
+        """
+        try:
+            header = jwt.get_unverified_header(token)
+        except PyJWTError as e:
+            _logger.info("Invalid JWT header: %s", e)
+            return None
+
+        if header.get("alg") != "RS256":
+            _logger.info("Skipping autologin: unexpected alg=%s", header.get("alg"))
+            return None
+
+        if not header.get("kid"):
+            _logger.info("Skipping autologin: missing kid")
+            return None
+
+        try:
+            jwk_client = _get_jwk_client(jwks_url)
+            signing_key = jwk_client.get_signing_key_from_jwt(token).key
+        except (requests.RequestException, PyJWTError) as e:
+            _logger.warning("Unable to fetch/resolve JWKS signing key: %s", e)
+            return None
+
+        try:
+            claims = jwt.decode(
+                token,
+                signing_key,
+                algorithms=["RS256"],
+                options={
+                    "verify_aud": False,
+                },
+            )
+            return claims
+        except InvalidTokenError as e:
+            _logger.info("JWT verification failed: %s", e)
+            return None
+
+    @classmethod
+    def _get_email_from_userinfo(cls, userinfo_url: str, token: str):
+        try:
+            res = requests.get(
+                userinfo_url,
+                headers={"Authorization": f"Bearer {token}"},
+                timeout=5,
+            )
+            res.raise_for_status()
+        except requests.RequestException as e:
+            _logger.warning("Userinfo request failed: %s", e)
+            return None
+
+        try:
+            data = res.json()
+        except ValueError:
+            _logger.info("Userinfo response is not JSON")
+            return None
+
+        email = (data.get("email") or "").strip()
+        return email or None
+
+    @classmethod
+    def _find_user_by_email(cls, email: str):
+        user = (
+            request.env["res.users"]
+            .sudo()
+            .search(
+                ["|", ("login", "=", email), ("email", "=", email)],
+                limit=1,
+            )
+        )
+        return user if user and user.active else None
+
+    @classmethod
+    def _force_login(cls, user):
+        request.update_env(user=user.id)
+        request.session.uid = user.id
+        request.session.session_token = security.compute_session_token(
+            request.session, request.env
+        )
+
+        _logger.info("Auto-authenticated user %s via JWT cookie", user.login)
diff --git a/auth_autologin_via_jwt_cookie/models/res_config_settings.py b/auth_autologin_via_jwt_cookie/models/res_config_settings.py
new file mode 100644
index 0000000000..86a8c86308
--- /dev/null
+++ b/auth_autologin_via_jwt_cookie/models/res_config_settings.py
@@ -0,0 +1,24 @@
+# Copyright 2025 Kencove (https://www.kencove.com/)
+# License AGPL-3.0 or later (https://www.gnu.org/licenses/agpl).
+
+from odoo import fields, models
+
+
+class ResConfigSettings(models.TransientModel):
+    _inherit = "res.config.settings"
+
+    auth_autologin_jwt_cookie_name = fields.Char(
+        string="JWT Cookie Name",
+        config_parameter="auth_autologin_via_jwt_cookie.jwt_cookie_name",
+        help="Name of the shared cookie containing the JWT.",
+    )
+    auth_autologin_jwks_url = fields.Char(
+        string="JWKS URL",
+        config_parameter="auth_autologin_via_jwt_cookie.jwks_url",
+        help="JWKS endpoint used to verify JWT signatures.",
+    )
+    auth_autologin_userinfo_url = fields.Char(
+        string="Userinfo URL",
+        config_parameter="auth_autologin_via_jwt_cookie.userinfo_url",
+        help="Endpoint called with the JWT to retrieve the user email.",
+    )
diff --git a/auth_autologin_via_jwt_cookie/readme/DESCRIPTION.rst b/auth_autologin_via_jwt_cookie/readme/DESCRIPTION.rst
new file mode 100644
index 0000000000..8e0f0cebba
--- /dev/null
+++ b/auth_autologin_via_jwt_cookie/readme/DESCRIPTION.rst
@@ -0,0 +1,2 @@
+This module automatically authenticates Odoo users using a valid JWT found in a shared browser cookie.
+If no Odoo session exists, the JWT is verified via a JWKS endpoint, user information is retrieved from a userinfo endpoint, and the matching user is logged in transparently based on email.
diff --git a/auth_autologin_via_jwt_cookie/static/description/index.html b/auth_autologin_via_jwt_cookie/static/description/index.html
new file mode 100644
index 0000000000..60bc690564
--- /dev/null
+++ b/auth_autologin_via_jwt_cookie/static/description/index.html
@@ -0,0 +1,417 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
+<title>Auth Autologin via JWT Cookie</title>
+<style type="text/css">
+
+/*
+:Author: David Goodger (goodger@python.org)
+:Id: $Id: html4css1.css 9511 2024-01-13 09:50:07Z milde $
+:Copyright: This stylesheet has been placed in the public domain.
+
+Default cascading style sheet for the HTML output of Docutils.
+Despite the name, some widely supported CSS2 features are used.
+
+See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
+customize this style sheet.
+*/
+
+/* used to remove borders from tables and images */
+.borderless, table.borderless td, table.borderless th {
+  border: 0 }
+
+table.borderless td, table.borderless th {
+  /* Override padding for "table.docutils td" with "! important".
+     The right padding separates the table cells. */
+  padding: 0 0.5em 0 0 ! important }
+
+.first {
+  /* Override more specific margin styles with "! important". */
+  margin-top: 0 ! important }
+
+.last, .with-subtitle {
+  margin-bottom: 0 ! important }
+
+.hidden {
+  display: none }
+
+.subscript {
+  vertical-align: sub;
+  font-size: smaller }
+
+.superscript {
+  vertical-align: super;
+  font-size: smaller }
+
+a.toc-backref {
+  text-decoration: none ;
+  color: black }
+
+blockquote.epigraph {
+  margin: 2em 5em ; }
+
+dl.docutils dd {
+  margin-bottom: 0.5em }
+
+object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
+  overflow: hidden;
+}
+
+/* Uncomment (and remove this text!) to get bold-faced definition list terms
+dl.docutils dt {
+  font-weight: bold }
+*/
+
+div.abstract {
+  margin: 2em 5em }
+
+div.abstract p.topic-title {
+  font-weight: bold ;
+  text-align: center }
+
+div.admonition, div.attention, div.caution, div.danger, div.error,
+div.hint, div.important, div.note, div.tip, div.warning {
+  margin: 2em ;
+  border: medium outset ;
+  padding: 1em }
+
+div.admonition p.admonition-title, div.hint p.admonition-title,
+div.important p.admonition-title, div.note p.admonition-title,
+div.tip p.admonition-title {
+  font-weight: bold ;
+  font-family: sans-serif }
+
+div.attention p.admonition-title, div.caution p.admonition-title,
+div.danger p.admonition-title, div.error p.admonition-title,
+div.warning p.admonition-title, .code .error {
+  color: red ;
+  font-weight: bold ;
+  font-family: sans-serif }
+
+/* Uncomment (and remove this text!) to get reduced vertical space in
+   compound paragraphs.
+div.compound .compound-first, div.compound .compound-middle {
+  margin-bottom: 0.5em }
+
+div.compound .compound-last, div.compound .compound-middle {
+  margin-top: 0.5em }
+*/
+
+div.dedication {
+  margin: 2em 5em ;
+  text-align: center ;
+  font-style: italic }
+
+div.dedication p.topic-title {
+  font-weight: bold ;
+  font-style: normal }
+
+div.figure {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+div.footer, div.header {
+  clear: both;
+  font-size: smaller }
+
+div.line-block {
+  display: block ;
+  margin-top: 1em ;
+  margin-bottom: 1em }
+
+div.line-block div.line-block {
+  margin-top: 0 ;
+  margin-bottom: 0 ;
+  margin-left: 1.5em }
+
+div.sidebar {
+  margin: 0 0 0.5em 1em ;
+  border: medium outset ;
+  padding: 1em ;
+  background-color: #ffffee ;
+  width: 40% ;
+  float: right ;
+  clear: right }
+
+div.sidebar p.rubric {
+  font-family: sans-serif ;
+  font-size: medium }
+
+div.system-messages {
+  margin: 5em }
+
+div.system-messages h1 {
+  color: red }
+
+div.system-message {
+  border: medium outset ;
+  padding: 1em }
+
+div.system-message p.system-message-title {
+  color: red ;
+  font-weight: bold }
+
+div.topic {
+  margin: 2em }
+
+h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
+h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
+  margin-top: 0.4em }
+
+h1.title {
+  text-align: center }
+
+h2.subtitle {
+  text-align: center }
+
+hr.docutils {
+  width: 75% }
+
+img.align-left, .figure.align-left, object.align-left, table.align-left {
+  clear: left ;
+  float: left ;
+  margin-right: 1em }
+
+img.align-right, .figure.align-right, object.align-right, table.align-right {
+  clear: right ;
+  float: right ;
+  margin-left: 1em }
+
+img.align-center, .figure.align-center, object.align-center {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+table.align-center {
+  margin-left: auto;
+  margin-right: auto;
+}
+
+.align-left {
+  text-align: left }
+
+.align-center {
+  clear: both ;
+  text-align: center }
+
+.align-right {
+  text-align: right }
+
+/* reset inner alignment in figures */
+div.align-right {
+  text-align: inherit }
+
+/* div.align-center * { */
+/*   text-align: left } */
+
+.align-top    {
+  vertical-align: top }
+
+.align-middle {
+  vertical-align: middle }
+
+.align-bottom {
+  vertical-align: bottom }
+
+ol.simple, ul.simple {
+  margin-bottom: 1em }
+
+ol.arabic {
+  list-style: decimal }
+
+ol.loweralpha {
+  list-style: lower-alpha }
+
+ol.upperalpha {
+  list-style: upper-alpha }
+
+ol.lowerroman {
+  list-style: lower-roman }
+
+ol.upperroman {
+  list-style: upper-roman }
+
+p.attribution {
+  text-align: right ;
+  margin-left: 50% }
+
+p.caption {
+  font-style: italic }
+
+p.credits {
+  font-style: italic ;
+  font-size: smaller }
+
+p.label {
+  white-space: nowrap }
+
+p.rubric {
+  font-weight: bold ;
+  font-size: larger ;
+  color: maroon ;
+  text-align: center }
+
+p.sidebar-title {
+  font-family: sans-serif ;
+  font-weight: bold ;
+  font-size: larger }
+
+p.sidebar-subtitle {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+p.topic-title {
+  font-weight: bold }
+
+pre.address {
+  margin-bottom: 0 ;
+  margin-top: 0 ;
+  font: inherit }
+
+pre.literal-block, pre.doctest-block, pre.math, pre.code {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+pre.code .ln { color: gray; } /* line numbers */
+pre.code, code { background-color: #eeeeee }
+pre.code .comment, code .comment { color: #5C6576 }
+pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
+pre.code .literal.string, code .literal.string { color: #0C5404 }
+pre.code .name.builtin, code .name.builtin { color: #352B84 }
+pre.code .deleted, code .deleted { background-color: #DEB0A1}
+pre.code .inserted, code .inserted { background-color: #A3D289}
+
+span.classifier {
+  font-family: sans-serif ;
+  font-style: oblique }
+
+span.classifier-delimiter {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+span.interpreted {
+  font-family: sans-serif }
+
+span.option {
+  white-space: nowrap }
+
+span.pre {
+  white-space: pre }
+
+span.problematic, pre.problematic {
+  color: red }
+
+span.section-subtitle {
+  /* font-size relative to parent (h1..h6 element) */
+  font-size: 80% }
+
+table.citation {
+  border-left: solid 1px gray;
+  margin-left: 1px }
+
+table.docinfo {
+  margin: 2em 4em }
+
+table.docutils {
+  margin-top: 0.5em ;
+  margin-bottom: 0.5em }
+
+table.footnote {
+  border-left: solid 1px black;
+  margin-left: 1px }
+
+table.docutils td, table.docutils th,
+table.docinfo td, table.docinfo th {
+  padding-left: 0.5em ;
+  padding-right: 0.5em ;
+  vertical-align: top }
+
+table.docutils th.field-name, table.docinfo th.docinfo-name {
+  font-weight: bold ;
+  text-align: left ;
+  white-space: nowrap ;
+  padding-left: 0 }
+
+/* "booktabs" style (no vertical lines) */
+table.docutils.booktabs {
+  border: 0px;
+  border-top: 2px solid;
+  border-bottom: 2px solid;
+  border-collapse: collapse;
+}
+table.docutils.booktabs * {
+  border: 0px;
+}
+table.docutils.booktabs th {
+  border-bottom: thin solid;
+  text-align: left;
+}
+
+h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
+h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
+  font-size: 100% }
+
+ul.auto-toc {
+  list-style-type: none }
+
+</style>
+</head>
+<body>
+<div class="document" id="auth-autologin-via-jwt-cookie">
+<h1 class="title">Auth Autologin via JWT Cookie</h1>
+
+<!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! This file is generated by oca-gen-addon-readme !!
+!! changes will be overwritten.                   !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! source digest: sha256:235b6c7853637cc201cf62eb0b9a6cfa257c77d6199a697f0a09c7be9c3afa8b
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/16.0/auth_autologin_via_jwt_cookie"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_autologin_via_jwt_cookie"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
+<p>This module automatically authenticates Odoo users using a valid JWT found in a shared browser cookie.
+If no Odoo session exists, the JWT is verified via a JWKS endpoint, user information is retrieved from a userinfo endpoint, and the matching user is logged in transparently based on email.</p>
+<p><strong>Table of contents</strong></p>
+<div class="contents local topic" id="contents">
+<ul class="simple">
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-1">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-2">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="toc-entry-3">Authors</a></li>
+<li><a class="reference internal" href="#maintainers" id="toc-entry-4">Maintainers</a></li>
+</ul>
+</li>
+</ul>
+</div>
+<div class="section" id="bug-tracker">
+<h1><a class="toc-backref" href="#toc-entry-1">Bug Tracker</a></h1>
+<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_autologin_via_jwt_cookie%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<p>Do not contact contributors directly about support or help with technical issues.</p>
+</div>
+<div class="section" id="credits">
+<h1><a class="toc-backref" href="#toc-entry-2">Credits</a></h1>
+<div class="section" id="authors">
+<h2><a class="toc-backref" href="#toc-entry-3">Authors</a></h2>
+<ul class="simple">
+<li>Kencove</li>
+</ul>
+</div>
+<div class="section" id="maintainers">
+<h2><a class="toc-backref" href="#toc-entry-4">Maintainers</a></h2>
+<p>This module is maintained by the OCA.</p>
+<a class="reference external image-reference" href="https://odoo-community.org">
+<img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" />
+</a>
+<p>OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.</p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/16.0/auth_autologin_via_jwt_cookie">OCA/server-auth</a> project on GitHub.</p>
+<p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
+</div>
+</div>
+</div>
+</body>
+</html>
diff --git a/auth_autologin_via_jwt_cookie/views/res_config_settings_view.xml b/auth_autologin_via_jwt_cookie/views/res_config_settings_view.xml
new file mode 100644
index 0000000000..9fc4fbdd26
--- /dev/null
+++ b/auth_autologin_via_jwt_cookie/views/res_config_settings_view.xml
@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<odoo>
+    <record
+        id="res_config_settings_view_form_auth_autologin_via_jwt_cookie"
+        model="ir.ui.view"
+    >
+        <field
+            name="name"
+        >res.config.settings.view.form.auth.autologin.jwt.cookie</field>
+        <field name="model">res.config.settings</field>
+        <field name="inherit_id" ref="base_setup.res_config_settings_view_form" />
+        <field name="arch" type="xml">
+            <div
+                class="row mt16 o_settings_container"
+                name="integration"
+                position="after"
+            >
+                <h2>JWT Cookie Autologin</h2>
+
+                <div class="row mt16 o_settings_container" name="jWT_cookie_autologin">
+                    <div class="col-12 col-lg-6 o_setting_box">
+                        <div class="o_setting_left_pane" />
+                        <div class="o_setting_right_pane">
+                            <label for="auth_autologin_jwt_cookie_name" />
+                            <div class="text-muted">
+                                Shared cookie name
+                            </div>
+                            <field name="auth_autologin_jwt_cookie_name" />
+                        </div>
+                    </div>
+
+                    <div class="col-12 col-lg-6 o_setting_box">
+                        <div class="o_setting_left_pane" />
+                        <div class="o_setting_right_pane">
+                            <label for="auth_autologin_jwks_url" />
+                            <div class="text-muted">
+                                JWKS endpoint used to validate the cookie JWT signature.
+                            </div>
+                            <field name="auth_autologin_jwks_url" />
+                        </div>
+                    </div>
+
+                    <div class="col-12 col-lg-6 o_setting_box">
+                        <div class="o_setting_left_pane" />
+                        <div class="o_setting_right_pane">
+                            <label for="auth_autologin_userinfo_url" />
+                            <div class="text-muted">
+                                Userinfo endpoint returning email, called with <code
+                                >Authorization: Bearer &lt;JWT&gt;</code>.
+                            </div>
+                            <field name="auth_autologin_userinfo_url" />
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </field>
+    </record>
+</odoo>
diff --git a/setup/auth_autologin_via_jwt_cookie/odoo/addons/auth_autologin_via_jwt_cookie b/setup/auth_autologin_via_jwt_cookie/odoo/addons/auth_autologin_via_jwt_cookie
new file mode 120000
index 0000000000..1c4f88a98f
--- /dev/null
+++ b/setup/auth_autologin_via_jwt_cookie/odoo/addons/auth_autologin_via_jwt_cookie
@@ -0,0 +1 @@
+../../../../auth_autologin_via_jwt_cookie
\ No newline at end of file
diff --git a/setup/auth_autologin_via_jwt_cookie/setup.py b/setup/auth_autologin_via_jwt_cookie/setup.py
new file mode 100644
index 0000000000..28c57bb640
--- /dev/null
+++ b/setup/auth_autologin_via_jwt_cookie/setup.py
@@ -0,0 +1,6 @@
+import setuptools
+
+setuptools.setup(
+    setup_requires=['setuptools-odoo'],
+    odoo_addon=True,
+)