From a169182522c4b07395f4027e9a0cadec151d4385 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Schenkels?= <a.schenkels@ictstudio.eu>
Date: Fri, 5 Oct 2018 15:43:47 +0200
Subject: [PATCH 01/46] [ADD] auth_oidc module

---
 auth_oidc/__init__.py                   |   6 +++
 auth_oidc/__manifest__.py               |  25 +++++++++
 auth_oidc/controllers/__init__.py       |   6 +++
 auth_oidc/controllers/main.py           |  25 +++++++++
 auth_oidc/models/__init__.py            |   6 +++
 auth_oidc/models/auth_oauth_provider.py |  64 ++++++++++++++++++++++++
 auth_oidc/models/res_users.py           |  25 +++++++++
 auth_oidc/static/description/icon.png   | Bin 0 -> 2780 bytes
 auth_oidc/views/auth_oauth_provider.xml |  14 ++++++
 9 files changed, 171 insertions(+)
 create mode 100644 auth_oidc/__init__.py
 create mode 100644 auth_oidc/__manifest__.py
 create mode 100644 auth_oidc/controllers/__init__.py
 create mode 100644 auth_oidc/controllers/main.py
 create mode 100644 auth_oidc/models/__init__.py
 create mode 100644 auth_oidc/models/auth_oauth_provider.py
 create mode 100644 auth_oidc/models/res_users.py
 create mode 100755 auth_oidc/static/description/icon.png
 create mode 100644 auth_oidc/views/auth_oauth_provider.xml

diff --git a/auth_oidc/__init__.py b/auth_oidc/__init__.py
new file mode 100644
index 0000000000..000324e3e2
--- /dev/null
+++ b/auth_oidc/__init__.py
@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import controllers
+from . import models
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
new file mode 100644
index 0000000000..bb96a321f1
--- /dev/null
+++ b/auth_oidc/__manifest__.py
@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+{
+    'name': 'Authentication OpenID Connect',
+    'version': '10.0.1.0.0',
+    'license': 'AGPL-3',
+    'author': 'ICTSTUDIO, André Schenkels',
+    'website': 'https://www.ictstudio.eu',
+    'description': """
+Allow users to login through OpenID Connect Provider.
+=====================================================
+- Keycloak with ClientID and Secret + Implicit Flow
+
+""",
+    'external_dependencies': {'python': [
+        'jose',
+        'cryptography'
+    ]},
+    'depends': ['auth_oauth'],
+    'data': [
+        'views/auth_oauth_provider.xml',
+    ],
+}
diff --git a/auth_oidc/controllers/__init__.py b/auth_oidc/controllers/__init__.py
new file mode 100644
index 0000000000..832d7f07a1
--- /dev/null
+++ b/auth_oidc/controllers/__init__.py
@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import main
+
diff --git a/auth_oidc/controllers/main.py b/auth_oidc/controllers/main.py
new file mode 100644
index 0000000000..7e99f1e930
--- /dev/null
+++ b/auth_oidc/controllers/main.py
@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import werkzeug.utils
+import uuid
+
+from odoo.addons.auth_oauth.controllers.main import OAuthLogin
+
+
+class OpenIDLogin(OAuthLogin):
+
+    def list_providers(self):
+        providers = super(OpenIDLogin, self).list_providers()
+        for provider in providers:
+            if provider.get('flow') == 'id_token':
+                provider['nonce'] = uuid.uuid1().hex
+                params = werkzeug.url_decode(provider['auth_link'].split('?')[-1])
+                params.pop('response_type')
+                params.update(dict(response_type='id_token',
+                                   nonce=provider['nonce']))
+                if provider.get('scope'):
+                    params['scope'] = provider['scope']
+                provider['auth_link'] = "%s?%s" % (provider['auth_endpoint'], werkzeug.url_encode(params))
+        return providers
diff --git a/auth_oidc/models/__init__.py b/auth_oidc/models/__init__.py
new file mode 100644
index 0000000000..37e1a690a6
--- /dev/null
+++ b/auth_oidc/models/__init__.py
@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from . import auth_oauth_provider
+from . import res_users
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
new file mode 100644
index 0000000000..a593736b9a
--- /dev/null
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -0,0 +1,64 @@
+# -*- coding: utf-8 -*-
+# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from odoo import models, fields, api
+from jose import jwt
+import urllib2
+import json
+
+
+class AuthOauthProvider(models.Model):
+    _inherit = 'auth.oauth.provider'
+
+    flow = fields.Selection([
+        ('access_token', 'OAuth2'),
+        ('id_token', 'OpenID Connect')
+    ],
+        string='Auth Flow',
+        required=True,
+        default='access_token')
+
+    token_map = fields.Char(
+        help="Some Oauth providers don't map keys in their responses "
+             "exactly as required.  It is important to ensure user_id and "
+             "email at least are mapped. For OpenID Connect user_id is "
+             "the sub key in the standard.")
+
+    validation_endpoint = fields.Char(
+        help='For OpenID Connect this should be the location for public keys ')
+
+    @api.model
+    def _get_key(self, header):
+        if self.flow != 'id_token':
+            return False
+        f = urllib2.urlopen(self.validation_endpoint)
+        response = json.loads(f.read())
+        rsa_key = {}
+        for key in response["keys"]:
+            if key["kid"] == header.get('kid'):
+                rsa_key = key
+        return rsa_key
+
+    @api.model
+    def map_token_values(self, res):
+        if self.token_map:
+            for pair in self.token_map.split(' '):
+                from_key, to_key = pair.split(':')
+                if to_key not in res:
+                    res[to_key] = res.get(from_key, '')
+        return res
+
+    @api.multi
+    def _parse_id_token(self, id_token):
+        self.ensure_one()
+        res = {}
+        header = jwt.get_unverified_header(id_token)
+        res.update(jwt.decode(
+            id_token,
+            self._get_key(header),
+            algorithms=['RS256'],
+            audience=self.client_id))
+
+        res.update(self.map_token_values(res))
+        return res
\ No newline at end of file
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
new file mode 100644
index 0000000000..1c67ab2d43
--- /dev/null
+++ b/auth_oidc/models/res_users.py
@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+from odoo import models, api
+
+
+class ResUsers(models.Model):
+    _inherit = 'res.users'
+
+    @api.model
+    def _auth_oauth_validate(self, provider, access_token):
+        """ return the validation data corresponding to the access token """
+        oauth_provider = self.env['auth.oauth.provider'].browse(provider)
+        if oauth_provider.flow == 'id_token':
+            return oauth_provider._parse_id_token(access_token)
+        else:
+            return super(ResUsers, self)._auth_oauth_validate()
+    
+    @api.model
+    def auth_oauth(self, provider, params):
+        id_token = params.get('id_token')
+        if id_token:
+            params['access_token'] = id_token
+        return super(ResUsers, self).auth_oauth(provider, params)
diff --git a/auth_oidc/static/description/icon.png b/auth_oidc/static/description/icon.png
new file mode 100755
index 0000000000000000000000000000000000000000..06a05ebd480fdd359c2600a27660aced7a5a48a0
GIT binary patch
literal 2780
zcma)8_gfN-7Dhxcw`q!d?}`e^kpow1&aAX7Z>S}1Gc_lPBhy4$_&E?q!;xw3G?Srz
zWrZVirKmX)Ck`xy9M|vu1K)klc%SDz=lt?M=Z81L)!9~9Kvn<%00`ULS-Tw|_MhSh
zAM_40?=J@c_HnSa2JHV6#cgFz512!@?5;!{TnztHJeJzTm;(|LY42nM`2hh59zJ#T
zh5o@zAi&<*;$qC`3TgEr!Q;qB3KKZ?B16;b0ZKrQG2}ygCh2bJjkbw)$nW#SW!NFq
z0~7x43FeB<3;J$e%A;9N`Uie9$Zt45CjI$n0Q!#3*QiS2ORrD%1s-{c{7U`HixHo&
z&M1QSwzrG0>GknuVW=XK(jNx9jaeAM!m#*27GnRJsn;y8U{1m#h-9sn^Qr(L@c5<^
z9G>2_8$XuSkB6Ns|GP4zscHcS@l6m(R7&sky1D<LZ$6~KVeB$_ge1p<8Uj>wz9@ih
zY%fIL3SY!*<+mwOCMlWPTyulwFLz>rGC-+$t_-#gJb;TXtDX+(-4}rEuB=k&j`I;o
zNA%V%_ZlZeyYR>jzXk#Pt4auUO8lCE4k?Wh{FmPY`($58>cb_)3wKwR47ZnLZ>{8q
zuY+p9gmZVBLV9o=DZJWJO<aH44xVJ&(x!+6^?f$PCVd`Rb$vB-*eVdeI@%N!Npe-x
zExtVBmpaYYFR}%*Km|#Hv92;i>k94zN~!h`Wsb0fb8Adf`!#&6ro0i)rxt)>#$(Tg
z0AGIfoSk5Xf{PHTZ}dckQO${Z>4X?;&*G1Q(WRAN=f<Iv%!r6Dq-1j6TFc8o;cV^=
zN#0bQ8{2OiDjHOPHAY5qZ-eFjL!7u$;iB$)7b+;mBd>>A#cWOgNFn0BwtR0R7TKN+
z(jL})?+nc>b*}MG1NaH6-i*6z%K9`^C4u9I{w(2<6vUwX3SyR&MmP*XDjk6}oc|%O
zFJ59Y@^G43_N=nR-2V~@nTEXz1*c2m2b>yulQPotKX5;*wVpp3>>y;Hs<5<5+s-i;
zjjZxtJFFWQ6c9;|PgXvm4!E%>63Yg)NCCu+)GjVcXuDsx7Ybe6t7f)N^d2vFm;>#Y
z(0YDtp>{rL9Tsoy?Mn)M;@vI+q08zDL3y7ub);O4SbNoO%s8^}bOEhH1)wde89Mm~
z_<*t9(Pj!wyscD|(83YAN5~abdybHoA?kZgW)>^hsEQ*|CthA;u;s3!Y=geBGkGzk
z(YLJt1ZWmudD-j!`kMrv`9%Q%WVh94p9+atV}2ZvoVH^cH?G!tl0j)yshJrVd+YJA
zC>GLM7_X8CZ|*@);*FC)N$hTR2R00ELNU?DTD3N%DusKkj8&d7ualaA{El@IlfnW2
z5MCh?5_h(;@_a)VK?-_U_gPMMiTbEk-?5f?(pGiHc9ItM4C}<|P4g;wyV97=n+MV)
zQ8(%fi=X=fPF<+|lq|CHVW;1}tp(Ll0PWhG+UNtM35vE9bp(tPGvJCWugr7a_qPCa
z+WeHMWre5J%hTSt<zb0OdH6ZGSOaln5PN58ugc<(VQx=UWy+j{vc{+BlD+$`ilYjN
zFxzaU3tHtyE{}4IEzt2;zFCg-Cr@lcMlnYgYvE^~XIWcw<Y!4zGYf4#`66#f;y_ip
z6A2l0YwNmeq0&1H_}QQd`!p6qvRBBwXQq~1Y$%42YRy%KMJ4xi13e!xTa|^ff{^}-
zO=#(ODt?I$#aoMs@XXH1Y+TfupEstqZ|vy%PWY_O%;mKkO4M4pMGUUFFM=GNi->`2
z(n*2+R76n1i)PP!+rml4OjwK8g$ZU_ind|^InS*zbVvf!t7RtypqRnLcx5~eKEF8f
zwPGtL&5m*;cFz({@F@}fNoyBQ(DR+WJbp~qzB(P?Sm;8ojqE?FHDM<AB2Hd9u1oHJ
z%O9Pq5D)H|T}(4G{kX*?)Lz8Mz{u+!IsFd+szpx9Hin5D%rbWYhJlIf4~{O-@Rfqy
zZ0SWB!L85Jx4EVplIC1Kw0EcRar+GH(mE?UpaOK3bK?AyH}ILU=O2?QD$+K;{EX!H
z*l1Ag4f}gC%+zJ}(6cL@#Tjp|(V}1Zs$xIb*^5sxvMb9AOa|W*1j!@5S(9}p6ux`9
zur#VfGg|mZ4pHvByctKUpw&bJxaRBa!%!j{AEG;!Wu{8%TJahVP>!8iv)tJEtIHtw
zwW`~3O>I#rdOcVmmy`uh&6C+dCAfi5@xqQRzld*0jyk{9+x+5tJ%yyX*8;N3z3Vhm
z7To>tnw77$>c7)`mD*sjoAgr5=d#4fxZQ`U*b}mQYzhqEQQEH-;I|XAimoO;MV}nc
z=X%YZj|6N_6yDW$y8Jy6cHNm}q!ARpu<Rp^9JyMV7%TYosS(eaxVSZHek<?8q`BKy
zAsf`i?2(E3(}gtxEY3U;{Y0fRMtDoV-p#=ZAUV5P27AxUnsmK0PAM6FLyzV}m<^39
zjPwzW<@f>U<NpEb{B-jO{PvuwkOK|`I~P!(!`zg@Q!)G80lJE)P{@2pd34MH?H^cB
zurPj8kyjh&e4XS>y2XRd8rn5*A2yZ;uhkCfF?V*yzQJklRQ44;b%Fe9TQ{ASmfbp^
zyxr?%1k;f}_Tdq-bmO>&*W;Nsr?Pl<2FmRr<BUIy<BxBv^0Z2wcvnPi{?ctKQQ;T}
zRX7E5?ckaXO6ntAYMD%$Ah1^kG+Npl7n{3?t$w1YeUjNX8zFqnt|I)FrYV^XQceee
z#IediF>63FKT?c`Ulm~Sf07(YWQQ@w2p>$G8O#*uSyQZ!KP`3_{qTyjQ6qfRUnfeU
zhXHN6GO#B<y*B$y<5!F!pKzU!U7;YZQ0%l%pS!5BhYSCAwWaayvu9FeJ0xV-5q=vz
zzrQ2Z%dj<WpNiVM<EzNAQ%}ZHGxFFoklgUa9SurGWOKcd;W{=y<=dCK*yX6$rjSlo
z>zGYes7b`{;JQlp7&B4v(`J86?vl$;otDbe*M#_m+R4wev~qQky}&>jMX$k?JLfd&
z;Yg|I><Yk>h$QIMq1WwjtqTR(@Xf@%%#Vq`ed;dw6W^wIH75#28yU2cUfl!)CEWg{
z8_lRP?d*?x_c9x-+b;b!*ipnU(3q16DEw7@A;KB=kh=ZOoBj>yA^kh-`|N#0tJm?0
zmyI^Kkf(!6%@S&&q55Y<5-U?odAlGNS~5T@I=)lur>I?XPM3FSXR;v0^Wx#3i+Af~
z_l-ieljFFyKQdR3vD&|Qjpt$(D-C32b3V`>%eS2SU{2Z7C}**j8Xe85LZi>LRLY?#
zwUimvY{x$OvO)BaJ@iKE+5ikcwI)}FT?n8sLu;yz8lp8ys*mG>CsNDIx4v`09~-v$
ziqS?glZf<B%dZr|2*00B7IZ4@MfHR=65rx`aV`nlR))<OwiD@UgF1*x4>rgwCA>37
z2p{2$>2;0Y&j@dS+EtyyI+h2;+94F4N#-Q%Ua_3I^*Bd`dL*`Ly-M47zAKlmmn6v-
z9j>AtnG<|1Pzy1UwF=7!L28m0kg&gMA=seYS^sV2W5M$}gw~_fbOdAd5#nDR9H`{p
aj#6WMOub(s7;@l40rob|*437%<o^Oz(I#{N

literal 0
HcmV?d00001

diff --git a/auth_oidc/views/auth_oauth_provider.xml b/auth_oidc/views/auth_oauth_provider.xml
new file mode 100644
index 0000000000..0cfe735814
--- /dev/null
+++ b/auth_oidc/views/auth_oauth_provider.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0"?>
+<odoo>
+    <record model="ir.ui.view" id="view_oidc_provider_form">
+        <field name="name">auth.oidc.provider.form</field>
+        <field name="model">auth.oauth.provider</field>
+        <field name="inherit_id" ref="auth_oauth.view_oauth_provider_form" />
+        <field name="arch" type="xml">
+            <field name="name" position="after">
+                <field name="flow"/>
+                <field name="token_map" placeholder="e.g from:to upn:email sub:user_id"/>
+            </field>
+        </field>
+    </record>
+</odoo>

From 25c81d44279fa4e0324f18537df62c14307c7801 Mon Sep 17 00:00:00 2001
From: Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
Date: Thu, 19 Nov 2020 18:15:08 +0100
Subject: [PATCH 02/46] Adapt to OCA standards

update manifest, add README, update requirements.txt
---
 auth_oidc/README.rst                    | 57 +++++++++++++++++++++++++
 auth_oidc/__init__.py                   |  2 +-
 auth_oidc/__manifest__.py               | 13 ++----
 auth_oidc/controllers/__init__.py       |  5 +--
 auth_oidc/controllers/main.py           | 13 ++++--
 auth_oidc/models/__init__.py            |  2 +-
 auth_oidc/models/auth_oauth_provider.py | 11 +++--
 auth_oidc/models/res_users.py           |  4 +-
 auth_oidc/readme/CONFIGURE.rst          | 28 ++++++++++++
 auth_oidc/readme/CONTRIBUTORS.rst       |  1 +
 auth_oidc/readme/DESCRIPTION.rst        |  6 +++
 auth_oidc/readme/HISTORY.rst            |  4 ++
 auth_oidc/readme/ROADMAP.rst            |  3 ++
 auth_oidc/readme/USAGE.rst              |  1 +
 14 files changed, 128 insertions(+), 22 deletions(-)
 create mode 100644 auth_oidc/README.rst
 create mode 100644 auth_oidc/readme/CONFIGURE.rst
 create mode 100644 auth_oidc/readme/CONTRIBUTORS.rst
 create mode 100644 auth_oidc/readme/DESCRIPTION.rst
 create mode 100644 auth_oidc/readme/HISTORY.rst
 create mode 100644 auth_oidc/readme/ROADMAP.rst
 create mode 100644 auth_oidc/readme/USAGE.rst

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
new file mode 100644
index 0000000000..2bcb185e11
--- /dev/null
+++ b/auth_oidc/README.rst
@@ -0,0 +1,57 @@
+=================================
+Authentication via OpenID Connect
+=================================
+
+This module allows users to login through an OpenID Connect provider.
+
+This includes:
+
+- Keycloak with ClientID and secret + Implicit Flow
+- Microsoft Azure
+
+
+Usage
+=====
+
+Setup for Microsoft Azure
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# configure a new web application in Azure with OpenID and implicit flow (see
+  the `provider documentation
+  <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)>`_)
+# in this application the redirect url must be be "<url of your
+  server>/auth_oauth/signin" and of course this URL should be reachable from
+  Azure
+# create a new authentication provider in Odoo with the following
+  parameters (see the `portal documentation
+  <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings>`_
+  for more information):
+
+* Provider Name: Azure
+* Auth Flow: OpenID Connect
+* Client ID: use the value of the OAuth2 autorization endoing (v2) from the Azure Endpoints list
+* Body: Azure SSO
+* Authentication URL: use the value of "OAuth2 autorization endpoint (v2)" from the Azure endpoints list
+* Scope: openid email
+* Validation URL: use the value of "OAuth2 token endpoint (v2)" from the Azure endpoints list
+* Allowed: yes
+
+
+Setup for Keycloak
+~~~~~~~~~~~~~~~~~~
+
+write me...
+
+
+Credits
+=======
+
+Authors
+~~~~~~~
+
+* ICTSTUDIO, André Schenkels <https://www.ictstudio.eu>
+
+Contributors
+~~~~~~~~~~~~
+
+* Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
diff --git a/auth_oidc/__init__.py b/auth_oidc/__init__.py
index 000324e3e2..19700dee41 100644
--- a/auth_oidc/__init__.py
+++ b/auth_oidc/__init__.py
@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 from . import controllers
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index bb96a321f1..98e4966a01 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -1,19 +1,14 @@
 # -*- coding: utf-8 -*-
-# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 {
     'name': 'Authentication OpenID Connect',
     'version': '10.0.1.0.0',
     'license': 'AGPL-3',
-    'author': 'ICTSTUDIO, André Schenkels',
-    'website': 'https://www.ictstudio.eu',
-    'description': """
-Allow users to login through OpenID Connect Provider.
-=====================================================
-- Keycloak with ClientID and Secret + Implicit Flow
-
-""",
+    'author': 'ICTSTUDIO, André Schenkels, Odoo Community Association (OCA)',
+    'website': 'https://github.com/OCA/server-auth',
+    'summary': "Allow users to login through OpenID Connect Provider",
     'external_dependencies': {'python': [
         'jose',
         'cryptography'
diff --git a/auth_oidc/controllers/__init__.py b/auth_oidc/controllers/__init__.py
index 832d7f07a1..ed684a50f9 100644
--- a/auth_oidc/controllers/__init__.py
+++ b/auth_oidc/controllers/__init__.py
@@ -1,6 +1,5 @@
 # -*- coding: utf-8 -*-
-# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
-import main
-
+from . import main
diff --git a/auth_oidc/controllers/main.py b/auth_oidc/controllers/main.py
index 7e99f1e930..135ea9a005 100644
--- a/auth_oidc/controllers/main.py
+++ b/auth_oidc/controllers/main.py
@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 import werkzeug.utils
@@ -15,11 +15,18 @@ def list_providers(self):
         for provider in providers:
             if provider.get('flow') == 'id_token':
                 provider['nonce'] = uuid.uuid1().hex
-                params = werkzeug.url_decode(provider['auth_link'].split('?')[-1])
+                params = werkzeug.url_decode(
+                    provider['auth_link'].split('?')[-1]
+                )
                 params.pop('response_type')
                 params.update(dict(response_type='id_token',
                                    nonce=provider['nonce']))
                 if provider.get('scope'):
                     params['scope'] = provider['scope']
-                provider['auth_link'] = "%s?%s" % (provider['auth_endpoint'], werkzeug.url_encode(params))
+                provider['auth_link'] = (
+                    "%s?%s" % (
+                        provider['auth_endpoint'],
+                        werkzeug.url_encode(params)
+                    )
+                )
         return providers
diff --git a/auth_oidc/models/__init__.py b/auth_oidc/models/__init__.py
index 37e1a690a6..b32fa1a4d3 100644
--- a/auth_oidc/models/__init__.py
+++ b/auth_oidc/models/__init__.py
@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 from . import auth_oauth_provider
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index a593736b9a..7d2a0040f0 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -1,11 +1,16 @@
 # -*- coding: utf-8 -*-
-# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 from odoo import models, fields, api
-from jose import jwt
 import urllib2
 import json
+import logging
+
+try:
+    from jose import jwt
+except ImportError:
+    logging.getLogger(__name__).debug('jose library not installed')
 
 
 class AuthOauthProvider(models.Model):
@@ -61,4 +66,4 @@ def _parse_id_token(self, id_token):
             audience=self.client_id))
 
         res.update(self.map_token_values(res))
-        return res
\ No newline at end of file
+        return res
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index 1c67ab2d43..7ebbce2446 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -1,5 +1,5 @@
 # -*- coding: utf-8 -*-
-# Copyright© 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 from odoo import models, api
@@ -16,7 +16,7 @@ def _auth_oauth_validate(self, provider, access_token):
             return oauth_provider._parse_id_token(access_token)
         else:
             return super(ResUsers, self)._auth_oauth_validate()
-    
+
     @api.model
     def auth_oauth(self, provider, params):
         id_token = params.get('id_token')
diff --git a/auth_oidc/readme/CONFIGURE.rst b/auth_oidc/readme/CONFIGURE.rst
new file mode 100644
index 0000000000..f2ac933218
--- /dev/null
+++ b/auth_oidc/readme/CONFIGURE.rst
@@ -0,0 +1,28 @@
+Setup for Microsoft Azure
+~~~~~~~~~~~~~~~~~~~~~~~~~
+
+# configure a new web application in Azure with OpenID and implicit flow (see
+  the `provider documentation
+  <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)>`_)
+# in this application the redirect url must be be "<url of your
+  server>/auth_oauth/signin" and of course this URL should be reachable from
+  Azure
+# create a new authentication provider in Odoo with the following
+  parameters (see the `portal documentation
+  <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings>`_
+  for more information):
+
+* Provider Name: Azure
+* Auth Flow: OpenID Connect
+* Client ID: use the value of the OAuth2 autorization endoing (v2) from the Azure Endpoints list
+* Body: Azure SSO
+* Authentication URL: use the value of "OAuth2 autorization endpoint (v2)" from the Azure endpoints list
+* Scope: openid email
+* Validation URL: use the value of "OAuth2 token endpoint (v2)" from the Azure endpoints list
+* Allowed: yes
+
+
+Setup for Keycloak
+~~~~~~~~~~~~~~~~~~
+
+write me...
diff --git a/auth_oidc/readme/CONTRIBUTORS.rst b/auth_oidc/readme/CONTRIBUTORS.rst
new file mode 100644
index 0000000000..8785f72c06
--- /dev/null
+++ b/auth_oidc/readme/CONTRIBUTORS.rst
@@ -0,0 +1 @@
+* Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
diff --git a/auth_oidc/readme/DESCRIPTION.rst b/auth_oidc/readme/DESCRIPTION.rst
new file mode 100644
index 0000000000..540c7c2c95
--- /dev/null
+++ b/auth_oidc/readme/DESCRIPTION.rst
@@ -0,0 +1,6 @@
+This module allows users to login through an OpenID Connect provider.
+
+This includes:
+
+- Keycloak with ClientID and secret + Implicit Flow
+- Microsoft Azure
diff --git a/auth_oidc/readme/HISTORY.rst b/auth_oidc/readme/HISTORY.rst
new file mode 100644
index 0000000000..5aee5128a7
--- /dev/null
+++ b/auth_oidc/readme/HISTORY.rst
@@ -0,0 +1,4 @@
+10.0.1.0.0 2018-10-05
+~~~~~~~~~~~~~~~~~~~~~
+
+* Initial implementation
diff --git a/auth_oidc/readme/ROADMAP.rst b/auth_oidc/readme/ROADMAP.rst
new file mode 100644
index 0000000000..c99e29f2c9
--- /dev/null
+++ b/auth_oidc/readme/ROADMAP.rst
@@ -0,0 +1,3 @@
+
+* When going to the login screen, check for a existing token and do a direct login without the clicking on the SSO link
+* When doing a logout an extra option to also logout at the SSO provider.
diff --git a/auth_oidc/readme/USAGE.rst b/auth_oidc/readme/USAGE.rst
new file mode 100644
index 0000000000..bb66969269
--- /dev/null
+++ b/auth_oidc/readme/USAGE.rst
@@ -0,0 +1 @@
+On the login page, click on the authentication provider you configured. 

From 4d337ff91810530b70750802308dea66665c2c62 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Wed, 24 Mar 2021 19:16:25 +0100
Subject: [PATCH 03/46] auth_oidc: improve docs

Add some install instructions and configuration instructions
for keycloak.
---
 auth_oidc/readme/CONFIGURE.rst | 20 +++++++++++++++++++-
 auth_oidc/readme/INSTALL.rst   |  2 ++
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 auth_oidc/readme/INSTALL.rst

diff --git a/auth_oidc/readme/CONFIGURE.rst b/auth_oidc/readme/CONFIGURE.rst
index f2ac933218..c2ea288891 100644
--- a/auth_oidc/readme/CONFIGURE.rst
+++ b/auth_oidc/readme/CONFIGURE.rst
@@ -25,4 +25,22 @@ Setup for Microsoft Azure
 Setup for Keycloak
 ~~~~~~~~~~~~~~~~~~
 
-write me...
+In Keycloak:
+
+# configure a new Client
+# make sure Implicit Flow is Enabled.
+# configure the redirect url to be "<url of your server>/auth_oauth/signin"
+
+In Odoo, create a new Oauth Provider with the following parameters:
+
+* Provider name: Keycloak (or any name you like that identify your keycloak
+provider)
+* Auth Flow: OpenID Connect
+* Client ID: the same Client ID you entered when configuring the client in Keycloak
+* Allowed: yes
+* Body: the link text to appear on the login page, such as Login with Keycloak
+* Authentication URL: The "authorization_endpoint" URL found in the
+  OpenID Endpoint Configuration of your Keycloak realm
+* Scope: email
+* Validation URL: The "jwks_uri" URL found in the
+  OpenID Endpoint Configuration of your Keycloak realm
diff --git a/auth_oidc/readme/INSTALL.rst b/auth_oidc/readme/INSTALL.rst
new file mode 100644
index 0000000000..bccbbbad79
--- /dev/null
+++ b/auth_oidc/readme/INSTALL.rst
@@ -0,0 +1,2 @@
+This module depends on the `python-jose <https://pypi.org/project/python-jose/>`__
+library, not to be confused with ``jose`` which is also available on PyPI.

From 876a8a856c689cb0e790e5a5f60a5f5383f500af Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Fri, 9 Apr 2021 16:07:29 +0200
Subject: [PATCH 04/46] [MIG] auth_oidc: update dotfiles

---
 auth_oidc/__init__.py                   |  1 -
 auth_oidc/__manifest__.py               | 24 +++++------
 auth_oidc/controllers/__init__.py       |  1 -
 auth_oidc/controllers/main.py           | 29 +++++--------
 auth_oidc/models/__init__.py            |  1 -
 auth_oidc/models/auth_oauth_provider.py | 54 +++++++++++++------------
 auth_oidc/models/res_users.py           | 13 +++---
 auth_oidc/readme/CONFIGURE.rst          |  2 +-
 auth_oidc/readme/USAGE.rst              |  2 +-
 auth_oidc/views/auth_oauth_provider.xml |  9 +++--
 10 files changed, 63 insertions(+), 73 deletions(-)

diff --git a/auth_oidc/__init__.py b/auth_oidc/__init__.py
index 19700dee41..8b36099f76 100644
--- a/auth_oidc/__init__.py
+++ b/auth_oidc/__init__.py
@@ -1,4 +1,3 @@
-# -*- coding: utf-8 -*-
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index 98e4966a01..e96ca28480 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -1,20 +1,14 @@
-# -*- coding: utf-8 -*-
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 {
-    'name': 'Authentication OpenID Connect',
-    'version': '10.0.1.0.0',
-    'license': 'AGPL-3',
-    'author': 'ICTSTUDIO, André Schenkels, Odoo Community Association (OCA)',
-    'website': 'https://github.com/OCA/server-auth',
-    'summary': "Allow users to login through OpenID Connect Provider",
-    'external_dependencies': {'python': [
-        'jose',
-        'cryptography'
-    ]},
-    'depends': ['auth_oauth'],
-    'data': [
-        'views/auth_oauth_provider.xml',
-    ],
+    "name": "Authentication OpenID Connect",
+    "version": "13.0.1.0.0",
+    "license": "AGPL-3",
+    "author": "ICTSTUDIO, André Schenkels, Odoo Community Association (OCA)",
+    "website": "https://github.com/OCA/server-auth",
+    "summary": "Allow users to login through OpenID Connect Provider",
+    "external_dependencies": {"python": ["jose", "cryptography"]},
+    "depends": ["auth_oauth"],
+    "data": ["views/auth_oauth_provider.xml"],
 }
diff --git a/auth_oidc/controllers/__init__.py b/auth_oidc/controllers/__init__.py
index ed684a50f9..eaa83817e9 100644
--- a/auth_oidc/controllers/__init__.py
+++ b/auth_oidc/controllers/__init__.py
@@ -1,4 +1,3 @@
-# -*- coding: utf-8 -*-
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
diff --git a/auth_oidc/controllers/main.py b/auth_oidc/controllers/main.py
index 135ea9a005..466a09c89a 100644
--- a/auth_oidc/controllers/main.py
+++ b/auth_oidc/controllers/main.py
@@ -1,32 +1,25 @@
-# -*- coding: utf-8 -*-
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
-import werkzeug.utils
 import uuid
 
+import werkzeug.utils
+
 from odoo.addons.auth_oauth.controllers.main import OAuthLogin
 
 
 class OpenIDLogin(OAuthLogin):
-
     def list_providers(self):
         providers = super(OpenIDLogin, self).list_providers()
         for provider in providers:
-            if provider.get('flow') == 'id_token':
-                provider['nonce'] = uuid.uuid1().hex
-                params = werkzeug.url_decode(
-                    provider['auth_link'].split('?')[-1]
-                )
-                params.pop('response_type')
-                params.update(dict(response_type='id_token',
-                                   nonce=provider['nonce']))
-                if provider.get('scope'):
-                    params['scope'] = provider['scope']
-                provider['auth_link'] = (
-                    "%s?%s" % (
-                        provider['auth_endpoint'],
-                        werkzeug.url_encode(params)
-                    )
+            if provider.get("flow") == "id_token":
+                provider["nonce"] = uuid.uuid1().hex
+                params = werkzeug.url_decode(provider["auth_link"].split("?")[-1])
+                params.pop("response_type")
+                params.update(dict(response_type="id_token", nonce=provider["nonce"]))
+                if provider.get("scope"):
+                    params["scope"] = provider["scope"]
+                provider["auth_link"] = "{}?{}".format(
+                    provider["auth_endpoint"], werkzeug.url_encode(params)
                 )
         return providers
diff --git a/auth_oidc/models/__init__.py b/auth_oidc/models/__init__.py
index b32fa1a4d3..ebc8e5bfda 100644
--- a/auth_oidc/models/__init__.py
+++ b/auth_oidc/models/__init__.py
@@ -1,4 +1,3 @@
-# -*- coding: utf-8 -*-
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index 7d2a0040f0..5ca62b58d6 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -1,57 +1,58 @@
-# -*- coding: utf-8 -*-
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
-from odoo import models, fields, api
-import urllib2
 import json
 import logging
+import urllib2
+
+from odoo import api, fields, models
 
 try:
     from jose import jwt
 except ImportError:
-    logging.getLogger(__name__).debug('jose library not installed')
+    logging.getLogger(__name__).debug("jose library not installed")
 
 
 class AuthOauthProvider(models.Model):
-    _inherit = 'auth.oauth.provider'
+    _inherit = "auth.oauth.provider"
 
-    flow = fields.Selection([
-        ('access_token', 'OAuth2'),
-        ('id_token', 'OpenID Connect')
-    ],
-        string='Auth Flow',
+    flow = fields.Selection(
+        [("access_token", "OAuth2"), ("id_token", "OpenID Connect")],
+        string="Auth Flow",
         required=True,
-        default='access_token')
+        default="access_token",
+    )
 
     token_map = fields.Char(
         help="Some Oauth providers don't map keys in their responses "
-             "exactly as required.  It is important to ensure user_id and "
-             "email at least are mapped. For OpenID Connect user_id is "
-             "the sub key in the standard.")
+        "exactly as required.  It is important to ensure user_id and "
+        "email at least are mapped. For OpenID Connect user_id is "
+        "the sub key in the standard."
+    )
 
     validation_endpoint = fields.Char(
-        help='For OpenID Connect this should be the location for public keys ')
+        help="For OpenID Connect this should be the location for public keys "
+    )
 
     @api.model
     def _get_key(self, header):
-        if self.flow != 'id_token':
+        if self.flow != "id_token":
             return False
         f = urllib2.urlopen(self.validation_endpoint)
         response = json.loads(f.read())
         rsa_key = {}
         for key in response["keys"]:
-            if key["kid"] == header.get('kid'):
+            if key["kid"] == header.get("kid"):
                 rsa_key = key
         return rsa_key
 
     @api.model
     def map_token_values(self, res):
         if self.token_map:
-            for pair in self.token_map.split(' '):
-                from_key, to_key = pair.split(':')
+            for pair in self.token_map.split(" "):
+                from_key, to_key = pair.split(":")
                 if to_key not in res:
-                    res[to_key] = res.get(from_key, '')
+                    res[to_key] = res.get(from_key, "")
         return res
 
     @api.multi
@@ -59,11 +60,14 @@ def _parse_id_token(self, id_token):
         self.ensure_one()
         res = {}
         header = jwt.get_unverified_header(id_token)
-        res.update(jwt.decode(
-            id_token,
-            self._get_key(header),
-            algorithms=['RS256'],
-            audience=self.client_id))
+        res.update(
+            jwt.decode(
+                id_token,
+                self._get_key(header),
+                algorithms=["RS256"],
+                audience=self.client_id,
+            )
+        )
 
         res.update(self.map_token_values(res))
         return res
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index 7ebbce2446..c72bcd2af8 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -1,25 +1,24 @@
-# -*- coding: utf-8 -*-
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
-from odoo import models, api
+from odoo import api, models
 
 
 class ResUsers(models.Model):
-    _inherit = 'res.users'
+    _inherit = "res.users"
 
     @api.model
     def _auth_oauth_validate(self, provider, access_token):
         """ return the validation data corresponding to the access token """
-        oauth_provider = self.env['auth.oauth.provider'].browse(provider)
-        if oauth_provider.flow == 'id_token':
+        oauth_provider = self.env["auth.oauth.provider"].browse(provider)
+        if oauth_provider.flow == "id_token":
             return oauth_provider._parse_id_token(access_token)
         else:
             return super(ResUsers, self)._auth_oauth_validate()
 
     @api.model
     def auth_oauth(self, provider, params):
-        id_token = params.get('id_token')
+        id_token = params.get("id_token")
         if id_token:
-            params['access_token'] = id_token
+            params["access_token"] = id_token
         return super(ResUsers, self).auth_oauth(provider, params)
diff --git a/auth_oidc/readme/CONFIGURE.rst b/auth_oidc/readme/CONFIGURE.rst
index c2ea288891..4993f4aea6 100644
--- a/auth_oidc/readme/CONFIGURE.rst
+++ b/auth_oidc/readme/CONFIGURE.rst
@@ -34,7 +34,7 @@ In Keycloak:
 In Odoo, create a new Oauth Provider with the following parameters:
 
 * Provider name: Keycloak (or any name you like that identify your keycloak
-provider)
+  provider)
 * Auth Flow: OpenID Connect
 * Client ID: the same Client ID you entered when configuring the client in Keycloak
 * Allowed: yes
diff --git a/auth_oidc/readme/USAGE.rst b/auth_oidc/readme/USAGE.rst
index bb66969269..0fa74256b4 100644
--- a/auth_oidc/readme/USAGE.rst
+++ b/auth_oidc/readme/USAGE.rst
@@ -1 +1 @@
-On the login page, click on the authentication provider you configured. 
+On the login page, click on the authentication provider you configured.
diff --git a/auth_oidc/views/auth_oauth_provider.xml b/auth_oidc/views/auth_oauth_provider.xml
index 0cfe735814..bf7b20ddc4 100644
--- a/auth_oidc/views/auth_oauth_provider.xml
+++ b/auth_oidc/views/auth_oauth_provider.xml
@@ -1,4 +1,4 @@
-<?xml version="1.0"?>
+<?xml version="1.0" ?>
 <odoo>
     <record model="ir.ui.view" id="view_oidc_provider_form">
         <field name="name">auth.oidc.provider.form</field>
@@ -6,8 +6,11 @@
         <field name="inherit_id" ref="auth_oauth.view_oauth_provider_form" />
         <field name="arch" type="xml">
             <field name="name" position="after">
-                <field name="flow"/>
-                <field name="token_map" placeholder="e.g from:to upn:email sub:user_id"/>
+                <field name="flow" />
+                <field
+                    name="token_map"
+                    placeholder="e.g from:to upn:email sub:user_id"
+                />
             </field>
         </field>
     </record>

From 0288419a9142fd6cc71f10b0c3900ed19df6cd96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Fri, 9 Apr 2021 17:56:49 +0200
Subject: [PATCH 05/46] [MIG] auth_oidc from 10.0

---
 auth_oidc/__manifest__.py               |  2 +-
 auth_oidc/models/auth_oauth_provider.py | 14 +++++++-------
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index e96ca28480..78b15bf229 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -8,7 +8,7 @@
     "author": "ICTSTUDIO, André Schenkels, Odoo Community Association (OCA)",
     "website": "https://github.com/OCA/server-auth",
     "summary": "Allow users to login through OpenID Connect Provider",
-    "external_dependencies": {"python": ["jose", "cryptography"]},
+    "external_dependencies": {"python": ["python-jose"]},
     "depends": ["auth_oauth"],
     "data": ["views/auth_oauth_provider.xml"],
 }
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index 5ca62b58d6..93cf1820a5 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -1,9 +1,9 @@
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
-import json
 import logging
-import urllib2
+
+import requests
 
 from odoo import api, fields, models
 
@@ -38,8 +38,9 @@ class AuthOauthProvider(models.Model):
     def _get_key(self, header):
         if self.flow != "id_token":
             return False
-        f = urllib2.urlopen(self.validation_endpoint)
-        response = json.loads(f.read())
+        r = requests.get(self.validation_endpoint)
+        r.raise_for_status()
+        response = r.json()
         rsa_key = {}
         for key in response["keys"]:
             if key["kid"] == header.get("kid"):
@@ -47,7 +48,7 @@ def _get_key(self, header):
         return rsa_key
 
     @api.model
-    def map_token_values(self, res):
+    def _map_token_values(self, res):
         if self.token_map:
             for pair in self.token_map.split(" "):
                 from_key, to_key = pair.split(":")
@@ -55,7 +56,6 @@ def map_token_values(self, res):
                     res[to_key] = res.get(from_key, "")
         return res
 
-    @api.multi
     def _parse_id_token(self, id_token):
         self.ensure_one()
         res = {}
@@ -69,5 +69,5 @@ def _parse_id_token(self, id_token):
             )
         )
 
-        res.update(self.map_token_values(res))
+        res.update(self._map_token_values(res))
         return res

From de790553349c9710aeee6b14fa632ac91932bec4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Fri, 9 Apr 2021 20:03:21 +0200
Subject: [PATCH 06/46] auth_oidc: simplify and use "id_token token"

Avoid replacing the access token by the id token.
This may cause confusion.
Copy a little piece of code from auth_oauth() method,
to make the code easier to follow, and prepare for
implementing the authorization code flow.
---
 auth_oidc/controllers/main.py           |  7 ++++--
 auth_oidc/models/auth_oauth_provider.py |  6 +++--
 auth_oidc/models/res_users.py           | 29 +++++++++++++++----------
 3 files changed, 26 insertions(+), 16 deletions(-)

diff --git a/auth_oidc/controllers/main.py b/auth_oidc/controllers/main.py
index 466a09c89a..378b59c1af 100644
--- a/auth_oidc/controllers/main.py
+++ b/auth_oidc/controllers/main.py
@@ -1,4 +1,5 @@
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 import uuid
@@ -13,10 +14,12 @@ def list_providers(self):
         providers = super(OpenIDLogin, self).list_providers()
         for provider in providers:
             if provider.get("flow") == "id_token":
-                provider["nonce"] = uuid.uuid1().hex
+                provider["nonce"] = uuid.uuid1().hex  # TODO Better nonce
                 params = werkzeug.url_decode(provider["auth_link"].split("?")[-1])
                 params.pop("response_type")
-                params.update(dict(response_type="id_token", nonce=provider["nonce"]))
+                params.update(
+                    dict(response_type="id_token token", nonce=provider["nonce"])
+                )
                 if provider.get("scope"):
                     params["scope"] = provider["scope"]
                 provider["auth_link"] = "{}?{}".format(
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index 93cf1820a5..875600c6a8 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -1,4 +1,5 @@
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 import logging
@@ -17,7 +18,7 @@ class AuthOauthProvider(models.Model):
     _inherit = "auth.oauth.provider"
 
     flow = fields.Selection(
-        [("access_token", "OAuth2"), ("id_token", "OpenID Connect")],
+        [("access_token", "OAuth2"), ("id_token", "OpenID Connect (implicit flow")],
         string="Auth Flow",
         required=True,
         default="access_token",
@@ -56,7 +57,7 @@ def _map_token_values(self, res):
                     res[to_key] = res.get(from_key, "")
         return res
 
-    def _parse_id_token(self, id_token):
+    def _parse_id_token(self, id_token, access_token):
         self.ensure_one()
         res = {}
         header = jwt.get_unverified_header(id_token)
@@ -66,6 +67,7 @@ def _parse_id_token(self, id_token):
                 self._get_key(header),
                 algorithms=["RS256"],
                 audience=self.client_id,
+                access_token=access_token,
             )
         )
 
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index c72bcd2af8..571c115618 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -1,24 +1,29 @@
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 from odoo import api, models
+from odoo.exceptions import AccessDenied
 
 
 class ResUsers(models.Model):
     _inherit = "res.users"
 
     @api.model
-    def _auth_oauth_validate(self, provider, access_token):
-        """ return the validation data corresponding to the access token """
+    def auth_oauth(self, provider, params):
         oauth_provider = self.env["auth.oauth.provider"].browse(provider)
-        if oauth_provider.flow == "id_token":
-            return oauth_provider._parse_id_token(access_token)
-        else:
-            return super(ResUsers, self)._auth_oauth_validate()
+        if oauth_provider.flow != "id_token":
+            return super(ResUsers, self).auth_oauth(provider, params)
 
-    @api.model
-    def auth_oauth(self, provider, params):
-        id_token = params.get("id_token")
-        if id_token:
-            params["access_token"] = id_token
-        return super(ResUsers, self).auth_oauth(provider, params)
+        access_token = params.get('access_token')
+        id_token = params.get('id_token')
+        validation = oauth_provider._parse_id_token(id_token, access_token)
+        # required check
+        if not validation.get('user_id'):
+            raise AccessDenied()
+        # retrieve and sign in user
+        login = self._auth_oauth_signin(provider, validation, params)
+        if not login:
+            raise AccessDenied()
+        # return user credentials
+        return (self.env.cr.dbname, login, access_token)

From 6e587823a758c99cc43889c3a8aae083f63bd7ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Fri, 9 Apr 2021 23:58:10 +0200
Subject: [PATCH 07/46] auth_oidc: _get_key and _map_token_values are not model
 methods

---
 auth_oidc/models/auth_oauth_provider.py | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index 875600c6a8..8af713d94c 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -6,7 +6,7 @@
 
 import requests
 
-from odoo import api, fields, models
+from odoo import fields, models
 
 try:
     from jose import jwt
@@ -35,7 +35,6 @@ class AuthOauthProvider(models.Model):
         help="For OpenID Connect this should be the location for public keys "
     )
 
-    @api.model
     def _get_key(self, header):
         if self.flow != "id_token":
             return False
@@ -48,7 +47,6 @@ def _get_key(self, header):
                 rsa_key = key
         return rsa_key
 
-    @api.model
     def _map_token_values(self, res):
         if self.token_map:
             for pair in self.token_map.split(" "):

From 2bf19a63ee10c0e44f3c77830d0f6e153a8230d2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Sat, 10 Apr 2021 00:42:10 +0200
Subject: [PATCH 08/46] auth_oidc: cache _get_key

---
 auth_oidc/models/auth_oauth_provider.py | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index 8af713d94c..38699aec8a 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -6,7 +6,7 @@
 
 import requests
 
-from odoo import fields, models
+from odoo import fields, models, tools
 
 try:
     from jose import jwt
@@ -35,17 +35,17 @@ class AuthOauthProvider(models.Model):
         help="For OpenID Connect this should be the location for public keys "
     )
 
-    def _get_key(self, header):
+    @tools.ormcache("self.validation_endpoint", "kid")
+    def _get_key(self, kid):
         if self.flow != "id_token":
             return False
         r = requests.get(self.validation_endpoint)
         r.raise_for_status()
         response = r.json()
-        rsa_key = {}
         for key in response["keys"]:
-            if key["kid"] == header.get("kid"):
-                rsa_key = key
-        return rsa_key
+            if key["kid"] == kid:
+                return key
+        return {}
 
     def _map_token_values(self, res):
         if self.token_map:
@@ -62,7 +62,7 @@ def _parse_id_token(self, id_token, access_token):
         res.update(
             jwt.decode(
                 id_token,
-                self._get_key(header),
+                self._get_key(header.get("kid")),
                 algorithms=["RS256"],
                 audience=self.client_id,
                 access_token=access_token,

From 755895a907b8ea43ed4e9373a42f7a3738b7750c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Sat, 10 Apr 2021 01:43:57 +0200
Subject: [PATCH 09/46] auth_oidc: add authorization code flow

---
 auth_oidc/controllers/main.py           | 21 +++++++++++-----
 auth_oidc/models/auth_oauth_provider.py | 11 ++++++---
 auth_oidc/models/res_users.py           | 32 +++++++++++++++++++++----
 auth_oidc/views/auth_oauth_provider.xml |  6 +++++
 4 files changed, 57 insertions(+), 13 deletions(-)

diff --git a/auth_oidc/controllers/main.py b/auth_oidc/controllers/main.py
index 378b59c1af..c4d4a610f7 100644
--- a/auth_oidc/controllers/main.py
+++ b/auth_oidc/controllers/main.py
@@ -2,25 +2,34 @@
 # Copyright 2021 ACSONE SA/NV <https://acsone.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
+import logging
 import uuid
 
 import werkzeug.utils
 
 from odoo.addons.auth_oauth.controllers.main import OAuthLogin
 
+_logger = logging.getLogger(__name__)
+
 
 class OpenIDLogin(OAuthLogin):
     def list_providers(self):
         providers = super(OpenIDLogin, self).list_providers()
         for provider in providers:
-            if provider.get("flow") == "id_token":
-                provider["nonce"] = uuid.uuid1().hex  # TODO Better nonce
+            flow = provider.get("flow")
+            if flow in ("id_token", "id_token_code"):
                 params = werkzeug.url_decode(provider["auth_link"].split("?")[-1])
-                params.pop("response_type")
-                params.update(
-                    dict(response_type="id_token token", nonce=provider["nonce"])
-                )
+                params["nonce"] = uuid.uuid1().hex  # TODO Better nonce
+                if flow == "id_token":
+                    # https://openid.net/specs/openid-connect-core-1_0.html
+                    # #ImplicitAuthRequest
+                    params["response_type"] = "id_token token"
+                elif flow == "id_token_code":
+                    # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
+                    params["response_type"] = "code"
                 if provider.get("scope"):
+                    if "openid" not in provider["scope"].split():
+                        _logger.error("openid connect scope must contain 'openid'")
                     params["scope"] = provider["scope"]
                 provider["auth_link"] = "{}?{}".format(
                     provider["auth_endpoint"], werkzeug.url_encode(params)
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index 38699aec8a..40df2f4d64 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -18,7 +18,11 @@ class AuthOauthProvider(models.Model):
     _inherit = "auth.oauth.provider"
 
     flow = fields.Selection(
-        [("access_token", "OAuth2"), ("id_token", "OpenID Connect (implicit flow")],
+        [
+            ("access_token", "OAuth2"),
+            ("id_token", "OpenID Connect (implicit flow)"),
+            ("id_token_code", "OpenID Connect (authorization code flow)"),
+        ],
         string="Auth Flow",
         required=True,
         default="access_token",
@@ -35,10 +39,11 @@ class AuthOauthProvider(models.Model):
         help="For OpenID Connect this should be the location for public keys "
     )
 
+    client_secret = fields.Char()
+    token_endpoint = fields.Char(string="Token URL")
+
     @tools.ormcache("self.validation_endpoint", "kid")
     def _get_key(self, kid):
-        if self.flow != "id_token":
-            return False
         r = requests.get(self.validation_endpoint)
         r.raise_for_status()
         response = r.json()
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index 571c115618..f0074ac23e 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -2,8 +2,11 @@
 # Copyright 2021 ACSONE SA/NV <https://acsone.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
+import requests
+
 from odoo import api, models
 from odoo.exceptions import AccessDenied
+from odoo.http import request
 
 
 class ResUsers(models.Model):
@@ -12,16 +15,37 @@ class ResUsers(models.Model):
     @api.model
     def auth_oauth(self, provider, params):
         oauth_provider = self.env["auth.oauth.provider"].browse(provider)
-        if oauth_provider.flow != "id_token":
+        if oauth_provider.flow not in ("id_token", "id_token_code"):
             return super(ResUsers, self).auth_oauth(provider, params)
 
-        access_token = params.get('access_token')
-        id_token = params.get('id_token')
+        if oauth_provider.flow == "id_token":
+            # https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse
+            access_token = params.get("access_token")
+            id_token = params.get("id_token")
+        elif oauth_provider.flow == "id_token_code":
+            # https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
+            code = params.get("code")
+            # https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
+            response = requests.post(
+                oauth_provider.token_endpoint,
+                data=dict(
+                    grant_type="authorization_code",
+                    code=code,
+                    redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
+                ),
+                auth=(oauth_provider.client_id, oauth_provider.client_secret),
+            )
+            response.raise_for_status()
+            response_json = response.json()
+            # https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
+            access_token = response_json.get("access_token")
+            id_token = response_json.get("id_token")
         validation = oauth_provider._parse_id_token(id_token, access_token)
         # required check
-        if not validation.get('user_id'):
+        if not validation.get("user_id"):
             raise AccessDenied()
         # retrieve and sign in user
+        params["access_token"] = access_token
         login = self._auth_oauth_signin(provider, validation, params)
         if not login:
             raise AccessDenied()
diff --git a/auth_oidc/views/auth_oauth_provider.xml b/auth_oidc/views/auth_oauth_provider.xml
index bf7b20ddc4..a86880ba2a 100644
--- a/auth_oidc/views/auth_oauth_provider.xml
+++ b/auth_oidc/views/auth_oauth_provider.xml
@@ -12,6 +12,12 @@
                     placeholder="e.g from:to upn:email sub:user_id"
                 />
             </field>
+            <field name="client_id" position="after">
+                <field name="client_secret" />
+            </field>
+            <field name="auth_endpoint" position="after">
+                <field name="token_endpoint" />
+            </field>
         </field>
     </record>
 </odoo>

From bc5ce0f09016350ed79e991e907fafeb2ad3560f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Sat, 10 Apr 2021 02:06:27 +0200
Subject: [PATCH 10/46] auth_oidc: separate field for jwks uri

---
 auth_oidc/models/auth_oauth_provider.py | 12 ++++--------
 auth_oidc/views/auth_oauth_provider.xml |  3 ++-
 2 files changed, 6 insertions(+), 9 deletions(-)

diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index 40df2f4d64..d8d0b94a01 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -27,24 +27,20 @@ class AuthOauthProvider(models.Model):
         required=True,
         default="access_token",
     )
-
     token_map = fields.Char(
         help="Some Oauth providers don't map keys in their responses "
         "exactly as required.  It is important to ensure user_id and "
         "email at least are mapped. For OpenID Connect user_id is "
         "the sub key in the standard."
     )
-
-    validation_endpoint = fields.Char(
-        help="For OpenID Connect this should be the location for public keys "
-    )
-
     client_secret = fields.Char()
+    validation_endpoint = fields.Char(required=False)
     token_endpoint = fields.Char(string="Token URL")
+    jwks_uri = fields.Char(string="JWKS URL")
 
-    @tools.ormcache("self.validation_endpoint", "kid")
+    @tools.ormcache("self.jwks_uri", "kid")
     def _get_key(self, kid):
-        r = requests.get(self.validation_endpoint)
+        r = requests.get(self.jwks_uri)
         r.raise_for_status()
         response = r.json()
         for key in response["keys"]:
diff --git a/auth_oidc/views/auth_oauth_provider.xml b/auth_oidc/views/auth_oauth_provider.xml
index a86880ba2a..90c931b417 100644
--- a/auth_oidc/views/auth_oauth_provider.xml
+++ b/auth_oidc/views/auth_oauth_provider.xml
@@ -15,8 +15,9 @@
             <field name="client_id" position="after">
                 <field name="client_secret" />
             </field>
-            <field name="auth_endpoint" position="after">
+            <field name="validation_endpoint" position="after">
                 <field name="token_endpoint" />
+                <field name="jwks_uri" />
             </field>
         </field>
     </record>

From 5517ff235f420a3cd2258166afe1738c8bd2e069 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Sat, 10 Apr 2021 11:11:01 +0200
Subject: [PATCH 11/46] auth_oidc: additional error logging

---
 auth_oidc/models/res_users.py | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index f0074ac23e..b495ed87d2 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -2,12 +2,16 @@
 # Copyright 2021 ACSONE SA/NV <https://acsone.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
+import logging
+
 import requests
 
 from odoo import api, models
 from odoo.exceptions import AccessDenied
 from odoo.http import request
 
+_logger = logging.getLogger(__name__)
+
 
 class ResUsers(models.Model):
     _inherit = "res.users"
@@ -40,9 +44,16 @@ def auth_oauth(self, provider, params):
             # https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
             access_token = response_json.get("access_token")
             id_token = response_json.get("id_token")
+        if not access_token:
+            _logger.error("No access_token in response.")
+            raise AccessDenied()
+        if not id_token:
+            _logger.error("No id_token in response.")
+            raise AccessDenied()
         validation = oauth_provider._parse_id_token(id_token, access_token)
         # required check
         if not validation.get("user_id"):
+            _logger.error("user_id claim not found in id_token (after mapping).")
             raise AccessDenied()
         # retrieve and sign in user
         params["access_token"] = access_token

From d0ec070dbc819faed0a51bdf4680c069b976c66f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Sat, 10 Apr 2021 11:14:05 +0200
Subject: [PATCH 12/46] auth_oidc: add author and maintainer

---
 auth_oidc/__manifest__.py | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index 78b15bf229..a2ff5cae5e 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -1,14 +1,21 @@
 # Copyright 2016 ICTSTUDIO <http://www.ictstudio.eu>
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 {
     "name": "Authentication OpenID Connect",
     "version": "13.0.1.0.0",
     "license": "AGPL-3",
-    "author": "ICTSTUDIO, André Schenkels, Odoo Community Association (OCA)",
+    "author": (
+        "ICTSTUDIO, André Schenkels, "
+        "ACSONE SA/NV, "
+        "Odoo Community Association (OCA)"
+    ),
+    "maintainers": ["sbidoul"],
     "website": "https://github.com/OCA/server-auth",
     "summary": "Allow users to login through OpenID Connect Provider",
     "external_dependencies": {"python": ["python-jose"]},
     "depends": ["auth_oauth"],
     "data": ["views/auth_oauth_provider.xml"],
+    "demo": ["demo/local_keycloak.xml"],
 }

From 1f074ec99998be816688934a7732839c850c529f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Sat, 10 Apr 2021 11:22:49 +0200
Subject: [PATCH 13/46] auth_oidc: improve docs, mention implicit flow is not
 recommended

---
 auth_oidc/models/auth_oauth_provider.py | 12 ++++++++----
 auth_oidc/readme/CONFIGURE.rst          | 18 ++++++++++++++----
 auth_oidc/readme/CONTRIBUTORS.rst       |  1 +
 auth_oidc/readme/DESCRIPTION.rst        |  9 ++++-----
 auth_oidc/readme/HISTORY.rst            |  5 +++++
 auth_oidc/readme/ROADMAP.rst            |  1 -
 6 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index d8d0b94a01..43a0aa8781 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -20,8 +20,8 @@ class AuthOauthProvider(models.Model):
     flow = fields.Selection(
         [
             ("access_token", "OAuth2"),
-            ("id_token", "OpenID Connect (implicit flow)"),
             ("id_token_code", "OpenID Connect (authorization code flow)"),
+            ("id_token", "OpenID Connect (implicit flow, not recommended)"),
         ],
         string="Auth Flow",
         required=True,
@@ -33,10 +33,14 @@ class AuthOauthProvider(models.Model):
         "email at least are mapped. For OpenID Connect user_id is "
         "the sub key in the standard."
     )
-    client_secret = fields.Char()
+    client_secret = fields.Char(
+        help="Required for OpenID Connect authorization code flow."
+    )
     validation_endpoint = fields.Char(required=False)
-    token_endpoint = fields.Char(string="Token URL")
-    jwks_uri = fields.Char(string="JWKS URL")
+    token_endpoint = fields.Char(
+        string="Token URL", help="Required for OpenID Connect authorization code flow."
+    )
+    jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
 
     @tools.ormcache("self.jwks_uri", "kid")
     def _get_key(self, kid):
diff --git a/auth_oidc/readme/CONFIGURE.rst b/auth_oidc/readme/CONFIGURE.rst
index 4993f4aea6..74ef8ad38d 100644
--- a/auth_oidc/readme/CONFIGURE.rst
+++ b/auth_oidc/readme/CONFIGURE.rst
@@ -1,6 +1,10 @@
 Setup for Microsoft Azure
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
+Example configuration with OpenID Connect implicit flow.
+This configuration is not recommended because it exposes the access token
+to the client, and in logs.
+
 # configure a new web application in Azure with OpenID and implicit flow (see
   the `provider documentation
   <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)>`_)
@@ -25,22 +29,28 @@ Setup for Microsoft Azure
 Setup for Keycloak
 ~~~~~~~~~~~~~~~~~~
 
+Example configuration with OpenID Connect authorization code flow.
+
 In Keycloak:
 
 # configure a new Client
-# make sure Implicit Flow is Enabled.
+# make sure Authorization Code Flow is Enabled.
+# configure the client Access Type as "confidential" and take note of the client secret in the Credentials tab
 # configure the redirect url to be "<url of your server>/auth_oauth/signin"
 
 In Odoo, create a new Oauth Provider with the following parameters:
 
 * Provider name: Keycloak (or any name you like that identify your keycloak
   provider)
-* Auth Flow: OpenID Connect
+* Auth Flow: OpenID Connect (authorization code flow)
 * Client ID: the same Client ID you entered when configuring the client in Keycloak
+* Client Secret: found in keycloak on the client Credentials tab
 * Allowed: yes
 * Body: the link text to appear on the login page, such as Login with Keycloak
+* Scope: openid email
 * Authentication URL: The "authorization_endpoint" URL found in the
   OpenID Endpoint Configuration of your Keycloak realm
-* Scope: email
-* Validation URL: The "jwks_uri" URL found in the
+* Token URL: The "token_endpoint" URL found in the
+  OpenID Endpoint Configuration of your Keycloak realm
+* JWKS URL: The "jwks_uri" URL found in the
   OpenID Endpoint Configuration of your Keycloak realm
diff --git a/auth_oidc/readme/CONTRIBUTORS.rst b/auth_oidc/readme/CONTRIBUTORS.rst
index 8785f72c06..d721552d86 100644
--- a/auth_oidc/readme/CONTRIBUTORS.rst
+++ b/auth_oidc/readme/CONTRIBUTORS.rst
@@ -1 +1,2 @@
 * Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
+* Stéphane Bidoul <stephane.bidoul@acsone.eu>
diff --git a/auth_oidc/readme/DESCRIPTION.rst b/auth_oidc/readme/DESCRIPTION.rst
index 540c7c2c95..ae89dd9d73 100644
--- a/auth_oidc/readme/DESCRIPTION.rst
+++ b/auth_oidc/readme/DESCRIPTION.rst
@@ -1,6 +1,5 @@
-This module allows users to login through an OpenID Connect provider.
+This module allows users to login through an OpenID Connect provider using the
+authorization code flow or implicit flow.
 
-This includes:
-
-- Keycloak with ClientID and secret + Implicit Flow
-- Microsoft Azure
+Note the implicit flow is not recommended because it exposes access tokens to
+the browser and in http logs.
diff --git a/auth_oidc/readme/HISTORY.rst b/auth_oidc/readme/HISTORY.rst
index 5aee5128a7..f831ce0e6d 100644
--- a/auth_oidc/readme/HISTORY.rst
+++ b/auth_oidc/readme/HISTORY.rst
@@ -1,3 +1,8 @@
+13.0.1.0.0 2020-04-10
+~~~~~~~~~~~~~~~~~~~~~
+
+* Odoo 13 migration, add authorization code flow.
+
 10.0.1.0.0 2018-10-05
 ~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/auth_oidc/readme/ROADMAP.rst b/auth_oidc/readme/ROADMAP.rst
index c99e29f2c9..6a95f19054 100644
--- a/auth_oidc/readme/ROADMAP.rst
+++ b/auth_oidc/readme/ROADMAP.rst
@@ -1,3 +1,2 @@
-
 * When going to the login screen, check for a existing token and do a direct login without the clicking on the SSO link
 * When doing a logout an extra option to also logout at the SSO provider.

From 68dcb6ebd8c2b31a1fab3880345b6ec1283ce7e1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Sat, 10 Apr 2021 11:30:10 +0200
Subject: [PATCH 14/46] auth_oidc: better nonce

---
 auth_oidc/controllers/main.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/auth_oidc/controllers/main.py b/auth_oidc/controllers/main.py
index c4d4a610f7..9673cac151 100644
--- a/auth_oidc/controllers/main.py
+++ b/auth_oidc/controllers/main.py
@@ -3,7 +3,7 @@
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 import logging
-import uuid
+import secrets
 
 import werkzeug.utils
 
@@ -19,7 +19,7 @@ def list_providers(self):
             flow = provider.get("flow")
             if flow in ("id_token", "id_token_code"):
                 params = werkzeug.url_decode(provider["auth_link"].split("?")[-1])
-                params["nonce"] = uuid.uuid1().hex  # TODO Better nonce
+                params["nonce"] = secrets.token_urlsafe()
                 if flow == "id_token":
                     # https://openid.net/specs/openid-connect-core-1_0.html
                     # #ImplicitAuthRequest

From 16a4fd73c8154893e59ab598daeef4ce5386d4a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Sat, 10 Apr 2021 12:01:44 +0200
Subject: [PATCH 15/46] auth_oidc: make client secret optional

This is not a recommended scenario, but this prepares
the code for using PKCE
---
 auth_oidc/models/res_users.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index b495ed87d2..43ab713887 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -30,14 +30,18 @@ def auth_oauth(self, provider, params):
             # https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
             code = params.get("code")
             # https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
+            auth = None
+            if oauth_provider.client_secret:
+                auth = (oauth_provider.client_id, oauth_provider.client_secret)
             response = requests.post(
                 oauth_provider.token_endpoint,
                 data=dict(
+                    client_id=oauth_provider.client_id,
                     grant_type="authorization_code",
                     code=code,
                     redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
                 ),
-                auth=(oauth_provider.client_id, oauth_provider.client_secret),
+                auth=auth,
             )
             response.raise_for_status()
             response_json = response.json()

From 0590e0b11ba36ea4d6a0b60fd8f926a491964813 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Sat, 10 Apr 2021 13:12:02 +0200
Subject: [PATCH 16/46] auth_oidc: add PKCE support

---
 auth_oidc/controllers/main.py           | 13 +++++++++++++
 auth_oidc/models/auth_oauth_provider.py |  6 +++++-
 auth_oidc/models/res_users.py           |  1 +
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/auth_oidc/controllers/main.py b/auth_oidc/controllers/main.py
index 9673cac151..dbc7dac69c 100644
--- a/auth_oidc/controllers/main.py
+++ b/auth_oidc/controllers/main.py
@@ -2,6 +2,8 @@
 # Copyright 2021 ACSONE SA/NV <https://acsone.eu>
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
+import base64
+import hashlib
 import logging
 import secrets
 
@@ -19,7 +21,9 @@ def list_providers(self):
             flow = provider.get("flow")
             if flow in ("id_token", "id_token_code"):
                 params = werkzeug.url_decode(provider["auth_link"].split("?")[-1])
+                # nonce
                 params["nonce"] = secrets.token_urlsafe()
+                # response_type
                 if flow == "id_token":
                     # https://openid.net/specs/openid-connect-core-1_0.html
                     # #ImplicitAuthRequest
@@ -27,10 +31,19 @@ def list_providers(self):
                 elif flow == "id_token_code":
                     # https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest
                     params["response_type"] = "code"
+                # PKCE (https://tools.ietf.org/html/rfc7636)
+                code_verifier = provider["code_verifier"]
+                code_challenge = base64.urlsafe_b64encode(
+                    hashlib.sha256(code_verifier.encode("ascii")).digest()
+                ).rstrip(b"=")
+                params["code_challenge"] = code_challenge
+                params["code_challenge_method"] = "S256"
+                # scope
                 if provider.get("scope"):
                     if "openid" not in provider["scope"].split():
                         _logger.error("openid connect scope must contain 'openid'")
                     params["scope"] = provider["scope"]
+                # auth link that the user will click
                 provider["auth_link"] = "{}?{}".format(
                     provider["auth_endpoint"], werkzeug.url_encode(params)
                 )
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index 43a0aa8781..06f0dae545 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -3,6 +3,7 @@
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 import logging
+import secrets
 
 import requests
 
@@ -34,7 +35,10 @@ class AuthOauthProvider(models.Model):
         "the sub key in the standard."
     )
     client_secret = fields.Char(
-        help="Required for OpenID Connect authorization code flow."
+        help="Used in OpenID Connect authorization code flow for confidential clients.",
+    )
+    code_verifier = fields.Char(
+        default=lambda self: secrets.token_urlsafe(32), help="Used for PKCE."
     )
     validation_endpoint = fields.Char(required=False)
     token_endpoint = fields.Char(
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index 43ab713887..8a0328c26a 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -39,6 +39,7 @@ def auth_oauth(self, provider, params):
                     client_id=oauth_provider.client_id,
                     grant_type="authorization_code",
                     code=code,
+                    code_verifier=oauth_provider.code_verifier,  # PKCE
                     redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
                 ),
                 auth=auth,

From b7bbd3c328aa2e132561b2c7029b15691789c129 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Sun, 11 Apr 2021 14:44:16 +0200
Subject: [PATCH 17/46] auth_oidc: demo data and basic test

---
 auth_oidc/demo/local_keycloak.xml             |   20 +
 auth_oidc/tests/__init__.py                   |    1 +
 auth_oidc/tests/keycloak/keycloak-config.json | 1997 +++++++++++++++++
 auth_oidc/tests/keycloak/keycloak.sh          |   10 +
 auth_oidc/tests/test_auth_oidc_auth_code.py   |   52 +
 5 files changed, 2080 insertions(+)
 create mode 100644 auth_oidc/demo/local_keycloak.xml
 create mode 100644 auth_oidc/tests/__init__.py
 create mode 100644 auth_oidc/tests/keycloak/keycloak-config.json
 create mode 100755 auth_oidc/tests/keycloak/keycloak.sh
 create mode 100644 auth_oidc/tests/test_auth_oidc_auth_code.py

diff --git a/auth_oidc/demo/local_keycloak.xml b/auth_oidc/demo/local_keycloak.xml
new file mode 100644
index 0000000000..919754db99
--- /dev/null
+++ b/auth_oidc/demo/local_keycloak.xml
@@ -0,0 +1,20 @@
+<odoo>
+    <record id="local_keycloak" model="auth.oauth.provider">
+        <field name="name">keycloak:8080 on localhost</field>
+        <field name="flow">id_token_code</field>
+        <field name="client_id">auth_oidc-test</field>
+        <field name="token_map">preferred_username:user_id</field>
+        <field name="body">keycloak:8080 on localhost</field>
+        <field name="enabled" eval="True" />
+        <field name="scope">openid email</field>
+        <field
+            name="auth_endpoint"
+        >http://localhost:8080/auth/realms/master/protocol/openid-connect/auth</field>
+        <field
+            name="token_endpoint"
+        >http://localhost:8080/auth/realms/master/protocol/openid-connect/token</field>
+        <field
+            name="jwks_uri"
+        >http://localhost:8080/auth/realms/master/protocol/openid-connect/certs</field>
+    </record>
+</odoo>
diff --git a/auth_oidc/tests/__init__.py b/auth_oidc/tests/__init__.py
new file mode 100644
index 0000000000..e603d993b8
--- /dev/null
+++ b/auth_oidc/tests/__init__.py
@@ -0,0 +1 @@
+from . import test_auth_oidc_auth_code
diff --git a/auth_oidc/tests/keycloak/keycloak-config.json b/auth_oidc/tests/keycloak/keycloak-config.json
new file mode 100644
index 0000000000..5a0456b55c
--- /dev/null
+++ b/auth_oidc/tests/keycloak/keycloak-config.json
@@ -0,0 +1,1997 @@
+{
+  "id": "master",
+  "realm": "master",
+  "displayName": "Keycloak",
+  "displayNameHtml": "<div class=\"kc-logo-text\"><span>Keycloak</span></div>",
+  "notBefore": 0,
+  "revokeRefreshToken": false,
+  "refreshTokenMaxReuse": 0,
+  "accessTokenLifespan": 60,
+  "accessTokenLifespanForImplicitFlow": 900,
+  "ssoSessionIdleTimeout": 1800,
+  "ssoSessionMaxLifespan": 36000,
+  "ssoSessionIdleTimeoutRememberMe": 0,
+  "ssoSessionMaxLifespanRememberMe": 0,
+  "offlineSessionIdleTimeout": 2592000,
+  "offlineSessionMaxLifespanEnabled": false,
+  "offlineSessionMaxLifespan": 5184000,
+  "clientSessionIdleTimeout": 0,
+  "clientSessionMaxLifespan": 0,
+  "clientOfflineSessionIdleTimeout": 0,
+  "clientOfflineSessionMaxLifespan": 0,
+  "accessCodeLifespan": 60,
+  "accessCodeLifespanUserAction": 300,
+  "accessCodeLifespanLogin": 1800,
+  "actionTokenGeneratedByAdminLifespan": 43200,
+  "actionTokenGeneratedByUserLifespan": 300,
+  "enabled": true,
+  "sslRequired": "external",
+  "registrationAllowed": false,
+  "registrationEmailAsUsername": false,
+  "rememberMe": false,
+  "verifyEmail": false,
+  "loginWithEmailAllowed": true,
+  "duplicateEmailsAllowed": false,
+  "resetPasswordAllowed": false,
+  "editUsernameAllowed": false,
+  "bruteForceProtected": false,
+  "permanentLockout": false,
+  "maxFailureWaitSeconds": 900,
+  "minimumQuickLoginWaitSeconds": 60,
+  "waitIncrementSeconds": 60,
+  "quickLoginCheckMilliSeconds": 1000,
+  "maxDeltaTimeSeconds": 43200,
+  "failureFactor": 30,
+  "roles": {
+    "realm": [
+      {
+        "id": "39f27ebe-139e-435b-840a-beb824d5d355",
+        "name": "admin",
+        "description": "${role_admin}",
+        "composite": true,
+        "composites": {
+          "realm": ["create-realm"],
+          "client": {
+            "master-realm": [
+              "create-client",
+              "view-realm",
+              "view-events",
+              "manage-clients",
+              "query-clients",
+              "view-identity-providers",
+              "impersonation",
+              "manage-events",
+              "query-realms",
+              "query-groups",
+              "manage-authorization",
+              "query-users",
+              "view-authorization",
+              "manage-identity-providers",
+              "manage-users",
+              "view-clients",
+              "view-users",
+              "manage-realm"
+            ]
+          }
+        },
+        "clientRole": false,
+        "containerId": "master",
+        "attributes": {}
+      },
+      {
+        "id": "3fd38fac-f708-4783-b8e9-4e47963fc4bf",
+        "name": "offline_access",
+        "description": "${role_offline-access}",
+        "composite": false,
+        "clientRole": false,
+        "containerId": "master",
+        "attributes": {}
+      },
+      {
+        "id": "4ac4a81b-0a30-41db-94ce-dbd621c331d2",
+        "name": "uma_authorization",
+        "description": "${role_uma_authorization}",
+        "composite": false,
+        "clientRole": false,
+        "containerId": "master",
+        "attributes": {}
+      },
+      {
+        "id": "20b16986-2361-454c-af0b-81f403152ef8",
+        "name": "create-realm",
+        "description": "${role_create-realm}",
+        "composite": false,
+        "clientRole": false,
+        "containerId": "master",
+        "attributes": {}
+      }
+    ],
+    "client": {
+      "auth_oidc-test": [],
+      "security-admin-console": [],
+      "admin-cli": [],
+      "account-console": [],
+      "broker": [
+        {
+          "id": "5fa108a0-2e5e-4e2e-8ee3-1317592517f8",
+          "name": "read-token",
+          "description": "${role_read-token}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "d1dd5ade-20bf-4d53-a371-a33f10bc1087",
+          "attributes": {}
+        }
+      ],
+      "master-realm": [
+        {
+          "id": "0d062a1c-5165-4ea5-b550-55d02ca86226",
+          "name": "create-client",
+          "description": "${role_create-client}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "f5795bcb-ab2d-4a74-b954-51f335c21198",
+          "name": "view-realm",
+          "description": "${role_view-realm}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "1c0e3231-db03-4b03-961f-32308318f4f1",
+          "name": "view-events",
+          "description": "${role_view-events}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "ed9949d1-b11d-4742-b259-ee260f62f111",
+          "name": "manage-clients",
+          "description": "${role_manage-clients}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "b29b494a-9cd4-4410-8d16-207a3bb2e528",
+          "name": "query-clients",
+          "description": "${role_query-clients}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "8afdd284-070b-4d6f-9d21-d9917d8827af",
+          "name": "view-identity-providers",
+          "description": "${role_view-identity-providers}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "b5807416-f8f3-41ae-a29e-298ec3aae028",
+          "name": "impersonation",
+          "description": "${role_impersonation}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "6400b20c-a72b-4228-87d1-01b0d1315026",
+          "name": "manage-events",
+          "description": "${role_manage-events}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "6c3b14c3-0797-4e39-b5fa-b07d0e073e0e",
+          "name": "query-realms",
+          "description": "${role_query-realms}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "3fbf2279-9661-4cfc-b381-c7e4a8c459dc",
+          "name": "query-groups",
+          "description": "${role_query-groups}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "1b9e5572-34d5-4284-897c-0471544cf813",
+          "name": "manage-authorization",
+          "description": "${role_manage-authorization}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "a226e0fa-aa45-490d-9d64-78e88c3152cb",
+          "name": "query-users",
+          "description": "${role_query-users}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "d78736d4-250c-4012-a8ad-55b5c718a57a",
+          "name": "manage-identity-providers",
+          "description": "${role_manage-identity-providers}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "68e9559f-d467-46c3-ae48-d67c74582ca8",
+          "name": "view-authorization",
+          "description": "${role_view-authorization}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "908beec6-d8d1-441a-a5ad-f45d39df6b43",
+          "name": "manage-users",
+          "description": "${role_manage-users}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "5c5d56a2-e2ea-4b4f-9bb1-f40e18082932",
+          "name": "view-clients",
+          "description": "${role_view-clients}",
+          "composite": true,
+          "composites": {
+            "client": {
+              "master-realm": ["query-clients"]
+            }
+          },
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "561ec0f4-bd97-4c41-a825-918002afb307",
+          "name": "view-users",
+          "description": "${role_view-users}",
+          "composite": true,
+          "composites": {
+            "client": {
+              "master-realm": ["query-groups", "query-users"]
+            }
+          },
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        },
+        {
+          "id": "8ae350ac-19cd-431b-80fb-aee88316219e",
+          "name": "manage-realm",
+          "description": "${role_manage-realm}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+          "attributes": {}
+        }
+      ],
+      "account": [
+        {
+          "id": "0a6ac4dd-afdc-4b7b-b16a-ef2ca3b8e396",
+          "name": "delete-account",
+          "description": "${role_delete-account}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        },
+        {
+          "id": "1a30b2d0-9d49-4a09-9769-ea7f3142e715",
+          "name": "manage-consent",
+          "description": "${role_manage-consent}",
+          "composite": true,
+          "composites": {
+            "client": {
+              "account": ["view-consent"]
+            }
+          },
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        },
+        {
+          "id": "e065f4ba-d97c-4219-b56e-edbe945e14bf",
+          "name": "view-consent",
+          "description": "${role_view-consent}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        },
+        {
+          "id": "6e5b9a43-0f82-4669-a821-a1d449e4a2be",
+          "name": "view-applications",
+          "description": "${role_view-applications}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        },
+        {
+          "id": "c386c8c5-bdee-4d52-b124-94379799d5d9",
+          "name": "manage-account-links",
+          "description": "${role_manage-account-links}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        },
+        {
+          "id": "bcff49f4-7f83-4ec6-9a51-271fc9cbb302",
+          "name": "view-profile",
+          "description": "${role_view-profile}",
+          "composite": false,
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        },
+        {
+          "id": "4e36a4bf-80ab-404b-854e-7d593e9248ca",
+          "name": "manage-account",
+          "description": "${role_manage-account}",
+          "composite": true,
+          "composites": {
+            "client": {
+              "account": ["manage-account-links"]
+            }
+          },
+          "clientRole": true,
+          "containerId": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+          "attributes": {}
+        }
+      ]
+    }
+  },
+  "groups": [],
+  "defaultRoles": ["offline_access", "uma_authorization"],
+  "requiredCredentials": ["password"],
+  "otpPolicyType": "totp",
+  "otpPolicyAlgorithm": "HmacSHA1",
+  "otpPolicyInitialCounter": 0,
+  "otpPolicyDigits": 6,
+  "otpPolicyLookAheadWindow": 1,
+  "otpPolicyPeriod": 30,
+  "otpSupportedApplications": ["FreeOTP", "Google Authenticator"],
+  "webAuthnPolicyRpEntityName": "keycloak",
+  "webAuthnPolicySignatureAlgorithms": ["ES256"],
+  "webAuthnPolicyRpId": "",
+  "webAuthnPolicyAttestationConveyancePreference": "not specified",
+  "webAuthnPolicyAuthenticatorAttachment": "not specified",
+  "webAuthnPolicyRequireResidentKey": "not specified",
+  "webAuthnPolicyUserVerificationRequirement": "not specified",
+  "webAuthnPolicyCreateTimeout": 0,
+  "webAuthnPolicyAvoidSameAuthenticatorRegister": false,
+  "webAuthnPolicyAcceptableAaguids": [],
+  "webAuthnPolicyPasswordlessRpEntityName": "keycloak",
+  "webAuthnPolicyPasswordlessSignatureAlgorithms": ["ES256"],
+  "webAuthnPolicyPasswordlessRpId": "",
+  "webAuthnPolicyPasswordlessAttestationConveyancePreference": "not specified",
+  "webAuthnPolicyPasswordlessAuthenticatorAttachment": "not specified",
+  "webAuthnPolicyPasswordlessRequireResidentKey": "not specified",
+  "webAuthnPolicyPasswordlessUserVerificationRequirement": "not specified",
+  "webAuthnPolicyPasswordlessCreateTimeout": 0,
+  "webAuthnPolicyPasswordlessAvoidSameAuthenticatorRegister": false,
+  "webAuthnPolicyPasswordlessAcceptableAaguids": [],
+  "users": [
+    {
+      "id": "ad01a4d9-c919-4bc6-8b48-b3e3bcbb4149",
+      "createdTimestamp": 1618140941731,
+      "username": "admin",
+      "enabled": true,
+      "totp": false,
+      "emailVerified": false,
+      "credentials": [
+        {
+          "id": "596b17bb-199c-4a23-9c48-4620c0ecfd7a",
+          "type": "password",
+          "createdDate": 1618140941876,
+          "secretData": "{\"value\":\"PXx46hQETQuXQRUl9FvzEJdZtoL57qsad1dFQyOLzj/pNEmwldN54oxQh5p+QB0rNNJPI9ZiaAfZS90ZzJa6pQ==\",\"salt\":\"kiFQwyPm53MgwAByqTw5qQ==\",\"additionalParameters\":{}}",
+          "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+        }
+      ],
+      "disableableCredentialTypes": [],
+      "requiredActions": [],
+      "realmRoles": ["offline_access", "admin", "uma_authorization"],
+      "clientRoles": {
+        "account": ["view-profile", "manage-account"]
+      },
+      "notBefore": 0,
+      "groups": []
+    },
+    {
+      "id": "3752dfb8-d3b5-4597-b83c-fed005d2671c",
+      "createdTimestamp": 1618141153912,
+      "username": "demo",
+      "enabled": true,
+      "totp": false,
+      "emailVerified": false,
+      "credentials": [
+        {
+          "id": "4e5b5a38-3fcb-4703-8b9c-075164dde145",
+          "type": "password",
+          "createdDate": 1618141311783,
+          "secretData": "{\"value\":\"upShAwzTaS89elSkEgK0Phs+XUP3Ya1pOUYtE8k4JmZEJnXWjdOy9brn4cpLKwjF6pZ3glxkJgjdLmDeWm9WwQ==\",\"salt\":\"RnaXCbRf4bw1lZmQX43cMg==\",\"additionalParameters\":{}}",
+          "credentialData": "{\"hashIterations\":27500,\"algorithm\":\"pbkdf2-sha256\",\"additionalParameters\":{}}"
+        }
+      ],
+      "disableableCredentialTypes": [],
+      "requiredActions": [],
+      "realmRoles": ["offline_access", "uma_authorization"],
+      "clientRoles": {
+        "account": ["view-profile", "manage-account"]
+      },
+      "notBefore": 0,
+      "groups": []
+    }
+  ],
+  "scopeMappings": [
+    {
+      "clientScope": "offline_access",
+      "roles": ["offline_access"]
+    }
+  ],
+  "clientScopeMappings": {
+    "account": [
+      {
+        "client": "account-console",
+        "roles": ["manage-account"]
+      }
+    ]
+  },
+  "clients": [
+    {
+      "id": "45ef915f-ca72-4bcc-a79b-d2b83ca4be2f",
+      "clientId": "account",
+      "name": "${client_account}",
+      "rootUrl": "${authBaseUrl}",
+      "baseUrl": "/realms/master/account/",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "055c06d1-ffcc-4762-b8eb-e9814a6995df",
+      "defaultRoles": ["view-profile", "manage-account"],
+      "redirectUris": ["/realms/master/account/*"],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {},
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    },
+    {
+      "id": "4308a071-7dbf-4d08-a987-b7dc2f42b86e",
+      "clientId": "account-console",
+      "name": "${client_account-console}",
+      "rootUrl": "${authBaseUrl}",
+      "baseUrl": "/realms/master/account/",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "ec31839f-7ffb-400d-9373-26be6706e619",
+      "redirectUris": ["/realms/master/account/*"],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "pkce.code.challenge.method": "S256"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "protocolMappers": [
+        {
+          "id": "e36bba2d-7a07-4c83-a40e-14b4a8316ae9",
+          "name": "audience resolve",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-resolve-mapper",
+          "consentRequired": false,
+          "config": {}
+        }
+      ],
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    },
+    {
+      "id": "0915d9fc-102f-4033-b37e-832b89fee932",
+      "clientId": "admin-cli",
+      "name": "${client_admin-cli}",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "175303e4-f2d4-4ae9-8fb0-27a1337d3208",
+      "redirectUris": [],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": false,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": true,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {},
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    },
+    {
+      "id": "8bf21eb5-63da-4da5-8c12-7a5bafda1bf5",
+      "clientId": "auth_oidc-test",
+      "rootUrl": "http://localhost:8069",
+      "adminUrl": "http://localhost:8069",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "20c0ad33-0200-43cd-9bd1-5dd1b22918e3",
+      "redirectUris": ["http://localhost:8069/*"],
+      "webOrigins": ["http://localhost:8069"],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": true,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "saml.assertion.signature": "false",
+        "saml.force.post.binding": "false",
+        "saml.multivalued.roles": "false",
+        "saml.encrypt": "false",
+        "backchannel.logout.revoke.offline.tokens": "false",
+        "saml.server.signature": "false",
+        "saml.server.signature.keyinfo.ext": "false",
+        "exclude.session.state.from.auth.response": "false",
+        "backchannel.logout.session.required": "true",
+        "client_credentials.use_refresh_token": "false",
+        "saml_force_name_id_format": "false",
+        "saml.client.signature": "false",
+        "tls.client.certificate.bound.access.tokens": "false",
+        "saml.authnstatement": "false",
+        "display.on.consent.screen": "false",
+        "saml.onetimeuse.condition": "false"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": true,
+      "nodeReRegistrationTimeout": -1,
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    },
+    {
+      "id": "d1dd5ade-20bf-4d53-a371-a33f10bc1087",
+      "clientId": "broker",
+      "name": "${client_broker}",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "52aab659-5f2d-445a-a93e-6ab04de9db42",
+      "redirectUris": [],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {},
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    },
+    {
+      "id": "4e03d0f9-4c56-42c8-958c-337f6eede3ac",
+      "clientId": "master-realm",
+      "name": "master Realm",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "15ca5d76-d964-4761-85d1-8343748481ab",
+      "redirectUris": [],
+      "webOrigins": [],
+      "notBefore": 0,
+      "bearerOnly": true,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": false,
+      "frontchannelLogout": false,
+      "attributes": {},
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": true,
+      "nodeReRegistrationTimeout": 0,
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    },
+    {
+      "id": "983b74a1-e7a0-4bc4-8481-0eb8ca4f12e0",
+      "clientId": "security-admin-console",
+      "name": "${client_security-admin-console}",
+      "rootUrl": "${authAdminUrl}",
+      "baseUrl": "/admin/master/console/",
+      "surrogateAuthRequired": false,
+      "enabled": true,
+      "alwaysDisplayInConsole": false,
+      "clientAuthenticatorType": "client-secret",
+      "secret": "121beec3-2388-475b-b989-1ff85d25b4fd",
+      "redirectUris": ["/admin/master/console/*"],
+      "webOrigins": ["+"],
+      "notBefore": 0,
+      "bearerOnly": false,
+      "consentRequired": false,
+      "standardFlowEnabled": true,
+      "implicitFlowEnabled": false,
+      "directAccessGrantsEnabled": false,
+      "serviceAccountsEnabled": false,
+      "publicClient": true,
+      "frontchannelLogout": false,
+      "protocol": "openid-connect",
+      "attributes": {
+        "pkce.code.challenge.method": "S256"
+      },
+      "authenticationFlowBindingOverrides": {},
+      "fullScopeAllowed": false,
+      "nodeReRegistrationTimeout": 0,
+      "protocolMappers": [
+        {
+          "id": "21a0f25a-a2b7-415e-95a7-23886f00c83b",
+          "name": "locale",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "locale",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "locale",
+            "jsonType.label": "String"
+          }
+        }
+      ],
+      "defaultClientScopes": ["web-origins", "role_list", "roles", "profile", "email"],
+      "optionalClientScopes": ["address", "phone", "offline_access", "microprofile-jwt"]
+    }
+  ],
+  "clientScopes": [
+    {
+      "id": "07bff9f2-498f-4f07-9fb9-019152141a0f",
+      "name": "address",
+      "description": "OpenID Connect built-in scope: address",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${addressScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "46333a31-1e88-4191-8d25-2f4d975af4db",
+          "name": "address",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-address-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute.formatted": "formatted",
+            "user.attribute.country": "country",
+            "user.attribute.postal_code": "postal_code",
+            "userinfo.token.claim": "true",
+            "user.attribute.street": "street",
+            "id.token.claim": "true",
+            "user.attribute.region": "region",
+            "access.token.claim": "true",
+            "user.attribute.locality": "locality"
+          }
+        }
+      ]
+    },
+    {
+      "id": "8c30d3a8-af56-407a-a622-df16e7c2b04b",
+      "name": "email",
+      "description": "OpenID Connect built-in scope: email",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${emailScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "db1117e1-6174-4934-99d0-ff51f319c6f5",
+          "name": "email",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "email",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "email",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "c1a7d21e-7f45-4559-b314-913cbb560967",
+          "name": "email verified",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "emailVerified",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "email_verified",
+            "jsonType.label": "boolean"
+          }
+        }
+      ]
+    },
+    {
+      "id": "3d9f47ed-d2f0-474c-baa4-75e0e6619385",
+      "name": "microprofile-jwt",
+      "description": "Microprofile - JWT built-in scope",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "false"
+      },
+      "protocolMappers": [
+        {
+          "id": "e7c49c89-b513-4512-9410-bc0f39d4b4e5",
+          "name": "upn",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "username",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "upn",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "7b65fe0b-2974-445f-a7cd-ccec5141f560",
+          "name": "groups",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "multivalued": "true",
+            "user.attribute": "foo",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "groups",
+            "jsonType.label": "String"
+          }
+        }
+      ]
+    },
+    {
+      "id": "a9ed1a18-0e05-4eeb-a247-c84296cfa653",
+      "name": "offline_access",
+      "description": "OpenID Connect built-in scope: offline_access",
+      "protocol": "openid-connect",
+      "attributes": {
+        "consent.screen.text": "${offlineAccessScopeConsentText}",
+        "display.on.consent.screen": "true"
+      }
+    },
+    {
+      "id": "52f62f87-f914-4771-b79c-46a387797be7",
+      "name": "phone",
+      "description": "OpenID Connect built-in scope: phone",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${phoneScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "d8c485dc-7b8a-4469-8868-5bb73a6abafa",
+          "name": "phone number verified",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "phoneNumberVerified",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "phone_number_verified",
+            "jsonType.label": "boolean"
+          }
+        },
+        {
+          "id": "b1b21cd7-06f7-4469-b11e-22bf9de1a3ce",
+          "name": "phone number",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "phoneNumber",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "phone_number",
+            "jsonType.label": "String"
+          }
+        }
+      ]
+    },
+    {
+      "id": "311bf186-6cb2-4bdd-9da5-8ac30ff8b296",
+      "name": "profile",
+      "description": "OpenID Connect built-in scope: profile",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "true",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${profileScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "eda5d01f-6841-441e-b7d0-8fa48365a501",
+          "name": "middle name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "middleName",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "middle_name",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "e131db35-e08b-4805-b11b-59a90650ee2a",
+          "name": "picture",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "picture",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "picture",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "6e311016-71e1-450a-8011-6f6ce9f7e365",
+          "name": "full name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-full-name-mapper",
+          "consentRequired": false,
+          "config": {
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "userinfo.token.claim": "true"
+          }
+        },
+        {
+          "id": "e0fc1d75-2b19-4fc8-8ea3-778c96b47321",
+          "name": "website",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "website",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "website",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "a94d4acf-0a46-44b0-a739-ed329dfa9f41",
+          "name": "profile",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "profile",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "profile",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "57d4c1ad-4507-4545-8efc-5f83c0dc0be6",
+          "name": "username",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "username",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "preferred_username",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "0b42528f-d116-4217-9fbe-fe469c80914d",
+          "name": "given name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "firstName",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "given_name",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "f698a281-a28c-4b3e-ad73-524c556d1cc5",
+          "name": "locale",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "locale",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "locale",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "50b2c4f9-b4a3-470a-a8e4-af7384bd9536",
+          "name": "zoneinfo",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "zoneinfo",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "zoneinfo",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "12a21276-1f49-4b34-8bf7-df4dd7929ebf",
+          "name": "updated at",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "updatedAt",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "updated_at",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "4abce20a-c47d-430a-85c0-f65cb9ae7aa0",
+          "name": "birthdate",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "birthdate",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "birthdate",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "fa7c99b6-9cdf-4f8f-96af-45df5f2497e2",
+          "name": "nickname",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "nickname",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "nickname",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "983d7499-e23c-4971-9501-d404b405b484",
+          "name": "family name",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-property-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "lastName",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "family_name",
+            "jsonType.label": "String"
+          }
+        },
+        {
+          "id": "f42b6bcb-4bac-44a8-8073-c3194b56029c",
+          "name": "gender",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-attribute-mapper",
+          "consentRequired": false,
+          "config": {
+            "userinfo.token.claim": "true",
+            "user.attribute": "gender",
+            "id.token.claim": "true",
+            "access.token.claim": "true",
+            "claim.name": "gender",
+            "jsonType.label": "String"
+          }
+        }
+      ]
+    },
+    {
+      "id": "6acc2950-2bbe-49d8-b266-42e3c518f46f",
+      "name": "role_list",
+      "description": "SAML role list",
+      "protocol": "saml",
+      "attributes": {
+        "consent.screen.text": "${samlRoleListScopeConsentText}",
+        "display.on.consent.screen": "true"
+      },
+      "protocolMappers": [
+        {
+          "id": "8b0f3195-f1c2-4188-8045-5d48ba0aeb30",
+          "name": "role list",
+          "protocol": "saml",
+          "protocolMapper": "saml-role-list-mapper",
+          "consentRequired": false,
+          "config": {
+            "single": "false",
+            "attribute.nameformat": "Basic",
+            "attribute.name": "Role"
+          }
+        }
+      ]
+    },
+    {
+      "id": "437e71e0-7728-4763-82af-29fd14b1fa12",
+      "name": "roles",
+      "description": "OpenID Connect scope for add user roles to the access token",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "false",
+        "display.on.consent.screen": "true",
+        "consent.screen.text": "${rolesScopeConsentText}"
+      },
+      "protocolMappers": [
+        {
+          "id": "d255020d-b385-417d-bf27-b3a8c5911579",
+          "name": "client roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-client-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute": "foo",
+            "access.token.claim": "true",
+            "claim.name": "resource_access.${client_id}.roles",
+            "jsonType.label": "String",
+            "multivalued": "true"
+          }
+        },
+        {
+          "id": "5adb2a9c-5dbb-430c-89c0-9b464677245f",
+          "name": "realm roles",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-usermodel-realm-role-mapper",
+          "consentRequired": false,
+          "config": {
+            "user.attribute": "foo",
+            "access.token.claim": "true",
+            "claim.name": "realm_access.roles",
+            "jsonType.label": "String",
+            "multivalued": "true"
+          }
+        },
+        {
+          "id": "667e731f-4375-489f-bf03-566a7292719b",
+          "name": "audience resolve",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-audience-resolve-mapper",
+          "consentRequired": false,
+          "config": {}
+        }
+      ]
+    },
+    {
+      "id": "359211aa-1a6d-4441-a9bb-610acc6350db",
+      "name": "web-origins",
+      "description": "OpenID Connect scope for add allowed web origins to the access token",
+      "protocol": "openid-connect",
+      "attributes": {
+        "include.in.token.scope": "false",
+        "display.on.consent.screen": "false",
+        "consent.screen.text": ""
+      },
+      "protocolMappers": [
+        {
+          "id": "6646f9a5-0a1e-4bcc-b1d1-35b035b5aa55",
+          "name": "allowed web origins",
+          "protocol": "openid-connect",
+          "protocolMapper": "oidc-allowed-origins-mapper",
+          "consentRequired": false,
+          "config": {}
+        }
+      ]
+    }
+  ],
+  "defaultDefaultClientScopes": [
+    "role_list",
+    "profile",
+    "email",
+    "roles",
+    "web-origins"
+  ],
+  "defaultOptionalClientScopes": [
+    "offline_access",
+    "address",
+    "phone",
+    "microprofile-jwt"
+  ],
+  "browserSecurityHeaders": {
+    "contentSecurityPolicyReportOnly": "",
+    "xContentTypeOptions": "nosniff",
+    "xRobotsTag": "none",
+    "xFrameOptions": "SAMEORIGIN",
+    "xXSSProtection": "1; mode=block",
+    "contentSecurityPolicy": "frame-src 'self'; frame-ancestors 'self'; object-src 'none';",
+    "strictTransportSecurity": "max-age=31536000; includeSubDomains"
+  },
+  "smtpServer": {},
+  "eventsEnabled": false,
+  "eventsListeners": ["jboss-logging"],
+  "enabledEventTypes": [],
+  "adminEventsEnabled": false,
+  "adminEventsDetailsEnabled": false,
+  "identityProviders": [],
+  "identityProviderMappers": [],
+  "components": {
+    "org.keycloak.services.clientregistration.policy.ClientRegistrationPolicy": [
+      {
+        "id": "070f65ee-8d8f-4fff-ae32-a27016e7bf5c",
+        "name": "Allowed Client Scopes",
+        "providerId": "allowed-client-templates",
+        "subType": "authenticated",
+        "subComponents": {},
+        "config": {
+          "allow-default-scopes": ["true"]
+        }
+      },
+      {
+        "id": "81bc44f5-9bbd-4325-9f63-fc332e30e0e7",
+        "name": "Allowed Protocol Mapper Types",
+        "providerId": "allowed-protocol-mappers",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "allowed-protocol-mapper-types": [
+            "oidc-usermodel-property-mapper",
+            "saml-user-property-mapper",
+            "oidc-full-name-mapper",
+            "oidc-sha256-pairwise-sub-mapper",
+            "oidc-usermodel-attribute-mapper",
+            "oidc-address-mapper",
+            "saml-user-attribute-mapper",
+            "saml-role-list-mapper"
+          ]
+        }
+      },
+      {
+        "id": "f7d673f4-10ef-486d-a168-925b139abbc5",
+        "name": "Consent Required",
+        "providerId": "consent-required",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {}
+      },
+      {
+        "id": "c103a051-9371-4021-8a34-8196a78c3638",
+        "name": "Allowed Client Scopes",
+        "providerId": "allowed-client-templates",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "allow-default-scopes": ["true"]
+        }
+      },
+      {
+        "id": "a71eaf13-3e55-4aa6-9cf8-c1b74198d63a",
+        "name": "Trusted Hosts",
+        "providerId": "trusted-hosts",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "host-sending-registration-request-must-match": ["true"],
+          "client-uris-must-match": ["true"]
+        }
+      },
+      {
+        "id": "fb7bdacb-46bc-4266-b217-a1705e87f957",
+        "name": "Allowed Protocol Mapper Types",
+        "providerId": "allowed-protocol-mappers",
+        "subType": "authenticated",
+        "subComponents": {},
+        "config": {
+          "allowed-protocol-mapper-types": [
+            "saml-user-attribute-mapper",
+            "oidc-sha256-pairwise-sub-mapper",
+            "oidc-usermodel-attribute-mapper",
+            "saml-user-property-mapper",
+            "oidc-full-name-mapper",
+            "oidc-usermodel-property-mapper",
+            "oidc-address-mapper",
+            "saml-role-list-mapper"
+          ]
+        }
+      },
+      {
+        "id": "ec4f12ef-2fef-42b2-9cb8-9f251d8c3344",
+        "name": "Full Scope Disabled",
+        "providerId": "scope",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {}
+      },
+      {
+        "id": "99778abc-51f8-4480-a778-59ef73a60f56",
+        "name": "Max Clients Limit",
+        "providerId": "max-clients",
+        "subType": "anonymous",
+        "subComponents": {},
+        "config": {
+          "max-clients": ["200"]
+        }
+      }
+    ],
+    "org.keycloak.keys.KeyProvider": [
+      {
+        "id": "052d41cb-6938-40f0-8872-8ab171ec27e9",
+        "name": "fallback-HS256",
+        "providerId": "hmac-generated",
+        "subComponents": {},
+        "config": {
+          "kid": ["489fe44c-d70f-42f7-9a19-e3dc2a0df076"],
+          "secret": [
+            "6dqvUhGU5rhuMOKNuOI4U7nPTcA9jeJJLpmoewnkw_PdFDSjy73iQkPt5hw_8qU34IIFGOM-LkJJ8VWihvwEwQ"
+          ],
+          "priority": ["-100"],
+          "algorithm": ["HS256"]
+        }
+      },
+      {
+        "id": "53901ca8-2f9d-4f2e-804f-756204b9c1c5",
+        "name": "fallback-RS256",
+        "providerId": "rsa-generated",
+        "subComponents": {},
+        "config": {
+          "privateKey": [
+            "MIIEpAIBAAKCAQEAgYNR3Pgh/f1+DUcMBc9T6uT1MwC4oTthGbtJhmqQiawSWzUO8icSM4hFjiN2zqsKx7ofWmP3+ZRTq6fSEref+0tRRWafTq6LtDySa4DilqnQ/WBznnXML9hmsPBW3gNiZAKYbwvb/YE36L+a4nWcEc13jcXgMqLXUD7K/3YIYNT/S7xGgNKYfBmbTfS0A08ZITtyakaGYwLK6zwLYVAeUj1hZjVcz1926Zhhu4YznD6qMgCmBwlSD9lc6v0/RUNjo1NKSU0LXAeUEk1ynxFKJ+cUikHuvsIQvuXY5Sj+Y2tcWFpU51J01com69kdyYeelQv1n41yOB/U4bGmbhUctwIDAQABAoIBAH+RgwwdmRXeH9AiQBRk8Gq5lU/kkPe3TmCTGsv8oVwKEpamP4+Drqj1vFVSV08gKOEsUn+tYm8CjBvTlNd86WcT+/xZJefRg6hH1Y1wiUAQCtvYqmnV7Abgp933Dglm2f5alB0lWE5ufkySlpQjdlQOx4js9HXL8juHblqMv5noJNaDQSDh4UxtET+fVT8pvCL/MImG4C6BtULLDXLdH4pIvn0OIS788Xpc87uc3dSIfVxL1Oa0U1Qrxma5P8p9imremKLdA4iOzopyVsLo0uP2PrSLWD04I9kSwO0MHNDzbkMJiWXX5a7afzRY4g+zQL2STYsbD4B9KQnIpsQNrVkCgYEA4LbUejeexUBsjs3Whkn1BlUvxvDf2Vtudws1XSNmd5lneitfseDXCcH6p1TLHn0xoOmJDFGjLPEYFhqL0I5IyZP6zfiCJL88zFWVXlY8NsAoQeqvgnu5wHpIXEXCaJAAksWy/dmUZwTUyfIIxnLUQMPpJ1stu35e8DyNO4VadPMCgYEAk4teFNWkFBZmjSBUyo8Tw4TmJuCIRVH4FSaspUeVNhToKI3e5R/duz8rvqBj4tul5lyWq9FmcDaawE94jIa17XQnj/O767G72lHRuIlI+qftIca3r4/kDvy730yAOWl/1Su4SrX3t7WSBHIG2j7HMYIsj5xgBUvnbRQUtxByui0CgYEAsLe3YyHoj3D5rlg708HHmqJVf1sgfxvDRIUhA0z6oSWX1eDUUdvi4H6XMw6g6ipEZCokJ/bvn0E+0usvduTeYwAn5eD/4AwwsPTBEb45fkkhn60DN1c7nh3MWBxYJcjRWpt1BuMcLOQEv4fC1OWq+//VlKjEz0UzPjQwUVWu7HcCgYAo6uqhfootY/T2yHObZUiG3ZFyUKyaBNx3CS2x/IMd53hm3slk44x7hE5eZF6vKFj+5MiIR99P2WTbVm7JEgbcHm1mV6LS/4xoRG6T7cbGdNGnn1OLpa0Klv6HM9EPmvlvpdtLJOHZGcqv3uuVlPlq+n3fKe/bKCy7LGl+R1p51QKBgQCEmPS9A9y6YF7zRo8u7vUmJzGktdrSw65zYZVMzXY9A7uKU/OfpZ+papKDr1D9ApFgi5Ip1imirR7K9m4GImowZOTe/E6dT6nmrUtWUkaS4ghhwZ9Gh6kAOWoBYRB/Z4XIzJoSiet+PJ3p8SLhM7nETj7IDaeQgNudSK8/ohNPWQ=="
+          ],
+          "certificate": [
+            "MIICmzCCAYMCBgF4wLeSOTANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZtYXN0ZXIwHhcNMjEwNDExMTEzNDE5WhcNMzEwNDExMTEzNTU5WjARMQ8wDQYDVQQDDAZtYXN0ZXIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCBg1Hc+CH9/X4NRwwFz1Pq5PUzALihO2EZu0mGapCJrBJbNQ7yJxIziEWOI3bOqwrHuh9aY/f5lFOrp9ISt5/7S1FFZp9Orou0PJJrgOKWqdD9YHOedcwv2Gaw8FbeA2JkAphvC9v9gTfov5ridZwRzXeNxeAyotdQPsr/dghg1P9LvEaA0ph8GZtN9LQDTxkhO3JqRoZjAsrrPAthUB5SPWFmNVzPX3bpmGG7hjOcPqoyAKYHCVIP2Vzq/T9FQ2OjU0pJTQtcB5QSTXKfEUon5xSKQe6+whC+5djlKP5ja1xYWlTnUnTVyibr2R3Jh56VC/WfjXI4H9ThsaZuFRy3AgMBAAEwDQYJKoZIhvcNAQELBQADggEBAHEq+7bncqOh0RJJj+6fSHsIlkRGOeX6djVIKi1/eAJCD61Et3MHKh4kbu4U6phNlnhW5IFYinchGXe1uoG18fWkUS6QJoxHIDLR+tub7NSMraYxK85VgyLHCHaaGX7Bz+sIM628th4LlQd/M2zL45rqlMvB1XLxsMpi9Pb0Zc7qWwrvE5Jfi99UDAi6ZV3OojR6YC79HVHyOVmBIdLrVtn5mQYKJ5tF5F8xSs4ng96IO8Sn8pbUuYG8SlEz6KMmGH1sczlPE/3kAdm9IF+fXpYywuhsRNJyDBVDGpcqHTW+UW+V5TWa/ucZ6cpr1dQP5/FpcHylSWoXJpCk01PXl/M="
+          ],
+          "priority": ["-100"],
+          "algorithm": ["RS256"]
+        }
+      }
+    ]
+  },
+  "internationalizationEnabled": false,
+  "supportedLocales": [],
+  "authenticationFlows": [
+    {
+      "id": "815c3100-241b-4298-8039-54253c2c7e70",
+      "alias": "Account verification options",
+      "description": "Method with which to verity the existing account",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "idp-email-verification",
+          "requirement": "ALTERNATIVE",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "ALTERNATIVE",
+          "priority": 20,
+          "flowAlias": "Verify Existing Account by Re-authentication",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "e6a85d70-dc13-4705-9ba3-a980d548a430",
+      "alias": "Authentication Options",
+      "description": "Authentication options.",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "basic-auth",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "basic-auth-otp",
+          "requirement": "DISABLED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "auth-spnego",
+          "requirement": "DISABLED",
+          "priority": 30,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "96b14b20-7305-4018-8e75-86b572e3ace0",
+      "alias": "Browser - Conditional OTP",
+      "description": "Flow to determine if the OTP is required for the authentication",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "conditional-user-configured",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "auth-otp-form",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "a51abcaa-7495-4526-997f-55cd82f152e2",
+      "alias": "Direct Grant - Conditional OTP",
+      "description": "Flow to determine if the OTP is required for the authentication",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "conditional-user-configured",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "direct-grant-validate-otp",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "54fa7607-f4e5-4fe7-a8c3-4fad6ee376b8",
+      "alias": "First broker login - Conditional OTP",
+      "description": "Flow to determine if the OTP is required for the authentication",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "conditional-user-configured",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "auth-otp-form",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "31de3d9e-2f81-43cc-a4ad-1112cd4e9d71",
+      "alias": "Handle Existing Account",
+      "description": "Handle what to do if there is existing account with same email/username like authenticated identity provider",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "idp-confirm-link",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "flowAlias": "Account verification options",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "f499a904-41cc-41c1-bb43-688672d1533b",
+      "alias": "Reset - Conditional OTP",
+      "description": "Flow to determine if the OTP should be reset or not. Set to REQUIRED to force.",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "conditional-user-configured",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "reset-otp",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "7cee4451-5b17-4742-8736-8fce85639409",
+      "alias": "User creation or linking",
+      "description": "Flow for the existing/non-existing user alternatives",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticatorConfig": "create unique user config",
+          "authenticator": "idp-create-user-if-unique",
+          "requirement": "ALTERNATIVE",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "ALTERNATIVE",
+          "priority": 20,
+          "flowAlias": "Handle Existing Account",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "dafe7404-bce7-4ab6-9e35-fd1aecb93545",
+      "alias": "Verify Existing Account by Re-authentication",
+      "description": "Reauthentication of existing account",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "idp-username-password-form",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "CONDITIONAL",
+          "priority": 20,
+          "flowAlias": "First broker login - Conditional OTP",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "d34ac568-3793-4864-8df8-733fa2cd3554",
+      "alias": "browser",
+      "description": "browser based authentication",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "auth-cookie",
+          "requirement": "ALTERNATIVE",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "auth-spnego",
+          "requirement": "DISABLED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "identity-provider-redirector",
+          "requirement": "ALTERNATIVE",
+          "priority": 25,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "ALTERNATIVE",
+          "priority": 30,
+          "flowAlias": "forms",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "15a43900-948a-487d-a97a-444502dce766",
+      "alias": "clients",
+      "description": "Base authentication for clients",
+      "providerId": "client-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "client-secret",
+          "requirement": "ALTERNATIVE",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "client-jwt",
+          "requirement": "ALTERNATIVE",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "client-secret-jwt",
+          "requirement": "ALTERNATIVE",
+          "priority": 30,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "client-x509",
+          "requirement": "ALTERNATIVE",
+          "priority": 40,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "1865917e-f56d-453c-bb66-578e1955d199",
+      "alias": "direct grant",
+      "description": "OpenID Connect Resource Owner Grant",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "direct-grant-validate-username",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "direct-grant-validate-password",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "CONDITIONAL",
+          "priority": 30,
+          "flowAlias": "Direct Grant - Conditional OTP",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "3e151380-0869-4bdb-b9d1-65a7bcfcb6ab",
+      "alias": "docker auth",
+      "description": "Used by Docker clients to authenticate against the IDP",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "docker-http-basic-authenticator",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "79369bf2-9434-4b93-94d9-74a08a361701",
+      "alias": "first broker login",
+      "description": "Actions taken after first broker login with identity provider account, which is not yet linked to any Keycloak account",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticatorConfig": "review profile config",
+          "authenticator": "idp-review-profile",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "flowAlias": "User creation or linking",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "322d8eb9-a9cc-422a-a6a2-065b3b863967",
+      "alias": "forms",
+      "description": "Username, password, otp and other auth forms.",
+      "providerId": "basic-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "auth-username-password-form",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "CONDITIONAL",
+          "priority": 20,
+          "flowAlias": "Browser - Conditional OTP",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "0cf68f4f-332e-4f7d-a7a9-907189914191",
+      "alias": "http challenge",
+      "description": "An authentication flow based on challenge-response HTTP Authentication Schemes",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "no-cookie-redirect",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "flowAlias": "Authentication Options",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "d412906e-1aad-4707-ac40-95406aeed8d0",
+      "alias": "registration",
+      "description": "registration flow",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "registration-page-form",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "flowAlias": "registration form",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "d11ddacf-4fe8-4614-a9f1-fe5dcf621330",
+      "alias": "registration form",
+      "description": "registration form",
+      "providerId": "form-flow",
+      "topLevel": false,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "registration-user-creation",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "registration-profile-action",
+          "requirement": "REQUIRED",
+          "priority": 40,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "registration-password-action",
+          "requirement": "REQUIRED",
+          "priority": 50,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "registration-recaptcha-action",
+          "requirement": "DISABLED",
+          "priority": 60,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    },
+    {
+      "id": "48093169-4a24-499b-aad7-b87dcd32269d",
+      "alias": "reset credentials",
+      "description": "Reset credentials for a user if they forgot their password or something",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "reset-credentials-choose-user",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "reset-credential-email",
+          "requirement": "REQUIRED",
+          "priority": 20,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "authenticator": "reset-password",
+          "requirement": "REQUIRED",
+          "priority": 30,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        },
+        {
+          "requirement": "CONDITIONAL",
+          "priority": 40,
+          "flowAlias": "Reset - Conditional OTP",
+          "userSetupAllowed": false,
+          "autheticatorFlow": true
+        }
+      ]
+    },
+    {
+      "id": "f0a1d44c-2bab-408c-91b4-bb730bd65bc4",
+      "alias": "saml ecp",
+      "description": "SAML ECP Profile Authentication Flow",
+      "providerId": "basic-flow",
+      "topLevel": true,
+      "builtIn": true,
+      "authenticationExecutions": [
+        {
+          "authenticator": "http-basic-authenticator",
+          "requirement": "REQUIRED",
+          "priority": 10,
+          "userSetupAllowed": false,
+          "autheticatorFlow": false
+        }
+      ]
+    }
+  ],
+  "authenticatorConfig": [
+    {
+      "id": "173229da-6a52-4d54-8e88-cba503234cb4",
+      "alias": "create unique user config",
+      "config": {
+        "require.password.update.after.registration": "false"
+      }
+    },
+    {
+      "id": "a72c2a36-a48a-440d-b52f-831c385287fc",
+      "alias": "review profile config",
+      "config": {
+        "update.profile.on.first.login": "missing"
+      }
+    }
+  ],
+  "requiredActions": [
+    {
+      "alias": "CONFIGURE_TOTP",
+      "name": "Configure OTP",
+      "providerId": "CONFIGURE_TOTP",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 10,
+      "config": {}
+    },
+    {
+      "alias": "terms_and_conditions",
+      "name": "Terms and Conditions",
+      "providerId": "terms_and_conditions",
+      "enabled": false,
+      "defaultAction": false,
+      "priority": 20,
+      "config": {}
+    },
+    {
+      "alias": "UPDATE_PASSWORD",
+      "name": "Update Password",
+      "providerId": "UPDATE_PASSWORD",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 30,
+      "config": {}
+    },
+    {
+      "alias": "UPDATE_PROFILE",
+      "name": "Update Profile",
+      "providerId": "UPDATE_PROFILE",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 40,
+      "config": {}
+    },
+    {
+      "alias": "VERIFY_EMAIL",
+      "name": "Verify Email",
+      "providerId": "VERIFY_EMAIL",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 50,
+      "config": {}
+    },
+    {
+      "alias": "delete_account",
+      "name": "Delete Account",
+      "providerId": "delete_account",
+      "enabled": false,
+      "defaultAction": false,
+      "priority": 60,
+      "config": {}
+    },
+    {
+      "alias": "update_user_locale",
+      "name": "Update User Locale",
+      "providerId": "update_user_locale",
+      "enabled": true,
+      "defaultAction": false,
+      "priority": 1000,
+      "config": {}
+    }
+  ],
+  "browserFlow": "browser",
+  "registrationFlow": "registration",
+  "directGrantFlow": "direct grant",
+  "resetCredentialsFlow": "reset credentials",
+  "clientAuthenticationFlow": "clients",
+  "dockerAuthenticationFlow": "docker auth",
+  "attributes": {},
+  "keycloakVersion": "12.0.4",
+  "userManagedAccessAllowed": false
+}
diff --git a/auth_oidc/tests/keycloak/keycloak.sh b/auth_oidc/tests/keycloak/keycloak.sh
new file mode 100755
index 0000000000..7c81d562e7
--- /dev/null
+++ b/auth_oidc/tests/keycloak/keycloak.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+set -x
+$(which docker || which podman) run --rm \
+  -v $(dirname $0)/keycloak-config.json:/tmp/keycloak-config.json \
+  -p 8080:8080 \
+  quay.io/keycloak/keycloak:12.0.4 \
+  -Dkeycloak.migration.action=import \
+  -Dkeycloak.migration.provider=singleFile \
+  -Dkeycloak.migration.file=/tmp/keycloak-config.json \
+  -Dkeycloak.migration.strategy=OVERWRITE_EXISTING
diff --git a/auth_oidc/tests/test_auth_oidc_auth_code.py b/auth_oidc/tests/test_auth_oidc_auth_code.py
new file mode 100644
index 0000000000..623fa4b2cf
--- /dev/null
+++ b/auth_oidc/tests/test_auth_oidc_auth_code.py
@@ -0,0 +1,52 @@
+# Copyright 2021 ACSONE SA/NV <https://acsone.eu>
+# License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
+
+import contextlib
+from urllib.parse import parse_qs, urlparse
+
+import odoo
+from odoo.tests import common
+
+from odoo.addons.auth_oidc.controllers.main import OpenIDLogin
+from odoo.addons.website.tools import MockRequest as _MockRequest
+
+BASE_URL = "http://localhost:%s" % odoo.tools.config["http_port"]
+
+
+@contextlib.contextmanager
+def MockRequest(env):
+    with _MockRequest(env) as request:
+        request.httprequest.url_root = BASE_URL + "/"
+        request.params = {}
+        yield request
+
+
+class TestAuthOIDCAuthorizationCodeFlow(common.HttpCase):
+    def setUp(self):
+        super().setUp()
+        # search our test provider and bind the demo user to it
+        self.provider_rec = self.env["auth.oauth.provider"].search(
+            [("client_id", "=", "auth_oidc-test")]
+        )
+        self.assertEqual(len(self.provider_rec), 1)
+
+    def test_auth_link(self):
+        """Test that the authentication link is correct."""
+        # disable existing providers except our test provider
+        self.env["auth.oauth.provider"].search(
+            [("client_id", "!=", "auth_oidc-test")]
+        ).write(dict(enabled=False))
+        with MockRequest(self.env):
+            providers = OpenIDLogin().list_providers()
+            self.assertEqual(len(providers), 1)
+            auth_link = providers[0]["auth_link"]
+            assert auth_link.startswith(self.provider_rec.auth_endpoint)
+            params = parse_qs(urlparse(auth_link).query)
+            self.assertEqual(params["response_type"], ["code"])
+            self.assertEqual(params["client_id"], [self.provider_rec.client_id])
+            self.assertEqual(params["scope"], ["openid email"])
+            self.assertTrue(params["code_challenge"])
+            self.assertEqual(params["code_challenge_method"], ["S256"])
+            self.assertTrue(params["nonce"])
+            self.assertTrue(params["state"])
+            self.assertEqual(params["redirect_uri"], [BASE_URL + "/auth_oauth/signin"])

From 952d6a7d17675a3bd73bfeab5540ba6fa8c4ff4b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Fri, 25 Jun 2021 16:03:09 +0200
Subject: [PATCH 18/46] auth_oidc: slightly more robust parsing of claim
 mapping

---
 auth_oidc/models/auth_oauth_provider.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index 06f0dae545..6a40e87ed6 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -59,7 +59,7 @@ def _get_key(self, kid):
     def _map_token_values(self, res):
         if self.token_map:
             for pair in self.token_map.split(" "):
-                from_key, to_key = pair.split(":")
+                from_key, to_key = [k.strip() for k in pair.split(":", 1)]
                 if to_key not in res:
                     res[to_key] = res.get(from_key, "")
         return res

From 677f17398e4225c5c64e8c0a698260030323d645 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Fri, 25 Jun 2021 16:03:22 +0200
Subject: [PATCH 19/46] auth_oidc: split long method

---
 auth_oidc/models/res_users.py | 61 +++++++++++++++++++----------------
 1 file changed, 34 insertions(+), 27 deletions(-)

diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index 8a0328c26a..c487504e2a 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -16,39 +16,46 @@
 class ResUsers(models.Model):
     _inherit = "res.users"
 
+    def _auth_oauth_get_tokens_implicit_flow(self, oauth_provider, params):
+        # https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse
+        return params.get("access_token"), params.get("id_token")
+
+    def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
+        # https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
+        code = params.get("code")
+        # https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
+        auth = None
+        if oauth_provider.client_secret:
+            auth = (oauth_provider.client_id, oauth_provider.client_secret)
+        response = requests.post(
+            oauth_provider.token_endpoint,
+            data=dict(
+                client_id=oauth_provider.client_id,
+                grant_type="authorization_code",
+                code=code,
+                code_verifier=oauth_provider.code_verifier,  # PKCE
+                redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
+            ),
+            auth=auth,
+        )
+        response.raise_for_status()
+        response_json = response.json()
+        # https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
+        return response_json.get("access_token"), response_json.get("id_token")
+
     @api.model
     def auth_oauth(self, provider, params):
         oauth_provider = self.env["auth.oauth.provider"].browse(provider)
-        if oauth_provider.flow not in ("id_token", "id_token_code"):
-            return super(ResUsers, self).auth_oauth(provider, params)
-
         if oauth_provider.flow == "id_token":
-            # https://openid.net/specs/openid-connect-core-1_0.html#ImplicitAuthResponse
-            access_token = params.get("access_token")
-            id_token = params.get("id_token")
+            access_token, id_token = self._auth_oauth_get_tokens_implicit_flow(
+                oauth_provider, params
+            )
         elif oauth_provider.flow == "id_token_code":
-            # https://openid.net/specs/openid-connect-core-1_0.html#AuthResponse
-            code = params.get("code")
-            # https://openid.net/specs/openid-connect-core-1_0.html#TokenRequest
-            auth = None
-            if oauth_provider.client_secret:
-                auth = (oauth_provider.client_id, oauth_provider.client_secret)
-            response = requests.post(
-                oauth_provider.token_endpoint,
-                data=dict(
-                    client_id=oauth_provider.client_id,
-                    grant_type="authorization_code",
-                    code=code,
-                    code_verifier=oauth_provider.code_verifier,  # PKCE
-                    redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
-                ),
-                auth=auth,
+            access_token, id_token = self._auth_oauth_get_tokens_auth_code_flow(
+                oauth_provider, params
             )
-            response.raise_for_status()
-            response_json = response.json()
-            # https://openid.net/specs/openid-connect-core-1_0.html#TokenResponse
-            access_token = response_json.get("access_token")
-            id_token = response_json.get("id_token")
+        else:
+            return super(ResUsers, self).auth_oauth(provider, params)
         if not access_token:
             _logger.error("No access_token in response.")
             raise AccessDenied()

From e028d28fa462c156973c2b8b1d4ae54320db913a Mon Sep 17 00:00:00 2001
From: oca-travis <oca+oca-travis@odoo-community.org>
Date: Fri, 25 Jun 2021 14:19:32 +0000
Subject: [PATCH 20/46] [UPD] Update auth_oidc.pot

---
 auth_oidc/README.rst                    | 143 ++++++-
 auth_oidc/__manifest__.py               |   2 +-
 auth_oidc/i18n/auth_oidc.pot            | 113 +++++
 auth_oidc/static/description/index.html | 526 ++++++++++++++++++++++++
 4 files changed, 772 insertions(+), 12 deletions(-)
 create mode 100644 auth_oidc/i18n/auth_oidc.pot
 create mode 100644 auth_oidc/static/description/index.html

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
index 2bcb185e11..932ffea7b0 100644
--- a/auth_oidc/README.rst
+++ b/auth_oidc/README.rst
@@ -1,21 +1,57 @@
-=================================
-Authentication via OpenID Connect
-=================================
+=============================
+Authentication OpenID Connect
+=============================
 
-This module allows users to login through an OpenID Connect provider.
+.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! This file is generated by oca-gen-addon-readme !!
+   !! changes will be overwritten.                   !!
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
-This includes:
+.. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
+    :target: https://odoo-community.org/page/development-status
+    :alt: Beta
+.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+    :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
+    :alt: License: AGPL-3
+.. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
+    :target: https://github.com/OCA/server-auth/tree/13.0/auth_oidc
+    :alt: OCA/server-auth
+.. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
+    :target: https://translation.odoo-community.org/projects/server-auth-13-0/server-auth-13-0-auth_oidc
+    :alt: Translate me on Weblate
+.. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
+    :target: https://runbot.odoo-community.org/runbot/251/13.0
+    :alt: Try me on Runbot
 
-- Keycloak with ClientID and secret + Implicit Flow
-- Microsoft Azure
+|badge1| |badge2| |badge3| |badge4| |badge5| 
 
+This module allows users to login through an OpenID Connect provider using the
+authorization code flow or implicit flow.
 
-Usage
-=====
+Note the implicit flow is not recommended because it exposes access tokens to
+the browser and in http logs.
+
+**Table of contents**
+
+.. contents::
+   :local:
+
+Installation
+============
+
+This module depends on the `python-jose <https://pypi.org/project/python-jose/>`__
+library, not to be confused with ``jose`` which is also available on PyPI.
+
+Configuration
+=============
 
 Setup for Microsoft Azure
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
+Example configuration with OpenID Connect implicit flow.
+This configuration is not recommended because it exposes the access token
+to the client, and in logs.
+
 # configure a new web application in Azure with OpenID and implicit flow (see
   the `provider documentation
   <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)>`_)
@@ -40,8 +76,65 @@ Setup for Microsoft Azure
 Setup for Keycloak
 ~~~~~~~~~~~~~~~~~~
 
-write me...
+Example configuration with OpenID Connect authorization code flow.
+
+In Keycloak:
+
+# configure a new Client
+# make sure Authorization Code Flow is Enabled.
+# configure the client Access Type as "confidential" and take note of the client secret in the Credentials tab
+# configure the redirect url to be "<url of your server>/auth_oauth/signin"
+
+In Odoo, create a new Oauth Provider with the following parameters:
+
+* Provider name: Keycloak (or any name you like that identify your keycloak
+  provider)
+* Auth Flow: OpenID Connect (authorization code flow)
+* Client ID: the same Client ID you entered when configuring the client in Keycloak
+* Client Secret: found in keycloak on the client Credentials tab
+* Allowed: yes
+* Body: the link text to appear on the login page, such as Login with Keycloak
+* Scope: openid email
+* Authentication URL: The "authorization_endpoint" URL found in the
+  OpenID Endpoint Configuration of your Keycloak realm
+* Token URL: The "token_endpoint" URL found in the
+  OpenID Endpoint Configuration of your Keycloak realm
+* JWKS URL: The "jwks_uri" URL found in the
+  OpenID Endpoint Configuration of your Keycloak realm
+
+Usage
+=====
+
+On the login page, click on the authentication provider you configured.
 
+Known issues / Roadmap
+======================
+
+* When going to the login screen, check for a existing token and do a direct login without the clicking on the SSO link
+* When doing a logout an extra option to also logout at the SSO provider.
+
+Changelog
+=========
+
+13.0.1.0.0 2020-04-10
+~~~~~~~~~~~~~~~~~~~~~
+
+* Odoo 13 migration, add authorization code flow.
+
+10.0.1.0.0 2018-10-05
+~~~~~~~~~~~~~~~~~~~~~
+
+* Initial implementation
+
+Bug Tracker
+===========
+
+Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us smashing it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2013.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+
+Do not contact contributors directly about support or help with technical issues.
 
 Credits
 =======
@@ -49,9 +142,37 @@ Credits
 Authors
 ~~~~~~~
 
-* ICTSTUDIO, André Schenkels <https://www.ictstudio.eu>
+* ICTSTUDIO
+* André Schenkels
+* ACSONE SA/NV
 
 Contributors
 ~~~~~~~~~~~~
 
 * Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
+* Stéphane Bidoul <stephane.bidoul@acsone.eu>
+
+Maintainers
+~~~~~~~~~~~
+
+This module is maintained by the OCA.
+
+.. image:: https://odoo-community.org/logo.png
+   :alt: Odoo Community Association
+   :target: https://odoo-community.org
+
+OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.
+
+.. |maintainer-sbidoul| image:: https://github.com/sbidoul.png?size=40px
+    :target: https://github.com/sbidoul
+    :alt: sbidoul
+
+Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
+
+|maintainer-sbidoul| 
+
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/13.0/auth_oidc>`_ project on GitHub.
+
+You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index a2ff5cae5e..b30efbb0ca 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -4,7 +4,7 @@
 
 {
     "name": "Authentication OpenID Connect",
-    "version": "13.0.1.0.0",
+    "version": "13.0.1.0.1",
     "license": "AGPL-3",
     "author": (
         "ICTSTUDIO, André Schenkels, "
diff --git a/auth_oidc/i18n/auth_oidc.pot b/auth_oidc/i18n/auth_oidc.pot
new file mode 100644
index 0000000000..4150f1a674
--- /dev/null
+++ b/auth_oidc/i18n/auth_oidc.pot
@@ -0,0 +1,113 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_oidc
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 13.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: \n"
+"Language-Team: \n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: \n"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
+msgid "Auth Flow"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
+msgid "Client Secret"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Code Verifier"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "JWKS URL"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
+msgid "OAuth2"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_auth_oauth_provider
+msgid "OAuth2 provider"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
+msgid "OpenID Connect (authorization code flow)"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
+msgid "OpenID Connect (implicit flow, not recommended)"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Required for OpenID Connect authorization code flow."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "Required for OpenID Connect."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
+msgid ""
+"Some Oauth providers don't map keys in their responses exactly as required."
+"  It is important to ensure user_id and email at least are mapped. For "
+"OpenID Connect user_id is the sub key in the standard."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
+msgid "Token Map"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Token URL"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Used for PKCE."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
+msgid ""
+"Used in OpenID Connect authorization code flow for confidential clients."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_res_users
+msgid "Users"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
+msgid "Validation URL"
+msgstr ""
+
+#. module: auth_oidc
+#: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
+msgid "e.g from:to upn:email sub:user_id"
+msgstr ""
+
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.local_keycloak
+msgid "keycloak:8080 on localhost"
+msgstr ""
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
new file mode 100644
index 0000000000..a820198809
--- /dev/null
+++ b/auth_oidc/static/description/index.html
@@ -0,0 +1,526 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<meta name="generator" content="Docutils 0.15.1: http://docutils.sourceforge.net/" />
+<title>Authentication OpenID Connect</title>
+<style type="text/css">
+
+/*
+:Author: David Goodger (goodger@python.org)
+:Id: $Id: html4css1.css 7952 2016-07-26 18:15:59Z milde $
+:Copyright: This stylesheet has been placed in the public domain.
+
+Default cascading style sheet for the HTML output of Docutils.
+
+See http://docutils.sf.net/docs/howto/html-stylesheets.html for how to
+customize this style sheet.
+*/
+
+/* used to remove borders from tables and images */
+.borderless, table.borderless td, table.borderless th {
+  border: 0 }
+
+table.borderless td, table.borderless th {
+  /* Override padding for "table.docutils td" with "! important".
+     The right padding separates the table cells. */
+  padding: 0 0.5em 0 0 ! important }
+
+.first {
+  /* Override more specific margin styles with "! important". */
+  margin-top: 0 ! important }
+
+.last, .with-subtitle {
+  margin-bottom: 0 ! important }
+
+.hidden {
+  display: none }
+
+.subscript {
+  vertical-align: sub;
+  font-size: smaller }
+
+.superscript {
+  vertical-align: super;
+  font-size: smaller }
+
+a.toc-backref {
+  text-decoration: none ;
+  color: black }
+
+blockquote.epigraph {
+  margin: 2em 5em ; }
+
+dl.docutils dd {
+  margin-bottom: 0.5em }
+
+object[type="image/svg+xml"], object[type="application/x-shockwave-flash"] {
+  overflow: hidden;
+}
+
+/* Uncomment (and remove this text!) to get bold-faced definition list terms
+dl.docutils dt {
+  font-weight: bold }
+*/
+
+div.abstract {
+  margin: 2em 5em }
+
+div.abstract p.topic-title {
+  font-weight: bold ;
+  text-align: center }
+
+div.admonition, div.attention, div.caution, div.danger, div.error,
+div.hint, div.important, div.note, div.tip, div.warning {
+  margin: 2em ;
+  border: medium outset ;
+  padding: 1em }
+
+div.admonition p.admonition-title, div.hint p.admonition-title,
+div.important p.admonition-title, div.note p.admonition-title,
+div.tip p.admonition-title {
+  font-weight: bold ;
+  font-family: sans-serif }
+
+div.attention p.admonition-title, div.caution p.admonition-title,
+div.danger p.admonition-title, div.error p.admonition-title,
+div.warning p.admonition-title, .code .error {
+  color: red ;
+  font-weight: bold ;
+  font-family: sans-serif }
+
+/* Uncomment (and remove this text!) to get reduced vertical space in
+   compound paragraphs.
+div.compound .compound-first, div.compound .compound-middle {
+  margin-bottom: 0.5em }
+
+div.compound .compound-last, div.compound .compound-middle {
+  margin-top: 0.5em }
+*/
+
+div.dedication {
+  margin: 2em 5em ;
+  text-align: center ;
+  font-style: italic }
+
+div.dedication p.topic-title {
+  font-weight: bold ;
+  font-style: normal }
+
+div.figure {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+div.footer, div.header {
+  clear: both;
+  font-size: smaller }
+
+div.line-block {
+  display: block ;
+  margin-top: 1em ;
+  margin-bottom: 1em }
+
+div.line-block div.line-block {
+  margin-top: 0 ;
+  margin-bottom: 0 ;
+  margin-left: 1.5em }
+
+div.sidebar {
+  margin: 0 0 0.5em 1em ;
+  border: medium outset ;
+  padding: 1em ;
+  background-color: #ffffee ;
+  width: 40% ;
+  float: right ;
+  clear: right }
+
+div.sidebar p.rubric {
+  font-family: sans-serif ;
+  font-size: medium }
+
+div.system-messages {
+  margin: 5em }
+
+div.system-messages h1 {
+  color: red }
+
+div.system-message {
+  border: medium outset ;
+  padding: 1em }
+
+div.system-message p.system-message-title {
+  color: red ;
+  font-weight: bold }
+
+div.topic {
+  margin: 2em }
+
+h1.section-subtitle, h2.section-subtitle, h3.section-subtitle,
+h4.section-subtitle, h5.section-subtitle, h6.section-subtitle {
+  margin-top: 0.4em }
+
+h1.title {
+  text-align: center }
+
+h2.subtitle {
+  text-align: center }
+
+hr.docutils {
+  width: 75% }
+
+img.align-left, .figure.align-left, object.align-left, table.align-left {
+  clear: left ;
+  float: left ;
+  margin-right: 1em }
+
+img.align-right, .figure.align-right, object.align-right, table.align-right {
+  clear: right ;
+  float: right ;
+  margin-left: 1em }
+
+img.align-center, .figure.align-center, object.align-center {
+  display: block;
+  margin-left: auto;
+  margin-right: auto;
+}
+
+table.align-center {
+  margin-left: auto;
+  margin-right: auto;
+}
+
+.align-left {
+  text-align: left }
+
+.align-center {
+  clear: both ;
+  text-align: center }
+
+.align-right {
+  text-align: right }
+
+/* reset inner alignment in figures */
+div.align-right {
+  text-align: inherit }
+
+/* div.align-center * { */
+/*   text-align: left } */
+
+.align-top    {
+  vertical-align: top }
+
+.align-middle {
+  vertical-align: middle }
+
+.align-bottom {
+  vertical-align: bottom }
+
+ol.simple, ul.simple {
+  margin-bottom: 1em }
+
+ol.arabic {
+  list-style: decimal }
+
+ol.loweralpha {
+  list-style: lower-alpha }
+
+ol.upperalpha {
+  list-style: upper-alpha }
+
+ol.lowerroman {
+  list-style: lower-roman }
+
+ol.upperroman {
+  list-style: upper-roman }
+
+p.attribution {
+  text-align: right ;
+  margin-left: 50% }
+
+p.caption {
+  font-style: italic }
+
+p.credits {
+  font-style: italic ;
+  font-size: smaller }
+
+p.label {
+  white-space: nowrap }
+
+p.rubric {
+  font-weight: bold ;
+  font-size: larger ;
+  color: maroon ;
+  text-align: center }
+
+p.sidebar-title {
+  font-family: sans-serif ;
+  font-weight: bold ;
+  font-size: larger }
+
+p.sidebar-subtitle {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+p.topic-title {
+  font-weight: bold }
+
+pre.address {
+  margin-bottom: 0 ;
+  margin-top: 0 ;
+  font: inherit }
+
+pre.literal-block, pre.doctest-block, pre.math, pre.code {
+  margin-left: 2em ;
+  margin-right: 2em }
+
+pre.code .ln { color: grey; } /* line numbers */
+pre.code, code { background-color: #eeeeee }
+pre.code .comment, code .comment { color: #5C6576 }
+pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
+pre.code .literal.string, code .literal.string { color: #0C5404 }
+pre.code .name.builtin, code .name.builtin { color: #352B84 }
+pre.code .deleted, code .deleted { background-color: #DEB0A1}
+pre.code .inserted, code .inserted { background-color: #A3D289}
+
+span.classifier {
+  font-family: sans-serif ;
+  font-style: oblique }
+
+span.classifier-delimiter {
+  font-family: sans-serif ;
+  font-weight: bold }
+
+span.interpreted {
+  font-family: sans-serif }
+
+span.option {
+  white-space: nowrap }
+
+span.pre {
+  white-space: pre }
+
+span.problematic {
+  color: red }
+
+span.section-subtitle {
+  /* font-size relative to parent (h1..h6 element) */
+  font-size: 80% }
+
+table.citation {
+  border-left: solid 1px gray;
+  margin-left: 1px }
+
+table.docinfo {
+  margin: 2em 4em }
+
+table.docutils {
+  margin-top: 0.5em ;
+  margin-bottom: 0.5em }
+
+table.footnote {
+  border-left: solid 1px black;
+  margin-left: 1px }
+
+table.docutils td, table.docutils th,
+table.docinfo td, table.docinfo th {
+  padding-left: 0.5em ;
+  padding-right: 0.5em ;
+  vertical-align: top }
+
+table.docutils th.field-name, table.docinfo th.docinfo-name {
+  font-weight: bold ;
+  text-align: left ;
+  white-space: nowrap ;
+  padding-left: 0 }
+
+/* "booktabs" style (no vertical lines) */
+table.docutils.booktabs {
+  border: 0px;
+  border-top: 2px solid;
+  border-bottom: 2px solid;
+  border-collapse: collapse;
+}
+table.docutils.booktabs * {
+  border: 0px;
+}
+table.docutils.booktabs th {
+  border-bottom: thin solid;
+  text-align: left;
+}
+
+h1 tt.docutils, h2 tt.docutils, h3 tt.docutils,
+h4 tt.docutils, h5 tt.docutils, h6 tt.docutils {
+  font-size: 100% }
+
+ul.auto-toc {
+  list-style-type: none }
+
+</style>
+</head>
+<body>
+<div class="document" id="authentication-openid-connect">
+<h1 class="title">Authentication OpenID Connect</h1>
+
+<!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! This file is generated by oca-gen-addon-readme !!
+!! changes will be overwritten.                   !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
+<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-auth/tree/13.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-auth-13-0/server-auth-13-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/251/13.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
+<p>This module allows users to login through an OpenID Connect provider using the
+authorization code flow or implicit flow.</p>
+<p>Note the implicit flow is not recommended because it exposes access tokens to
+the browser and in http logs.</p>
+<p><strong>Table of contents</strong></p>
+<div class="contents local topic" id="contents">
+<ul class="simple">
+<li><a class="reference internal" href="#installation" id="id3">Installation</a></li>
+<li><a class="reference internal" href="#configuration" id="id4">Configuration</a><ul>
+<li><a class="reference internal" href="#setup-for-microsoft-azure" id="id5">Setup for Microsoft Azure</a></li>
+<li><a class="reference internal" href="#setup-for-keycloak" id="id6">Setup for Keycloak</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#usage" id="id7">Usage</a></li>
+<li><a class="reference internal" href="#known-issues-roadmap" id="id8">Known issues / Roadmap</a></li>
+<li><a class="reference internal" href="#changelog" id="id9">Changelog</a><ul>
+<li><a class="reference internal" href="#id1" id="id10">13.0.1.0.0 2020-04-10</a></li>
+<li><a class="reference internal" href="#id2" id="id11">10.0.1.0.0 2018-10-05</a></li>
+</ul>
+</li>
+<li><a class="reference internal" href="#bug-tracker" id="id12">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="id13">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="id14">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="id15">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="id16">Maintainers</a></li>
+</ul>
+</li>
+</ul>
+</div>
+<div class="section" id="installation">
+<h1><a class="toc-backref" href="#id3">Installation</a></h1>
+<p>This module depends on the <a class="reference external" href="https://pypi.org/project/python-jose/">python-jose</a>
+library, not to be confused with <tt class="docutils literal">jose</tt> which is also available on PyPI.</p>
+</div>
+<div class="section" id="configuration">
+<h1><a class="toc-backref" href="#id4">Configuration</a></h1>
+<div class="section" id="setup-for-microsoft-azure">
+<h2><a class="toc-backref" href="#id5">Setup for Microsoft Azure</a></h2>
+<p>Example configuration with OpenID Connect implicit flow.
+This configuration is not recommended because it exposes the access token
+to the client, and in logs.</p>
+<dl class="docutils">
+<dt># configure a new web application in Azure with OpenID and implicit flow (see</dt>
+<dd>the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)">provider documentation</a>)</dd>
+<dt># in this application the redirect url must be be “&lt;url of your</dt>
+<dd>server&gt;/auth_oauth/signin” and of course this URL should be reachable from
+Azure</dd>
+<dt># create a new authentication provider in Odoo with the following</dt>
+<dd>parameters (see the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings">portal documentation</a>
+for more information):</dd>
+</dl>
+<ul class="simple">
+<li>Provider Name: Azure</li>
+<li>Auth Flow: OpenID Connect</li>
+<li>Client ID: use the value of the OAuth2 autorization endoing (v2) from the Azure Endpoints list</li>
+<li>Body: Azure SSO</li>
+<li>Authentication URL: use the value of “OAuth2 autorization endpoint (v2)” from the Azure endpoints list</li>
+<li>Scope: openid email</li>
+<li>Validation URL: use the value of “OAuth2 token endpoint (v2)” from the Azure endpoints list</li>
+<li>Allowed: yes</li>
+</ul>
+</div>
+<div class="section" id="setup-for-keycloak">
+<h2><a class="toc-backref" href="#id6">Setup for Keycloak</a></h2>
+<p>Example configuration with OpenID Connect authorization code flow.</p>
+<p>In Keycloak:</p>
+<p># configure a new Client
+# make sure Authorization Code Flow is Enabled.
+# configure the client Access Type as “confidential” and take note of the client secret in the Credentials tab
+# configure the redirect url to be “&lt;url of your server&gt;/auth_oauth/signin”</p>
+<p>In Odoo, create a new Oauth Provider with the following parameters:</p>
+<ul class="simple">
+<li>Provider name: Keycloak (or any name you like that identify your keycloak
+provider)</li>
+<li>Auth Flow: OpenID Connect (authorization code flow)</li>
+<li>Client ID: the same Client ID you entered when configuring the client in Keycloak</li>
+<li>Client Secret: found in keycloak on the client Credentials tab</li>
+<li>Allowed: yes</li>
+<li>Body: the link text to appear on the login page, such as Login with Keycloak</li>
+<li>Scope: openid email</li>
+<li>Authentication URL: The “authorization_endpoint” URL found in the
+OpenID Endpoint Configuration of your Keycloak realm</li>
+<li>Token URL: The “token_endpoint” URL found in the
+OpenID Endpoint Configuration of your Keycloak realm</li>
+<li>JWKS URL: The “jwks_uri” URL found in the
+OpenID Endpoint Configuration of your Keycloak realm</li>
+</ul>
+</div>
+</div>
+<div class="section" id="usage">
+<h1><a class="toc-backref" href="#id7">Usage</a></h1>
+<p>On the login page, click on the authentication provider you configured.</p>
+</div>
+<div class="section" id="known-issues-roadmap">
+<h1><a class="toc-backref" href="#id8">Known issues / Roadmap</a></h1>
+<ul class="simple">
+<li>When going to the login screen, check for a existing token and do a direct login without the clicking on the SSO link</li>
+<li>When doing a logout an extra option to also logout at the SSO provider.</li>
+</ul>
+</div>
+<div class="section" id="changelog">
+<h1><a class="toc-backref" href="#id9">Changelog</a></h1>
+<div class="section" id="id1">
+<h2><a class="toc-backref" href="#id10">13.0.1.0.0 2020-04-10</a></h2>
+<ul class="simple">
+<li>Odoo 13 migration, add authorization code flow.</li>
+</ul>
+</div>
+<div class="section" id="id2">
+<h2><a class="toc-backref" href="#id11">10.0.1.0.0 2018-10-05</a></h2>
+<ul class="simple">
+<li>Initial implementation</li>
+</ul>
+</div>
+</div>
+<div class="section" id="bug-tracker">
+<h1><a class="toc-backref" href="#id12">Bug Tracker</a></h1>
+<p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
+In case of trouble, please check there if your issue has already been reported.
+If you spotted it first, help us smashing it by providing a detailed and welcomed
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2013.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<p>Do not contact contributors directly about support or help with technical issues.</p>
+</div>
+<div class="section" id="credits">
+<h1><a class="toc-backref" href="#id13">Credits</a></h1>
+<div class="section" id="authors">
+<h2><a class="toc-backref" href="#id14">Authors</a></h2>
+<ul class="simple">
+<li>ICTSTUDIO</li>
+<li>André Schenkels</li>
+<li>ACSONE SA/NV</li>
+</ul>
+</div>
+<div class="section" id="contributors">
+<h2><a class="toc-backref" href="#id15">Contributors</a></h2>
+<ul class="simple">
+<li>Alexandre Fayolle &lt;<a class="reference external" href="mailto:alexandre.fayolle&#64;camptocamp.com">alexandre.fayolle&#64;camptocamp.com</a>&gt;</li>
+<li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
+</ul>
+</div>
+<div class="section" id="maintainers">
+<h2><a class="toc-backref" href="#id16">Maintainers</a></h2>
+<p>This module is maintained by the OCA.</p>
+<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
+<p>OCA, or the Odoo Community Association, is a nonprofit organization whose
+mission is to support the collaborative development of Odoo features and
+promote its widespread use.</p>
+<p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
+<p><a class="reference external" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/13.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
+<p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
+</div>
+</div>
+</div>
+</body>
+</html>

From f6ae2a48d303fc6b11be7d5d07f33310a9c6a48f Mon Sep 17 00:00:00 2001
From: Chafique <chafique.delli@akretion.com>
Date: Fri, 10 Dec 2021 16:07:12 +0100
Subject: [PATCH 21/46] [MIG] auth_oidc: Migration to 14.0

---
 auth_oidc/README.rst                        | 15 +++--
 auth_oidc/__manifest__.py                   |  2 +-
 auth_oidc/i18n/auth_oidc.pot                | 20 +++++-
 auth_oidc/readme/HISTORY.rst                |  5 ++
 auth_oidc/static/description/index.html     | 71 +++++++++++----------
 auth_oidc/tests/test_auth_oidc_auth_code.py |  3 +-
 6 files changed, 76 insertions(+), 40 deletions(-)

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
index 932ffea7b0..04ab9a1a2e 100644
--- a/auth_oidc/README.rst
+++ b/auth_oidc/README.rst
@@ -14,13 +14,13 @@ Authentication OpenID Connect
     :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
     :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
-    :target: https://github.com/OCA/server-auth/tree/13.0/auth_oidc
+    :target: https://github.com/OCA/server-auth/tree/14.0/auth_oidc
     :alt: OCA/server-auth
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
-    :target: https://translation.odoo-community.org/projects/server-auth-13-0/server-auth-13-0-auth_oidc
+    :target: https://translation.odoo-community.org/projects/server-auth-14-0/server-auth-14-0-auth_oidc
     :alt: Translate me on Weblate
 .. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
-    :target: https://runbot.odoo-community.org/runbot/251/13.0
+    :target: https://runbot.odoo-community.org/runbot/251/14.0
     :alt: Try me on Runbot
 
 |badge1| |badge2| |badge3| |badge4| |badge5| 
@@ -116,6 +116,11 @@ Known issues / Roadmap
 Changelog
 =========
 
+14.0.1.0.0 2021-12-10
+~~~~~~~~~~~~~~~~~~~~~
+
+* Odoo 14 migration
+
 13.0.1.0.0 2020-04-10
 ~~~~~~~~~~~~~~~~~~~~~
 
@@ -132,7 +137,7 @@ Bug Tracker
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us smashing it by providing a detailed and welcomed
-`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2013.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2014.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 
 Do not contact contributors directly about support or help with technical issues.
 
@@ -173,6 +178,6 @@ Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
 
 |maintainer-sbidoul| 
 
-This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/13.0/auth_oidc>`_ project on GitHub.
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/14.0/auth_oidc>`_ project on GitHub.
 
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index b30efbb0ca..ebf94f0bbb 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -4,7 +4,7 @@
 
 {
     "name": "Authentication OpenID Connect",
-    "version": "13.0.1.0.1",
+    "version": "14.0.1.0.1",
     "license": "AGPL-3",
     "author": (
         "ICTSTUDIO, André Schenkels, "
diff --git a/auth_oidc/i18n/auth_oidc.pot b/auth_oidc/i18n/auth_oidc.pot
index 4150f1a674..a687a98816 100644
--- a/auth_oidc/i18n/auth_oidc.pot
+++ b/auth_oidc/i18n/auth_oidc.pot
@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: Odoo Server 13.0\n"
+"Project-Id-Version: Odoo Server 14.0\n"
 "Report-Msgid-Bugs-To: \n"
 "Last-Translator: \n"
 "Language-Team: \n"
@@ -28,11 +28,29 @@ msgstr ""
 msgid "Code Verifier"
 msgstr ""
 
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__display_name
+#: model:ir.model.fields,field_description:auth_oidc.field_res_users__display_name
+msgid "Display Name"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__id
+#: model:ir.model.fields,field_description:auth_oidc.field_res_users__id
+msgid "ID"
+msgstr ""
+
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
 msgid "JWKS URL"
 msgstr ""
 
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider____last_update
+#: model:ir.model.fields,field_description:auth_oidc.field_res_users____last_update
+msgid "Last Modified on"
+msgstr ""
+
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
 msgid "OAuth2"
diff --git a/auth_oidc/readme/HISTORY.rst b/auth_oidc/readme/HISTORY.rst
index f831ce0e6d..33b336582e 100644
--- a/auth_oidc/readme/HISTORY.rst
+++ b/auth_oidc/readme/HISTORY.rst
@@ -1,3 +1,8 @@
+14.0.1.0.0 2021-12-10
+~~~~~~~~~~~~~~~~~~~~~
+
+* Odoo 14 migration
+
 13.0.1.0.0 2020-04-10
 ~~~~~~~~~~~~~~~~~~~~~
 
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
index a820198809..c744fd4f07 100644
--- a/auth_oidc/static/description/index.html
+++ b/auth_oidc/static/description/index.html
@@ -367,7 +367,7 @@ <h1 class="title">Authentication OpenID Connect</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
-<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-auth/tree/13.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-auth-13-0/server-auth-13-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/251/13.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
+<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-auth/tree/14.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-auth-14-0/server-auth-14-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/251/14.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
 <p>This module allows users to login through an OpenID Connect provider using the
 authorization code flow or implicit flow.</p>
 <p>Note the implicit flow is not recommended because it exposes access tokens to
@@ -375,37 +375,38 @@ <h1 class="title">Authentication OpenID Connect</h1>
 <p><strong>Table of contents</strong></p>
 <div class="contents local topic" id="contents">
 <ul class="simple">
-<li><a class="reference internal" href="#installation" id="id3">Installation</a></li>
-<li><a class="reference internal" href="#configuration" id="id4">Configuration</a><ul>
-<li><a class="reference internal" href="#setup-for-microsoft-azure" id="id5">Setup for Microsoft Azure</a></li>
-<li><a class="reference internal" href="#setup-for-keycloak" id="id6">Setup for Keycloak</a></li>
+<li><a class="reference internal" href="#installation" id="id4">Installation</a></li>
+<li><a class="reference internal" href="#configuration" id="id5">Configuration</a><ul>
+<li><a class="reference internal" href="#setup-for-microsoft-azure" id="id6">Setup for Microsoft Azure</a></li>
+<li><a class="reference internal" href="#setup-for-keycloak" id="id7">Setup for Keycloak</a></li>
 </ul>
 </li>
-<li><a class="reference internal" href="#usage" id="id7">Usage</a></li>
-<li><a class="reference internal" href="#known-issues-roadmap" id="id8">Known issues / Roadmap</a></li>
-<li><a class="reference internal" href="#changelog" id="id9">Changelog</a><ul>
-<li><a class="reference internal" href="#id1" id="id10">13.0.1.0.0 2020-04-10</a></li>
-<li><a class="reference internal" href="#id2" id="id11">10.0.1.0.0 2018-10-05</a></li>
+<li><a class="reference internal" href="#usage" id="id8">Usage</a></li>
+<li><a class="reference internal" href="#known-issues-roadmap" id="id9">Known issues / Roadmap</a></li>
+<li><a class="reference internal" href="#changelog" id="id10">Changelog</a><ul>
+<li><a class="reference internal" href="#id1" id="id11">14.0.1.0.0 2021-12-10</a></li>
+<li><a class="reference internal" href="#id2" id="id12">13.0.1.0.0 2020-04-10</a></li>
+<li><a class="reference internal" href="#id3" id="id13">10.0.1.0.0 2018-10-05</a></li>
 </ul>
 </li>
-<li><a class="reference internal" href="#bug-tracker" id="id12">Bug Tracker</a></li>
-<li><a class="reference internal" href="#credits" id="id13">Credits</a><ul>
-<li><a class="reference internal" href="#authors" id="id14">Authors</a></li>
-<li><a class="reference internal" href="#contributors" id="id15">Contributors</a></li>
-<li><a class="reference internal" href="#maintainers" id="id16">Maintainers</a></li>
+<li><a class="reference internal" href="#bug-tracker" id="id14">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="id15">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="id16">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="id17">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="id18">Maintainers</a></li>
 </ul>
 </li>
 </ul>
 </div>
 <div class="section" id="installation">
-<h1><a class="toc-backref" href="#id3">Installation</a></h1>
+<h1><a class="toc-backref" href="#id4">Installation</a></h1>
 <p>This module depends on the <a class="reference external" href="https://pypi.org/project/python-jose/">python-jose</a>
 library, not to be confused with <tt class="docutils literal">jose</tt> which is also available on PyPI.</p>
 </div>
 <div class="section" id="configuration">
-<h1><a class="toc-backref" href="#id4">Configuration</a></h1>
+<h1><a class="toc-backref" href="#id5">Configuration</a></h1>
 <div class="section" id="setup-for-microsoft-azure">
-<h2><a class="toc-backref" href="#id5">Setup for Microsoft Azure</a></h2>
+<h2><a class="toc-backref" href="#id6">Setup for Microsoft Azure</a></h2>
 <p>Example configuration with OpenID Connect implicit flow.
 This configuration is not recommended because it exposes the access token
 to the client, and in logs.</p>
@@ -431,7 +432,7 @@ <h2><a class="toc-backref" href="#id5">Setup for Microsoft Azure</a></h2>
 </ul>
 </div>
 <div class="section" id="setup-for-keycloak">
-<h2><a class="toc-backref" href="#id6">Setup for Keycloak</a></h2>
+<h2><a class="toc-backref" href="#id7">Setup for Keycloak</a></h2>
 <p>Example configuration with OpenID Connect authorization code flow.</p>
 <p>In Keycloak:</p>
 <p># configure a new Client
@@ -458,43 +459,49 @@ <h2><a class="toc-backref" href="#id6">Setup for Keycloak</a></h2>
 </div>
 </div>
 <div class="section" id="usage">
-<h1><a class="toc-backref" href="#id7">Usage</a></h1>
+<h1><a class="toc-backref" href="#id8">Usage</a></h1>
 <p>On the login page, click on the authentication provider you configured.</p>
 </div>
 <div class="section" id="known-issues-roadmap">
-<h1><a class="toc-backref" href="#id8">Known issues / Roadmap</a></h1>
+<h1><a class="toc-backref" href="#id9">Known issues / Roadmap</a></h1>
 <ul class="simple">
 <li>When going to the login screen, check for a existing token and do a direct login without the clicking on the SSO link</li>
 <li>When doing a logout an extra option to also logout at the SSO provider.</li>
 </ul>
 </div>
 <div class="section" id="changelog">
-<h1><a class="toc-backref" href="#id9">Changelog</a></h1>
+<h1><a class="toc-backref" href="#id10">Changelog</a></h1>
 <div class="section" id="id1">
-<h2><a class="toc-backref" href="#id10">13.0.1.0.0 2020-04-10</a></h2>
+<h2><a class="toc-backref" href="#id11">14.0.1.0.0 2021-12-10</a></h2>
 <ul class="simple">
-<li>Odoo 13 migration, add authorization code flow.</li>
+<li>Odoo 14 migration</li>
 </ul>
 </div>
 <div class="section" id="id2">
-<h2><a class="toc-backref" href="#id11">10.0.1.0.0 2018-10-05</a></h2>
+<h2><a class="toc-backref" href="#id12">13.0.1.0.0 2020-04-10</a></h2>
+<ul class="simple">
+<li>Odoo 13 migration, add authorization code flow.</li>
+</ul>
+</div>
+<div class="section" id="id3">
+<h2><a class="toc-backref" href="#id13">10.0.1.0.0 2018-10-05</a></h2>
 <ul class="simple">
 <li>Initial implementation</li>
 </ul>
 </div>
 </div>
 <div class="section" id="bug-tracker">
-<h1><a class="toc-backref" href="#id12">Bug Tracker</a></h1>
+<h1><a class="toc-backref" href="#id14">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us smashing it by providing a detailed and welcomed
-<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2013.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2014.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
-<h1><a class="toc-backref" href="#id13">Credits</a></h1>
+<h1><a class="toc-backref" href="#id15">Credits</a></h1>
 <div class="section" id="authors">
-<h2><a class="toc-backref" href="#id14">Authors</a></h2>
+<h2><a class="toc-backref" href="#id16">Authors</a></h2>
 <ul class="simple">
 <li>ICTSTUDIO</li>
 <li>André Schenkels</li>
@@ -502,14 +509,14 @@ <h2><a class="toc-backref" href="#id14">Authors</a></h2>
 </ul>
 </div>
 <div class="section" id="contributors">
-<h2><a class="toc-backref" href="#id15">Contributors</a></h2>
+<h2><a class="toc-backref" href="#id17">Contributors</a></h2>
 <ul class="simple">
 <li>Alexandre Fayolle &lt;<a class="reference external" href="mailto:alexandre.fayolle&#64;camptocamp.com">alexandre.fayolle&#64;camptocamp.com</a>&gt;</li>
 <li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
 </ul>
 </div>
 <div class="section" id="maintainers">
-<h2><a class="toc-backref" href="#id16">Maintainers</a></h2>
+<h2><a class="toc-backref" href="#id18">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
 <a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose
@@ -517,7 +524,7 @@ <h2><a class="toc-backref" href="#id16">Maintainers</a></h2>
 promote its widespread use.</p>
 <p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
 <p><a class="reference external" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
-<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/13.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/14.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
 <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
 </div>
 </div>
diff --git a/auth_oidc/tests/test_auth_oidc_auth_code.py b/auth_oidc/tests/test_auth_oidc_auth_code.py
index 623fa4b2cf..f608d02dde 100644
--- a/auth_oidc/tests/test_auth_oidc_auth_code.py
+++ b/auth_oidc/tests/test_auth_oidc_auth_code.py
@@ -7,9 +7,10 @@
 import odoo
 from odoo.tests import common
 
-from odoo.addons.auth_oidc.controllers.main import OpenIDLogin
 from odoo.addons.website.tools import MockRequest as _MockRequest
 
+from ..controllers.main import OpenIDLogin
+
 BASE_URL = "http://localhost:%s" % odoo.tools.config["http_port"]
 
 

From 0bb0e1ec31d9320f34c3d53468d95840c37fabef Mon Sep 17 00:00:00 2001
From: Florian Mounier <paradoxxx.zero@gmail.com>
Date: Mon, 14 Mar 2022 10:43:33 +0100
Subject: [PATCH 22/46] [FIX] auth_oidc: Fix werkzeug deprecated warning for
 url_encode, url decode

---
 auth_oidc/__manifest__.py     | 2 +-
 auth_oidc/controllers/main.py | 6 +++---
 auth_oidc/i18n/auth_oidc.pot  | 8 ++++----
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index ebf94f0bbb..dcb25ec54f 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -4,7 +4,7 @@
 
 {
     "name": "Authentication OpenID Connect",
-    "version": "14.0.1.0.1",
+    "version": "14.0.1.0.2",
     "license": "AGPL-3",
     "author": (
         "ICTSTUDIO, André Schenkels, "
diff --git a/auth_oidc/controllers/main.py b/auth_oidc/controllers/main.py
index dbc7dac69c..0c0861e6da 100644
--- a/auth_oidc/controllers/main.py
+++ b/auth_oidc/controllers/main.py
@@ -7,7 +7,7 @@
 import logging
 import secrets
 
-import werkzeug.utils
+from werkzeug.urls import url_decode, url_encode
 
 from odoo.addons.auth_oauth.controllers.main import OAuthLogin
 
@@ -20,7 +20,7 @@ def list_providers(self):
         for provider in providers:
             flow = provider.get("flow")
             if flow in ("id_token", "id_token_code"):
-                params = werkzeug.url_decode(provider["auth_link"].split("?")[-1])
+                params = url_decode(provider["auth_link"].split("?")[-1])
                 # nonce
                 params["nonce"] = secrets.token_urlsafe()
                 # response_type
@@ -45,6 +45,6 @@ def list_providers(self):
                     params["scope"] = provider["scope"]
                 # auth link that the user will click
                 provider["auth_link"] = "{}?{}".format(
-                    provider["auth_endpoint"], werkzeug.url_encode(params)
+                    provider["auth_endpoint"], url_encode(params)
                 )
         return providers
diff --git a/auth_oidc/i18n/auth_oidc.pot b/auth_oidc/i18n/auth_oidc.pot
index a687a98816..256f1ca81b 100644
--- a/auth_oidc/i18n/auth_oidc.pot
+++ b/auth_oidc/i18n/auth_oidc.pot
@@ -111,13 +111,13 @@ msgid ""
 msgstr ""
 
 #. module: auth_oidc
-#: model:ir.model,name:auth_oidc.model_res_users
-msgid "Users"
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
+msgid "UserInfo URL"
 msgstr ""
 
 #. module: auth_oidc
-#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
-msgid "Validation URL"
+#: model:ir.model,name:auth_oidc.model_res_users
+msgid "Users"
 msgstr ""
 
 #. module: auth_oidc

From dc8f4510d62601580d243dfe191ab5b4c44cb060 Mon Sep 17 00:00:00 2001
From: Karl Southern <karl@theangryangel.co.uk>
Date: Thu, 7 Jul 2022 12:07:09 +0100
Subject: [PATCH 23/46] [MIG] auth_oidc: Migration to 15.0

---
 auth_oidc/README.rst                    | 10 +++++-----
 auth_oidc/__manifest__.py               |  2 +-
 auth_oidc/i18n/auth_oidc.pot            | 20 +-------------------
 auth_oidc/static/description/index.html |  6 +++---
 4 files changed, 10 insertions(+), 28 deletions(-)

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
index 04ab9a1a2e..3c6265151c 100644
--- a/auth_oidc/README.rst
+++ b/auth_oidc/README.rst
@@ -14,13 +14,13 @@ Authentication OpenID Connect
     :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
     :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
-    :target: https://github.com/OCA/server-auth/tree/14.0/auth_oidc
+    :target: https://github.com/OCA/server-auth/tree/15.0/auth_oidc
     :alt: OCA/server-auth
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
-    :target: https://translation.odoo-community.org/projects/server-auth-14-0/server-auth-14-0-auth_oidc
+    :target: https://translation.odoo-community.org/projects/server-auth-15-0/server-auth-15-0-auth_oidc
     :alt: Translate me on Weblate
 .. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
-    :target: https://runbot.odoo-community.org/runbot/251/14.0
+    :target: https://runbot.odoo-community.org/runbot/251/15.0
     :alt: Try me on Runbot
 
 |badge1| |badge2| |badge3| |badge4| |badge5| 
@@ -137,7 +137,7 @@ Bug Tracker
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us smashing it by providing a detailed and welcomed
-`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2014.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2015.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 
 Do not contact contributors directly about support or help with technical issues.
 
@@ -178,6 +178,6 @@ Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
 
 |maintainer-sbidoul| 
 
-This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/14.0/auth_oidc>`_ project on GitHub.
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/15.0/auth_oidc>`_ project on GitHub.
 
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index dcb25ec54f..cdbf492ec0 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -4,7 +4,7 @@
 
 {
     "name": "Authentication OpenID Connect",
-    "version": "14.0.1.0.2",
+    "version": "15.0.1.0.0",
     "license": "AGPL-3",
     "author": (
         "ICTSTUDIO, André Schenkels, "
diff --git a/auth_oidc/i18n/auth_oidc.pot b/auth_oidc/i18n/auth_oidc.pot
index 256f1ca81b..a6146631d4 100644
--- a/auth_oidc/i18n/auth_oidc.pot
+++ b/auth_oidc/i18n/auth_oidc.pot
@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: Odoo Server 14.0\n"
+"Project-Id-Version: Odoo Server 15.0\n"
 "Report-Msgid-Bugs-To: \n"
 "Last-Translator: \n"
 "Language-Team: \n"
@@ -28,29 +28,11 @@ msgstr ""
 msgid "Code Verifier"
 msgstr ""
 
-#. module: auth_oidc
-#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__display_name
-#: model:ir.model.fields,field_description:auth_oidc.field_res_users__display_name
-msgid "Display Name"
-msgstr ""
-
-#. module: auth_oidc
-#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__id
-#: model:ir.model.fields,field_description:auth_oidc.field_res_users__id
-msgid "ID"
-msgstr ""
-
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
 msgid "JWKS URL"
 msgstr ""
 
-#. module: auth_oidc
-#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider____last_update
-#: model:ir.model.fields,field_description:auth_oidc.field_res_users____last_update
-msgid "Last Modified on"
-msgstr ""
-
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
 msgid "OAuth2"
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
index c744fd4f07..737081829c 100644
--- a/auth_oidc/static/description/index.html
+++ b/auth_oidc/static/description/index.html
@@ -367,7 +367,7 @@ <h1 class="title">Authentication OpenID Connect</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
-<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-auth/tree/14.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-auth-14-0/server-auth-14-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/251/14.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
+<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-auth/tree/15.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-auth-15-0/server-auth-15-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/251/15.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
 <p>This module allows users to login through an OpenID Connect provider using the
 authorization code flow or implicit flow.</p>
 <p>Note the implicit flow is not recommended because it exposes access tokens to
@@ -495,7 +495,7 @@ <h1><a class="toc-backref" href="#id14">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us smashing it by providing a detailed and welcomed
-<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2014.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2015.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
@@ -524,7 +524,7 @@ <h2><a class="toc-backref" href="#id18">Maintainers</a></h2>
 promote its widespread use.</p>
 <p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
 <p><a class="reference external" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
-<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/14.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/15.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
 <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
 </div>
 </div>

From fe89a44ebadc3eda37259716077091cb6699e964 Mon Sep 17 00:00:00 2001
From: djaen <djaen@ontinet.com>
Date: Fri, 27 Jan 2023 17:54:08 +0100
Subject: [PATCH 24/46] [16.0][MIG] auth_oidc: Migration to 16.0

---
 auth_oidc/README.rst                    | 24 ++++---
 auth_oidc/__manifest__.py               |  2 +-
 auth_oidc/i18n/auth_oidc.pot            | 10 +--
 auth_oidc/models/auth_oauth_provider.py |  2 +-
 auth_oidc/models/res_users.py           |  1 +
 auth_oidc/readme/CONTRIBUTORS.rst       |  1 +
 auth_oidc/static/description/index.html | 87 +++++++++++++------------
 7 files changed, 68 insertions(+), 59 deletions(-)

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
index 3c6265151c..6cafbe6c07 100644
--- a/auth_oidc/README.rst
+++ b/auth_oidc/README.rst
@@ -2,10 +2,13 @@
 Authentication OpenID Connect
 =============================
 
-.. !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+.. 
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+   !! source digest: sha256:0e77943e35a7d7c6fb3b6f9e5753d5870e6023f5614e17f7bc0c32522086c49a
+   !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
     :target: https://odoo-community.org/page/development-status
@@ -14,16 +17,16 @@ Authentication OpenID Connect
     :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
     :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
-    :target: https://github.com/OCA/server-auth/tree/15.0/auth_oidc
+    :target: https://github.com/OCA/server-auth/tree/16.0/auth_oidc
     :alt: OCA/server-auth
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
-    :target: https://translation.odoo-community.org/projects/server-auth-15-0/server-auth-15-0-auth_oidc
+    :target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_oidc
     :alt: Translate me on Weblate
-.. |badge5| image:: https://img.shields.io/badge/runbot-Try%20me-875A7B.png
-    :target: https://runbot.odoo-community.org/runbot/251/15.0
-    :alt: Try me on Runbot
+.. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=16.0
+    :alt: Try me on Runboat
 
-|badge1| |badge2| |badge3| |badge4| |badge5| 
+|badge1| |badge2| |badge3| |badge4| |badge5|
 
 This module allows users to login through an OpenID Connect provider using the
 authorization code flow or implicit flow.
@@ -136,8 +139,8 @@ Bug Tracker
 
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
-If you spotted it first, help us smashing it by providing a detailed and welcomed
-`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2015.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 
 Do not contact contributors directly about support or help with technical issues.
 
@@ -156,6 +159,7 @@ Contributors
 
 * Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
 * Stéphane Bidoul <stephane.bidoul@acsone.eu>
+* David Jaen <david.jaen.revert@gmail.com>
 
 Maintainers
 ~~~~~~~~~~~
@@ -178,6 +182,6 @@ Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
 
 |maintainer-sbidoul| 
 
-This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/15.0/auth_oidc>`_ project on GitHub.
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/16.0/auth_oidc>`_ project on GitHub.
 
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index cdbf492ec0..845d7a27db 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -4,7 +4,7 @@
 
 {
     "name": "Authentication OpenID Connect",
-    "version": "15.0.1.0.0",
+    "version": "16.0.1.0.0",
     "license": "AGPL-3",
     "author": (
         "ICTSTUDIO, André Schenkels, "
diff --git a/auth_oidc/i18n/auth_oidc.pot b/auth_oidc/i18n/auth_oidc.pot
index a6146631d4..0dc7d5e576 100644
--- a/auth_oidc/i18n/auth_oidc.pot
+++ b/auth_oidc/i18n/auth_oidc.pot
@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: Odoo Server 15.0\n"
+"Project-Id-Version: Odoo Server 16.0\n"
 "Report-Msgid-Bugs-To: \n"
 "Last-Translator: \n"
 "Language-Team: \n"
@@ -93,13 +93,13 @@ msgid ""
 msgstr ""
 
 #. module: auth_oidc
-#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
-msgid "UserInfo URL"
+#: model:ir.model,name:auth_oidc.model_res_users
+msgid "User"
 msgstr ""
 
 #. module: auth_oidc
-#: model:ir.model,name:auth_oidc.model_res_users
-msgid "Users"
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
+msgid "UserInfo URL"
 msgstr ""
 
 #. module: auth_oidc
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index 6a40e87ed6..b969fa3e8d 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -48,7 +48,7 @@ class AuthOauthProvider(models.Model):
 
     @tools.ormcache("self.jwks_uri", "kid")
     def _get_key(self, kid):
-        r = requests.get(self.jwks_uri)
+        r = requests.get(self.jwks_uri, timeout=10)
         r.raise_for_status()
         response = r.json()
         for key in response["keys"]:
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index c487504e2a..a1be73ec88 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -37,6 +37,7 @@ def _auth_oauth_get_tokens_auth_code_flow(self, oauth_provider, params):
                 redirect_uri=request.httprequest.url_root + "auth_oauth/signin",
             ),
             auth=auth,
+            timeout=10,
         )
         response.raise_for_status()
         response_json = response.json()
diff --git a/auth_oidc/readme/CONTRIBUTORS.rst b/auth_oidc/readme/CONTRIBUTORS.rst
index d721552d86..303011adb2 100644
--- a/auth_oidc/readme/CONTRIBUTORS.rst
+++ b/auth_oidc/readme/CONTRIBUTORS.rst
@@ -1,2 +1,3 @@
 * Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
 * Stéphane Bidoul <stephane.bidoul@acsone.eu>
+* David Jaen <david.jaen.revert@gmail.com>
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
index 737081829c..384f6ddcff 100644
--- a/auth_oidc/static/description/index.html
+++ b/auth_oidc/static/description/index.html
@@ -1,20 +1,20 @@
-<?xml version="1.0" encoding="utf-8" ?>
+<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
-<meta name="generator" content="Docutils 0.15.1: http://docutils.sourceforge.net/" />
+<meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
 <title>Authentication OpenID Connect</title>
 <style type="text/css">
 
 /*
 :Author: David Goodger (goodger@python.org)
-:Id: $Id: html4css1.css 7952 2016-07-26 18:15:59Z milde $
+:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $
 :Copyright: This stylesheet has been placed in the public domain.
 
 Default cascading style sheet for the HTML output of Docutils.
 
-See http://docutils.sf.net/docs/howto/html-stylesheets.html for how to
+See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
 customize this style sheet.
 */
 
@@ -366,8 +366,10 @@ <h1 class="title">Authentication OpenID Connect</h1>
 <!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!! source digest: sha256:0e77943e35a7d7c6fb3b6f9e5753d5870e6023f5614e17f7bc0c32522086c49a
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
-<p><a class="reference external" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external" href="https://github.com/OCA/server-auth/tree/15.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external" href="https://translation.odoo-community.org/projects/server-auth-15-0/server-auth-15-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external" href="https://runbot.odoo-community.org/runbot/251/15.0"><img alt="Try me on Runbot" src="https://img.shields.io/badge/runbot-Try%20me-875A7B.png" /></a></p>
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/16.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows users to login through an OpenID Connect provider using the
 authorization code flow or implicit flow.</p>
 <p>Note the implicit flow is not recommended because it exposes access tokens to
@@ -375,38 +377,38 @@ <h1 class="title">Authentication OpenID Connect</h1>
 <p><strong>Table of contents</strong></p>
 <div class="contents local topic" id="contents">
 <ul class="simple">
-<li><a class="reference internal" href="#installation" id="id4">Installation</a></li>
-<li><a class="reference internal" href="#configuration" id="id5">Configuration</a><ul>
-<li><a class="reference internal" href="#setup-for-microsoft-azure" id="id6">Setup for Microsoft Azure</a></li>
-<li><a class="reference internal" href="#setup-for-keycloak" id="id7">Setup for Keycloak</a></li>
+<li><a class="reference internal" href="#installation" id="toc-entry-1">Installation</a></li>
+<li><a class="reference internal" href="#configuration" id="toc-entry-2">Configuration</a><ul>
+<li><a class="reference internal" href="#setup-for-microsoft-azure" id="toc-entry-3">Setup for Microsoft Azure</a></li>
+<li><a class="reference internal" href="#setup-for-keycloak" id="toc-entry-4">Setup for Keycloak</a></li>
 </ul>
 </li>
-<li><a class="reference internal" href="#usage" id="id8">Usage</a></li>
-<li><a class="reference internal" href="#known-issues-roadmap" id="id9">Known issues / Roadmap</a></li>
-<li><a class="reference internal" href="#changelog" id="id10">Changelog</a><ul>
-<li><a class="reference internal" href="#id1" id="id11">14.0.1.0.0 2021-12-10</a></li>
-<li><a class="reference internal" href="#id2" id="id12">13.0.1.0.0 2020-04-10</a></li>
-<li><a class="reference internal" href="#id3" id="id13">10.0.1.0.0 2018-10-05</a></li>
+<li><a class="reference internal" href="#usage" id="toc-entry-5">Usage</a></li>
+<li><a class="reference internal" href="#known-issues-roadmap" id="toc-entry-6">Known issues / Roadmap</a></li>
+<li><a class="reference internal" href="#changelog" id="toc-entry-7">Changelog</a><ul>
+<li><a class="reference internal" href="#section-1" id="toc-entry-8">14.0.1.0.0 2021-12-10</a></li>
+<li><a class="reference internal" href="#section-2" id="toc-entry-9">13.0.1.0.0 2020-04-10</a></li>
+<li><a class="reference internal" href="#section-3" id="toc-entry-10">10.0.1.0.0 2018-10-05</a></li>
 </ul>
 </li>
-<li><a class="reference internal" href="#bug-tracker" id="id14">Bug Tracker</a></li>
-<li><a class="reference internal" href="#credits" id="id15">Credits</a><ul>
-<li><a class="reference internal" href="#authors" id="id16">Authors</a></li>
-<li><a class="reference internal" href="#contributors" id="id17">Contributors</a></li>
-<li><a class="reference internal" href="#maintainers" id="id18">Maintainers</a></li>
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-11">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-12">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="toc-entry-13">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="toc-entry-14">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="toc-entry-15">Maintainers</a></li>
 </ul>
 </li>
 </ul>
 </div>
 <div class="section" id="installation">
-<h1><a class="toc-backref" href="#id4">Installation</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-1">Installation</a></h1>
 <p>This module depends on the <a class="reference external" href="https://pypi.org/project/python-jose/">python-jose</a>
 library, not to be confused with <tt class="docutils literal">jose</tt> which is also available on PyPI.</p>
 </div>
 <div class="section" id="configuration">
-<h1><a class="toc-backref" href="#id5">Configuration</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-2">Configuration</a></h1>
 <div class="section" id="setup-for-microsoft-azure">
-<h2><a class="toc-backref" href="#id6">Setup for Microsoft Azure</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2>
 <p>Example configuration with OpenID Connect implicit flow.
 This configuration is not recommended because it exposes the access token
 to the client, and in logs.</p>
@@ -432,7 +434,7 @@ <h2><a class="toc-backref" href="#id6">Setup for Microsoft Azure</a></h2>
 </ul>
 </div>
 <div class="section" id="setup-for-keycloak">
-<h2><a class="toc-backref" href="#id7">Setup for Keycloak</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h2>
 <p>Example configuration with OpenID Connect authorization code flow.</p>
 <p>In Keycloak:</p>
 <p># configure a new Client
@@ -459,49 +461,49 @@ <h2><a class="toc-backref" href="#id7">Setup for Keycloak</a></h2>
 </div>
 </div>
 <div class="section" id="usage">
-<h1><a class="toc-backref" href="#id8">Usage</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-5">Usage</a></h1>
 <p>On the login page, click on the authentication provider you configured.</p>
 </div>
 <div class="section" id="known-issues-roadmap">
-<h1><a class="toc-backref" href="#id9">Known issues / Roadmap</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h1>
 <ul class="simple">
 <li>When going to the login screen, check for a existing token and do a direct login without the clicking on the SSO link</li>
 <li>When doing a logout an extra option to also logout at the SSO provider.</li>
 </ul>
 </div>
 <div class="section" id="changelog">
-<h1><a class="toc-backref" href="#id10">Changelog</a></h1>
-<div class="section" id="id1">
-<h2><a class="toc-backref" href="#id11">14.0.1.0.0 2021-12-10</a></h2>
+<h1><a class="toc-backref" href="#toc-entry-7">Changelog</a></h1>
+<div class="section" id="section-1">
+<h2><a class="toc-backref" href="#toc-entry-8">14.0.1.0.0 2021-12-10</a></h2>
 <ul class="simple">
 <li>Odoo 14 migration</li>
 </ul>
 </div>
-<div class="section" id="id2">
-<h2><a class="toc-backref" href="#id12">13.0.1.0.0 2020-04-10</a></h2>
+<div class="section" id="section-2">
+<h2><a class="toc-backref" href="#toc-entry-9">13.0.1.0.0 2020-04-10</a></h2>
 <ul class="simple">
 <li>Odoo 13 migration, add authorization code flow.</li>
 </ul>
 </div>
-<div class="section" id="id3">
-<h2><a class="toc-backref" href="#id13">10.0.1.0.0 2018-10-05</a></h2>
+<div class="section" id="section-3">
+<h2><a class="toc-backref" href="#toc-entry-10">10.0.1.0.0 2018-10-05</a></h2>
 <ul class="simple">
 <li>Initial implementation</li>
 </ul>
 </div>
 </div>
 <div class="section" id="bug-tracker">
-<h1><a class="toc-backref" href="#id14">Bug Tracker</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-11">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
-If you spotted it first, help us smashing it by providing a detailed and welcomed
-<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2015.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+If you spotted it first, help us to smash it by providing a detailed and welcomed
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
-<h1><a class="toc-backref" href="#id15">Credits</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-12">Credits</a></h1>
 <div class="section" id="authors">
-<h2><a class="toc-backref" href="#id16">Authors</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-13">Authors</a></h2>
 <ul class="simple">
 <li>ICTSTUDIO</li>
 <li>André Schenkels</li>
@@ -509,22 +511,23 @@ <h2><a class="toc-backref" href="#id16">Authors</a></h2>
 </ul>
 </div>
 <div class="section" id="contributors">
-<h2><a class="toc-backref" href="#id17">Contributors</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-14">Contributors</a></h2>
 <ul class="simple">
 <li>Alexandre Fayolle &lt;<a class="reference external" href="mailto:alexandre.fayolle&#64;camptocamp.com">alexandre.fayolle&#64;camptocamp.com</a>&gt;</li>
 <li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
+<li>David Jaen &lt;<a class="reference external" href="mailto:david.jaen.revert&#64;gmail.com">david.jaen.revert&#64;gmail.com</a>&gt;</li>
 </ul>
 </div>
 <div class="section" id="maintainers">
-<h2><a class="toc-backref" href="#id18">Maintainers</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-15">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
 <a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.</p>
 <p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
-<p><a class="reference external" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
-<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/15.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
+<p><a class="reference external image-reference" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/16.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
 <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
 </div>
 </div>

From 796868ccddb00b93580bd271163c62214dbc02ab Mon Sep 17 00:00:00 2001
From: Christopher Rogos <christopher.rogos@glueckkanja-gab.com>
Date: Tue, 22 Aug 2023 14:14:09 +0000
Subject: [PATCH 25/46] [IMP] add AzureAD code flow provider

---
 auth_oidc/README.rst                          |  36 ++++++++++------
 auth_oidc/__manifest__.py                     |   4 +-
 auth_oidc/data/auth_oauth_data.xml            |  39 ++++++++++++++++++
 auth_oidc/i18n/auth_oidc.pot                  |   6 +++
 auth_oidc/readme/CONFIGURE.rst                |  34 ++++++++++-----
 auth_oidc/static/description/index.html       |  32 ++++++++------
 .../oauth-microsoft_azure-api_permissions.png | Bin 0 -> 59625 bytes
 .../oauth-microsoft_azure-optional_claims.png | Bin 0 -> 43656 bytes
 .../description/odoo-azure_ad_multitenant.png | Bin 0 -> 37344 bytes
 9 files changed, 114 insertions(+), 37 deletions(-)
 create mode 100644 auth_oidc/data/auth_oauth_data.xml
 create mode 100644 auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
 create mode 100644 auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
 create mode 100644 auth_oidc/static/description/odoo-azure_ad_multitenant.png

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
index 6cafbe6c07..a0ca767c5e 100644
--- a/auth_oidc/README.rst
+++ b/auth_oidc/README.rst
@@ -7,7 +7,7 @@ Authentication OpenID Connect
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:0e77943e35a7d7c6fb3b6f9e5753d5870e6023f5614e17f7bc0c32522086c49a
+   !! source digest: sha256:bdea2939597996bddfbd2c7949c8da2ad701b61203c3fd62c0c640bb5721eaf1
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
@@ -51,11 +51,9 @@ Configuration
 Setup for Microsoft Azure
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Example configuration with OpenID Connect implicit flow.
-This configuration is not recommended because it exposes the access token
-to the client, and in logs.
+Example configuration with OpenID Connect authorization code flow.
 
-# configure a new web application in Azure with OpenID and implicit flow (see
+# configure a new web application in Azure with OpenID and code flow (see
   the `provider documentation
   <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)>`_)
 # in this application the redirect url must be be "<url of your
@@ -66,15 +64,29 @@ to the client, and in logs.
   <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings>`_
   for more information):
 
-* Provider Name: Azure
-* Auth Flow: OpenID Connect
-* Client ID: use the value of the OAuth2 autorization endoing (v2) from the Azure Endpoints list
-* Body: Azure SSO
-* Authentication URL: use the value of "OAuth2 autorization endpoint (v2)" from the Azure endpoints list
-* Scope: openid email
-* Validation URL: use the value of "OAuth2 token endpoint (v2)" from the Azure endpoints list
+.. image:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/oauth-microsoft_azure-api_permissions.png
+
+.. image:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/oauth-microsoft_azure-optional_claims.png
+
+Single tenant provider limits the access to user of your tenant,
+while Multitenants allow access for all AzureAD users, so user of foreign companies can use their AzureAD login
+without an guest account.
+
+* Provider Name: Azure AD Single Tenant
+* Client ID: Application (client) id
+* Client Secret: Client secret
 * Allowed: yes
 
+or
+
+* Provider Name: Azure AD Multitenant
+* Client ID: Application (client) id
+* Client Secret: Client secret
+* Allowed: yes
+* replace {tenant_id} in urls with your Azure tenant id
+
+.. image:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/odoo-azure_ad_multitenant.png
+
 
 Setup for Keycloak
 ~~~~~~~~~~~~~~~~~~
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index 845d7a27db..1d4a3e1a7a 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -4,7 +4,7 @@
 
 {
     "name": "Authentication OpenID Connect",
-    "version": "16.0.1.0.0",
+    "version": "16.0.1.0.1",
     "license": "AGPL-3",
     "author": (
         "ICTSTUDIO, André Schenkels, "
@@ -16,6 +16,6 @@
     "summary": "Allow users to login through OpenID Connect Provider",
     "external_dependencies": {"python": ["python-jose"]},
     "depends": ["auth_oauth"],
-    "data": ["views/auth_oauth_provider.xml"],
+    "data": ["views/auth_oauth_provider.xml", "data/auth_oauth_data.xml"],
     "demo": ["demo/local_keycloak.xml"],
 }
diff --git a/auth_oidc/data/auth_oauth_data.xml b/auth_oidc/data/auth_oauth_data.xml
new file mode 100644
index 0000000000..bdeea59a5c
--- /dev/null
+++ b/auth_oidc/data/auth_oauth_data.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="utf-8" ?>
+<odoo noupdate="1">
+    <record id="provider_azuread_multi" model="auth.oauth.provider">
+        <field name="name">Azure AD Multitenant</field>
+        <field name="flow">id_token_code</field>
+        <field name="enabled">False</field>
+        <field name="token_map">upn:user_id upn:email</field>
+        <field
+            name="auth_endpoint"
+        >https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize</field>
+        <field name="scope">profile openid</field>
+        <field
+            name="token_endpoint"
+        >https://login.microsoftonline.com/organizations/oauth2/v2.0/token</field>
+        <field
+            name="jwks_uri"
+        >https://login.microsoftonline.com/organizations/discovery/v2.0/keys</field>
+        <field name="css_class">fa fa-fw fa-windows</field>
+        <field name="body">Log in with Microsoft</field>
+    </record>
+    <record id="provider_azuread_single" model="auth.oauth.provider">
+        <field name="name">Azure AD Single Tenant</field>
+        <field name="flow">id_token_code</field>
+        <field name="enabled">False</field>
+        <field name="token_map">upn:user_id upn:email</field>
+        <field
+            name="auth_endpoint"
+        >https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize</field>
+        <field name="scope">profile openid</field>
+        <field
+            name="token_endpoint"
+        >https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token</field>
+        <field
+            name="jwks_uri"
+        >https://login.microsoftonline.com/{tenant_id}/discovery/v2.0/keys</field>
+        <field name="css_class">fa fa-fw fa-windows</field>
+        <field name="body">Log in with Microsoft</field>
+    </record>
+</odoo>
diff --git a/auth_oidc/i18n/auth_oidc.pot b/auth_oidc/i18n/auth_oidc.pot
index 0dc7d5e576..560fb4d168 100644
--- a/auth_oidc/i18n/auth_oidc.pot
+++ b/auth_oidc/i18n/auth_oidc.pot
@@ -33,6 +33,12 @@ msgstr ""
 msgid "JWKS URL"
 msgstr ""
 
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
+msgid "Log in with Microsoft"
+msgstr ""
+
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
 msgid "OAuth2"
diff --git a/auth_oidc/readme/CONFIGURE.rst b/auth_oidc/readme/CONFIGURE.rst
index 74ef8ad38d..64734fe209 100644
--- a/auth_oidc/readme/CONFIGURE.rst
+++ b/auth_oidc/readme/CONFIGURE.rst
@@ -1,11 +1,9 @@
 Setup for Microsoft Azure
 ~~~~~~~~~~~~~~~~~~~~~~~~~
 
-Example configuration with OpenID Connect implicit flow.
-This configuration is not recommended because it exposes the access token
-to the client, and in logs.
+Example configuration with OpenID Connect authorization code flow.
 
-# configure a new web application in Azure with OpenID and implicit flow (see
+# configure a new web application in Azure with OpenID and code flow (see
   the `provider documentation
   <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)>`_)
 # in this application the redirect url must be be "<url of your
@@ -16,15 +14,29 @@ to the client, and in logs.
   <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings>`_
   for more information):
 
-* Provider Name: Azure
-* Auth Flow: OpenID Connect
-* Client ID: use the value of the OAuth2 autorization endoing (v2) from the Azure Endpoints list
-* Body: Azure SSO
-* Authentication URL: use the value of "OAuth2 autorization endpoint (v2)" from the Azure endpoints list
-* Scope: openid email
-* Validation URL: use the value of "OAuth2 token endpoint (v2)" from the Azure endpoints list
+.. image:: ..static/description/oauth-microsoft_azure-api_permissions.png
+
+.. image:: ..static/description/oauth-microsoft_azure-optional_claims.png
+
+Single tenant provider limits the access to user of your tenant,
+while Multitenants allow access for all AzureAD users, so user of foreign companies can use their AzureAD login
+without an guest account.
+
+* Provider Name: Azure AD Single Tenant
+* Client ID: Application (client) id
+* Client Secret: Client secret
 * Allowed: yes
 
+or
+
+* Provider Name: Azure AD Multitenant
+* Client ID: Application (client) id
+* Client Secret: Client secret
+* Allowed: yes
+* replace {tenant_id} in urls with your Azure tenant id
+
+.. image:: ..static/description/odoo-azure_ad_multitenant.png
+
 
 Setup for Keycloak
 ~~~~~~~~~~~~~~~~~~
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
index 384f6ddcff..6ff3594f3c 100644
--- a/auth_oidc/static/description/index.html
+++ b/auth_oidc/static/description/index.html
@@ -367,7 +367,7 @@ <h1 class="title">Authentication OpenID Connect</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-!! source digest: sha256:0e77943e35a7d7c6fb3b6f9e5753d5870e6023f5614e17f7bc0c32522086c49a
+!! source digest: sha256:bdea2939597996bddfbd2c7949c8da2ad701b61203c3fd62c0c640bb5721eaf1
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/16.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows users to login through an OpenID Connect provider using the
@@ -409,11 +409,9 @@ <h1><a class="toc-backref" href="#toc-entry-1">Installation</a></h1>
 <h1><a class="toc-backref" href="#toc-entry-2">Configuration</a></h1>
 <div class="section" id="setup-for-microsoft-azure">
 <h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2>
-<p>Example configuration with OpenID Connect implicit flow.
-This configuration is not recommended because it exposes the access token
-to the client, and in logs.</p>
+<p>Example configuration with OpenID Connect authorization code flow.</p>
 <dl class="docutils">
-<dt># configure a new web application in Azure with OpenID and implicit flow (see</dt>
+<dt># configure a new web application in Azure with OpenID and code flow (see</dt>
 <dd>the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)">provider documentation</a>)</dd>
 <dt># in this application the redirect url must be be “&lt;url of your</dt>
 <dd>server&gt;/auth_oauth/signin” and of course this URL should be reachable from
@@ -422,16 +420,26 @@ <h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2
 <dd>parameters (see the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings">portal documentation</a>
 for more information):</dd>
 </dl>
+<img alt="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/oauth-microsoft_azure-api_permissions.png" src="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/oauth-microsoft_azure-api_permissions.png" />
+<img alt="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/oauth-microsoft_azure-optional_claims.png" src="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/oauth-microsoft_azure-optional_claims.png" />
+<p>Single tenant provider limits the access to user of your tenant,
+while Multitenants allow access for all AzureAD users, so user of foreign companies can use their AzureAD login
+without an guest account.</p>
 <ul class="simple">
-<li>Provider Name: Azure</li>
-<li>Auth Flow: OpenID Connect</li>
-<li>Client ID: use the value of the OAuth2 autorization endoing (v2) from the Azure Endpoints list</li>
-<li>Body: Azure SSO</li>
-<li>Authentication URL: use the value of “OAuth2 autorization endpoint (v2)” from the Azure endpoints list</li>
-<li>Scope: openid email</li>
-<li>Validation URL: use the value of “OAuth2 token endpoint (v2)” from the Azure endpoints list</li>
+<li>Provider Name: Azure AD Single Tenant</li>
+<li>Client ID: Application (client) id</li>
+<li>Client Secret: Client secret</li>
+<li>Allowed: yes</li>
+</ul>
+<p>or</p>
+<ul class="simple">
+<li>Provider Name: Azure AD Multitenant</li>
+<li>Client ID: Application (client) id</li>
+<li>Client Secret: Client secret</li>
 <li>Allowed: yes</li>
+<li>replace {tenant_id} in urls with your Azure tenant id</li>
 </ul>
+<img alt="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/odoo-azure_ad_multitenant.png" src="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/odoo-azure_ad_multitenant.png" />
 </div>
 <div class="section" id="setup-for-keycloak">
 <h2><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h2>
diff --git a/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png b/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
new file mode 100644
index 0000000000000000000000000000000000000000..7f28000a955b9b65f95375434bb005df292dface
GIT binary patch
literal 59625
zcmdSBcT`i|*DgwrihzoWiWEgb1p$#FHJ~6OO{r2sqSC9B5L$}zS`ZPH-jUu*=%EB&
zQJQoDLMV##l1LyR2_bhY`a9n@?zn&4GtRx|-i*N@dnbF9xz>8tGv|C(!tNO9@*FsI
zfQ5yHNAH%l2@4CC0SgP8<vuRpPJdCrN#Gxcla`?t3rl$<_s)Gz;Cla~TUNd-EJuF-
zvA#N62Lf&$@zc5IXX@qXhq&+Kz@qEp;Na=&?B!=?z7Ke0!9!15%Phcdg~3cRA3=WI
zo&-Ng%}tx%<hwdp&W;oEb_vRocu7POiu<#2YX>bC3X&YhC;Cn)Y3u1^{*x{t*0FfJ
zR@cwmy>FG{P7zF%P356zx$PHh+0!$MTy5tC<hVxV?!_M1ulF?U0(ZVWe`)>5nA>W_
zuv0N()-1($X-JtovR(x0*~M<suv;4RBIDIYrq{1d|9-*R56iOty|@vH+5h+bi69QZ
z8hfwiJ~0^E--~C$to(o9%Wmw8|N9>EUbmU!@5MoNHu1mjVGI9LRS0dNk?Sw5>%W7R
zB*2Wi6s&v-%Ef|F5t(Kw)3}?Og56kX`Z>|tR5XcXdaWM)Q`<!dU;GfyHQs+Q_DVbR
zy-*W8tq);HKPac3UIH4XrhDQ~Mr$$s7m-HfV3aGO8F_`+BczH-B<~V>w)JWvJtgW^
zaSy*#)kq_h4*j)E;u#p0MW!jhPJKIHVkNhyKlC#b)yqkh0dI$v@MLU;Z*v&<CHdhX
zCV`v5%~^x=G{GOnLXkL+#Dlx4;r;%e(07cyu9Z!h8iT<gd3EsOtcez1W2zng672oR
z_5z8U+p`pl`;V1=Ri~Loi;_?gmhbn-09}hjl2=ptRAe}VFjl+<GG<DYm8V7|G;Y_N
zo+KRL6;vdBvpK6nvFphJhs5MG+dHkC4(DpRhjz2)7r*9B8mZ3SzE~*uchu5PvWW}z
zb!fS5S?&hCshDV)xZfY~^(IhejL{0(vk&hI^`$#T`CGrjgh^XMVCfSN3p%#*JN&yS
zYoRB(CqVoE4mtN=4J*I;L?gRq?vR`(rXM<dd7g`JVq-`%%g#uK9Bb8{{vh{>IL?4}
z*S4etH=gfPhZ`ZZ@Wk5DI_O%#@+Uw0FQc|%mK_DLd>fk(luE~AYeQ+@ne9SHqKa2H
zHHu!;(KM(xe|c+vimkeB{UUZrZaGlem{E#<4UH^NqXv<f8VPB(pJJf%t1^;A<0zuB
zM`_qo650VCW73tq*<y@d?RHjfgyNdK^~fR@;U3A;V<ya`vs*eTJFCk(RR3``2D%ZS
zL+kclUZ7a$U7jENU^qA%OZ4f=8q+f#T;Gs0hYxNq&(0`|#z^c<G1<>FIamgWG9#~q
zS>k(!)4HzoW1dTZ+FU2%*T-Di*=f0*5}B4}Gs2_Uqbu=5-1E_3%=;pSUkY3Zyg6Tb
zybGsgg+`{N*%^U1+jy?k<CYvIDv#Eb;CZ@>WxA|JQcFUDlt%=7M6FQ6eyP$>!;uMU
zT_#aC&K%GEua_k7;IIsSS86%6(=@IH+C#WlRWhYp!i!Q@sGBgGLe05(aRt^qJVQ^D
zPMWfGuuq^m;inWJPU_vIg?4tO^EKse66ktEV(lwCBd_`*Y0o57pn|1F-PB@3LG|)*
z)V5xU9g0E4?FM$nbj#duRo69MU$(NSDcJo{^9uoi*TMQ!4ucIC#GC>;H!GT9%zJ35
z*9S)MFy`f;Eywa)$7!|VT6!;WpRDwsrF5m9(k7U|N9=_*f>3l7hizKtFd;BEhwf1n
zmwzdZSR(a26*|m(J!xb$Wlm_*^AL;4?ddALVU;qoJF{eFaTD)l8w~FZ*#bj`#U0k@
z8dZ1|6)?Vd!)a7F(LE~1!&YbhThC>zQHj_1W-^wth^wRJv{T~rV!#AuP!qVgVA5w4
zi;E#>mGJ#-epCI2EZ0L;(uJU%8O;ZyEIHt7d2xC?o%O73LoAO}6`3UVrDZhLa?{k;
z!6W9>7Xtz$3Vy-Om|<mXJo{|{ZW=n`K-`QQSvMud%u3Re$4a8cP*!-=Ae^8!q64ZJ
zlUsy#J=q2wCTPWeG(^DR4wt%oo8~H*i*i{s{Q(Dms+8*MO7YeA9gH#;L8WhFBTxzR
z*aFI;Oa8-wd?NX@rSZs?XA-GGti}?a+^Hd1_<Ztaffv!kc&`VrJ}RVHo0pAd($)F6
z70YS>hN}09T#M7=eNcUa`4n%o{=O^zQlvgA1u*=Kru!%?f43+%m-5JD8Amml9n|xp
zR~3@u<}P=|ow^oFyhY9aY_k>Y`eSmHZ@2l8tBBrge%H)!p_>fa%2L9LWCnp)*%IsI
zdPaaz!0(uE_;{xEQP(4N)6$>?jY4<`(dB!NZBo73gcDxMe73M4bB?l3m)G&MWG-)#
z&3tByUHR3!sZV1IlIFG&yfjw-Y%&MsNV1FRPdW4pxa=m>@Fn>;H=n-BB6X^hx_Xs*
zuKNVmLsgnwK&e}`AlM8JQdzKIa23NWEjC81Dl&^QL>zJ$bQm(}y0(kO@+BAGa99f=
zN%(OrGkZ+?9o?XyJLQ*&HC)F&t>#JUn{RJa;xzha3GhDn#mx1!F1xDNsS<I9Rbihq
zi-d8z`5xUh>U&!uMvH)8jVhR(Wx4Mvdbc$0)KBUNoIO0Kxy<yq+`VE#Rn+P6A*vpa
ze`m->P<}|)SVzs9$HQ2Mjm;gFTTxAK7*b$2oQ5I0c#sY5AZo%iuu~<Ppy$~}(5v=<
zK)QzA9=xZg<#eSLq=_v<Eks6yJx8&qz8Tb)$_V27^`Ye@HQNM+Vo9fsaiNN|g5`4@
z3clVo*8SEaqw8xYxmImwF(2oGVjzQXz>5CGK!8^|AG^4<>l+h3Qg&=qXtGaP|J%^l
zDqv;jl6fS}&Fdz6IQ+QEz2chOuGmvUe)f%i$Q|7+XU~)9#6l-mSe0wA^{A%XC=KUc
z5@ODdGiT+8JQwSQDlkW8LJXNu018hx+AVp4CXVl7OCs#2aw*Y+e(HY686O`(8k8~G
z3-uj@K>XAhl%?5OjY(~ZC+8Cjp#=wVuk#mi()raxgFA}et0Zz#iTaL<A@Q1yj2O`t
zz1cNS*{aE}o3)*C_Oy=D@b2miF{KU@^Eypqub3;U8ygRHEzVY9af{TQ+0*KcC5C?n
z=>9+)E59M%+#;)1oC$ky5bO>wFOKzgN~y7o1c+xsGb?Q-2(EJF-fHIx-;3LxvO|Ox
z0;D?X^9}Uy@@e`cvBd{FVKR>MNjLYMU0aXt!m)ZQL7B|waZ^{BI3JwDxYNjSR1?++
z)dY0Tsx<CEe7nyQ6Af%u{TlB&O}$1KQ@O;R*?Ecq!G@&oi7SlU9qE;TpB`E?D{GBY
zkuKO2u;ODV6Z}hdeMX~kibijj7ouHF@hDWIeIr#(z1Rhx^?H9@iA_$41`e_VcMx3m
zS)_D?n7{{@bE@N(#P$Xi77tg4$+g>stcA3J3X=vx-|xb_60j`;A5D%MXwr}SGTHaO
zh|#*yY#(M_z#8Sh`#@yx9t*|}AQIZt;AU-*_U=Mg+-h!eYEI~R+<$o820xp)z8M~5
zU_vhJ3)A)fO9W|$|B?k3mj5Ry-k)~<Z>YllVr|GB59=m_3HyPY@C9tj>z;IEy^~M9
z#|Wu<_4BugZN*QyD}PC)GaqYIHinf!%0SjX$Lyzlq+YCAFFCf9LmVzpcbZ#i6|R?m
zPr`d7SO?M_6<Pv+IS{~#Bp;GZh^%u_fCrS0DdKKUAn7lMF+V)SmPo-$g(=UC^TRDy
zu_?06>@?rFp8PO&8v<ji=&p#}>{8y~Wml^DG9k8YGoL>Wr&c=}vDtVfH%Ef6pfU1w
zK|PuF#`@wi^`{n`Hmy+qD9JIh;Ia-%rP!PfEnlZ~oAAabPZX0X9q_&*%BtmdcVq1b
z7~q0xp=%}5J!8j?SO>aW{)16@IM?o6D02K_nPSy)Y{tPP-rg_ydqc7yz+o`v{qSbW
zWR=~-64%5fpgkW-OkL-mK@exSuE2a4PgFL_73@UctHF`5@(-)3zCJZ$k8JKe$NDWd
z))N*L3ze4ncE<d+Oa)fPH7e}c#eJ7H+8SXC1;tB#A8H}+=2rc};XK{cgle~^`{Mny
zyq|XjRc(FLY5Fiz@|@7GbuDslW*<DkCT`fB+6f}gq&pc}Z@-;b+JPsvh45H6xANEq
zt(wJ{utwEc_T=+FN90}JdYz{p<v$$)FF<<Pn&ygl9p^YOP*COCJDS5@dv&SrleRFz
zo^B=a#Mf|9)wxI5^11L-k>aZrX^|l)uy*RcyV~3(sd)tEj0$NL!`dw1(@P2pHd!a(
z-g0ggYY~$ZW@4`Ha-`tD&W$Gdu&m28E&7z8H+!<;M73SSqOKRDDQ9j&lNzC{5WM|F
z1sM?RhiK`f^A;>VJ?O}HuX$#NUrdX>P%mY4PS{vMsZa!24T%tX%NkV#ZlJc&&cft!
zb3T0tN~nMJiJDpCI8-FWpEeje2Mm3AuubIL6&LgB3H@!k7`xHj;X3#*xJbCJZPxqw
znD4OkAh(ui)`L6fFfN0a^#K+h=0xGDSv2grxtdO4--R#U7m4$>edi9ZoQ1LZ4U6ow
zv<(TQqQ+2ruH7v$n2DQ_p}H{dKcx*`X}Ejvk#;J#D--!m=;-osN_*Dh1M$hG!6fIZ
zE<?A9YIoK6Av9pJtExk;r3NZ2z^+?Re{*i=W3J*eM5erR_`31<T`BZD|NPKUfE(Cm
zd(G6UL|v|rHOi$5?P2FQku&&FtS_-qGRLJXlj>ZhI+QA~svVBm-=`ckwOdVV6WP^u
zC4leg_3b&8W@lk0ZOm{~%FXJ+eDTOHIMnTk?Z=N5Cm$a=nTOFku@XPUg1~bcShKGL
z-Ud5fRLnI34<EpcSB5+t^T$4D6hxJE@M4WUy*MGqv5{47Z`j2@UcsN8s%eN@Q3|v)
z_zr8!4s{Lfw$vc~Zbb0ripBTu55@0Y|J#5wFq03=@LhkA;B(L(2#xn2!I7bl4}-hu
z*T%VLEhn2SJOT%r<eO4h8HEBvd#kyUG7$O98rhpS=Kr-8_hlyGx^*rk%pgDIBV7<X
z^hrp(SZk&r`UH$*PtR$nwVALg!W&G~Ehne+Hxu^5@iipFq{vwCW(VKvg|=&pE?S4O
zN$P?;?1oywKf7WYz&he!=etK_6O>PGwiSyl+c2*1r5ub;o^puXp1x}}$^BKZK{Cg?
z?1P)rc53QVE`yv;>mlKrwO2BY!1+^3--S7At|Nbz+*R<ONlx?_n6vE7-@o2;s(klb
zK1D-v$%zh$yFZd=?IB_nuv}u%ok6kF$llbbZK_(il~Gh-mGDWIFi}HnvZ9`;BDFLw
z`7N#y$C&zC46ESD`sEwN4_B)X!?zav;S27xFNuu-wyWqNN!?gaA*)Q12sp0?TE(r5
zHSGL68!7gx2fyWMp;|bmX1by($mgi*F1|!pOKZ&ij<~^zrRJ;zXS|fN_Xw%6+iLYA
zlN@c*M@OxyNYG+)JYAJ9zL&%BH*RSjV-t^&&SQL3J&X10)qwZ+xM(+BqxFAZ6CI@b
zy7ub++lJuOo9d^Sgt9V#(Hn|dZfvP~SLqrNG}B%Qx%l36JDS3k=3&iP`yRp7Ie$!c
z(Tr|U`*Y}&Os|3~I#@MK<=f=j`vVs6v&u(KRwtoO$C)1dv23=T8lkZ--WHc*q)QHR
z$=+@v=RRbO60{N=#iXK@I>tMS{aG64q|<>(_8jrNL$QBRh$r4wr9k*C8AciCtoJvY
zR8V4k{;=c;ZofEqtGYMm(<I|-bG8fomRe39SrXsi8>M=?riS)DGw@I|8e|aNN%~R1
z8*k<@lI1)#5b0*iuVG=F<*drXCVo|-+A{7&F7c+m$o4$QAjb(yP9JE3zE>2IR(=jm
zyt5UK@aF8`d`L^?j@>D&Vh-#~opIhnfX+j*`P1qzb#r4PYgGM|i+PK;xDxD}XKy|@
zbeG9VR(GS=Gam%bw!c7tZn&mjUi;S@EW#|!HoPQwVcASWLE5-AG=+Aarhs16P^~jw
z4GGbWRRl%q*=(h!&JFYz5sF_|dBwObEjWUiLLPjNjM1J*HwG4?e<*~X+;DAq>YIuA
zE-*_=^7GlNQ$%cSK97($znD~_W1FT|`L&wQEq`yLw2a5pl-?B-9zVT%9&bqT3>Q~9
zChNj^vz30kK{aq`^4OsKmwsz$QpIad1L1Dk!*i1B5Wd12PEJF~s!b)vg@g6hkNab`
z49|g@o$!=0h~rc1t)Jd-?@z-!pOO=MUbme+lnI)jEnnsYefm^Ed$k~!MIN}&NpE(n
zav)q@+Lg#1s+<@a|EvsOID@dWeqSx5T=HqdpRr>Q=wH(#DVDGL_!67AWrc4e1VOz4
zA_Q9YejX>dz;|!OZt>qY{;W|kN|F>?di!DCto*h`>?p8vg+T-fsaO3IP5EUL0&!Hk
zOdIk<v61Zt&E4}RM6KG!<I&?+=2pUSD{98&<f5sPPl}F6`dgvm5G=MkS$%=C?+AIe
zpN>l@9Z_ez964TLb<&7rN)$FE%P_K}?oA((-=lRGISdM3JpR6Ya3&R1RMm8P$DQZp
zQswpH;0Kouo*1vq=@B_`3=!PQ?os@>UhO>jORd!IKmfrJZl)%kW4bMWWow{m11h_$
zYRPK`_Q_dnM(2*zB-SoJ&_D+w$M`N~E%U2QcB{YcIvhD`jYyYzQPqbDli2r<*})}H
z*J9=M3C7R-bdfo%!xMqI-b|kGCc8V$Gl_`-=?w>q+twor!d@bq?v{P1zwy9f`igr5
zCGQT0sNe1}#HxW4u_JO@6^ruZc_pZG=>1t)m8*B9_$LBQS9B$ZI^VS*+hoYNq2LFe
zw)>{|&E8Fo?-%&-5}E})Cfon`K$KUgZpp0UP%ARf&O`l4=_S}S$m7$8hvy!t7e429
zHY2H8-R8u~H!?>ZcIpYQuBy5VT9D@%H$gh$O+PrPt*Pou&AW{3mLrU91bPcGB=S14
zkU0Y0Eu)2kf5xZmkrd75ENc*(_^u}G+Ru|3BuRxIF@p%?Px9Tj>>l5^+ayI?W_aE$
z9_1}UTuM{?oND@9!-8@vi8x%Sp56P!OYX;1{$}yuV@%k-ORd!XHHUc~IX-FgiP2Cg
z;bRl;V71+juigyh5ZWIfK#r<o-kLUgG41e!Ko2o5dq|>i!fBYT7lr161nmdtW!vU+
z-XN`X_;~424<%&tq>fpIv2g^kDJt^x#%3li{rcTWa~p!oVTAXNrlt!$81cX($T}8x
z7B)?ZZD}_tekcc5i!Im}e{>b8J3N2h<7*|`4R4KN|AL_TScFq@Lw(*gN2S8d#VE(A
zgq_VA!yh+5w>G*asPx;NPtHrf$$)b7PMqJvVqm|{W@n8WP&JUQnuMk^+3Nj%SaaK5
zlICh3>(C9`a`>tBkJ0Q^K3aB1FezN5JFBaFF`xUJXi-1xE8cX~rVxaP4`8P*;*)zh
zB4+`Nf$U(yLM)$Wl0987k9dj%gtl@64P_tBCcj;K^3rXqN|+)3lbs&pGIL+y?vc;V
zv*pbgy--GZ0H~K1YL{Xi$zP;OKIXtP+#5je|Kg%rtbKQ~z*nza#=KD?@7RTiE{L$K
zix4<Wwg2`}txj_{LTblG=BKmStWg%hN(Y()9>2fb`wvl?mN~bE(ZP2iTe(k{pq#Hm
ziuO-#up{GM@WzKQ=~FeP4^U;=Tqd|xx3<?hK!BnT(b|q(nBAcKHVe#q!@PN>cvPAC
zv7)q)d2LNSYWE|*L^u9nZ&TiD=2ye3_*_TvCy&2Z@4owzcfx>=>z&)~JEarN$Jsqr
zXQK8`#(iTdz;h{9m^yt^SF~SS$IDLq(UE+VCYlwn8P!=hYOeqIH<sWA#@B3$!*+O^
zPc}0HUCu7P+$GX=RI26#Ym_7Tf{Xg8;+@j154*1hJBdmK<sS%<DQ<fP+q~r^Ic}MF
z{_gMtaKQqi@NQr@GRu|eoZ?G75O1$8+<;%Ku5#^);$Payen~z}?!Tupf%C5z3!brE
zBgJG5VDt*z9kf2)2~-c?E!rPzet9Iw%qG?XdCTJzIL`>`e&VS0IdiS3j|XF&X^@M|
z-ArZ@BU&=}`Aa(^<Gol$c%}@SIJtr8OHJ_FZRfaEF!0P6t&jAim{){&0py9)udHIe
zV;*SoBZK7dP5*lm?=`mwc5!NG;Wt=GO-L?f5i@$Vo}hxC$ZXq?Kk<`nMpu-j)-tc<
z<8(#!ragtWEx(;TG;r;_h{sU+L}dx5!KJb4MW6F88Qx8-QD1pe9Q8E*?Q{_mv>}8Q
zjtmv0CBAy<WF7dK{AH;WqlZLGqnght{c?Ex>d|V;aiw0C{4z0q;}Iv}K_fS*_n9G8
zJIAZ;hg^p=c*d<M?2C^Uj$@TMAv0FA(96kTP&q2VSK#61)e%?jG7Cu}Ob+Otmu|wQ
zhw(;BS(Ir@)_>3j>DPYv&3ZAr*ag<8xYCA9)OxeMoTf=^^=XyC%zDF_`eQc-B5zze
z+>jSs7jV%>R?~KKpJ<_XbC!6T!6T;^%#v`U*}*f#TDB<`c_~gS2Qw!y9c*JYkL#jH
zNVY)hiJp{Oli$7kUXncH+ccZ>*PsRbvU*W%fgj8$O%Z-98S32K5A6VBT=PV*fbZ|;
zGC0kMZ*Jr(F|Qe$rPeXuI$ipAR;eUEylu1KG758l=04nP(rQo?Ho%97|GANZe*TG(
z{s!efTK7YZpt~V-O3pcB$_0yNYS8zBf9c~HTn2t++EWT=+0WwZ&;x4E^rs9nn1r-U
z2VR5CIU{~$SY!FL!$Q+??od4134@A$ho4LkniLK02)-!AcrtZXM7hu3I}Jzd&D}VU
zPpnO9LF@SfV;>D;f$%<3+#B}86P)j6@2>C57*AGV#54a593?#vMH8M6O>7nA8?-=i
zVA(U1pu^QRJ9$?nzX&`Ng-uWF_uq;#{U&rK-!Dkl+vrx~Y1I1`UXS;IM_FHtJsebx
z4Rx>~vyJ|!t0on?S^diz_3ujb*!tn%gBA^MCg-Ql2yklZ6SD}D2r#_GsPK^(9d%{9
zl{MA~WN<(!htPV1RPL}ksW&1>x?)+VyE`xHoB{n&vX@cQOwr+qU%=ct#4!raZ`v9o
z`g<;vLU;9!Uh5|-Ej9tvY3@g9FE#v;WT^PAXp){}hQNBkXr^m;+<Z!8OoP(5Pkzh&
zlHy^H6|daGQ<`34da{4?JWe-A>C7FDPQ3Q0WHY-{Ak9bS>u^4eH)>{6mC(eq7#9m7
z+vNwmukrq#m>BfHqpaul_P=gxw`w+m^{&sS{a}~Pbe%3px&J~#I?%FhTcQD>Y@e?I
zGg*5bfBulH%f$X+ze8W#+AdtE`T=`BT#nJ35M>fpu9b(<<$hjO@a(<6s`0Y#<Ug3O
z*c7s2Jar~8&(<518q#W~lXO((ZCneLLujVES7@z#qzV%@$LV^Ty(GL9E%5^NIR?cM
z$DO#q>_R-<3rl24xi-(ZfdeY`p>`(UU#&vCTG$R!20Lf0FW`V_Qca|2osHWFPuf}#
z*um+BPQ;s5#L46hf`ly)pxz4OgZ~Ipu4qaQ<>YFMe*5%FWo_-z4;6*J;ZwHVgG-Sj
zk<bgs?b@-q#`K>#Zv*a>m~NYOfi8Df{D9Lt=68C#^VXk>SQJ8bRR|3q>>Vhj3#ubc
z-3zNvd+ACt`jZOpd+<Jn-J`2L-935X5?lGYqywRkl#0iSUURkZphcm%xO$Y7H=-TK
zzI&&p_Nw#ti&LsXyzhEX6HiqmW0%;)B|AmLhPHnD$Hfz#g6wUBAX`ltUTo#-Ou)Oa
zcYzO!cTCoK7sH>MUMe#ghr|h~nj;e8zfLvPCbJ93T4io3g>1qO%f5}2EOL!{kV>jB
zoz-$6JFFLqMAECjAaJK;T{aiWCVzyUe=Q=v{ma1)-`qX&+q7ksQZ!YAjTAB6CVJ2z
zsX*UN-KE8RW|0OXV#)#<a{qY{eZu07Hoo4Tk!vi#%Fob<O05NAUIJQC;)}zeOQf6q
z2-o(novW0!+kk=FY6RF_Ivy(`<64nEER(?@gAkDeWYoPXi&f;6D_;otA(x)EyjGjY
zu$a0!-6$iPywz?wBXq7<>u#K<khjD5#Hrd<0JO73tkyC666N)30Dib|*lq;d(BQBE
zO(7~18dxw!(<Dq?$Le&-1<9f3WUPnWyEsNqgy6DB$1D$NPH*dd_xygZzWOP4@zNF3
z<rRO^$dOC4jlnl3w+Ag*qpI8t85ZD5W5dP=k>*0<$l2&I-%_F_Kce}hua$;$dM&_M
zucYWo{>&}uoguHvw&1mu<L)%uyN*~_&34Gv=65&BWpCE{KJb@<NX<D6j*O*~&B>?Z
zt5!E=NYf1!MjCd7IfgkED8&4iJwl)C660i4v*lUUg5-;^_ec#W-?`2%e%08^BIy%f
z!Qf~$!}4i&x9uH%>E;I4LY22c`HZu-IQ35p$p4~Re=^({*KlFkw>fs(?`RQVI=(O>
zjiIVTO94Z3?1H{WL$2o=r|sN*6sPB9$C8$yp394LH#{MK;diW!cLW^d>gl8Fr+Ztn
z_zq$jFUrf6tIx&lWl)%D*y&Hq8)KU21j8?-nV7mdxgd3L9>u3r-wIO(*_jlh7iv%0
zYlPgUay)IXBHE+9291Lb(b84YXdj%sfVr(o40s#jRtAyS-aU>!q-G=u#@eKyFCKiB
z#XN;SD}wH;?*-y558q_8#S!`=mnvqDMc%P?F1umlEL_aedQpL~;jAZXl4~=>cwR^n
z?&tx143_L1TzdZcQ|P+>Mc8yTG&Vz^HkS>5f577iXO|n%-Uy<0hX4iqrO8Iuf|+Mw
zSj`t^)wXU^l6r-|g0jIIDK?px?(I3YvLX<k_=X=#6-)W1_z{a!6U-@4%aOQh!}0sR
z-O%G?kb%bT$MvN!JnmkiIC_V_-qGnZL?u_8*WG+e0C91qW4uuoXTA#df3JAwNUd5n
zZ$xB4y;lvoqlmn8VxmOct`be1_=MSA`S{(HnQ3LW>B$=9Dd<vfo6;$<_(=i2HltOw
zRo?9y>U;y4+x`qxqcrwuC7j>YeaL32lGySS$t~nQ^=U4Luq{R(sxAuo=s!_SK50(m
zJ#8r<$+ch;88VQ+oryU}CV^5+$QlXCb(S7=HE_#bAm~Ggl`x)-gmI5$POs^xT=TQ9
z$4%9*-x6VOVF>|)3_K0;uhfu-nog@LA_f|DAN&f2Rc&4m6&ky~{)Tm5U{O2@pk+Cy
zs@GRW_gAgAP+hAKaVZ)WWVBzJig)=;PxASrvI)Vn(JC7O{u&f=#$el0V-lg~gXvo4
z{)$Ei71ig9iffTx6D5F8{+`z`_Mc0M)nOV=9TfZdsm_MtU&DeMe?>>FlWBv9H>2wo
zBI=_{2=qMblRZBnJrgG^tH%kROUfy&=0Y(rdXOc*W)4ksf@QNkM&W?w9`v*9lgh_*
zL^`I{DD%s*_FZp2r~OxL;tU;O7v~e+K`R>Jx9XCj9v?{|fq$@4Yw+!9;Tcm_(?IrP
zb<!(8!WdaE4~Q(d1X-gF{Y`MBBavGJTQbQf^|=gQH~!25R!}M9Yquy2pet;!fWxx;
z|0By78v%e1+4h3m%BNAdJNTBV$LL9uF=cKiFm;g2y3bdW$Gu2tQcup)m@Lo!dmZ7Y
zWVa{Xyb5{Jc4PO4gv=#@v8IKL{t?tY4t+n`_)MWcFXq0^f9=!MZ+i5B54E#4g36l=
zWX}70-ZCCpXUvYEX?}|omS>><){9>?EXSdbaA^7sAd(mA4L2HmOQBbpOPXQz{2z@Q
z>i;9n@%uLe|3SN{xlwNb5xYSBV_p^(mG?4sw2~=@X?%O*B?hp)j$8dl^P^G#F!I+;
zZuTpq0)TzhQ|fR3eNIyeaA;b$hF6m7*0q`3e{c60A_f1-X8;it5SaV>$^WDr=+EQ-
z8*)YevE2UxQPcnbdtqk@>{(uo*_&kgRfTE>^W588=X^E#=Kp9zSQeB3tX*j7C#x|V
z7#y%Ki|dayWd3wp6Tj%%tj*L>X8Czd26m{Cxl0${3r@inft*Bo?ytLypR*zfdp5^p
z1EF|K>U2Zdqcqx*;F6^X&GXHM{9<dJ+fwVc+a^CQA4mg_Zmpi%s~{SXsr@QMYJAyp
z%CeWaAXN3eefgtiz$KW^FICZG;u<;W>waAB2x}A=to(5EagLsh@gE#XKLucd`p3Zc
zS8dC*LAQ6i(Sa9F%J!pZlM&Oeqb1UU2aR-csVcCHP|?-CE&zmn*O_+{z$#;JyL+|8
z&vOXOT5598B6aKYJY54`E)SbtVD)Y6sdk6>*~zer<Cs*)%~jDqQo1{(UhLwuyK?yL
z{BTE%E+0j`mfYsS)VYk=1#-Ff#~)Vjtly8qgypbH1wn*+34x6V<3EG`;1(tbDInV)
z8QK5%9Vm_Fy*4tKDExIWGNnKCss7}w*wRB0M!bs8D2nUZKGvwGb#5y<>(@%Q2Ob|2
z`p3@9YbTqwiY_xL?i`TFU8&>^zV8&v>=9VWB`uo+xnhlR5&nfN@(EX;nvMbPc-y;Z
z<wUaB#A;iJDxR?s^R5>nM-40TOuN%ayz$!zn*6^S6B<bK7Q3htp8?_~ZZ9v4NND6}
z(E1~T^7+_~aTv(9;!etL?{48s9i5z3B^-8{RS(-%a<h%o=ze84(zxgKOAFVXRe!E<
zD(?)Tn!j^WI|7SGQne1o*Vcz`AhLKd3k<C(NEW?9+8O%>(-D)an~5TC!q8+|sWH1a
zB|wnTRb>BrNYaV4OTPqK8yF)3EL~W30FfrYwv!rJ5UJs#y^RiM&|0P0#GB79Spc2Y
z|I`LFL+u`g45r}|7DKP6(L32XSNj6x)gzC8W+CO#^qCz{$G)2Guez7gq)$|0!gyaS
zG`FXvC6}98`$3oLjS4=?z}|ssOhTzLE6K(piafE@3(og9oSJ8zrtCH}7&MNj{WjAH
z3nUPdWLKe;IxNczZUow`E{&vfu<{=)_vA2mcIIBj;`&1gVg0;yXL`Bq`NzCM@y>3K
z5-=SN3z~XXX?2Lfh4hz3QyoqE@PQ2x(FNu*mB=0MC-w-4KK9Lt)qRF&{84N!;F`GO
z<+lsx=UAhFUK<X9m#4<VOxD^<9_{K9O2}VMCUT=fbeV<o<j!h$q?2Wtop+7?VcCwZ
zg*l~*l4V116_}h<%Mrsg`bMD7`#E@xmR#T4Q?}KJ^R+V*DTlyg7e!?KTX@#J6eoIn
z4ZBQ(==s~yy^oT*L3u>NDkcnN>p&1WT8q3PlgliP;*DKEpzC^76ci&7?%IrHz8}Q;
zw>!}Xlj9jh_R7jKhc)vip>k&<r%<$~K=f#$No+ak05-Zh%pGc3GL%{Ku1)y&xGp?v
zIuO5re?=f)$j@NDv*2S<m}Wa3{PNJvR*oAx+m1pq&OX~O#%4isN7fC~&joG7p%5=c
zLINQ|qu)UWes8q7EO%xfw+wY)I%GNZ<<-AV7_&x&$bJ#I^_nay%l>6o^wC)nrS{99
zK1g3Cj4R=L`U~ILMdN?gv1+rL0j_Tv`Ef$B-eeg)b*u@#OS{*Xe8rnlh?k^7F4BT4
zAa{u)?L^{~fO{~A6~j4x|H!J6H+pzgM*70x)wF!Zx%k)usD%L9COa^$h@ZoN;;+YP
zo6)={#9b(83SJDJ5OdlPx{&Ww8@EoHe)E{0zxKzI<DZt7+QrNf!86;(5D8zt>OL9?
zv%Pt{#IyzilLhnzU?j?&yc3txTMlnod?9p55q;h(>hxCy)}zYp(jZ*sV=vV*DJFJO
zN&@tf@pz*(9Ve0CBmhdQ7XqT=M<$$zt*Y+hkaN5B9=6T)O~9DfK(Xk?U708BVHyg+
zjO2^Y>g3;WTHSrHwZ9I1lh_Gv>mtNJW=x00jqYx$O$7uerdqz;i`y;K0`qPGA8pw9
z#e(m^;^Pc)@-;o*$5AhJ9Rn}!vptIVr_$tv>|w;SbL>}Ahg1MiIHv+2?6Zr`1Nm`H
z<ZF~5`t}RfuOUCwPJdQlAMlq|H<<JZdpt9vS$*<O?DkCliD>EAuu#$2K<RD(7ehs8
zbnot;TZE|IMi<&$^e`(wvxi?u*6LQ7wmwMU^kKEW)x@CaXr8l`PY$m0#D5Wew#t+p
z-7T7c+FK=WR9mN|4EYJJyr_=3=)vC=jWA<Wmsnb<N`z|e!AR0?7(r}6`<8&<+^Yqx
z_n<AtJ%-~ZTK#7x==t%R9OwO-wbgFxcTPd4K}sfwct9|m2#{B8!PxY$V5{Jzas$If
zI9!;fMvUcp%*#*~c0N9~Ki-VzTCg=jqmnBQbQzXGH$;PQs=5Hg8IdZOx?Hq+zcVdI
zx+`5==rTslSw4+pjBKgMjp}K}wPey}odxPaBaRY}?B_CY?L>Z5wfNmuO$61jxs_9Y
zM@yKY=Ff=3s$90m^a(UnoI6?jBU`wbAPReD+k2y#<3<sn1NON0M4YBp_vUN4UCnBn
zw@a9&u12wfv#ol&rvguWR<-5D)2~FbFk!p9gNU~a=hz`ZslXae4-2s!`PYn7skH&y
z^fISc31%{o)-=XA-+Q%3Ovcos`CL1=>Q%gjW$FWH<!phf=U&T<HvnFHOv<Wuo=`HQ
zs=uRoQ#k7lB0&w`HX(EbbcLd7w8SPpnph=+lz=_?HdOp;V8vAKOfN9et6#3rU1Vzo
zLM$7X^Irvf2M`f)&ga>ix1nQ1(SNLN@}9%L2~hTrHx80jQ-8DbuaUry_Bry#{L|32
z(4(^bh<EL6o_aL8DacTRN*H*dMK=gO{{)m#tS~sKMI77ZrfG5<yL~>k!eRfD%cD&j
z9S;(4jPp_LVlp-O%Spy%w#hZ)_;Dc#RKj<~wbxH!P=mM$DH+NhHJPXa0<$Cz{mLC_
zK4zoXeU=a9TKryhqR#h2r93A~$ntd`&c%TYk8B^2Z8@~;*ld4qVJmW>WzGMIxb!_a
zG9o>C_hX1gp3OmFVtSacT2IuyT<>OWHy*qC=u=<(FP_>L7bx9=2@4hpYx<6T&7GrQ
zRb5w`Vt9Kaj$5NP`t(AL7I(^%uezdBj+IR{o~iawi&dG}_U}=qJ~pIv?)!G<TMjBs
zU6!elAZF$HR?6UZb{>ZQ5%)J%=K)RU)Mwd{WE1DkCCm3c=2O2`BJ#mZL9-+dPHtLg
z<^KM5xEP~XFGCxd%HO5`5sdZyirH>JyN^h*KI3MM>gh)uU10SQxYo};JGI@fD!#~E
z)(q3=U2>SCo{*ORT>vtdZVR&dJrh{^nwkO^RWaY11K+Q2e6QXRt>aEz$YPd~4dQ$2
zjry8AISqjQw9Q8$d+L71RN$WTf!PH7uRhac0ofOmXeKghuc$J=KX>;oSvJG~|03w+
z`X7e{g94nxU##rU$9<8wQ?jFYa_<l#6+MY!lU>=^)=U%l^J)5&p8`y7eb~nFkr}{E
z!?e%-pE&E@m;>L3UHnVmfQ$dRlMomk|J|LyBS19(bN<i2%J#7T51qaEW10W%Y>f~w
z9WzgB2<vu<$gTPQ$`Q0&F6zgaYQOxSuLFWZfZxx=c2Dhl#~a)3f~KrUx(=39{MRp>
z`M*9$vJu*`x|B03NO<41dG&9R3;AaP7wOTbYyhd=Ol|~-@G7N#;eQ-DDa+&9<&8@C
zAZUoOcONh+%lQQV`j6;eUxekv2Bu>+)YbItz3F(^ZSaK4e>~dbI#3P+Mbd5wZk@UF
zjK<ty8Wr$?2kJ0kb>a3Qov7O#A_NDvOX9WfYQMLtNxKDCXE}t*e#~rqvg0)LKB8+V
z=Y#1S)Yqx2pKH6*!#SJiP5kjeEl~Z5iz8!ob1y9n^daw8{)QRwvw;>D+?4+-(-*#x
zWQ^2pRH*OUiqB%>eup=34ZL#sK*7wqgREG{kY#8{lvV;|RU7dso?5XzDPME&uPO3s
zoMn*AwIp(ZkS_WV$L*cU-N9Ue6Y?FQ2OT26`)oiiNIyEvc~<-DztHMK9IF2|KQoOh
zJs3aa**2+uL<-!bo+`fnw=5RDaR28WuVwH>sDN3V${M3)2+tVw;%s>b{<*U?6oZ(w
zG>t16O`a2jJ3T)a*B@E!$|+}%E`|#}7xOPhuc5mj<Z6Dp{;Yq4Zdk%Bd~!QzyYf-+
z-_p~^GB^!(2jip*K(9lfjK!Jr)F=cx=XJ;yTw!x1d}&saoLAwsW2R0IJxQIFy8KU5
z*Y(NO!xVPDy5W?QD3<F{X{Hnh6Rku_$ki~69@W1Aw^(nuG9jrWdUJk$s{cQuc<FLb
zb8Gf@Fs`7aY3nMLAYymr@sYUW=Yj-oT?jIZoqNJFU2bWOWXVy3nZ$UVkafYPyz2J4
zRCuFYT~KX*&Yla$!h*3z^2=_^<l32on`oYgq^uq_pL_V^?6mZeZjSTsT8;{Be98Ot
ziC+uE|K(61L?iFh%UM9=QMDbU6+O1<yghN{zR-9jP1Wpg|26eTpfr-i)&L?!gHf!n
zzCZrNT*+&-H+QmLs$Qdr>UX4ERE+Pxy*qK%oHgoYh(oh>;kZ!`2eMU2E>QG>-SNNW
zL@&EGXLZ(t={8l&&$ARvhrZ<ypJNFz`)|Wpa8CVf;yu}JzT)?$K?Y3<jOvvC5rRPi
zp<-{puiE$x$X_@GO77DKI{Tjj?n(V`KIZkOum2rt{@0!)(+pFFul=y7B2_y8_#!#f
zbM<yNYW6;Sxj@0SH$l1n^AW^$`dDR1!kAycC!-T;6H68A#wB+py#&qq<5u^uA9MaS
zfX^FAfNE@8Om!$WSa+zn3tskb4)NyDgt5`+Q=HdkLbvNI<(TWlcmAb~a^%v2{_XD5
zC(pyMt$w+^b3;Rb)A_rzurh!rVo;RMe}e3_LAN~b7V6d%q!<gENf;UBF(S!#R7Hf$
z3lY>yFu6=|QdejB8f+8Kst9<Bd$y7XcpMAuBcN6sEO2n0g%Am0I?O@_pl=iE8Z!Le
zSfA-|_wUg)3_*Z3Dy@Njl}hT}9Y(QX?#pNLdf4W8o*FI5DIw~GyWWmiY{UGGaW=oX
z2OuUiIoMR4Hm*azxHZuQK96C8)&7zb+csVIQ0<=!7We#|H)!l>A$ZfXoUBr(Q{03A
zvj5gxEEJX(`w!Xz8o^g%TbV_GM0soBpTws70$m0X%OUn-sk3hq##0&SOqFwF43L`;
z2lRuk>rZ|<EDcvB5q7VR47o(bK}LRbo;goRRc^QfWzsm|3;k7r2@FvqMfESF_PkT7
zK3dt<-g7f{RkLCuCX#Srt45^=5zE0+d4S(zVkiB}x{ob=5Yekbc+UCNcEkBd=05!e
zD#zFTz+@j{LpH&wWur)HYxOn7cr#(#%U~3%w(9Od%HFR42(*y_F+HkYMD?hV728tx
zP2V#_{4crV0zZS4!V?x$Q(=6Hr*jXE%MPgnt`18(G&R_i(VuVGji*)c#;QG<q0d2e
zjhWz7q~0&sQ_Y?V2z4}!e_YUtIl>Yktx+YeYUyt7@ln6TI6nnZd`GF+I<s0$`Mpt^
zTDFmhYThRjfxQz*pncfA<D+q{@mu+->)`4#AysS?J4)e?EL8~ImIR{;_Q`#2%9>v_
z-&)pM1Z~c3r#7TJQa=xU4YqiFg)tceD2vKJv~^P?c)ctIJq7O;cGK_e_<jvx6VG(*
zx{>M13@>g8`rv`EH(P~MN2?|e;!07|$&d?5DYKbS7<y~2(e>XUr|YW|4L2uL<T6N7
zlE%%cbf9^>6I*Ah?%U#R#JhBBwsf%?_cSs-iGS$vCECUnN6FM1t3RN*Rj33Jq@(i-
z9%_*9D<}f8*e@|#<%Qo<zPAy=)`}uT#^UDD_Rp<zLj}d^34!1*hpLtp;C{XquZ!^G
zsC2s9;Hs)MV`JL0%DQHx&3zKrC~R9u+8VofOg15D{5?rAGKOfoq1Pm1KWiNmbLOY3
zSCg^gr9HyX%tk#2n|>mya&7t@(+d2qYZN`_bA>Tb<$sg6a3)l4PR0b1xE1~iIKsG~
z=4;uePB#m{Lt^UOQ&f+H_9dn&y-NwcNzlF`>(v|DPw`!9%?xTrSE#t2J^LDBm%5zM
zvh~vE3j!;p2E!UmptU*l$NkA)N{qsF;|<Y9rQZo{8vbr@3xVxoA5@%Yt|FUw7x~V^
zTpej8K$PlM5r|l^m|xABz6(v`-vZl$vp<pU<&ZYmRA%As-8Nf8oT@q%@ZOx#1~TlC
z#HW?FcTGR3%Z%+$bRS9BZ(7ZRb>D^Dj9f;Zbt5iF^U=M;55#|VKqe6kV>=$T6obSm
z%}M>AG)B`u@4*B&AqvxR6&!!@iKtuzgV5!lzXK6x&JGodGj`*ka?6*a1>N6;-rwGM
z1S^p|enfWBx$L~iN}<S6j<OR5%~>g$q;c=6%c?aKb&?HH8DF_p()^XjS{B=kMtd(;
z^t$)-C@e>z8Bjsly0@2W3K~x5igZ!#J!;mDz5H+)jW~3xOj^iH5F7X~YP)T*x44(`
zBUD$o-u*j9Pw$R?^?icSjU2;<Ch6jbIqs9=Va1~x4r^lL?#ODj@0?Kk`koXM;s!)C
zzxkO066R6e^D9>l@=k7WFK+7Y^7|!rH##)FMbhpc@>q%b&!W5o?6hjztNI<VFr%qN
z6j7Q$`5-yc-M|SlSi!s(l#iN$8CwF-*r&M&-H0onuc07PXF~fWMG#JJaGFomEXP__
za2P#9Wy;ojDS6mCXMuVMgoK@`z8kppnp+BRj?Zyz@$^4i+-m-rPY}<Be~v~OpQlSj
z6&Pnga?=98sHsSz<GQpI;CdTVfZ(_^u+nB%BeAhfI?w8^hE?^B@5hI;2Fkw`IrC%4
zGeuC3guR{kc-}IQRKHfTh7VFc5MArH8Ie}NZCR2uE6+F~y;UpCXyR8wYAi7ysEQO_
z<g(vjF|2I3mvipN8@{7;kISU$v~FHq_|D^Br`7a8)&Ee*JtdK$m%olon7O4&g<B~R
zo4OtjP8#d7hf_mCS%NMy!)X+JPvj8CrSZB#AQ@ghxLNTg?fDKXaQG>UT|DFHM}IO}
z4()XNQXMPY^cfX2C<8L)Jn?R&&bs>f!_LW|qp_oNOe~>E=6uYG>V3Iimgv#nv=TQ@
z)2=_|JGiv*xEKH~m3uYUCsI}=eY_IYRp0w-I77A3#Jt2GB)_)~U0{R^?1B7+KMOYm
zt^ms*AAL)f);rJmdAWE6BC#GErx&Gqsg)&OI6XnP`JA$7{K5Fv&>M~rFBZ?aADhGJ
z7G)*hXN&7vZhPIiC=+?w*>yme<+x#e<Z0KRw@QXH6UKy+d*VugodKbLP9(x%Qs?b8
zuwz#ZoATvtOz;Ox$I9KRY`^;V>&6RP$moMJ(D7VS4<#S0G)4}8CmOQ5uVh$N=~B(b
z=;14-Dl(%^3H|`rif~)naoX^=Xx&zhi!AU!{6md%aNE2k&4ehglA=<@9rh0YIGX}_
zl3nic!U146t)LhkO);h?a_)PAc`BUlq6B-um3xUR<8ykX@SWQ{8pF}$_iAn@KhHNc
zi*#INg{^&7YrI?hxre_{B+>bhe1d5%xalkdOLb2Le4&EwrM!T}V9Mz?r<09RD&!ok
zn8`{W&;Vh42&A#nvUo6%W4;_Xx1l~-Sw$bx!M`SbTm+6HF8$Kl+Si*{I8K!GbAR!&
zt&kD$^6~uK`(EiXv~Y9o%5Lm(+d6DyF0)u5F%8)64Lq*CpJ(NtAo(!gku~&I&~p=#
zli{nGSaVLsivConV&|}XgR$bpzsUQ008i_2YTEnA1RHk`x-9#4Nc4_49}zv&wZNL_
z&o15pSMyJIjS_Z_VvkG|I(kXukUmew=wkz!ZE7^4cn0w57+yeHUp5iEdkdfYtzXEM
zd6@AtXMYuQO~`cxNKI3v$zQ5N`~Ga2Z^288U$hh)C)KaKOR3o*3XYvfR$K|pQG~sV
zp?&79vX)VmE7(k=q?+&pYy~k@1&L6PHWZk@B5(pw4NPo{75XKBeZt2!7d`;0*cJ|T
zSd$)paJri6x>6P_KjIBv=l~}1+<tO{+Akg^@~x6o9=fF6Z$yKfAQFQY>7Q0YP{dQz
zcGmhvU?+P<#4g_b+R0VC@i0@7?4h2x+}>0qGE$&!XS1aS%ZRH(W{x=WyGBkr0S9v=
z+<&;Z0xCgLi$$IB>GmlRY)^frgn4zHyG;=EUf{^w1L!sHYi<uGZUQ^M)}z7*Bv$J$
zR1_4lM(L*2#~;M})C1jK0zh#4vo6hu8>(^7^k6$+YELeMOR-&`RII~Ji$sOzwG*?k
zl9!F2VfL4`LI8FKRw*DUl3jq5T?)WG$yTM+rw=2fY||_x`~$m6Xm3s~Xso>qIc~Pa
zCO$T<52zIUvi5B*$R+nEI`ruFW0=XffPg}4r>+LdW`t{`-L<y}bJ>>mF;{Y^8{s+p
ztF{;Y@41gxdGmlMlGf4vQPE52r1?W#>AX5K%$W{A`4`;aV;cdm3I2_><x~BU5h_^7
z1o$0Z4FWRO2(cV~ZY*p$I4O!Y7t)^x0Cw;kOb%hRI?|#f)Y>=OIp+Q$lRgw()A>29
zXdE%BlIRmzpx%~Kk?M9)l4v`u5qxvxC=yHAth$@x```A5U#Ur5k8CzkR6)?027Q&Z
zz;bq=OYe^HY{s*my7H5M_6!@JBT6mc-UUi!sK+YTqbHQCC&Fv;0ClH54SY3NAoMK|
zu7{ofu`s?DxyNYr6M%$=j2<DgI`Ld%Q;$;<CH>ZE`3~li6_?5kw0?{gTY%96pkPT#
zL@Dn$hq^mTr|%qHjRd-*-F)uwtG6wOEb%mq-nJjh!b`#VAz?<wkFSl#^pE|`^l1Tc
zm#}q!h@1EBz;afzMwa&l$Gr%ArTgXx;@OurOyyj-=rbYtD1_^bR+Pmhy#BdfnO-7q
zbM|nB^)^mzoE8YUHJ5~%^>~&7S4F${SW*;`_wa@GA2AKlNq=Ha&FRZ}%~{ZGEnc>L
zEVAIMx{8JLaDgEwV0~5juAf@p4JYskQArs#oqt0w2XXItf!~2R?n(N%zskeUaQW#t
zjgtx-;t7s~+^JAnxvu~BXF@Pq|7*Ru{}&v_|Jzky-Yfies}zM&_iIeaYdC-rZ9@Uo
z5fPw@;``t1Mf_W4{NaO?h^0OUdYz!Oh*=V@F~UgB0}DB(`*KI^7OmVXc5L^_`Ee&9
znw>lqn)69~b^hbO<yX-uuJx!<0j`8?qn_8qYFZ&^#8h*nrzLznsU%vxckz3fOb@(8
z`TkpCj*vceODDH!-he@;Cw_e8w($t+TG_}&H*9Nrs1oS8oXJT2<-rOD-yLCafBslk
zD-Ijb!}8Uq3kVcK=&YmXDc4I<xK-(58AZL0yk7Ec=r=QK16`X-ZB16Lbne(kY4C;M
ze&H<+gX59PHPTrkssw)qR_0(q;Fc+0Nv>?)XR;u3?D8%Dw3RXC0B_V_wqbsGQ4iAh
zb@*7w6=IGdQvT6+tP!%8I<2(8c38IjzclJta7(@SWAKXL;%4Lr&v~%B30RXWD<a9(
zo;n!GWfiN~nIm(jdky0A)|HF;ByjV23b@z}T+1I+R~&6dl=e?}rXvxlOe+E(^Z+lA
zdpU=bkhS_MYPDkv4GPU8rjX;%OwsJh6r8`XRr@aS8xlX&6O+;qyI7TNyLqPEj9px4
zq~m*2<mRt~oqfii;|w=B`=i3UJ(<^L+MJvY%PuB~@L;7Py5_i6J3%krfw2zsjhP)7
z)yL*yel=u8jwjqm*muJUePS5ZN2go|1&%(i{|D1ya=keV__Y<JU&+c$l|kv{SuEdv
zHgOAyNV>)tnXUr!SzXm%%9q(mIK^D~b=vrZ`y3k)wLcNB9Vu;RBT(fyx&nfxw#MCF
z(}`kU@auZI-N8Mx!RcF@A{7W7nA0aFS?>IlhbDegi}Rv{PezZ}H2F2x7HFJIFrMYq
ziMMnS#HlsPbtvXD-pdfh@}QF>xyY|=u|<}#lvx|(@eQ3NUF$)`R6mER)o)`hQs;=D
z&okNdq@ph9e?fUB%?eogfVt_Hyx7qw5A+H1WrcC2m9_=nla0w9e1lwJjH?S<*X>d>
zLc+oa1|D8{qw;CJA=E`2ZIhPMW+yHcx?ntVbNXK1QsDr~%T~NU(yl(SA#>BX%J`Nr
z{TtSkk^f-o0KKTnj#}4oWVtrPhA1^<SK$+zrgWP)dBMvvcjBR~B&~HtauV0CLLefx
zYgK08k;L1%4UPZq{EL(;H|Ch_dN&e>o%nY*4t|(=YluKN?{4f}@|JFq0Y0FkObI%+
z+^!Ok<{Re!Bc9R$KLVHb5P7J<u#U@(jZ=@GOz(Exx^Ib}RyCC%Dz#|5TPoGoXl!UI
z_ZUbd$4Cq;(K{KkrlSIPgB_N;R65}2>Ox#a^5eatJuA$6Mbor}zxfx8m7I64m*Qkt
zBBY(~RVOm6W6z9&v+3{0ov_ia(BgLeBC##2L4irs*ICO6J0p0#`Bqd>BpB~%cQt1x
zf72zX!D)=xYfZmJtN7fziU0N3CH-*sq(|VFw9DS9&iOrsqyVphSZq(Aus6{euo~Vy
zW@^Zg^jzm;s}obr$w|i}<xB2z=OH(s@AOuc7{E?1mOJt^R7M*@cMty`<h@s16WjL(
z3I_!Xh{{n^q*y?u1*uXaHl$0hAt*#@K)M7-P;7{T(gFksg7n@JdO%T1C?cIuJW41D
z0Zky7guoq6`TZa6<9)pI#0Q3%*?acvwf9=zLQ10DWB4n~J#Z=67M}nKrkm4GyY=80
zI4`!m6CTH{y=1dk8rhaP);sqWThH7SOE>ocAD|m$ee9irG8<hK9l`!F->wX*$`V#$
zO13FEZGvf$Ytwe4UCgaw_UQ9ApRe1o;MyP_*Eg}CxASNSHTP_r)OxByTVIP8Gp?ZC
zg-X24)qGp2n8$hCOBZ9L_T!gPLtQMdzeIy^$&Ky%K!<Z_$DxTe@v{he+!V;?L*HMt
zU+P>?==ig<!d5OQO(%60c@1-Flk|mo_pSf7Lxm*VVEn>Ve7{^;HfRwa;RKfl`6Y7R
zog@B<w!rzg90wC3vwnZDxSjg3g1Y&({Q30Swb+fCEl4AVCg$QGOX@z-b-j+T@EtkW
z4g0j{DPE~)>FrR9CF%uYXOKrmHLAg}Ou^JkBr`~J`bMYn>t5?xQ0ju%m|QYBePY~^
z^q?!R`&_SGHs8_Q7C5Wct30aNJ>oTS*_=p{yW(dFcSp;?$4#aySy};_*DH|7=J{|I
zb<}^3`~#HaU8=J-qDoj{A;?|u((?W$7tLVKG1wdGq+TpZ+XC;Z*|^rt>|RKSfV}|#
z%W%he%>=iPBQtZ0s?}yN&W(+#kjmw8ijIO+e3jnlT#x!(Q`AH~tU3yxAYH(MpCf%G
z|L`ANf8_kxe`gGdw%ioIuP3k}gch!+kk=~1Q4e7Qz4qazC+g86n^8uy7m#A-dvo%c
zbGN-Q<p^BCBJt)1ljJg{az?Rm9EF3F4DL1Um7yk=|HwL+>-NbHZ$G<XK8j3>r5j$N
zALW!~AFt0!ON}KF$G{dy!ps)8p#nR<RT5H~kWlwE)O%tegq%Qzk9a5i46@Fa2REYj
za$GHQg+;h;%u8iUQ)eZe(@%-736Yes$Jfk}>87)>Tq1NZxd&7!L#2!*MM>7j&J?z8
zWh9@u&*({wqlnboj4~m5xwKq%9Zu9Vju~g`5{UAPY>927P9Tre8{oifvamJQi9zGg
zpkor>uUv*DE(Q;6pPba|8HBHCC}V92&&d0Ur}2dG<29xs-1&gR^{|h018$1v55?uu
z=$^sZZ0p7N?Vyk@$xOw^(pt;fraZ3SZi)u~LL0F}pV-^FoUs3EZ%{UR>oG{r0BRQE
z9uC`X{CQBz#=z7B56v#dU8E;WRhkBJ-Nh(@pWtUfE|m9deVl&7t5omONJt~?!OYXT
zfPy;64>*R_8@i8~msq1ZIewJ<f^^YNeWn;AX}BtO3~QCERgjR-;2VzFOOvI0`|PMt
zalIwuGpaxt=Xj>TR}Q4%RT;tlbKTpOA2m_KN!}!WSjn6ygUr=Qq*^CNrJ+*8_t2I{
zR#cYt;J8-%+Kt>Oki}<qXx7eUKgwxw^xa7+eoh|i>@qe|XUqD8IL1v~Rgts#+*uQd
zs8K|oJXPn@E{|Qp=D36dczg9zo5qF`4BB{!j(DrdMAzk7?%B0xoChT|Q|*F+aE^(x
zWMk_B2XZcUyWA%!HImhkMID&ChpfqVgy=a=D#tFro{~+0Hf49T-K9t|D!c|qkl!zn
zo_}06CEDV|A#)F1s$R=*?#k%c8YOSkuZS@ml1s}Z?jgv)%BY-DSfW?DJowCrRBWg{
zo(jG>APly{*}-QUYqV|-6WL#^S|!zVW-)d7$FoE_m0{##)O2N{dNNgpn2bk_v>~^J
zh=+;Pqnq#v+j<g+c)>=o*2O!+Zosv*gj?$EBGZkJ;oO8bBYN4NmAg`>(KokYUC=9#
z@pH5B&KkdU*0{G8FsnO1uPFGSj8ku-&uD$Nin4(sA!8ISK7uXdO4k5wr8aG?2#odx
zN#2=beXlIl-o7rO%9;VQD?|4KfxQ^S$C7qH-W~dRO)5>1VKi@nxa>0-ca(vaQLk^i
zJq&wISQ>_g>PMU>+!-d1!`_hO-4ypcrboaG>+j~a-8?FKGO-v>h#bO&H<I_>-f}w|
z@-ETuhwIGV`hWs=XfH`IQ)0CGw)$L6O){K>zG!d<3B8$B|8+wLP7{-c&#SO(TwW}E
zr^)onl8BLG#Id?}f2|oHc7~|GIXMlk=FHa<YbM-}%FTZ&o+A}4e0MS~AI~wV=iHN7
z5g`bb%)^)r-;D%M(R0`Z(3}yBW8&c8zFkbyq@}80WH-BRkir-zG{P?o<ZZ9Za5Dxj
z*es3!T<Lt0v%iY>X2}nwB2>0PAaoeMx}jgAm<xTWZdeC-UnbeP9-8p_LAbGBX>QcQ
zOy#lgg<w>{;!RQ+XTW64U_MI=+T&$PuZGWh66B7c&<|lsu%p99JvCQimkSiP)mynT
z4(19Wrw`np33dnp^TTd$=%26e57v!g+#B)>kfn*X#{bUt@4-8u6g}_YOqLs^hCnw1
ziRx3rKj1Pc8}*sl!19DiCza&R)X8wI<&!4tN*2_tr_4;J8Vy<JYAQPy?@8Vkj|rTq
zTe1%_nRRhW*&r0Ef=m|{_mBB}P0jE!2NP~Y6ta!VJlJ(Zo6b!p#oO|9fBR?l4s)zw
zF<*i_);h`(mN-0*xZg(5HK*xl&&;RW%M5QLhrE*-X!r6L$6lphC={T*^)KDl!M3@)
zWeH$oHgr3f!yh7txssV(vQu-nH^Qyef6b7Jw#wUHT7`&f-yPzU(U^@eZAGrzjZg=-
z68ERJaP1_m$IU@jR)bqjjl=U!R)dq$M{2drzqdn-`Z_YS?nK|c*XF(j;sLXu*~_3h
zPsF4s?EAsnE;@U{txsbXCWLxrP|*d%Q<3^%>)*S2i0?>>*^3jfEq0H(asAzyPuE^j
zoz|Six8L+q&w$>4mvpL$st*=ZZEY|1|6$^#-AUwU<tL})`;yvjXd2<|EIi7aG8q#Z
zmheA4X-UQNn_kmv`%|Lw8D)OP5L7Lg61jrw3*Au7dQRZZ<EFIjPV}f7(T1;iw*phy
zjHnt4{A()rl~-O)3;nmTcmk`gSL;^qm{(1!FQui|Yn(xn8e-1qe2(K<{w&m39uL+l
z)+%IzH5F!T{WNC=hIEGg5ZQKfIosjcJyF+A8}~GwPsrCXubsIecD$FZZ??&?*dg>(
zpTRrf%5QM`2+(qCj7Kl=*ut?D4ss@{Mz5Hi&%R~mlbApo#4(#6Lkbq`$EF+4s#WHf
z$^R8R4A$4}tWGW~lu2mZQ|s6CYN*Z1a{P`rW*NcHc{b3zVE@9pBFVpY+xbh5@6*W1
zZ_amykWZg+?jkVP9H7MI;x<`0h)^y&W$KfMEs1}0zstbUOIyurQN4HWEJt=#`(s_B
zj;(R(F{8oZz#UmC%ABkT{dd$k)?w9r{j0N=hnv<KUn<*V|2UO;#&#@hd!7I9*$r!*
zK40gq?e65Y`H;a-3;#^@VoZTv$;=g-Wk0`^hnHM}8*pxZkvK-HM9Z-uXlXx{bkt8x
z`?+(Rb7%TAX7oD3%W}CwldC;7v1_xp$d#T13Hy=go(O-WMJuyUd4nQ~G;C$R-hr56
z5%!SnUZag+e?==h^T<0<JB=tmbY@{9U&w=r7+Z-P<5!yYRssi<ZWw{eXrji{gYw*`
zsauIgk;OJB&6k5Ii(f_(Of?lCV^xC1k*b$<9a0l<RlOwDByUMgg~?|yvI1Jx;7WOJ
z*5eIJl3AtL0^yDNzzy1++0_(yMLPU^?>(FaBPwetp@ue^k{5_9nIqRV4O%X5wJ31c
zeod*5$R_kteth^s?!jG7ftT8wEnX`0GL3KTrQ7$Ydp^*~AM?3WaEq2U)RjKl=F(Qv
zpGcDh<}E#)MYXq!B9%#ayA9?7bfBpJC>%<vDDYnhdsRrfG;NTv?xTgZ&a&cQGgJNK
z3R`sU=~fS>(nJCgfsOOk?l%3yM)9N8y6ZTMxR^BU&gA0V-7ywbQ%N5TgqpzR(#C=%
z&FWz#T(WATOO5$L^BfFV=iCXCP`qS(XO+Lp5(u3$%=#K&zLTR;-qVf8Rc19TLyGRy
zn$-sB$J7|=YpZ(x0LBwpJu6YmfLg#VDQoRq?`7zlV!BGE3iV0S$vCT|P`~D_jFr-L
zy(Axx$<*C&DV9t?fMtDxF1H#wc@H6FQZF-p&@+?~RB598xI%FRZPV_fa;Fj7EIE(6
zW-e!g9SM*tv{~hYpZ3>p6Q2d?jB@g%C>g#a8KV1#<zhCO%p4aQyG%+SM4rQE`C+Rd
zC2WOrB*>~rhQlqUe-w*2RVj)%uEhE@U4~ejUL4gf3@xV4g&VbUenfe*y9N5Pq${%<
z?D_`=GE}43cSAOQ3yfl*+#EKmzGl|5h<;UJe2jNkMNNC@&C>n3bq|8ul{$vBAK^+2
z<5AYa8e!q!MP1X1@hLy&LyW!0A}3*sXBkgzaJ~<-jiNewyjbXa4=dD(zhVA?zmi4=
z=R(Ps#mQ)_TTD|y+mcEEW(jW7a@cag4Rm~~h76a&D@<J-8^3KDN7dU=A9z7Gpt5{t
zKF}MYWJK{;A5JGOs)s%q!j0-neaGe~S7(z@xir-Yjd_ob5r@+Pd#nA(Na_pa0vA{L
z&Dc97{WGdVp*^8!Qa6|wC_pyCS+w={wi&?*hUtCEqnzA#L^Y(6lih-75;slKE<pPR
z+@B(W_xbtQ{Zh3Va%IHdzm5Eg+4>cSraq%-&AI7RK+jedkkH)BvLNrBq~T741K~H3
z1Gf!7-HS6B{kR@JajT~(jl6=ZiTo}KC;sSj!#m9toXoQO==PC3<c(<<q>>C$-?c&I
z7$ao!EMu5hqx!GZ*Gz55aSLpu?vQ#h)7-C8273e2%WS@#jFoGayPk^Q{NSho);Saz
z?(l)}Hp@0yKUpIQ{|;{kjL{Z9Bc#N^aShTN+8as?u#s2}d;(XXW*yx8Xdj3Q<kWbH
zRzs`=2o*xTsbs4V#TUe!@y!YdX63nK60<(!K&o81N2Z;#EopW87q+|72HS+}T|i6l
z*)ZrkMC9#Dy0^sYgCH!cui*{AWYPP|D~JUV>7imN&%bTGEz3*pmLo|z>%ETOyai8>
zW!45eeG2y&KFWDeT7f%+JlRX}>phIOqNc&^pS^&9y0zcheWVG{3i2sQT7Kj@*H-zp
zaB=^WZ~eQNaq>`tf>DB<f@k5Yi&pdrL!5y(p{&B#Wlm}5K}2jDj`Wg!`!@L;2Z}SE
z-geo!Nz2}Z1!uCj)Pm8JxjLKCZIUife{@D|4~{sYA~6U?5+Sj$6$Ld#{o<q0(cqkl
z)0~`)ZOYCxAf$z`Z`~LbF7oj}5i44GEDF`E!rSFf1<+4e&a7azSHc9Jc8cC_M+VGy
z5jfW{vTea8iJS^fE)J@s_;m3wi+mBh*eB{OoACW$zo~g<VGGQ;t@vQv*1?7pyWqdx
z>R{vOFPp~12mexsIQ4)Q*FQb;O)6@+RuyTh$hF(L%UanRgND*G=SMG3OMb{G7|Vi+
zd2EHgfjgh~*R6)WXVR*;H7!J(LfsgHBR#iPf<w!U`;aG@ZD+t7--st&*`Ssj6K3=I
zDdW|IK-BHa)EBgQ)(gaWj!gYrY?OWKxyf7o74Tf7zoQI^Sq>0og_<QtPJe8CfDKsu
zYfOE(EANQ7wlpWsyi7&?5(7k<-Re!B+Dz<njtLdo?D3s($3E@Tasc0;PO+Y5(3&H!
z{S(_w%Pw$+d@8G^?>QB-4K`j-Gs@yn@@n1ZzV%){S#e?Wsk3(1vl-M&ogaFYzLE+h
z#!&=Ya`9q5ReFrbR@yd84e#18WO`9_E)=Tu6u#yv=Cifs2T6mK?9(f~mO(R@*q|mE
zld)ks#m*+R%EiHmhAGy&9g9oXGMIq#hrA|L`hpofQEEknp3MzgLcO*a1LtQs+>Djy
z&+K+;xL?RNVcEq?at>qeVni*C)xw7^rQnhUGAFo3{#whNJ;TcbQ-YUc>;sSE3dd7N
zN!4=)ZyKE*?$IjfZut=Pj``4kDs>1smeU$CC(RtJGMUtIcvjLBv6y);N?UHcOz?~y
zI)hPb+sL)XxLa-*rWl$X9242-wXFT2kThXyz&tp4yqFnif}E|%)mfNGgx#*UFx6}P
znf8U8!s;T4z$ZKjZ&~j-;1G!<8nn!+sj>mKp%VacRh1{K)Ml_li~uGjm^;O^%{g!E
zzcn;xSE<V&0%I3t2+?HnhR~=4-_?uZ8;z)UF5J&tN=o5QHsVJkwAu&sW~J_XP|LZ6
z?|kYL`txRr!mmtz!;(XCS9~`oLms|GeG<J@2jnfw?sYNIAnoXzQ6I!L^v9s5bpkj&
zxXp!d>MeoRvdVP38I8NmaZP=-bC0%@^;XZVUcpQ9@?0v8+eD83+#=lg1pcGCA@ytZ
znKU0%#Um}ZszL3g$KUaIuAux)<L`LYMUNZ|fc0$*ps9tBdv-1frk#eon|-KGsGX-T
zZf7GlE78T1Nko$`^W~M1S0Q>$(=Gej&dsAkE_;Gvj{GHxkWD;}`bE+YU3;Fzdbe0<
z*VOu3;9X><ak3rVz&P@8AD_T>>`dzLATgx_lPcg)LO5)R54^RpsfVYWCuWyZXAq)g
zqV+*Izc(ID{@+RSS|e*$=VB8$=W7$}B!>Yt&D5`r%1yUU$<wut#`*4t8dQNoEI(4s
z+E4ymlNEfP|4a7+>*P{Fwoan4fZ2MMjK6MBTx;!o3?-#?r=0zn!15pQ!Ez!f7oeOR
z1Y-$QJf6+U2|p6q)eZ8|e&8Y+d|N1!Dsn&gEFE<_8FHdqQfwh8=HQDZ1EZK|Lx+>|
z>+UC~cI0ZRvSiK1VC0&|puD2lclY&$EYN$`wZEWFxtth1ZOjw>Y;pM0o2-u?1Igp+
zF*^JDq{6_<Kiv3qKet7zk8Uvq*l~JYPYLP$4PO!`o@;{nW=3k!ZG?!0{Ts};YLp9I
zsl|3+?p%rg7Io)VD|>QBQ8+b{%txvB(95aV`DqopeCRE7tOvCA`@D#7<|1)Vg0F0%
zZX>0mXT-JnbY0nr&OY<L*p}D)yh%066Xcg6NifgjN|(X+xyo#k3adA8@#V%*@RN^{
z-Q_s5tl!2lr_?W6Cd(P$ZFkq>9$L?PIA>aNWt^wIO0J@j9TKe<08v@$*z<=B_uX28
z(7OF@e;aNy`Pp`=pX=S3(1F3L8US#JKD)^*mNVZ5kC-#JUn0l}sQx|1E-VuX`S2f0
z0wZJ(bTK}g{hX5Jzg-Q<yFQQJXb~7-z+_|g!#WOVdO92_dl4hN9T<07DF8g(DrpYm
zefIsiZQbjZ({uxSwm=O$N#17jH3Yn5XMqmi)c&{1<Z2(R>q=*&i;niKlD!wq{Vc(V
z6*S$oM{?)fMpC7MN?2-3$cki%#?HJg1DUifl$I<+i7+{QZ2`_G0eD^+V*t6M40_89
z3t%KhWkz|Qz1-?#mQLCFotwSyt^I%SPTDe}eVzuIt(@J;gWCGj94p#3h6rwtW$b{~
zvN5sEBPo?Twcnop<Q`SJB<%X)5lfyhMg$}SAM=LQ>PBtGpzUPWikw-|s0QcU%vdkh
z%<*3c{j2vRc#}NE?eMv6lc6o5jRLH_wB#e<dwG+5v!Tx}zBrQ7S|&6F(1=L?p|X_(
zcfZhI%u)(nayt>h_ys)7_E61tvm`kbdvmnegPFz?E2%UDdcJm1^UiGWw`nt#g!q^I
zR9bM-{I@22wv*kV4`{(&OnWre-&@n46Rsp>!?bO0m(~PBo@D^V)^3eblJ()f!y%iD
zz>bu&Pf4k~BH)A^?&}+KFSfd57Q>#$_KE#h<kJD3CVY{EDsVxq5H$3YG$eL%_Gh%z
zM>HZfSM*eNM1yK?R?SbLCDn)d%?zXeM+I0<sNgpN^1E>eI0;qgGPk`sLI!U|H!<@$
z{o1CHc3^zRd2yYSH#%ni#ccwLu%HkHS9%<FuvlYf9a>z9-O&vyj793$^$yM*;Javy
zMrK+)ykNMUrog&*ktgl>t%MW4t`n;Wl?}-6@QFQyJcB*VSk~&ns9W2Q^g&ZCm7MyI
zzxm?x*H#{_l|XfWHgTVLqw=z6h8{5yRM-YbILa=HoypaCVIn?Q>@iof%R`JlGd`+q
z68yzIEv;kU8syX-W1e6^-Xs<v73|*4%XO&>hi>{j?_omr@vn*s&}I+)A@lklc<3KM
z^&Fsyy90&YAT;K*;6kgBu~W$ozpCq32e#rDnD_8sclW)1e?-ZFjhI`lEHxKKRPlTi
zRnpwNzELX7y^~cBOyxX0yF3SZKnE%3h*J86KV<fpr0V@4vvlBZaO~CS-4f+~m7HbW
zF@N8$17D^Nq|L{CM7rGk)+yA0*>GaSz)xCv_hF!%iQHVBd!$(2sV%NqIV^D_Gnic4
z!E5KosDzBCUh1w?yn3D@E)Ts7Qk#&c9vQ8_>tx4lHc+%1DfQ%34SxT26%&>5Hbju&
zyZ6ioatm|pCEaFCtmZWd&iERd%*~LtOBhk7BN?e^+DJnyuy4PfgiNH}!5G+f6;;$g
zPOS)=aoeNxzHFB&(jGcMs)GXWwViGW=F3=^8)N%5+r?+eLG1!#Iu_{$a(k%_TgHs)
zgb-PPy(Um$vM}eny(Y;K)9xCO8-puJ!6kRB%g#-edv4}T7e`Wivj%~9M5EwN`kqU9
z-nD^VvLh&D_NoW48sM0kc^H@LRw)qDOFZfavgyhZtTEfxb5;kPH1TYMTCbHVV<}PR
z`;2k^rEU6R23^^G7f1z~>Lqx1xB3D4ss*Oot#j=oKm712N-IBp7qKs>y<7AY28z;d
z+tH;bokwG8m_e6sJJB^e1WS7L?`WJ@F&z|ua`jgut41ZCsKu1q@RfY}RtlBT_M{4Z
zy#=eG-i#r^$cl72|C3L3uHUAFEHT10E`Z!_1IcW(#kb;w?|{G}SG~4_hcGQPrRAOA
zoAvM~Nn`}bY|Uc)QsX$e<$9yk^ZXMr>NUKF3H^CEuLl3~q=uUQRyvGSq=WQzfZe(7
zcWw>)vq84f+$Q2e8mwkRmMLIW=$l@GEYW@DD}jVCXum^JNc%T8wfw%RD749S$gc@G
zx@a;#x*oP30P)}dq(1HH;gd6Qs3J90`Uk&#+*T{EgQh}v*P+jxVPBW+tMzhLliwb6
zj1(j8uvd6dKh+hJNU2~2$w(#xZn>)C?{Gf}JtrL7W+Kb~wUv&px3R&T=ge%_`81A2
zH)kHlL#v~#B!<lVv}prLF!@p+rSkXS)<Js1zHr#r6?LbmA5%TpRP-pwZrTi|r!VgI
z3z-UEizeA2Mr16Y-5Z#C{Wk28i@+yxRde@^pgW@rPX4*U?@nHP;^}H*d}!qv39!G2
z>Ap3?%++@y`VI>1qtZIV_r#37ruTe`>5tXoP;Exv6(9pniV%C3g{B-2O^h4WU2p3D
zz|+yfRy`YYNZs{l3b=l4Y_r%m?iSp|DEW+RgyM98bC;JTHhB9HKj(TBU{3NQ^e6R*
zIN#WZDV0BkA|v|ROEN`;f)51pSRH!rbicVH8d>1?Q>C6}y?s{FO1QE7Rc5w)(qw_W
zm0p^d;PjYhox)rH+Q3C>FmSs~yEo7zb;E@uZ+xfJL+df?S!s^ps802cs?VGZ$GgOZ
z_J+EMC0C24mc9p5;|DXiId<^e@q`8Gu}Z%f6C2bnl?JGx^LzoVTrFc6Kfrv@cl3|0
z?TGdW{HCh*O_3ko-(GUjAX^q^XDfk1<RWjDh;^GLYugY!9lh_&&Se*dW@9QCCW5y;
zoHSw<ZerCuskRvFP1u<fkDC4uyj$TL#c$E$Py>FG?^2J_T*eCTA-;T0zYkx%G*y%G
zGF0)BPnA$@+e&4oOGT3&4E~o_6?lYcl^cJvW@BG3Wj`h35{_)@(<>O6y2qri<+<gh
z({I#b(mEpjd1~FSsx;03Rv2HSW9<!0j1LWX-}^>rF+t8a7W+l(c!M>+WqO985I|q?
z5wierDZ3pz``$E>^`3void?ckt)U|r74h_C_`Myku{P-_X{ueFVJ<C^uGJKJkcjcV
zFjScPYOh7t?MZ~K|J3_Yg8(42?a8Om_&48N0f_uL!t*icZ7E-G*BK1<be)jGc~?u#
zpBPJ^r<zzO#MP!dsph%UjQwfz^bXp(YXHJUX~G#OnO8ckJH+4=(_kB+r5x4te>#e_
zUhGB8DO0{E1=hZYNQycq0@Se_FpGUP9qR7dg~U_7dG~e%rz-U$E~rgNKBm35P9C~M
zJXhp%1{Bu(C~3aE&_?T_V^vI>4PTlxU&d>G=ll`Z2j1eB;T<vU`rqF1Ci$nKPcJF>
z{MRMAfR#_Zp)z(v>NfygH<MfX;+Z{xI^F_3Kh;y$Jn5G!q<}YpT)myDuw-TN`Eilk
zdtcpB4S3?L$918pt8$aObc=7hT#K9NQ#VA1=cV9*U({9Sq74IEwWP`W8AhX47fbDO
z0biP1!-*U9Q)!~YWfyuc7HW7>zvu|eBmt**6U?n(Z-<R~<%m{aU204MuM#XUVnXrQ
z#F}R$d8*ju)_+<{;S`s>QYbL9kO*fP#hkV2x^^w_+we>N3qTX|Gi{Y~CI_N@&ZwQ3
z&Jl!dycte{m54=~-G)~V;cn#QI5ZCP5oLB<XRKY%zB5Frc_q2)71tE>N*Cq>t^xH)
z$NNOceq(KnNxRZ1EgMlFSvuFC7z<AewAnD-Kz=DzH(c9k<A>+i`0cJVb_t46QWCyu
zG1)dTbt!z^w%&*9dZgNVoDOZ@CngKwyhF33)^6y9w|<}vo}P7qR^DhN9ZGW#?*j4r
zD}h7~l@(Ino_OQ;Wz6bFfJ92nYBAFgm)=d3A9lg^YGH6f^r{dh#ma=iY4_9ijJpw@
z2zQ=bsMrc<CKI1M+MAA*DI|volD^7|j20HOS^<&Llzquh0OA)e_%ytsO^%YGU=<?2
zw86zC$qFdaa(u6NvJhP3IxcTtB5yxaz*(jE5qm^yNYzOZ6%ot380<99hYvig8Cl#c
zh4;rF6S@+I>o2T_`l-BFsr0~sh?x@6@$bj#haE}2Ut}yKJ&To}@GWa<nwFu-;-hmZ
z`Q9#*+ge!e*&?WI+xPrs#}YFIWkSo&R;b}-is13&RZt4A2woR;lCY)gEmB+NndhsG
z^{W;7uD82jy|()mNlxe+sT6tf%USUi&q|eVWsaQsqR1bK5uEbQ)u~T-8AwhS95)t{
zYVKG$%ZizRZ5Sm-=<z01nYkcs7|QuEv{@|+h*(_+Tw;HD$QA-9rwD#C2q`0>=ry=r
zb!mDqsk=~=^-}LruU)Nwx4Pfg1?4YaGF)2Co8g5xi#?*wM;T&x{78qJIqrJXt8!M8
zvpysb-r05Sj?5X!;FKP*=(?Evp74_z6PQBDlG=_OuUkkQMZj6aGA6G$B$3t7;g0^U
zKjxnPD)J|;-cRR^++JGK4_Ju0+C&yy&UeRphDsDq0TDG$*^ikt&jW*GK@`5IfN^On
zFinhlb83$$-}19enK2RAL5hPKNV7q2aJM_BkLS~To{+YH^+;T(VLiaId=tyWKI47z
zv%z%J&<Ba0y1}%mBJ>ps&2R6bqIXG2!Pf#0pNuKje{<Dsj)&h#X-Nq91CQ~pJ5~FK
z%NO;Y006`8f7nY(S9igN$K&;Xo!O=H0{B(n%xK<g0Q;%xf#6HwGeA^O{%3n5co_Kk
z-{b$c`a&*1^2X{1Kmj9$G+n1@`dl#b2rJd@SKj5Ss)U~XuYa!kuPXucmGZ6Mm()B8
z@qNX^l28lzT~67*$GT&}A2QU@g4bFXYizRK97)<$m^_s1JAM2A&XIp9vDZYs<hlX9
z%WnoXpOKY>(N)gqm$VTvz!?Cp0LERTvjXEK!j-*idW|6f&q$ND*IH&qOLXMZN2k#y
z(t04iC?r9`W>{lIIejX!&Q4|omk@coyl<hhB?^$8yPSUrK0@@jvkE=(gMO*rBlyNl
zhC<kIi7<?$Rix;GXZ-iD?TI7J0LORNQ-HYx;N9!83Tt+jy%sDWH-F|G>rT_uDN)yH
zGB?fK<yVmkB~A{7|Lu}-a3W;&v_sxllrJE2wvuy-b9?(?Wr%>IQ*r+y#iIVEfR$~z
zg;RFsox+3_8>iK#o8_v!$3d=v%Q;iYrp*9+Jlw?~v?ye95zrF9xEl8liv!??FH`Qe
zcg~o8Z{3<{S(!na?J-FXL%&cDyI1OPpQyrAJk~tWYmk7SeH{o;4uLCqF)Y-4E{u|c
zeif?~IJ*_LE<S~TD{y;xMK~2H+M%Tk7bL66XJk7r^navR`#{7gC5xa!lf!3GtY)FB
z4ccaa2gc+<O6MbSZ_?7KkWC2dN6llHCAH|1S^=8$uqtHS0H!xSGSnaLIv;%4KK)3-
ze1;_eY?03TEYpAOzpixMPXR<6f{^3llZ)k)&iwr$JArFiGRnU%YvhMg3_M=HDrq$^
zD<1YJ99^m28hC@-rNDN#zfjo~iZ3KZj;~oQR=QZ#p6!oqw*T*<?O%r&(Xj{^))60>
z?x?Gr>*rW+bIiOWu_NJzlKaBX&r`5mK&3gd;PXa=d5ghQFLso)78cN>UcJ#n3G6ZX
z?>anuxtqKqA*QA}Ifab|K@Q4QzjBcTLtGy~e|(oz2>2}smzsvXenM2;pQhS#!Rdaz
zi^r&=TIlZvt$>HkQx7<f^{Wz)fw8O$K^~#=#2MVIe3%x||9iV_{c`Nj+5engcmN^H
zYwb6R8<U(yjlvBK{@hBl5*7BfE%hI!&gG8jBCJiZ$N#;DN)TdK0=RA1J-sP}W*f4U
zf3U|Oq(6JI5Et3mDgb-R{t3zRUU@=@`mYgHBS5OBCU_Fv!T}`+MC)y`M>j`}D+wOp
zf5(sK%V@*cMiDl!@}dkt76C};66$Z|t2T2;9roYLsNQV9(X8_h_sY*EqCdh=W@Ou7
zywqvq9NrdgEi#+e$&)j8M5#lHvmBwZvh&aXXeC6)s%rzp%nA$1v4n45A0+~`)n@{m
zCBwk>U;Z+n#8MPoH9xn7MvvgG4~PB(ZNCZtUwQwYZ)3Xm8Y4H}t(5?dQ1w>-JgXKU
z&BY`5rcEf#B<fl@TL60pG?CzCHv)~Xum)tJj&Z`@kV7E#wM{p@TYsS`_?-@;jh;)K
zaGoRbUJFmN#3!(-L1pnJgvgJ`TTUim_pbSpAwpj~{ZrMI#i1r{r5nd1MNdbP`F?h{
z30g1zz8l~>*B9-LiLu;c0%Y?{gSG4}1@CjbhWK&XrEYw+drTH+y~BA?Rp28^{|F7Z
zo&jP=JI^w*z4OrL*YP-weLyIIQ#`9W5551)DVtrSFo|Z%tK0qUzIfF&{Pt4JC(Q)r
z&Gz@g0nWQ0oUt$vm`+Fmrjluo7R`%9`v~x@V_Li-b?<6{v|Ntfq$n!Htliz~tn1f3
zyh*C@#=!r$F7MvkxN}#7%v^8tK8)RO4zc$6Ou%L?7A~UJ<NND%7v8Fb{xlHYlOoic
zu77s3`<(bi!@VZcP%demWKQ_vnFH!;MoP7us8WVKpyof;Wwj%!Up=ggCw9TXphB_C
zKH}<FKk?56(NvYoMJJO1{aGm|udJj;0KRaZo?05WJb15hb;j#mjD#tlB(iFL(0pK`
zm@z))mN<>1uygIrSHx<{rxEwChd4b@pdJjOtv$Y&KmxT!$&|$HZchnBTmW@4;ozj*
zhY)(CqdTTx({08~Kcbu7i#x`EoqUXwkH=QY-<(rj)o>6+HL`zHM-q$=!(I+z=+n8x
z<Jh%auC&#p?X7T#J5mv37vIDR5PKQbSO2yM)dZ$3zACfwi4YpWh1^;_m%H{7!Rfl2
z3*LRx>wxAxPt}c<b#}zU>f4gw@rgJJY8s)aIcUz{lyW1lmY&Et%2yhHQi?9{`X#Tl
zzk_za<ccyCHY_VpSF@qFJg5OHl86jseU1s)M&$aPbPz_HD_yk{l)}-yg}(H7A)R9N
zO@}3Nb#N{BAq3r8Em7F*@(UEo)Rg~tLpfY`YeUPE`p!#)XEI<uL|eLFICUxHxY;3z
z@dq&(x#AT%-2IiWe?;Zk4`OUdi!kraUo8pT$d^$ApfGFEX8-dAdtu7d`d;0+C~4?m
zCCUeDMoX$_DgQzAyO1VB#Gnq1O<rP41t=a!khB;mYQ?NwFBs5oo>1Q`v>5^X&GP6T
zz3dCV=LmY54r5a|qfu!&JVtU}wEix4EB>@wLEm@#Uqp;2!SeN#qj_9H0O9qtmW9&=
z_HOjPirQWK^Sv)km{;bry~ksHNbe?}ZK}P-2^~3A$uwWXWc?TXv#%aF-RCh*H5kb^
z)N5=pDfTK4e7TW}gB#*gq<c>YAslz{f5%`;dqh<yZIA9-j;y*tBsr`~7HlI951;o(
zslmUvN?GA-0$Vfm{N?)!%M$Xq=ZCPYtMGdnSggIj3&&_Oyj_-5_;EQrqKEvLZtG`&
zchUh(Jad4qO4eXAHZf&(4$yp33zA@rcY=hA)m@K)^-{k7Nz7<UJ{@$7aV}8O829$d
zXK!Y61H4zwhnnVlA<2Biub;R(_2g{+^GV-tzahNU&719c$57ZipMUgmM`dKyMF}OJ
zD=*vyG@bZnM`Qe#A5}hRViCGk%*#9Q06<7NPG9G`SrV0u-B8bCi*A?-?s>_34f5HY
zlTPlGYAB04owM?|CdV-Bv9x2qp0t3y+*G^ZlMLho!$S+b8x(fSwNH93V_g<lncn16
z>t@2U_%Y0QTkc}v0N<_ILp^Tl_MjP;9$v4RTQ#p@)#VeNY?*{Jcv8!pJAfNY(UI^W
z4PW%ZH_^ugu4mNQctPZo=9Y?jE{x(s81;K4-FmkB(7zZ$q|eyJG5FM&rj-U*vJurA
zrDCNn4z#@eJD>;Q9vGMiNXIm#9;Q0BzxTdsdgw|azfnv_1(QE7lGUCJmXZ<3cQfTL
zTi+?gmF6=HQ#5U4G|S5>%6VHnv%Ricpe|pvcND&S6;o!Mr%!sCq`#{L6u6A6o#*lS
zl;c|kC6Z;wO4k@~F8Tk{SX~j=sm^FaMd;XR$%?XjSo1`#e>Y8?s$q(=ae&^0mHL?H
zmCaCkOE)DQ3@pa@;Wmz<#CZ?Cv&H0+#jvFlBHZOalxPw$uSrwBpp~FT6hCd{66O%l
zAlF|3&v%0ep#1YSCfQNX)kaV%UBCR{14YS(z!(TC$4bZkJpJX1j?3rN6p|&<4vfoH
zLIKv+2#<48psnz93i^VY>jnOOBGjJco+i~(bu>Y+=huGM*fUcXr55w2a(e3AN%iB4
zjqIqdb;w9ptedPw!N~RzQxR&v546~uVZydg93H0GAbs5*2j)*%-cGgh!y6LF?yVUT
z3H3Cu^X!Rks)Ng{wRU$4g;Y{AqjGb`6!V#8qX`DkOA3>>a;NoC1?+M!sJai;8q@8y
z9M#&^x;skcC4gy6>1vaRQn7^l0f84QSChcNxa|JkQTd>~TTnhc#-h66v|m=qqeAO8
zmTIL=kA9ozV^RJ>fi_Ec(ka2ep&fwB69=AwD1K1wqI9*0OxoY;MLk|$UuGP5wI;&(
z%lp!fqr^Iokqaj$k;Up4eSUbNQsJU&0?Sd|<F1nCE2R}k{n=RMo(^Y)44E;^T3aHT
z1eNgt=EK}W;n_&-!gvLXS$XX5y{z073$ceF(FC@w+;U7WlK6?JrY(V~E4-U(yke#A
zl$tz8{V}p_NwO_&awiAC_EWN#=6YEc;6BC)5!N13Uju?emK}Xx4omlK-NMC>^~?{S
zTGs%&A^N61uxa4GZTE-F{X4f0$s$&yEPPxqNmi-w1^WHGs5Su;c<;=fw?;&(e&c`t
zGNd!w;jx%%5T9MRk)UmC3oHww_s%-q3cycxB61Zh`TP|3l8*8{(bSk&vYZa<X?o8t
zA_nKYCv_wqpHvJ#Fjf0r=q2y{q#70g!a~Gy+euwUn+zFFgZ-_=V;f$%CKeCQivVw5
z!5#XR<7XrOee3IDOioLEcqeQh<=z;&%ivz~Y^V`OA<4J2>_$kJ+b~nLucmzKJL5h}
zv!^_7F~8Sw()L-I@h9Z>UN26GAJQPcx(Ezwh2CDZ%J(KsjS&@+M#*~vbQ%%Q;iRg{
zzlXwZZ37qztgoB-vZsppq946IBrhZ_qO^Qp=`n71WBiQw?^VVglY78+R<LXyqI_L8
zT+~QlXbkvc`<=gM^?8<LYhJt#Y83exkQ{Bln#O+8(A=RH_>$pN@G%Va<?mC!04l0H
zCp>qrvS$q<d-D`K2(y`;XolMh-`!^mDgaON@A3b2n+#OVSd@7=Z!QXPzr%3xe~L$6
z6o4|(*3e&<LWT+3b!<sJb~1u~&<bAYq_L_(rAGdDf1aj%58fm>yPX1>Y87wN-_lPc
z8w)u`c%D}9B=Ymwbc^TeidGu0MRNYVcJ$q0K+)jZa0{OdTDZiNh%UxFp5H5b+!ze3
z3e}xxHOoI=WnJ#uO&a`tv{zAp>GFI3=BR&WlmYkiW=&l*DnyTQ?+=-~Qun+g)0@10
z=+_th#d}g|x$%-3E;9WTrcP3XruzHFf5kzbXO6(88Z)qM&ApX+obG>tPli=@vyJEu
z_^DWk&4<|v+Wp)uS^ab5<m1EA8b%ft<M~b8t3D{G6z>R0PQq4iT^^?YDOe#IzR0&`
zlYl$G=%J%w7dgJTAx8~~X<>Z1q%;g?!?}Iwi2Q9hfv%XT)1FJ!3VP_~!$C?o-XtxM
zf~hb=ze-OiCruvjT;i9T^#SJWQ1~+PGcyiO^(s(s+@L?@USM8mHe>zQ!R?k`xY{Od
z+NGfcdNw;N2yBCGRV|cYZ)-2i4Vn-<RwagZDB6ahJHH_+5YXB-_Z1f(#GBL!+3Q!O
zd)XDdAe@QeMS?2ty>a2^{lLpuI^qhzXddsMMTEP45WYPh@=IVd?%U0zum^vV50i)2
zndG{wa<{+vgN5ZE!sNY3Et#>QM&+0#LJso2ChDXU?%qkeu?G=~l}h`L37F*aBrmyX
zq85IJR_{i(-Q%AJHsP7q6*(Nf`5Dwl@TlNA>uNCC*z*Y$rP!?%|9(PY#de>`&ip6p
zeNFD#q6=1q3X%u3UWu*e`FKOqf3FG|3RYbh7vWnSa&1cyeA7KR%C{x6^k$#;4Zf{Q
zGCM7qirr^p_G~Yv2^w87ow|6e=u1W!<_J7R-lxjsW6i1JZ3g?(PxKMuf5SPoY?a?+
zHq8p-(oi6Q_*Ll5ZWW`bRJQqSbEkdQiW3Oy@$3$5jgeJ!CB};l)!i8lW02Pgh?Bca
zU>8f?gC}2IJm~Ei`ejzQ;Rzo*Q1^0l1wN(8>bf9%9I5_+ce^I%7O?4dSk+n60dsc}
znHQ7y9<byUc#BS#p{5?BB+Glqq-FaLu3>EhNf+gOVxnW0pIgrs!@h?6mk*E^(%qNV
z0{^N}*;a{Mj2IsYQVF8G6ZPn?QyE7d-zr_ClDE9HLVzl*`yH^`AHp5Mm)mCnm{;1Y
z2T;g0FbqUy6Habb9%wiL1D1zypMw0DgMeD*6Mf<0vN9n)nc{8ZixSUoefuvzl=>d1
zd$;{$H&f=oJ4uPb(wF<q%UJ-G+Uw}ZZN;QhCRmU5^Ou*f!WAGL*Q3G<izGmSA$bpP
zZeWV+{%hUpUeh=L`S+R#6_t`z@Toa%%6u&g3;D0Z*PDT>XCrCi05kz<%;oqKVB6dx
zE`DYZxPzh4L!#8Jz&kn;?izfIdZ0gBw}KAmC{dSNjvrSFVEu;4uLc$!kU9?_xY%$z
zx1Ou7+^J-AVO>Q)`x%hO72N|o`BRr{LWgb7-hK=C65T~jqZ>zpH5Duh`$ih%tkhA{
z0Eps$4J`p4MQ?|qwz1ZBxqMYOym({H@K<9;WY%EIpE0Y*qmN!B>PI!MPPiv&OZ5u;
z6-T3XY&P*20-DV-y+wE@RM*qgMVsWF3Tnf*JI?%Fqd~G27|4f<J|vSP(*cI5ljYhc
z$1mTDktv@?YmZ(?#k<T_2(dxN<*Z*i|BB=D@KmV+x(f8IK5a^M@i-jO&p}0CL-afg
z9NOLA$v!@uWqHK+pZz$nFdhcxWc|tw%G*2tWJPzss+gw$4K<(dKu6Yj=C3>SYJ13T
zK>p`Yvfq~`@9-<)HbO*x=zr5D5C1_R8vS?5`v3ht`rZHa4bT5u3tcc}*9#QTb{ly%
zXiB=oPzAC^@$y!3<C4|~`}Xr3hdv+l64xI8gXdZ2KXQI`zj89FtrmP1mR|$9SxzGp
z%bMDId7>9~m-m($VMcJL6mCN|(sg<_zqo_}!odO~E|~P92^D!Q3tJ!OnMCSuF@28N
zzR_49BhgK7a>Hw(KAO=1fi`s(sqbs~IUxJet*M4_Y%^FGSg{SOY?AgV-MjrK24fkq
z>iEtt%Jp6cm=bLk7a#r>AY4CQdfOTPkhSZ)JE{5WXL5!^XVATO9~bN5vwV1Yj0e^q
z)w9ANlWR}j9|F7rUX?i6m0Ls%99GiD{GTA!rHV<w-?EZPa9`v*aR7J?uCW;HMw@a#
zJF9#|KdGK`6m@cipE6dWu&eV`tBMOZ#hIzYJ2^*&{o3bKqP!uvttLKcl<vwOGCmp@
z_-bTi^HkvYf!f!j=9#qzd6%9Q^RcQchEwa=zX{jj?1w&6Lv|~`lmFIfVO(D8`V9xn
zdJ-YQ`!lkpOL5cMxy-{a_;}n2x0qC)1e?jVq!o=`T#{+b@vMVsIelts8z-Z<)!IJr
z8-6CG*Eg5vN_VYPNRG}L3AzooG)*^j4|6SV*Kt?_&k>NR)2&M0t*1%%&yoWM_0)ci
zoKiV~2cOy(!WTk{iK~q>C!<*Pv?tsn!}kH7+Y0R(vcYJljkbOuZ&HANsfOY_I49NL
z#;=yA$;aDSGH6%oG4zk)`fQ!D{?nuqTWSz_DvELsJnf|{tnyqVV@-G!$ifuWHjiep
zH9o)HU$4LkBX^k>-$!%zm^4*xA@-z;GNLvIAU3FJjX7>IP9XItu)?WIp3LdYV#mLZ
z<BZJo9BfI9Q#mQ+b;0$XB%dvd@8U6~o*Oav+QpG~20(@y)AbUtp-EV^Eo?peCtm<o
zy98H0ih7+@2_&V;cX|O1i;X`OFg#nifunC6lrh(UlT>CQO0kH6%-K?0<otCOM59#i
z{a6$|InZ2A4vTKH&(>U4@Tb&5Ok3vhmOia<Ao02o#{xe{vyJ%1&Ig^+kDb4Z9HTG;
z7f_j#@4hzwacV(RquflV(V@IqmoVI=lK~&Uv=(sHMbBfi#Poh6AZUi!ERGuwaa!>+
zZT7F!!kRMrGpEZ}@u<rLI<ss>80z_(@8ry%0wxP1%L!DZa~=~~mn6s$eaHNDvfOP2
zuyqP_3wTu#p-KWTanx;gZV&K%2`k#wmU8TG4ES69Oe+z)*thj_=3Fi4{^H|^R@UbI
zuIlt3@eDu;Y@<}uoEYR-+E?gNI5Nvw2{*-B#chWWpY-f8vz)sG*nlw%aH5=-nuU4|
z8bx+Ktp_RJ|0?&+(iEU@SBo-Sa(ShBP5`9|_9?eoEiLUrGo6ybzm~yO8M?LR@PP5M
zbAb9AIv$M@h6ED$);DOO`Jl~3*^2PItJ~MwoYv1}guX6mrfo2KN#jNEu9hw-D4=4Z
zx71e2@L^V;+YWhSmymAdoxs(DgmZ4yZ<dACTZhrGaE}De?D!nEW5YfMeqI9Y915{S
zmcJRABR2`bBbEYJ_qTO_1k|LYIJPc9^T)Xfkt=J<DG3th(5@-&#oM?;LFjk`j{cD1
zF*vp?2t%;r4c?Wsu>U|`<ZIT){jIRG*LuC|+t}VZl)es-;cq-lqQ7eWW-jEHk_J>m
z{5Q+8-XsD7_L63718e3lL}+yxR5^0|qxVj=)!zz%Z&w(mfS6!%t5FE}p`T+4<Te6)
zYI=PXaCJE+5ML^?Yg~mnIP%)tih1tt$BO+S?CwML115~smbV*`0eBX5bu@2M_;HfM
z$@mqUO|Uy?wsb*SalNosc{y&^bg1GGY(sN5{hfnaU#bxWe_ug_y((%RrywK&=W8bn
zbnAG6b#p<y-vIJSnPchaLy~rd<_p9Xc`lVE6Mnx&uW@I#+<WJ3nW6(A|90v!d<apN
zfgWttuF*0t(%oDDhpx8x=S{h?i|ex`m55ZN@$9ODlc`Pxo^TD0XhNc{h2<k(kQ3-m
z1*=HP<E+FZ36nux6HWEh(Wb6LB_fmCRpWXC{^W(cPYJ5*w%GOXh6j$BXv)BAJHXI<
zvJp-;pa=CYy9ta=7}SKbrdYM45b#XB18rpSu<nlD=DvLqnI2vn51DS-N0j=F|LSeA
zEqC%Cyg8|<gsS^~fHMPFrVqMDZKt(;3`lR<QDIL98bL<*+=jw>opB&aP}hNw&4sN@
ztzYvCTP?bY^>JeB)zlfynp@?Z3B8aHBMOqqm!kHZ=g9##gvm`&_iRR-Lk#A&er{XF
zZ7gs;IjhW7NdA?=mN*5-=+uwrNY*ACn@xkP&9%AEdMdma)Og>FuzsiGN?x4iPi=F?
z0(L+ts`B^h)WYmw$R$o|9@U3>x6Qx5J}6W?xZ$E{sl=pO$|XipUO3kdZo`UL_Nm~~
zLj799@LbcxozD*8*a&&+7<iv)Y4M7qpUIAkvt9|45^3gg@nkTl*|utqTsoFE2Q8ly
zIp<v%0X4~MOBp}icvCoS3Hh*_|F4?4AQ6vG$cT+=wu>v9If@+J$;g>!9tHht@6tc!
zebTdZ#y8I89D~nYbhTt*{=BNOJJsh?K5N!5#;^QgEO2|}J)o3DuuL615HCPkhqn6;
ziw2acm*%a4+HyO}m6?@aB-4tvOOKyaY6Lo-mgh0;>Lc-U{|=>(TNRjaAPD^M@uL}&
z%UqT6Wzl}Oo|>)JN0E4E2UpL9<;d-G&|iu#XbF!?!iS!=aUNZiEOnDKuBzF0dUB&i
z5_BP#aG>_ld*Addt;z`IvkuVC&Ld!i&a;CikvZdX{Dhf=yys4=2G~~4@M~X9h#r1z
zvgvu4#w5?I?rP;!wS6MEbDH&$irxC{C7!T4v7a-l$Nz<9w;px<SNIjF0pt3`&nnt|
z?H^~%5wz8K|1d>*%wgWJOrpWLspX-oDf{A~S=|B$T5=pzmGXPm{uFzYgsM*$_|{5Z
zL39MJaym&eJUKfJL5P4E-3V*=(4zm2@WYzgh;0Gu$@+ZMy9bwdvR@FMj}^6kI*6yK
z-TE1Ep>5%H8+w5?lZcY!bO>Xc-Rwp_Lfp!G+n)D_)yhE|oRJseIUn&QKB#8#Uj_lJ
z5KOaELyx*D-nnPv_Pcq<4kTKDS83C!qpqClw3F~j*<!BOCw>}`fmL2ObZYbY!%4j$
zV6OQ<7%qIjLJzZD?~0X%&jA1+?*HCx@1afsz7){HF#Vuy7bG(lFv6bFT!!!xfwy_T
zS;*zv67tE5I(mh8=wbg`rqiN>VZ{wsO@umOmcui3-&^G~%FtVpqx=aqT2a4&Nqp8#
z)Dd;lM$Ozsp2XWHgiQh$&EE{EmE0#<E9toas$O@i1&q#$dnFGEp@QAPJc<&e!cdCn
zvDw;!23SjzZ>XcvZw1BQ@EKDVixQ6hGe0@buXN!*8YHJec|II`k}4iCjCI1ALf?f_
z(9o}&LN>y8o`6flGQ~DHIV;f583w4++1|R2gGk|SsUTx^<Pmd_9HUOFP7l-8+ngs|
zUzxl$A*l`5!*zc{(3^|O`go$Z|JpA4ApD!EePLa7=W>qvl`6f+WcS*&Ga3q~yV2uX
zLz`b)+MJvx$&x3o0KgrxAqv~8oC@WTXiMR-$(3`yVld*Tukasj#H1d1Ql0-W3k|7N
zJP>8~BI2<=#fvwPklvbOc6#C+?sbJl*c@46aAhrM8D~D$m^D|*)ASg~9mpH5f->j_
ztFN%Y*3+LR0e3k-?QAiLJ*2fbQrGg+eEZFtuc*J0=lMIv0E_fm+Uh7Cjm@$R`h=)(
zo=kYNYfx%}i-g7CikEv}uvW_r)kjZS%ROkbXvlnXVCsN~C{g@Snr9HYVB}rE=IV>L
zWiCBXpLCh<f#TvWhSS0t$`Y(~i6pT8DGWYoIo!FI03Q}I&x+&x@^(lclFJ9{(X#%y
z?>eJXt0}nq4p>>fq2FTK{ENJ!ukEN6=wX`~p|wGIjXwUCU~l5~#jvpC2EEvUn`ZyK
zfS|}Q%cLOCZi4FpbCoaZka_-?WVph7#6|AR`O1*owfyiXd>t-Ci`86M%PXP~Me`>%
zBC%T72E}faliJKJM5BEZ+!@IhSFAZ*yYNT8*IWTwuJt~|WOX$S5To25TQdmbJU-<4
z3Mfyrhq@;HXD8iQk{|1sjrTbfZ>ON8$jU#KuIw%g|7>)^+LhZREJ?jU<7Ns4faJlz
z*&fNGkHuZ#>!-st_ocoOZkc`enf`oJMq1#z@;@Cq?-B4$bE9FCPA&<j-<#A8l;WIr
zZfUEtYk5WZOLz}BA^rD}EAM2&Wl{s8tWAu`Nf|QC;+m#BQ1Z_2I+SK(C^q9uSMI(i
zO+UP{P=$}%YW2a1gSx^Ppa<u5$|N~It+!Y6Mib1Bh4GJNi`{e@)S>DA@hM`<@aMz!
zYrB0I1~UUIOK&WF><y}HWsnED{vX!f1RTou?H?vezC=+;g|dvwHYCb6DTQoB+4m)6
z%R1H>q#`jQ`&QOuU&lVO?>mFR*kv8YI>wmy*7ALx=YRa3_xQiZ@!m&=EOTGib)WZj
zo%?xybXTmMTiC@qE+F<4U@Vc5tUz+)c&eio!k!Tpzv}JnEHkw#opK8mA>zHAR^=sg
z#EwTv4q!9!y1WO5af?u;&GOkf0nj>-(@}Lan^|O&UUQH)F;jWVVBy=xBdFW!HKU@$
z`we!V`C0g^<HK?Is0<$)oaUMJNk<DMgW}!RSfC}}BV3_YoY#5lP3re@817vm^lq;8
zQdtjfoFO^vY%X8kVm&sEqSEhpgUhZH>ZZM@`1jBTO~w9K3@`D*6#~?IhJ*lEiWEV$
zIiV-|rH}1|q0&ED(s57q*j<Idwg%u+RF1KO+jB)lhBL(;ve@$4m1Zwl?DzLwx5Kg*
z(gmY>AhD=G5zi%}-KfN)_;k2$>r``hmDnQuE6@O;rqgLBVolnVw{t*R%_HQpr0t3`
zHtsO}W0Pl=xB9@G%>25c^$=;hZIz}a^~w-CX#~Xo9q+3+?7T3K15m|R?|xonhDzmj
z?y@>-sc&*>Kms3N#b-lVy)u(k5q6p@_C2`s`lQ}I@YHjteZu&&>bnNWJ=HDuyiYT%
zxW(jFBG7evB0)ZMRRc4pgl!^lCat$8tZ_i+;lerz19E4Zq}6Tbfeex$v#Ozhb>dIS
z`8c0XuMYe7BB35VwrYP~E6cc-WH^d>JaIEuQpYlR)D{<N>x0VCLy3{kF#9kP060XH
zP2~mfvtxZ}!5*Qv>fk@S+&ep|gf$umK;~`&<Pn%8g8D5OI<$S(Akdfc8=S7ioyXld
znFU)wnBH;8$C^MUj@mb7HD&4!<mb{5hQK)=9sT#_KvVZA%{wNT$(`J)Q;K_bZn;HD
zj0Y<e@!ddYV74xpd~Dfno{kFfC1%Wm{EZvavpboduQcxZ(2cE9DIfWGZB1^YZk6|!
zK{-~bc^fT#lz6l*Ey1<WwD+Fj>WkZAVSs2^)xB#IajfXZueawn=@Ru7F;&Ll(igWo
z4qOvSuG#R26F*NKA71KM)W$HC<`24`SN9I5Bv*qy2UvPP%`ws<NZ04cFC5cBl+0_9
zvp}~(xry)5U4ZouKqFEuez4<ybM5aw+FG5ncO@&xoX&xd|3rO=cW*n2$&QIWx-Oh4
z$UZu$YY6}YR~~0Y$VOzqeFGrd0ABAKn_%e293Uxa3_q7OEcp+o3cmBnUcXFfQ`FjU
zsoqeZQfA|?J;g*E46%8&eBXvb8%<izsZlNGkkS?f8oUov$a~A&49zrSIkq?#T7KHu
z43#x3)-Qqv_Rf@>H7g-QzMWxQfBGIoN*&g4wfDAoU`Gh_k}2~^a($h0ZjrMlSH75I
z`=#MAGjL#A<TaG|RyHbs|EF`ybpkpX02O}bz%iOnC7y-*eC77?cEn_@Y0`kqSHT0J
z%)c9n5f7>Rwx2k4>TNJI-2$ue9y#{IO8S0{WR+nQIz0;uUc%lnpo_86so1@Up4ZXY
z;W$@4@_im?|2Vnlx-5CmV4>jS4*ICrvS`JfTm|848KFfcf-pdj-<{e467>ARtuYX>
z8zL<8T{FJ6BfJ7gg6U>a=}&XGjh^3`f6H%F)6IEGxkyCC+_g$ie?T>GC8?s=YY0@V
ztcj9GSQ1?Tl~nhxLxkR7<!YSGfs1LfQdtew&~xI=@=W2vvF&w?e0HCUz<8Y{fD(LG
zzpl}1v?}88Q^@sjc5lD~X2l5Kr!clY&b+Xyn=DnATA-`D785_72ed8cgzvq*UuQn@
ztBfV_J`g?WKTaZ~FmCNkNO<~woOq*%BR`9!j2X=8cI-L3&kJb21tq{23W`f29$-0$
zmS?^M4h5+PfZ6{0C`C7bzy+N{HpFB1MT882z!3{i?)ev0fP(*B(kW$z!y%jHWEm&j
zi6X+4wzNey!fw2q^<V#*@8nO#I`iF$<ZOhu=`B`nMV^`*!{2C1z(>BYcrt-UOIB>p
zo+a=yCaaS-QMGADbE8_y{bcmOp~dOAf5$OgQmmUxh96=cT?2Z`tNWdmUSm!sKRYW*
zs8K^%E$$X}&<y>-)^P3_WpN6H?ztvt%vOK-3l{(`2j(LDu))O`w{8||t)5Rm%16QE
zNYlkOMR3T=%(-nZ)x$4AFj;STWqU24XY8*Yg{uFB=TR4q9*C|b=Ap=CV+U{H-^F0N
zxNkk)voOg!i;#LHNS@6!{!4vE$Q720+F;q}wOg%UGbtl(-Wd-0qE=TnWb%OP&%^jm
z7g|v==ki;n;N%=BBj5+E){?H2%1_Oz;&iQE|3$F@K1`LBP07r5Hummq!`N-E3IKTN
zl!|_xT;|)jd*hYGauD5H45xnHm%F+RMtsE&4<NQ*@m#rk^90BP+|Z?V@@l<Q<E}oq
zc@C|ccRF-L{sZA=ax}y17ztvB7j(F_@;v4&X1HyB1^GxeN>QdLJEZKdqt#gW*eCm@
zgE!b%VIU3Ncj((zKWWCf-mWmg(|^s_^z)=i3Kiv~OR;{8k%W)~D~tDrKZ8ea12*Yf
z@HrY~yl<d(kDVkRE{3BZusx2Ut`)y%p)}ZswQu;ZDGFUlpY$at)FW#>kAgV0o$&R^
zm{JM%_d%>*^64ai2IT6jjo^;JojH-V`~LjLae+}yNlMyS%Lre^?^okuCe!Tx?v0;R
z!2sH~7Tifwdcz2Q@1Ll{sZ!_%<2H!L{^vvqi02oS=Z4V$6^V{ErqxyB$624uM+x;7
z=1(7;0;&6bXe^scE#$t^y3x_sUMyS3%}UXJa%}<_{abQpwc`K4usKdkNLc0v(h~T!
zQ%Ei31NC#@K5{Zr&iG5@q2D1pweqt6CFy@+Vk929@&X6-_jSo0sG9#N`S|$!WX)RU
zkKAmR`mjQ0**r9uZB(S;#0)3BJjdT>eH|wxj2l%r#fZNqYtvgRb++#lkjc;bRf963
z-7bANdf+m(ayY@t6v)o{GjbhM9}qBvkoS?n6s^fp#P7$rHEyau>x^nHQY*n6a2}GD
zGT&(yEWl0F)YUx%rLJSBDhjLf=YehwQ(c4QEZ3~hgB6EvCPiT%%`8UFn=L;pv%Pe9
z`VH5;d%4@`I2aqyNdC_i6$m7!iLFUop?+{gfFG1q%*xTIx%@t-M`$(W$Wxk^g(*+p
z)5ZzEA;7*|V^l4dcUz()_1F37G@s(WOmh-%EeJ=3JV^CbZ03*7PgYZ-xu!e69o;qJ
ziOk?Fn--YGtCT)E_uNUb^S_9veG53XeSVCrqFGPq7^40zhN9$arjQRB$9v2+o}5y2
z>EGHmtN8b?o>`fc%<`yKl3J1vj{==X#ot;~in<5<PyUS$P<%=L#RGre_Ym=Kpp)W~
z=YK^Q>Usgx&A&tcze6I0Rb<qbtUW4qYUo%#DarFPdQ>boZ{((scbR=+6Lg+W$igDQ
z=$_t+=Tfo5Sj7ZB<KTH&qMA<+%=XO^BN}ph;FYst#hdxxlNleoCwNwET0%$3cf=(n
zvuiiD2X-T7Pk@BJcNtZ@%%sJ7-Q#dKdP239(P{Ffky`fE8+OOnH}-&0(JPQ1-=I93
zXJQ60)TD<G;EjbRsXaZ8#RFoYcCrR$Aib3?6qiO88tOtPk?^-cu2jFAe@9b{G8sn=
z@O>&`7J!PDL)5bA^1LqTd!z&Jl}^Jw8L3`NPiFz2o3~>E3qy@vNUGr?TL4sqh*lmK
zhO<xX_u41$%~zs_@*qcCrPJ6Wn}}_)50C+rC@J%-6HUe)cN;EfymKb*GmVlcv_-bf
zxW=P;03exgtGz#?Y3~H}mF>hEpqjK=(bUXJ?=3i~N@mV1e~wLX+B-U#heML5W1)w*
zT9TCt5%3TXY16RfZJQ|F%;-YrMyNU1@%m)S_o~XiZZ3ThqvlHSD4%&!kvZrDw`U?~
z=XYr6Cq2vRYen6khi{Mb38=mZTB)<~_vzPh`_McV&IK8p`coWzIo!(txQ@4!W=XX{
z-f8onYlM~a1ONieW7-#9?Ze8gfEEhV=IuHuI&-Z%v-<wWn;L~RnrG84P!tY)u+Y~l
z#dp1dT%i1P3Q$eImL6RFMVK#`W00?%O*_QJ9}Fb8(S&!1Bp{GOKA%*1Y4e6B4&p9|
zliH98_9I*aGK3!pJ9D2q-PgW8w}E_i`E+Z?73_7+_9ShTpmBIyG7UfezC7RS>r`w!
z{vw}qQloF;RZ1cgH7}3%uAql*_K8abG9j=3n)W`l8sCl>VnHa!{C?x^Kw8q5bF8AV
zcIWx~>Z{K9`?<jDjHs_2`Ua87+NO1o(@gIEbxO5{hYH_|C?04t>KF=KIJ@~`nCpg~
zPA|x8dEo@V&MiEj4)3$YmpffAhT6t;!e1@Y|6xtO7lAhnHrDSoFLNxAWA=MzN`aD~
zICoO{3Dr3s$_Stg=rp_b%Q(nJ{+7~sV!t22=ZLCcA-2Q76X#`Fft(^?OyKfohwSfp
ze~+Q=anOvSUpAb)xBTfH0OLq~d3-THa7y-3U1KL7ooL#rLzS>E3!n5K*!ZHjH?C3L
z461%b1xoj@1il8{SAF^}y!wsB0xS63P7dR{5gEab-%Ql_xE8~ga_4Pkav9l%Q`kL^
zW?DQ@7Ag$ppjNhJmjyql-Zo(9j;|8-_d9xB!Dr+#N+%O&{N|?7r35hHBnCl6YZ9vz
zQ>QSq{&CDVC?N{X`zrOzc#)mDU8FtgqBNFH^W;2#Dq4{`=l98YcOIb8eGo@0f@Z1d
zix&Wm<V;B!J$^7xbp&dC#xE3AD0?M3MH19_c%$yq>6r2&?k&33%DJo;GOSk%^$VKP
za*kwK$0Zz2dA#>X8~a{Ox;hcsbohnd<W`ho*{@m?in@*CU46gjGqsMy*IWt(!_e;(
z^uK1WD>znX?)SI|8;1vRI7SV--23%=Uz1~f(Kl(y{x5IbLRta1Iz}+nnyuCRENJba
z&BC8lYv6`pi)SZ55ct~Ga$>4@HdJjQb&|9|)~ea+>{_-QNCwg@em^S(g=hBS@i0f#
zl`zw{o_l&I`^+0V>*8>OnytwAp&p@gqW^xh20Z|Dr^N09A63Wdgr_@@;|`iabasGh
z^6yYJa-8Sle%EqhKGT1{qu93%TT4POPYg&rbt?A65iTs(;LOP|%eS6Tk@#KoC<<Gx
zV?fT1ACl~u$g!`kD8X8b+yRi*euZX}Lw@Ouqucx;DpCA@1N0OZAN8C7IWLk8*ssR6
z_luKZe2Ja?=wg=#@LC-MNK$$}k{vi+p!+6N7X_E<9*H;p2)lU)REBf`aHE%dAEVfi
zmZg6NyVwUge9z64#nI1%2C6uqz;i=izV*bd{<E|0EdF+hPdsbIsQYLLv3&53;hPKC
z*c7)q;-Vb@0wG%l#-eB#Uu_9njC^A-C`+y~25JeCsEy~`l&37cv)(IT-u<Ib9%#Ip
zijw2pkr8kNFnh+`iT8FUp$?k3M3hdA^IY_hq#7Ko03mfS0%Rn8s66V59}0<8l@8~t
zElw?dCuE#L#VzZ@ixldUwDA6W+@eY-S#wTC@t**#Rc(qVYdJ4!aSwQ5hj4dvzS>t0
zRYcb!FUW073Y)6GMh9GZnk+(&Yw=*a&|%qjrkn^hh!LUgm`4;mnT-7kG>j-R9JP?i
z{Xwd>J*xiF9l6uqYBxMCz*Lq+FFKdJa^iW$`lMLH{MI!sVaO2NVr}k(MnqnBZp+)Y
zUB0rL7+$4EK6BO2|6nW@>;sG-IM}!Cu>4C<?ZBKg(SaRYp)*n5Utz2$6=U?{ObH9r
zcjTJfIjPsOv>wq4o>!iMx!WOzAdX%Zi%U?dZH-s_?LzdT0e<w^d4_%7g^5hCIxc#*
zIfB+n<rF7X`@N`qI9ka<a@6h9+F85XuTak+?M3?}O8OgnO^=sVerW<O45(7yraRYK
zjC-g+V<E^{NfmqjHS+?wY>sN^_80H-+QLxba>?`f>X|Abb*eSDFvvfzpPy8oxi4Gl
zUX|smXjkJeA!dU4krNRObfp_CmOy>8lgeOlGVFD`vv&UE1JN4QkzHNwP&o+bfc}#E
zdT_{K{4de<^D4}SGT7#R=#NLVF;)aNkVhQx2Sfu^E^M>t@<bx$oU^R&bEh|C3y<_n
zBpcZJtkvruCs5u;ZU8RLmgkc7&f4d1S|HRcSC0_uMwsnWu3Ej81&+@HJXN*^lIi|e
zn|7J9ZW)K)Y}e4@HTDDX@)9{Kgvth`)EAl7l>bW^PE<P_=KOR~Tp-e{pnK+|a(C`i
zoD4ML*Up}dy|BEPk1KMP;Js7F(LvLZjaye>{HDcFLd2-h&(U-YQlG$o2{3AQud<+w
zcnQrd@fV)=i`Y)Q9LHyL>$LiJcSc1Uwh7QYrl(WVSiLax*)U3122n@*&YxuZFuJe%
zn7Q<N91fqji1xkuCio)Q1G@aul{7lPJb@d}nM|zKA(^h<k<5J4`Nf-b4d!E<ZhK!^
zx(2{)KBJxX=1P`b<G_rsVua^gb&rzgk-~scboV*!%Cj1u-0$?U&+F3c*-~@h(sqzq
zdTsym^3^kAtj9A-Ah5c1Gnd26UT>ZNVF6YEUjXf_8)0)MrAr@>RwKIsP|u1gjugtR
zwzXVJCokl~f=&RMG3U~KA&#eNCwYJtA>~d79p;!4Ay&X|-yU(fH$PiT44bUQQUIP0
z!+>2o+C`E|Ex#we&9c3h4>GB$toC<H`o~btXh=27ZCHICzznM?g7~}jtFO_~UltVf
zdgFGi(D`=HA}<z{pPIX*U*g-g;{cF=Q19eQS`p7);kDO9?R#WmO=b$IHWvz?JbFUI
z(!a&Get!e+wx#g~=Ss=kb@GA!E1*-OQpz2lThEfJKfYvz{CxI8=w3d4Jv4#eEX*iH
zAWh1>?@6E2GovQTuzt5ECB<AwK8(yQujdT@JeN-B>+hag`z2r!TO0(89nZ81m%CF&
zm;s{U$h5+9v0@dQKb`~Ioy}amN>P_GHB%&RWqC}}pHhD}bCVZ08hMoHxfqN}fgPmB
z5AC2T<w-M^2GtGJ6i*Ss9g|-Yk0r&It^M4S{CSl3PO$*c!c^R7lpCTF_R$z<s&Vo^
z69mw6dR{w@UMabKJfjQypM!htSPF;!hjEV$9;g5IMCeqkuB9QV=wKk99Obz$Wd8!S
zIf%WZNH$U%*aBb?uFbL?GtCN0g6WFapGgd(;WniGcDiLoly~&l{wPW#c3Z?#$M`3G
ztNSlEkNy4HkpuQWG($IGbq~5fVfTws@$_M7;f7IFDwT`84o2d%J}>V#OCBdEIZ@%8
zhWGwZty+*Y+z$;dVdi&K%r6d;Q~}Too&yexiy50YC6PVH=|KY6yjw~(QEe-C#H=&#
z$knB(o%xSbr(<<h*c;~i%Yr2Rdpsw0yS_cV0;HXav3DLV#;cq4m8f<gC+sP>)USZs
zmPHWvgC71LL!AI@maTUzLks!(#mr2#dquhxcDe?I998ybF{}@-k*7<RUPIwYu8D-{
zvS)0Swvat$B8wZ{k)y=@jAjk0;|gS+$_+gwh-L?)?{gkD{)(d`%&X-gp_2m`AJOQF
zQ@SORik__CSgb3-IaBZ~cu9*&Wb!!0E9^>`P+1vJ2<9sSDOnX*hs7E70xh6;8+~R-
zf!xMSziN~MN$h-*4)OAIj;iuV*J<Q%GK_=-V1;!&r%*>lmG}XzE{Opx6ierThv;zg
z&UeYYjMdaCyp5|D^vSa4Kvl+GzEZG_H}on?8{hjF7LwrU1<Mtc<sLwZwUW%8pEGN%
zUz>xb1IscygZKf>H`40yUJ3?)f|USs#}ak;QE>ur$5Di>)HltC1K&~IB1Kyh5Fa<*
zYcL020>_TaAn;LEvouzgqa1lDkc?)@=R!b9aJ)E0T&3YPWB;U|^$xl3$uq;(_P<7W
zuSTgt+-Kuo5};UA#u1`{{1B|R*cVf~Yv-O*KK0;rr$x(5%-+32mEM0c&coBp@=8f7
zv)-{&2=^2ltIfLtUWdqGM@&}ba0m_@MAimjRkLBazHN*`HFit~%5TgzLc|5L4d93J
zuNqJ!H1HI}<pmo_sCP<CJ{fEMYnuz|>(_3KvJADK$=%Mvjk3luJhye%sWIk=j}+Pp
zKM1cD5$#CdD#u3x4W8bkl+PZzYxq3LVP1%~OZKHb^<2U@C7lMBJ--4VyYm(s_;UgE
z&I`3>j2%DFS1Fmd<yc@gq-Krjj>(+~u7g57Sg-j^XSsoHmO+acb;nBDmR0*zz8MMW
z>Xj5%l~}d>ie~x~;4Cbq$bC-8B8qPgM}bOc!?Km4QJlu=Zi(!llYJGjHtzJ5#_yH-
zA1n&}(!KLiS)$Q{(PcH?G-10c#Cv8`T#q*DPYNCyzl~iusnWR^Jw&%_mLzXe3%G5h
zKCI1Ah7U_B$<@g%I4m-Qe_Xr87-Oz3dwPqjiF8(p9QF_V#ymv(!#wkwYtx9TRhqDh
zJ4T0R!!bK}Vb_htlNRf}yIwzrh4+=DZ|-nCE9nAob)P}XVS>c#iRTYDT=2W}?N+-H
z!@KiG=Xce#-LwRe%Fh<!q<jP!Ee%~yQf$B5lYZHap7Cl<s7l4LOS-T42t9{sop1$C
z4c`TDpMEdk4!z2DcQe{GYt2`2rg9kEqO&rV>7wIN^MXI3G9!AxypCH&wZU7%<E5OA
z8K-ghfltaw0<dMh&V>Hh!@`YxyfLYd3LcWNTH;2t3;<traKX>0pOWBb2D-(B+;IOo
z?-wOC^@$8Am*h^x={iz=0`gw%c}E_f1#fQc{&YGE{y`D`ri;?yDHmas1im#K4GEa}
z;d<|GIO8iK#8cn*Awv$aqjl|NI3!5|NiuBfh}aii;wExGlm8?yCD8XS+<xF^OR3d>
zRdVZsm&apb^it+9K2IM;Siygu6I*zp1uThrasN=ViCp`E#%*n{2+n}S`lMqc?<Wc#
z4u>P=`f;~5-+&~nEe(A@+TCh)(%~IfY4BrcrY)dy7-&eK2Pt2VKySw-M8WM18q$Y1
z+van>dtN%YI%U8D%2&HBD?{*@onPgZri_po+PLIBAIXs|#2yO<*!=hS{LN#c?742t
z6uCc-BI$3uVdjyI)V$v~N&56e>{|Gk>fJ8Jn7}HPt0zF0p7!~=T|4wki4K8LpY;2%
z@jjg32-*^ZysY;N-)7{6*GXL@ZP2xUT3OhwYPU6FIM7S6T{;Se7sSoaAv)yZPliJj
z9>u?yH)+4M_|_s`tAcv;RAMVLMK2FtayS7<518Ncdi6z%FP=fP|1DNGE4ntGr5bhH
zF1i)=<|W`XpK}r{-Ra-6#R;8x8fa6n?@pV)88THV6o~|$eK$XK0G%$-MkqyFrR3nR
z&QQ<y<ZIE!Y!_0p;*P5@T3t7S1*$t5ZX<jZ&rfZXaDZ=m$p1shO#h{wL+l4*_@VqK
z_C`bm@e}h=n1}~&G|~e^GkBW^5|DCu$N>xD&`X?z^~5@v&+n|Teik_T8W#bvQaY$u
zr+Kx}Fz`t>V;FXhWGqgo5@XaTK*$k|9wpI=AUuXHQ1o62!f88CmSM%6jJ0}{U@V_~
z-czZ#031733zb0c|Fgw$iKTkwvnOqJvI{$qRQCa2DSwp%fRs1nTR=l|EoN-m+;vS^
z^^&H>M5|8Gk$amVM{90;2#a&zw*AGA3Dq)PkQD$CkB9>QH?f*{Xv#<Xj@s|@oXC+`
z`4jf9^VUMf;oU-!@>*wFPf{NkIlUgGJ=M9z@o00ZTIg{4xkT&q=QD0GOOuSLjffvV
z-y50UuQtONJ)fa5ep*%}69lgV5i0}(&u*i*;9(Mk?Q5-{^dZkH$mw|HFptjcJPO}Q
z1z5|%qL)t|?=gGtcgTet;tksF2YS6%e3hi+IYDU4CysNZm(LkxH&I4>y!UP#KU#QR
zAK8QsZ?j%Fc#@A}8)y=ZpL2Ud7<IEjSopvK^E<kBl8}iTW1^7EV^Q>1LazK|(PK|I
zy)JT2$QCeErbV7@)ble>UT^|Dku1p=x|k6USXgsyAb^{6>KVb;_2^*(dGlFq4)AiH
z9Npa-<#^RMRYkZybYSwiJrlss(!dz$&$MLSEar<R`CZ*nw3%v))jE6q4l1WB=S$a{
zqKqM&#t!MmR*aSbB}L7%-HEAMFGfqU=i*@z&UXyw{^dzDz~7G*Bk?1CZ-Q3@5L;MD
zDL(z*_upY~*C`d3`}N$Lclm)fc613b&z-cM2t$-!P(~@gsFS0^4|FW80eqO^7KeTm
z{6$pZz?&a<z>wE2)PMEbXyNt+)Oo2(t=%-lS=95bs6xUiDxNIL7*#uzmVa5vI7K*L
zaE@h)8eYN`2xMSVA`xeL_c0y#4I~?b@#uV$Zxs0ixyUJUku}1jGaq<eNeVtjdh0|!
zsYMLVf?REn!oFEK_l3>iFgKkedq}lcP6)G`THbpJU>yJIf`;%y0B4<aSM=1}i4&y!
zO9`jdo9c?#z5r_f2~Zr{pp^gzV|ai?D_)5{gSx|3>RSfWo1eKB)grD|MCo&pLs2c=
zV(J#mJ|beQdvCI4z5P$iPI^`m>LNM7n@BbqF<se<(Q%O-dYPQsDQ!{<1^|EDdjV@1
zn^JI@gu*+g`Z>Mj%?exy$f#PqwAD?0SbxWBOGPLE^Q7_b*4SYIT9O#=^J~_b8grk}
z0`#!fou9xB&U0$0BfaHmRQU@)62sBlB)D`))f4dGDf8;%(9|{bijdd|P+jkI#T=bn
z9Z(wd<?3H!SnUJ|0|DGNzi@NL0X$~a7t48txOnS5pXHRql)+M{!}*T&{h1ZFTNGbb
zew$VgO<(ELuVPw+H}&!Figy3OaVtu#9GA=p{59~7^^SYLl>6o|Ff@X?hlf|YKWflR
z?euXt;PYSOhx?d)IsSjr^q<EamtZmXAlT(Rq=V(9V=O-k`LTQujC4Aobdn{yMpp9J
zk8^)<Q;$wtpUR1z!M?7sR=b4%4xK-}e4Y6#DH~>T><G28?{s66g+uTEVVD9n_0{Af
z;&S6#)}6OFL$RgyAylDrKV^h?-l0n2Dq5&JW{0J-TGUyFYNg>USm&~<s8HyHJD5+v
zH*fks*hoP5rFJ)!Z@B_Z1}QmY$HoC|LHGzxo`l&^AX-rw0=%5y|6tH~;T7`ad#Y2}
zVQVbQpZH1Jq-A-h8V}Mt9aSN6a?y@Nim0(jdb7X0Yn#Q4vA>7+i?Y>`w8SvSfpCwQ
zmdAEl8X5Gt^M^Z1Z7m;8QoaG4INq_DUV~AzV&^+7EDE=_+^lnr=BC>dgd&+c>?Ndl
z#vUUr#+&huM(f2kw~;XI#}I6J(j&>V_R+`5r$~>%rvL*`>%R=ZGa;j+I_lB={`9TF
zBS1I{zTcg5K+=M}R0rxz0LW?YC5NGwDpqhIB?aWt%!%{4bq_Cr+h}$gC_P!vwr*{d
z&HJ-Y`g-5uxM|cZ<g6Lx82$dtKl>P!LHScW`ab?Ua%^W<0}DJd{pE6Z#!klsR(Dng
zRql7h?1ssPggZ661`$OQqL7va?BI|8)7XE=b*EQtSy?v>ur|Gb(D4WotEnego5|j(
zE(wisxoymJQX=QICtu828n6h+h;{!g<!RRY!g$I9u+>y{QZhZe`J9VJbmg@-{Q00L
zp!!@tKg3rtW%X;hvdRh2l2iMV$D~t5k=RL36DOx4p>U$9QWux2U|%;kQxFhoQ~>@P
zBs4nYPAg{l!PG6)zt_ZPq&v|M9|yvx2O!T-L{jp1Ea`_@Jk|uSD~<z*(iK5TD}CCC
zJ^|xL3<)w0dU<L!nn&Xj_>*iT&^A=$>_7??g{*JGxfLF&)6YC+rsT?%b@bYf$-?b_
znQ)N1OE(7A-~d|}t34tD$pj+1!DkE}|9c2*tkO;$C?+b>i2#l-;H)$HY<)Pu_SEFE
zxAv<o+K*%f6Br_PPoW*g%7yhHh290WLB>z9*Ntax|M>7ldPW2o(bM-o?NETYq<mD?
z;~stCEI`Z<p+Gqmv&giI!|Mt9?qEuST<s?^+-vX1R!4{3U5fk&R`3#*@D7V__-xUo
z{qolB$mic*-qIAjoz*E9)cme5Z7@cicToG>#{su&?Q{9`#tqcWUkcB^1)aF~?R4S1
z=m{t5JfE+A1HPgx))%lkIJ?|EpUFi7n>FX%wN(=7xwLDyp;zu++3=VpYUQ2{j#Jj;
z47c*Bq<n+%=#I=-@XeNXq_A2{t5`H9%C4X3(tOc$fMPl-WLZWf3`}{sx*~zG`IpNm
z15t6YK%38rp_|79{{y2MNA~#1$|7unAG67iWn71tPVQ9Dbn@nTjZ2p;?684gu~9c}
z;N+~)jy;)*eqm?NvW$uE^3VnyFMvn6{-pP4)H$Prq^Ns|0g9<Vp*N~@qU;x=c+94W
zVMtk<2>px56}t$YXgiDKQ{2kFryK+q-#GsA5G|SIo#Y?>knqM?G3Iawsv0u^O#&}Y
z?mUkN7bXX}9X4t#>}#lqLX13@c#z(P(3rc^C#tHx;U0j*+Jjdtn67cFggc!Q+7?H=
zV*+XFMQhsMNcE~+#SSuoqV$G`kb7ZK?yVT}<OsW`nCG_0ub&e?IxE{+t&P{qlq$qf
zoSD?`rkVZaAsT4Wr_;{4aF1p&989PaXz8k2zq`OmQpjUuyEhxo#ZkFuY0~zwwt@Qg
z7hZOXRpbAKm|9qwSCfv!SrsW0RbJW%Mj2aXP<}ikX@97IyP{!k|2z)-V|!?QjIzLa
zbHPdG(l2*YjLd>=ooR0Cy}Qu?ZA1sp`h=}Sd4n|I_KE;S5(6_6NNJ{*-H|s4&vuK#
zP3Au@`UiuSx6tV}CS#ueFt9>BHO18b#qVqHb(J!3NLvY#*1b9j=$gI+==>G^5$u`>
z@oGVt=A0)DEi;8Lk`q1>#r}tG;<FXQ%$e)L$x{28#a`t6y>|vJd2~667b+%Yk7vzo
z<tR&UxqB?I>bARH=UL#c-ot$m|3=Fsuv$58=U-aPiIxQ31x57*LPOd1ABxnnc9pJ9
za7J(|nU2_%IcK&l_)RRV7P|qcR9sS3bE<}B-O@IQCA(a`mOUHX*8+M;%m;nkHIow*
z8=7;Bn0~W_W3Qa?!Anu}<t<@-VZrJn$V<dpSp-HDy*_EtJ?W#erT3~~RUk?wKHm#N
z`|(GB;s6U1PqyWwJScEjDBLBN88NpP!kyW{sJ=#;T2e}dC5l9HoFzjSA2~O?g%Q+s
zKZ&2!7KhEatox0s_Pp#?8F!1fQG3^-#H$<%ZHF@mc3ur_+2BBQK!O-sln)UD553~B
z5oY7k?E5%X3JT38`UTxxv(kQQ1)~x3Ha<((E3weYFoERl)C#d(0X%6+iW$^#SbJ5k
z=r4uXw%*&_xc;D?x?o(6Z+s@Hd00>+0z4Xe#2rY+NkGcDl@or@iqS@VEB^v~s4gV{
z-GztDNbmJMxJ~YH&#7VUEIod+MRW23lY2vOGu0ZGK|AMF0<mb(mNivn19m4#>&kR$
zRncC=uD8plTE?G~57V9B?n=LqLSPiet|#$LzPIQR$FLP4_;9ixJS%tRTEgac8mrU~
z)h1{8zkXVr%FeGgwXdGm6I{jh_ihcV&^WjV({Tfu(j+~wZ{Mi}>N^>^YXdJz`v9I{
z=jv2g7tkguw66-LOawtTv$y@|#(0p)2hHYwEwk#Z!VFi9C>D4sD8APSeggl{?=;SH
zJ#uyE4CfG=Yq1}7|G6YNevqH!(RY|nMHchwjuMU|VWjc;L2YkW6KuMhYT9PKReO0f
z#^C=r;x6>>wZIZrlOKQB>lJo9$Np{$g#ir@?6EgSeL@LA?Ya)uSC$UsQ_Pn_?$RW~
z4$=sRi-KZ{)obwb0#xR^B&3XUU*_228g5|MrpHdk?6m*2)6&E3&$0Rkh|bD6ndIsM
zj>HQPnQT|=?2%c?c+UcXG~rG}j4Y=pg}QJw&Ci-RKiryJ8bor4p&X}$o!fI$xs}Bb
zv5edp0nu2IA;(k8+W|orKw##HCh$!CYEI7m`m_W&w`HPrNW~_niHL3EU0`p5g*F{l
zDLpoaxJ>*jVt(kaRP${Kc_E>Q5yZrk2oRcMl4TgE*hD5p<T^A&2}en4HF`C~T-xj-
z8SHh?9CcgLUb17Kif%KPKd2q5HHyTE_q%<^S<+y8f&vuRd_0F?vG;%UvwAQzo6FN%
zSM@ls&@%g93ry1H)9`U-WxgWwb(&ydSM)&fbECO@89%pVWtyVLdqs!(MmwXjRM`9W
zk1DPSewCASn`4g#Uq3@7e!R(?<?X~oZr}@WI>((neuw!Q)TTD(bem^{lRiiPVv(3y
z*3rGbz4y2`318Y3jb#`ViIJplDhX@5LqQf|v?1nIm-F({*mR5z_8zTzt;%DfCPj!Y
zv!8LZPU=YrgV>VqGWn`wJ~hh+>Qyx(kGBgY#2&h~ZGmKj5JAhr>Ni;^%5Hf~xa3>U
zIQV(3-8`C9-l+WNqwt%Gs3>ruX@4U~fiwQDB05Cav0l!@Xr+8BhgfB3pjF%Q3cWP>
z&~;9PTrSDdu_Y>`#aDcNOt%Q=A&o^#=-g}fdd?qxZgDF1wq<9F;GtFg>hFzG-Vku@
zw5eaAX2!vSI=8$(f8jI}$eJ_t98Q9kkqc=MFBi*iVv5szhWW(vYQgIJEd5{;UE%k+
zly?VrRX>ic&C7jD$Y~AcI!dvXSPEhp8t`0oTaqZ6d?(=%XGn5R-AUEfRJ|Ka`dJp_
z6E=IcSx8Sa^hI-&mU2mxSkq>o6t*mj-)Nm~PrK|Zvh%tDB)ITNOK}z#N#TR{YQ1py
zZjDDRvPZ?o$>@2@kevf&!04TXn6AOs>O)gGkLrCHkl8hM79WOrO(G?QnMHp5kt@HC
z&n=<VP@h~X5E!7^p@JaMfXBMO@ty1b&yZ11Yvt`v`s-3>ajaaM`W}W&dlzSF?pKB4
zC%<Yha6oZqO6=5~NMG_fLVeCCO!8W+DVxvlqt8qt`3nJ#5uqkyQoGZ&VlaYD|GJnP
z3ws~r<`;JDwExC0`V~2`yjKY{r;U)h7tSlgwB*LjqkM>)kay?#I&_;+gU#|ww@TD^
zmM>eh9}JK&)D|qdTS4LR32j9a<{;G56t#qYx>lYwPB*b7o6e%6(VLj(p;a+qFPR%}
z81eFP<)E~5K##LiRaGD9Mf#jQgQLSXr-UYnyeA0XK;YV84)Z;GNn9z6V<&?Q?Y+_k
zQm|tqgUh#~gJ+w<XXB*HNJ0qmq$7oIVdF{$oRozM4Tb-q(QZ0!oo>=d=Hjr`LTVSz
zEmmKsS<dJnkK}`BBv#_RpB)WjoC^))`Sb+05c6KcwR`_8Z{ejCWlLVvzLV1-zMot%
znf@(t{~SJ2Ls>{bklSL57&8dZ5b^ex{DI91ogylJA_?t@%y9E2D^wH>?L3S%6+wSj
z4)}oY4@wppjdLSyh2xmlW=dlUDr-Ar4gy!qnJubn1t787m5W}Wassz#ctqd&r8eFX
zuH8ranN|;LI!#OyblaVfJp*n$q*uurp|p-UBQnZ^-D8CrpZQucbfYn1(s_|b?OQxP
z<GWfxwPw^5%})*Y#%=Tu_HGcoZXcC0#MA)-?mdG2dBnBd+45DEYD{k}wagj4X1N)x
zEn!b5fy1I+u2y^lw^Zp`viH<U2T*aNzFAG0l^`aFA=`(HJG)68^Ip^2cN!vait}dt
zzjX@WXr=H1Y?oZHL>s|>J%w9&&>}?YlZawHx3}M6iVRGtnA71}!C?tqVeTqtMe_L_
zH7R_M#tx_a^Qw{QC|+hR3lVMQ!?}}F&4bIy$P%GZnZQQs7Y6bQ2j(qJxR$$=Y=sU(
z60ahjp~el3Iehp<JrR%6J5Ac<CT}7%?C^%$9cwIwd3QCNw{L4m4u5u<A9=pwgvn?r
z6=7HsewmI4UZXVrFo>2WSK1h5D#REI0!qli+z;gUps;;5(3rFEYMI_Fxf@9yKg;RE
zp#f69yngk=iuj`XuA!P2;|ni{2~w?l$xY|9j>E3E25zdt)`+8h@5vEKkA*-iYxlax
zkNBlr{TCq!0g6$FVMeuiAbIa1E~VG!jmBhj>eCMU_aAE@l@~g@K2-bF;Rgg8J?G_8
zYwbU)r46>}+)^IgrW=@ORN%8zt~b}+=}G30#|V-hd;)d}jJ{Mn%6iX6T(!)*LOK1T
zgX^Kc%OTC)BeVVe%UY`Pu_Jn;?$*r9wLlw_5w+pk#}?Q&r;@^~p%;Q$&9dt~tByuw
zO5^xf@ZuTlBvn_>+#TCP8#b^Xpw%VabwvOQ;9&>0C19f2o-QZk|9F@tNoCWS#`ns)
zR?vtN#Rxaa&8CeAkTSoPmio)8^%FU*S5EUob~sC`tiI}7F?1BuW$_LObq))HI-JCc
zgx1`4ELmnqO=Eb-P`K-ZiqW@BYbQEOmW?Q&*R8Ng83NWAP7lg)NEAybUZ|bXVyu>j
z<Pd$v&;>uMJ~+y6gLwZElHT&zP1t6&_GxI-tJpW6#hNYbSe^JEN`~9v9nY_@v>4ol
z^}_;X%x4O7u3{g>&y85QzO~yrXqUOT_}N`QiACim%`X3T0!0Dm2XvRJH>t~Lv88sH
zk~wBtzXO&t%&o{=wcg0lbaK^&&#C530Ilp<IklX~tRs_b@AtHt3umaKjJzB<gAX5A
zHydc@=4R{1*a@9(xgiujXJ^%}A(&ylvRd10dxNFB$~9a}CF`gncui0+T(AA^dkX`|
z+*Zibmu`MH`T2&2%!!ks2vp!u6ffdT?8v1N7JEqR5kurCU+BPN88NCgJapWJ)Q(_W
z+mC8_QeKXJ+(S5zgnUNIt~0vYUe$?q8&^#N7n-AX4k(QuEU&ygZ#eJ)eIT6gT1Wj-
z3S9&Z9+XMqJ5$8~jWQO<ZQWsD0#VDJl|E+M??VC<hk#v2QI@u6`cJ`wyTg<eF(|;g
zSWV=LhV4l&9Ii}Sbywlf0D7VuD>TwL_kX+Jv<P8v!VSy>qM+#Ha27Bw)SSD@ZSvqO
zbsw|MTk+_vA9u}EY*(3Cf*a()n-z1~zm&}w$RCSJq5k(N`RA9-*&Jtua*?79=h41$
ztdjmOpZcGcDV<7;)ZrYh^J-S+;3A;%MO`2MJ=p*Jn6p~U2z48aLq$(DsR(F{=(9u=
z1fEZ@n7m6fxD#}<QGi3(GTAkB6pq4=Q#)c#R&|ap>c0%V(Q~fxd$aCz*St6Qm!A#{
zv}*Ki(*5N8I**n)o}Z8nml^~;>4v;Udcg4`GUCOOs`~xL(G^n{=PN+^BKN(!cSl*q
zb@RBQ)&j2qbkPeft&i^@82>SVVt}liQqILGeP)mrdCDaE5@BTLeQ{&!w0vk;P=wI9
zw^3P_%M4{PIl*9oZ81SZ#r<<zm|oXOPU|8wX5e+&-uuswOIFC^0LZep^`6nEL*Hc<
zemj}Ch>WM<Kn?gLw_yZ{eoAr5B*6%x&~4n^6|M!bJq^^r1C@8>lDFg54u-FvHcdCn
z-S`hC@IXLYwEaD__w)kv`{p_yxpcIKj5g5U-yzQpBcVwn0d4ZNZb-sh2*iFi<;~tj
z3pFPBT_`kaB&|hqHyRtA0(vOtZvi&x&%@!YvV2OkkoI<oujM<B^e|52@<C11s{8K3
zEYn;?`W#I~Wm2E^gXWPdmWpWy&O2%9MYTCqY!R<pR0B;pTAdD>W3Me-`m@V^8?eIY
z6BlhBb^nOvRW?;m6PomyM>(xvgkVV82r_JmZQb(Y8laxMJ=m>M`Y`8*@DwrjmsB3(
zR*3Vx0U1*QnT~Nks!~<fO<NH?7xB-Ury|n>{thN4D$?B|GS^U=0@+ziF#_3_8xiUt
z32GBTCz)57O2x@=@0@Mq{9nn1lG+G)bvPjo%T$Tccf)v19Bg_iA1#Hx@7%+|Iq7tE
zf8Jo?=JaDqQFs?XN3x#zsxAL`BxB#ygU946*5n-e6YY6BHVzr<ul!25?WgU->qSd&
z)m<Zw7Sjp|Pzrmx5p^NIFyng$Hr)?_@R5?mz@?M3%4dO-e*90E6zDAAf9>LxF+zp1
zuz4QV#1xe|Hy}Q_Qad*xQ%jnJgQ16Wx_iXjJ*kCoo<#!>t+Fn+hf1neL5#@N9H~<g
zw?sZj@|4VPuAdV)6@IxiAZY(m&QXA(cfxSAT#vI3*&zAzT6}A>J{$8W%3k?{40EHu
zS#Bf5K1Se=GfSwu^t8XW?dof1l^E|Wd3k;HxwYsC>sr^Jfl3J@LVgI2CW{7;YKa~4
z{Pg-e!RwzM!_L9Mto@Cm%%J&1R_o5YCQS9Yi_NCv&c#YGjT_L+5l_X0vmHz}7LSe!
z1f+jYLt%Wg>yC-(ES)$O4U#t>3HVUfrTI_^w7<c!Fc6F{R*q?PqetIK4hTYw$=gKs
z%&+Cy@kXhA25&yYI#3IfwfXd0lmGbNj>nQVF>Qc}Myn(wz^Ck4cA-_ude9Z&(MN<O
z9_2XK{y91As8TNP)fZ8=R>M_a3@oE)BQjR$`gaDX<+08dWCLkV)|p|&74`_Q^;mT1
zNm^#pSkv6s*WrJBN)*27C1C+=`t>}t?N!oar-MG~irf!&1P1BWI~K2TCA5kWg8g!>
zADKZaqt+7!MJc#@HDnp<a9gexOY?eezBlHyg>r?O<zWzxkH2!1faXBD69H|U4^$Y=
zQWr*;{m<Ft>doV10dA`)IQ$O_{*Qx?f<pTVw{iw6xAJMzdDGlRIzprOpOOWow}9b)
zEc|lxb1tl<$Ou;f4jbUAQ@{S3yZ`=?Vwmc;_4((=0(ONMVB>B7X{F@5bN@Go|MTY@
zn%^?$Pxh{{bQt*hY5$*p8^x{o{g$?WKCR6NEX@C!=bt6jc^)%RK(PFsx*`AV-`>v@
z6gI&De}|#a_BxgyzpuJ6F2L>d=Ne`Q9Atm4g56`c*6+)=R331K{kd|akEPk~%Xsb6
zakbm;%Leg(GsR>*6DU845b3c$*MliQ{CoFBlk2n*D>&F_HTi>z^E%n5EXcC6BKja%
z3rh(1c-#2z>SKy4c$I5CTdcPhjbLNd#X<X9sWhskh&3Fy%HO5bNdddP$m1Y-p{Lfp
z|8O)~HO?96GF!8BvUqW&r(#jCVkdLqI}Y_T3AIejoDlhYpRY%ZQhg)n3B%-8(LM6A
zWmhunNbU*%tY*1hfs@()KqSm%B?HE1Q=3g^h2@%vW$@j-x|iCNuJH?F6J73WwHXAJ
zuc2%9&TDNO)$_yWI{pr<{ouA*%=qhlo-N*FNt2_wnc1!$(0C8?LVdnnoTVDM|LXpa
zn_InREuBMHud!;U1=p>n_+)4gq>!-nv|jA>57-LBny@8q(trbEVJptK+8qJ<_^a_T
zFoW^?80-4EquKme^1)t9(a2tx#`+?b-F=uxxpuQ*u@k|5*Zyd;ig#jmzd8gVwjy=3
zD#paCUw|zN@i|hxO59rYxng4dfK3ms^~8&YahCDVsz<KBi~|!Icj6ZqWt<0_=8@74
z>z;EjkmE<y`^jn*0Uunkh3L+X{2Kctk4=`f1NcTPF9yp2-~FiPU|PenD&A>G6js*}
zsS^rjImDRz)nHO~3pG^t_rJR(8ob1P-FQAX7M{Z;v)qnN>?^JjeQIdyWw@S{@!o92
z@ifV0=LY6QvzSuBcIe*+rRXrrppAeUICUOQX0nSrkOr9-vZ2++z^X1dPwc71U|{%g
zFYjq|k}$5S9&Xe|&`NeWhekroybo7;%3VQXE<X&Vgm4+J5q2rpbu_(KKS#Mc&SzjF
zXV6RG*MOJkW8mKq84HrC-}O<92=TFI;^MabTn4qffzE2faIIes8Z5l9!VvQBf|N{w
z1(Azz!duDl?u*fgxRxYovpjMi-NILSL|k?)w0+!b+tR+m=ctB=s7iM9A#5QaM7bM|
z53X<aPMDZ*p?t9*#c=~}LgM-LiW#Mzt+e}}R!<kr*95(pvkwhWo}~Y@_7s!1UHBZN
zFer1&2d@~H=Kb#h^kqAqpV82@{%}1>z7q$VIk&asK&X;i_rSl{+tk}FG+<Befy?Of
zW5b`ZtTwQ5s<cW<yiyEysUX#q6M=kIXd6|s^3!(bmA8xL^xVp0B4(`tLE|vxdbtuz
zU-L7Yy}-2JZQX%A(P0Hl77z0tJKSwS#9)sgz>M&NXIq)c@Or6(PMd{2A<seSvX0p;
z9|-w?%*M#0YBhM0xbf_TWtW)AjH_$u{P&eJfo&hs?3UR;dI~WBj{OO_$GVd-g=}|@
z{vH+nNo8ixFfsq`E7*z|V=T6^AV}ay%DpG}YYA;gxiOCEjM%xSL<PZE7pq|f6he+v
z{{69CMZ^#f3Tqytx$D9N+9@l?57;UG%f2*QJDEX3q*d3g(KkIY*y^btVn+}0#9p(i
zwWu=&1yI_6eeZH2m!e2xl|a9w!eNo<(pj1Q>~bQfqLe6NF9Z5Du<?;jhRV}bRx6~k
zp(t<wP5Oz|3K{evxp!XvZA3{CRR>Jd*Tw>~w}(%aRBTK3#C60KK+LQVIN0F@WLH_E
zoIicM_URrAj!d4YrnHC33H!ZF|6I53f2Y87e(gp_>x$I_kYs=@DFbo^Q`?ZHd`U5{
zQ@bU`yfw!4FLks}I4i}h%Dw9UmvQD?Wdce67q31RG26$Xgx}Y(ROkl;)!+M%Wys&}
z|9_SPzIRFs9is1f?cI5KTWYfJca#HJv1{&5Pd{4N(wR}=26bLv$DBqWTX*2mqh2?p
z48ePzgC&-re8u;>q84hFMpbSgGsx)5&vGB$l^6!2y$Tx5nG5iWidj2Ekk@N5BD1!c
zhPO(KzZ9{Yuz@`s(TBm^t5a)??JIw_EHof%r#QOP9csJ94R)Tp(^JHV0Vk!v%6<l!
zeYv=@?#}4jS{^`>MR1xFiPA=NQB_$Ib>-^QWb4iC6=HJet8jNMqk1Jk%Jq--#e=Mb
z`f;M%%4I<S!8$Jkf>9f!zmL7#Y$qK^_X$%kTrBF=e{$ZVBr>3lLB2i>yp{H|Y-te)
zF*(Q(9U4|&gztC2S6yC?X+qB(!JG$*r#CMqR_?&IGJ@H~GwaQi-zdZ=PiQRQBNYWH
z>$;DlO;NNgj>vb8dVpNlWTK6@N*loz8ldPG(ANF9-W+(#D<6QR<ZvE8lk#^KN0M9-
z@mroBT}>oi$C9~fRp4xtwd;-filWA%ufcS%_`Fc>iFN-+!weSq*yw?ht=^3$+z7VB
z)(Dj^ZWI-6Ce(Z<Gz0^k@LW!Vco<&E^gfIiDJ9)lW`$nQBkzB*<7>Y<+EPuzd-R<u
zG@3nX!}RYML?t4W;G@Hup|R`bJsljA(3ElQP~xZ*Zj1%77qYs)Wfp~wMx;8K2t{4t
znt+!s4x-}@^$WhP&nA)P+MHg^@*_H`jZzUEw)z(wYc>jeq+Uz0tl2ChNQnLx{5_!w
zqxRY>&)#35(a9?!&$-X<Sh*@W!2?NSp=Py)xk*Q6+#j{nRqq|SKE#9yRE=9sk90+i
z9xa$9MjPG3HZ&B4s*`JN8qK60r%TlcT3|cya}{RELfyP5Y*pdMdAEF%`Md8obB2b9
zdpR~xvB^lc(jIguW{e<+>6H^c>T4zSF0(B<*$&Q@XQh($!{-BM9retl3dm`Gn{CSq
zn43r&Q{302%2^rLD+spCcb9_QS6>qKLbZ(GdR$|di6i`ERV#-)49oYg0gA+GRJkF{
zTx<Vy=3E88Ba_VI?>>UWZ<#S?-M<So7*wOk3R}c;&JN{YIFMb;G?8|ZN8?^Ev>sO(
z4q{{`UVD_mgauRdwcZ&l99%|65M{ZQKi68%VoP~BAdn1M&3r~w;<wwcX$xI^?x{K^
z2W@sXXY@(BQ51jxW>6>M$b84AC|)I{zA@YF+_&lillhJr>f7N6AGSh)gSX+;XLJ*@
z76>JWz4^ix89sZ=GcKH~=q#hpJ2P@M0+OnR!4@9(;%Rox5eD~`s3l^lTP$8(@gnAZ
z#;A@(IDMGq`lutksd}SDZHyNpXs!1!mU*{N`XZ*4G=j#K!z<lx`8cmBU|yYxt{F1R
zSc4Wa;x}D(Ui2jHYv(W%qjMH9Sps}}YI<--W$u=-w4OGx;e$BfHxXAEJs1?5_V0L0
zTcCz!)ot~{T2#jE8;{-o6Ohu{cF!E!*byk#%Igku4&rX^g<S)vVQZyQs?kcn%*7Uk
z5w#Q}CwQeyP|<*Mxt7M_WC=%}!At_Ho?99G@>j^HNTI4@^@jr*v=IHO<X*X@QKmVZ
zzpw_<+>dW3&9*DH^lr9fOJ$hr#F-{*KSDk5u)|iGWo2tfT4rpDd+r~`SV2VF9qpG#
zSTIw>Pi!nEsOZHICm0W=ZI<r}A}ge@=y<E#?56UV4Dg(<_&%JQXht=AzC~OB1;966
zpRjCLwi`N_geP4b4BiOZJyBjglH`y&X`=p_O>iB_f|+fCJ%f7*L$Yp{q$&>v+C55q
zR25f*3EqCQrXh;aPXaN|X$QD1to;)doHj1z7{<S)7*r&^6QHPLKZepkvMUasaeYZ_
zbx7tFkV`y+9X2;=bYz-cK8WDoA}y7zOt4TCJpQ#ko`IB`xNm<GKy0^V#TYj)8q}EL
zFM<*rIjzwSypblPn)V{k;IwLQSAR?^@0WuB&(|rVH(Hdk)yfpF^H#1G=2Z1}M}5m2
zhFK(Eup0nP1{Gn0bZeXlfik;8v%6otRR^cbILdFN?6{V%=5pNjL_JI_%+0%c@5q$=
zecq}i&LO*uzsgtRv%x6Yrzhwro5l086JY~(*^z;^sZawW?&M)XK0kN&8)kl1{|e*i
z@S&qe&V0|J+3hk0q@je&@YE*XUc(&GV!XT!w(t32_e0^$T|${{rfroSnin$Mg)KAH
zx#6%)n9RNHVMOd$SwyNJegN22h-Yg2NY{%k8RKPT`AP)gnNi1^p)EQ2o&;ST)_aEQ
zj${J+%Ca;BG{#u!xckZ{tYe~(3$4-oZFt=}WOFJ8z~j8VP@VNLRu}or#yz24qUrx>
z>dFJzOt-$<cBa?uHm%#zDmpDuidc%;Vy22oEopT@Z6z{_grc#;Hl44nBG%MaLM@e1
z1VQXcttqk9E<s8X6p`8zNh~*=e*Nxu{(j$c-uFD`ywCIge&;z)l`2hhyOCBgbKkMJ
zLZ4GgCvu&AfM0O80TM4X-uX&Oh3C7>lzak~QQ{ZV4n4QNeke>X4PkEA>avote5jox
zYo;hSvgY$Lkji?lM7d{tCUUr|+5ThQNlB^OURE0Rd`H(P21()%q?i<!NC#^<UQxcM
zZX~&!{XS0eUCuQxjHQ0Qul$vhb=`nJgCm;|LoZspbD7E=4+K>e-m>LouE?Qj8Le)0
zW$J@S6T}A^wx%@!3&-fKaX*J6+<u3Nh;Qj3`RLf;pdE)=6gwCyT;x4PST!h2O?Yt<
zK9-ld_9kzsa%9xPWhv+xu0`Y2E`Aiq^S_-KTsE4N?Uyx$H_~7Q&_y|mWI0Np=!Fb<
zP1HSBipCaP9`+-%nRfX^h+jrh5W?8giOt+W4yI?xLj@#Rrx+paojjRzVr`qsZ!-3K
zf+3IT64<q<j==FKr@i+E4#R$o&dl)wy9Nl{V4Acxut0Hk^+yx^J#tukBgeQ+5sofV
z%`bWJ8wP1|NyHPK2G=$p++Co(N*muQLGM9J)UK%Ap+5SH!nrRTstv0gFk!-BQ0yss
z2_<m_5^miiEY|O$WoDqda0uwx>BhjkP@id!qc14kbvEg888{9SHc32|Tm4oGkucR*
zyK(nU(*^mG0qPMEty7ddxGk%`{;Yek$eh?rD2G>s!<R=ygA7s}u~%dLS*&)hN0@q8
zGEh45ZqH>QuzokS7TNYJRxU_ag*on9caNWyYdw_eE>UUw?Q@M`uOG-Zj3r<yXC&c`
z<=B_=(n$o#`G<}PMTlT}^VDp2Zua@#G42Mp(~?@?2Oc#2^ETS4B<GgzRyQo_Kwd&Z
z&dxi`Y{Z=D1fRC;1rs5JUG-NhZII-6j+jzrkJU<_Z`^gKxUSllOqm{YtQbmcCDaA<
zF7EmjQ8`?*g~SJm#$##-Yqqwy$H@6o8#KyxlWdsiv17r(U6AK5$pGTCOQDAI^>;sP
zjd0cj@Ch++-;cZ}&2dpIksn-6@Vxey6>>R=6fEXwi6JBPe-EXq_{c1q7PAG9wgd=~
zWNi6o3M?cV3ODdz#4^b)^78KpYnS=BtIgbtY~!&a1d)v6r0s$|DTOqMLBAR0E>4#D
z!QW}68toe8I(9#aUe1S&L@l26Dh*zxaz>z*9EgncIDUJormH?;3UXFqD>Rh_S{rHX
zlsPJ9yVQI{)4&ksWYFqOD2=vc1ktTMvXdf=$SV6w$$CA0&CW4Vr|%h<MYI8qC3(Ab
zD_te5*B1R@M|J>-p2hmx6CrT{*q}B=Ro)L0Wzv7IyQU7QlI!m@P1rf*24eJ^615%s
zi1thBosu~0$h_3OhO#1?n{4gKxz{$oxEQ5@E3%V$b>#CEClNz{#=tDYv$o26&}9`m
zSE$j2dX#6?LLcEZIfEuFRk(SmlfT}g8+eo*rp|O}74n^Gki89s>4kFAw9FnDEf`B$
zyFBm~KV8dVt=|@@42R@|nrG1sHBJYbAe)-8c$?19?J5ZUL1K&>B^{c#Y{aFE<*&+)
z$6Px@)A~8Xds(qY>#VL{;8E4B&0OV!2rAmZ((Y1EFv3>|6OHrQ(^WEbQKFMC15}ez
zUX79V^!Qk2O8IbNjEg=Hr+43@fmq?f7)DUI`sIDQOpniOFPJyy6}1NG8Lhl%H9}Sp
zCUy&nfenThKG6luGbQM%^-wfCTWi4v*86QhFkCN#Go=2dD6ZV{P$sc>X`!Sb_^GK~
z9uRYyMll;rJ%A;gw`|!4C0oBli7@^;Qy{RF1llU|!`jE?bap%_j!>)R?+tZOlTFbq
zNx(USz-=8RE2a_-2gQKa!>mV`p2sN{v#lE>Ck9!=1kA7dE|&sNy@qJEd)irV>hahZ
zWBs#mTB@xf9d;1oZIGWpNA8}}4+vp<Vj!loSa4g>ghCa*C<>{a1KFYQOk~?D8PvuO
z5`2tGl5n(3%)2eF6HFZa3zQCHF)vdZCqX5JUz5qd%JdwR+D}v9Gv6EhyUU0U>;&E7
zxm=Pxf!yhkF%V>;0<$LYDn>4*Mq&k5y0p>Y#uIH5#jvAXTyf-N2FoY1#~bFi`z^O_
z7^N{)bL+fi-!W%Nht0-*=1qSv?AiT^caN~|Y2;I(<?WJ1Tf2pJs)qLp-l$s<m&02g
zBQl^gRncrx8lE&We(@e8I~yh-x(g01G@;OnKk{AfxQ^q$H2+2Zl-TO~nwVY@K-!6D
z@HM+%%-DBfEJH_3iBDyuaMyy*^#x4qnhaA1gr>s!)5w^up~e{AaFHng{6ewmCDLYO
zrHy0skhc2A3U74P+r<1qBM?d6z_qadUb$ZtJT&LrYLzyrk3j5)!_PUM4Te)URCEf;
z&x)Mc#_F2@nR81UJ)NsdKcE6yn^h`ALz_M38<j3$AvYk}KcC{X@ZZ(gcx1Qoz%Z=F
zT1xutQXMrF)vk?b3Uq{on=?GFU$knz8X1TvDW}_$?kqzauw``<`xo7Z>VP}T57?nU
z{&Cvu+bk(K(RPDoyApwpu3l1p#ul;<=~zF)pyFanweypxamXWU*Dch-&8!nGZKq@d
zQkM%qJ0Ye{)$Yx2rBQcS7fP&bqei<cn`LxHLafkaP7rb(TV_8}o=kyoL(@eMtrZSa
zFDK4MM5l>x`6KjEjGDq_y13Ca+-NS-ds!NqE4SbOzM(KNFL<Y$*_BG|2rfWOk~rbE
zoam^W`;>si1GzHsfz5$FSqTw&2_}Chu@P*gGXS=nff%LBcU3vyS2j)}9Xgk9Rqd}w
z>hrdAb%nM4yDLjQeE%}aI0LUQ)TQ_{!h2t8ZG>D4rXQ8p{}<<CvRiSB#Vbna{TLbj
zT^aDP6(g;gKs977bdbtN!o*F&jE)PgQ37OiNRydcEfz4*FF;1Ei3)TxKvo__04A{N
z?L;-tcP~&3fcgxsPIwEpO~z|$L}+pi1apcHu<c2vWI4%Gd%GU?Ui+aSA^b$_Ui^4E
zJiLkX38diXi{CfytC8L|@9;Dan4Ny-_Go}u>#<&#kbi`i5W409&sNg&p~vyMI&K_o
z!9S4;`{?!)6Dio8(};7}-xZ(;;vg-}J;lKw<3aC47XjCMwAZ=7Sf<L-Z$hr<P116G
zz$;FMBnEYMPq#eS_~3h=pT$7Od%_a-5p-TA`i;&~#81)}lz#_a2<%7XrT!#w0Ug~!
zkdCX{YrJ3GK5%DiPINpUpnFqGe3yf%j!kAWYTkZ61s9!Sj+jir2*fz>*z}iZ0JK;<
zCu74DtyiK$H(u98HV6NsJ<e!rNspJ{<bTm<*I4PR0(Y^32toSrJdhly+EFYDW3dMM
z!uh7-9VI-R+ZhE>{o0q(eDM*H_pvP>G9j;b5nP?jH&9~@!vkM+YyPlu@XcUz6nmlL
zkV1^E)Ro7%sbVm_tTGE=t<kuKo1f0`7uNUg*L0`wInf&NmmvEE4i@6*uC!$>tYXw0
z4~VOgk4s|Sjz@X@81h-7VNL`-6Ovoj8+P;SMQvj2c2d;0(3j`7{^X37d+LnM&@^)H
z|3N{SII$(r-qu1dowR*dO1Y0t`V>v$s)jL63#Ju$$1$0gV}ET^%=}b+?>pG^eysPZ
z`#LtS8IC7ybgJcse@12;1-EN7xie3Ts{=*HWX0vq92ey~Y>>snzY(4p6|pP-S2Tmf
z9&_dcD>CE#4dv#{`5W6o<X(9S447-+P6}BMn(r!9(2~XNsl3uupWS#B!kr1rJN@--
zzR4e1*<zf#`mh_^)aT0H2&tXby^yD!0s0a?KNrpz>PoQO54jBcm-CQ&(&R*Jx0p=%
zZn<{~E(OrX@)+P#<mw_pR%8r#V?#l_uezz4H7A-G>hK4woe7#_x91meCXEND9SL8N
zEdKjqQH#{-FW%`*$N}1EkEHHZ%K(LCSOy}qg=6?2?D~{OgxbVpQ-!zB(K&+5=b-f0
zn%&Feb)UoJzZ>?Pe;m_Y@>n@`-<zumR-h+w2ny|6lj40t!i{`szvD`X7>Gs<!(|9y
zVh3{fz#Q>jZwJ^DkaU&>K}}H^g#iQ@tpz*;8DNyn;tb=T#V$hH#lKtTtPL9m@4wv3
zn}J?(dk4T~1q)ci?UGV?Ypuh6aw4qKYGM5fR;hbHy8rwUC4^bZ1r@2|h_<5bC@J+x
zyC~yytBB3%&U`;yZTl&zd7EO3Q*j#pj-tc&$A6zJ4iPcBt{cRhweM>M%ndBKqD;c!
z(Ij!=tQuK46BIk9v)zupg(vY&I<F?8)jkhKD%#ts0aJm$BEpJHxTj==dXCxV2Rax}
z3!W2fQzX6vlM=55Q8D1{-|*X_7_zWA48Bp*z}aSG1E)5O=KC=jud|b)+omGmNew%D
zrrJq6o4i{?XBs@sUf=!gQp*vjmy&f)uuq$d4zWT}T#o!r7HjLdnt~n`zG(Es-gCib
zzJ4}j|4ZNeVPy>+2zmWYgD{``Bne@>-Zq8-Y$f%qD};|K$*W3ArHB`V7E^L^kzh$=
z6Cy%!T+wX~^s4uJ*h_5umbu*oo*T&26fD*PGcOG={6NTYvj1G)>cZ%Wo#zI@sKQ7%
zGqpWh=4SR?4*nz%V*Dfo`a}|4sb*ta&-x!ynRSGsD)`9wixu09<Onb|11!sT;Q6+%
zBuHk@3tB!0{g;xHxhk$AP^!z-<H!Nry1AMSvtLT*eNRMvSZQH0vLbCJ^7Qc0+y2!Q
zJ^83r;;p$u&IK1B7M|DVT9pkw0%3(VIscA5c?F<wJyp@dpU|-cez08xw!<~wF$Y+e
p4f6b&wDX5dED8UYRZ(3#(FZi1E`l$D&A$2(Y;Jo4fBoT~{{b{i&8q+a

literal 0
HcmV?d00001

diff --git a/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png b/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
new file mode 100644
index 0000000000000000000000000000000000000000..1aa720631163248b51b4c558ec0baa8a0e0da715
GIT binary patch
literal 43656
zcmd43cT`jB*Di`%x2QA~6_64;x&=Z}I%KO`QE4JdC!q*P?<Cadrl|<%MhG1h1(6Oy
z5(tSBAwnohhd?l3KnN*xNFX^2*}rqYGwvAok2}sd-(kQYS*(@yzH`m;%sHRQ<6CA%
zV*8Hn6A}^<yK()m+d@LZU?HL3WcKU^j(}bU*8{(H1m8BgEL71YHv_!c<#EaMl8{h!
zs>p`(@4)-L0oQGVg@g`<Z2jz@x`PnF!Gj@JZ9**l-9zBcL2g1uL2hn-!T0?`pm+BG
zmy`%@{B`LL0y?+JMxUlTgVwr`&$Ma>aP8TVl6oJL`%8PVE?Hl)OJ$P%+_UR~9+uun
zEY12;8cR9ldwKL>;I5$G?kC{Ko<Ecoer7rn_E*}|m&$F)$|AOp>XRFN>q4HX9y@NQ
z>GkrG@bQML#OHl0!Hg2eI(WZjH?^^g9o@AaH4rf{<JdS`G9CWjYqf-%|9%s;v1Ei-
zICRzG|NTACxFNLz*b?yNw0jSD`{jeIW4K-02i^bX9Nd1DxwqMP`<2s~|6?cG92QK2
z2nu0i%blDi&;};EMlBD)cUS`%uJ|DM>G1dGWX(s95I8wV1uCBgv$FiPLMP4g8wefd
zgus1|uoY3TssWBK;C~q;&kuLFU=ClYkgn>;?mYNW*=lrp0zasfBt{qro||<ow#{fj
zDo-t*OEH%#4jJoBp+(?a8?9rvCGa5mG6HMTZLsQt_&#W8(PXEi##tZc!S)C^C<4~&
zVQZPqO@s{T-doaX>*=yY)cGbsKh2(nc<S1#_^7m;G}O<#-5~Fp!`Lj%FZPFUV+>o?
zgLd3=P*H)L(|<~iTEk0a7(gevXSPM}RJb2n@c_o_H!njxkRhE)5K9#d=Xfg!`R-Di
zyK&_;-7Z;ou=yqnSuIFgK}-L=Y+yBb5;s@d6}V$uJKC^d_CbyKb<1VlV4igpnE&ds
zL$}LFx<-ZnzYkG!AC11xwoRx6&r{wlo+M^h|D=D<QR~94x|)MLnEXf6k-^#M+HUP~
zBZLg)qVgO2Iko=j#ggs_Qh%@L5mckZzHMC@`suEVd)mujKTSHVWgcBk(D65bMIR^R
z=ZpM45f#Xf$frAehm{Cv)Soj{sb_inz$+X>$BUO=iK{@lR0;dZZ;CeWQJdVPX>#Zr
z%CQPU1vulvg~vVN3Y+b+^aj^4i>AEUL5l{a%j3{u-d{?gklDZ_-(=quc7JGVL8n{x
zX679ahYCL2(hjC;KE}6!2U9~fUWaUAmzS$YH~k%8me}<m-uFu6OkG!0AfXIx>NvrF
zuHpMMc((c}B)BJ9En|x7x*2G&963K8i0t%5+clZ^uuoyvXXoD)w}cfl-cPqBTjm}a
zPg*pYwJ(Eop<;IbnEhoQ50)>~(%f+G^36(#Pu*25U{#gi=0Pd0>!W^Ap~-F=n1=SF
z<qM2bR5|g%Tbsv1wc<x-HJ{27hNg!|sr+fS=ydtcf2J0y@!GJc3vTlKzUbt|f!?55
zw;aZ!S$c1nnQV7MbRa&${>>{huI`i2f#qw}>}Ac$mifoN$>Z`va-}w~T=X!1O_v#2
z(KVDX6%|?#MAk%Gj3v553PYN(zC2l2METuS7bOotlCQU4X<&~gX|R*2&|*mP?8LXO
zPX=|WRgg-sRJ^OcSuVID(g8Lbs!5UUXBw|I+6=x~9w5J6emfg;kq1Kg#+dc{de<LE
zJ1CoZuLL`cpYctdYS=corgB?^3^>>PkIsN&O)tk^K+94qd!H3TVG$O1>>TFLm-v?u
z<wu$Kbavbxt8k|TKfLyW5&2@}xXPg1_y{H<r&U>&(PiqN5}508n>V{$#C*g~rSR)8
z`GFL_+ej~L=#SZ_p%;0o73MSiJFA`!vN@C@h064rzD;m_ow<EB#Sl#xaEb1$ep1;x
z|ENc8Mz1yPv+itn#s~A|`jSCw*+Kjex`CkM$s@JZLC~9%yiU(FZeEvOh5sb?nTo`(
zT`+vluyMJEe!f|3O=8bn-3)ZTym&b}S5fL&zmy=@xx;0S7cWZ$@jrp?RB~mttgz3H
z53ZhN5;5~nD<_v6<m)g#D%X#qSyLPHo1+oEE6I_0_WsIfejugkNb%r9E641`saX?V
zK~C{NE}C^^BqJhXY_P#}a@OJf+c{*l7?zp-#J7T{!_t1jeQNZAl^9LJq((&LkbjJ*
zmqZ8Ju`<g{DQvG$2*VdvSsUYMJg7CJZHgYo#C#6@QO|TCN&eb~6~!b0HS_y=(I{?v
z6SdSesK)1;#z)U8UBfLZXS{vn+fi4n(rHNND!hI51@rv`KBYG}v@eJ}K&FpK89S_!
z{Wk)9#yojJ$ITj2M(a%&DHH>#H~qXT8gJT|C$YM&IkWVlWb0sRgSls8aCAB4cB<o8
z>sz~7{-BTG6riyMk2bv(QcXL#L6eT&DGZlZOl3p|LzgkwS#RPs{>JcHXmqD<c3OoN
zzigH5P(so3G@1AiVgDBvf3?$h;KPggZTsr~(M4ACwR=zBg-W~pjN9Z63yx0h5po?x
zv<?PF_(j(Rl2h#A<rR@zN@F$)KU7RoEnbiD+r;|nR>)(cPg#37c=*`+xW3quxz^b3
zx*Nb^b!Tj{+;w;`Ka<-thH0{kb_IaS`1Zk{O1awEpQ!_z<<y(HM7n}pV6BgrFHj6U
zv(})x{(dGsx~<D6S0Lz$w<(IhBwdz~B??yTEP$4EJNBiL>6bI7YL>6^5%V!`l@zs~
z6eU|8z3`d;<L|@|`51=^YT#twhup8Oqxyl-ovJn6_1DqCfK_kK$U<8~TQo25@=G-U
zWiourDB-<GVSd1;*jJ>|Sx5^XWCgPBgJ6<tnQCOf#xVE4<vEY5L7&=qIA{)7ps_lw
zX|pN4XXH_U-Fs5%VvwVl{vNf*zV9foQpSC=?qy}K6~Z~Q)I}0~+gguw+(XFFe~U%D
zGSGq@)qW$z_x2Rp&oJIuwnqKsD6jH8Gi2pjmRsuSza`j>R1OtPO`a}{$e;SqP=I~r
z+QWSv_=<#~yHaLXO!rxziAPmSq{h&b7sf5PF^2^5#VxB|f!I;U2Z2i2ivzAN{CEy|
zGarUhhYCXQA@cJcQDbG0_r-(Jk2ihlwYmyelhI{=1<3SolIxDIsA(CjoYu++v<o(w
z4fJQ_EF&%yFUwEnYMbj$&4<=Thi-O;UR#b@u75o18C`$Fz~9clVmwejZPtX6>1`hc
zHcMJ;SuYHXP9k5NE^V3VZ9VjB&jURj2`CF(l>)eH@HG6n0rZVIxNp$;QW^SO7Yh2Z
z^2$T^8>k%j(|;E>ban=uxGO9f3Yx_iPrev903*362x_(L7vD~1Sb}pB6fDN_-ScK}
zq1tx|Ai-w22Kxns5jL>cSIMZpKajIhV(Y&l10&IcXl^52YwSt_0$-a7_%BAeVC)d7
zqN1`wV~`yJ0|c=77?QL6BPG_;>JN-hyS!A|3hD!BKGbh+mS4O$Wg<J78<J%c<T^43
ztA%+ICL;sw#+m=<o#}C7gcmI<rWgkghdgy{bm8?x1OfY<8bDF5{n~6*{=g~RXh(h|
zYxuB43irvUzcdgs9u5K3(AM80m8cOc<ge3&&YL2z4}JSML2B@tZRA%Kx(BRPWh()8
z)m}eOfEPtv++W=CUA=zq_66B-DA^$Z+hEyRPg^Ekwy*he0Q%eZpEWKa{yni{7wz=+
zF;&Sp)b^{7Cj0+yJCS}ZaEewnJ(1LW+HF`~LC4b6!%cd;KR5_^v7%J3e$gmQVjwV}
z0zjRjlqMcc6=v$HsjQE@AUD*g;b6z?MzJD0G<R-o&&Ii#oO~Hm-|&<@djM(%h+q21
zlg+gST8u+_L{46T2pm?e><~0u5g@P>p>Hg4dcFk^-K64~Y>HG0w__{S5c;E;{MJre
zekw(7AAGJ!-C-H;TbMMAVv1TjqQRrlKM>l>*DkVe4t=JLG#huv6-taL_^o|Ur#0!#
z8n!O50@j5q_iBx;J87@<{2}~XsTyADNb^jZMB)`RQ_R|NKEKL<IcOk}C|TTPr2+22
zlA2A4T$ka);sl!}EpGtE<w~T^RZ!}`)LcGZ!U@`GqpiStXPBcR7?PxgECgN<{G=Wp
z2iO0NjT|?SLmL>)ZEh|4;{#4mwMs{#<SJAn%IEtJU>(dR5^*EmYnVRtlty2dYCZ{S
zsyQ&53@(jvj*KV4`E9)BI#eAH%pD@eqG_K`G{P%nGVajdo8xaa>AA+CB=>?n#<AT@
zS)W3AbfP4dP$*3e4>#3b%GCo$ma=iUi44w=`x-=S>;5(en#nEN@Th=?4KhwkXDN^n
z7-A*rF6p*!J*NggG%j6y<Fpi11-E9R9rmLlpf^;HxT#qB*tqWYWF*Z;JJ6i)XZ_u<
zxqYjUF|8$ONlX)AsN3qqS@wCVEq6(h_B?VW-WyJpYP}Y&!5<om5B4BpwR#pzw4+S>
zr&0}`hZD|{4T{b;lZUn7=F7IBn--LJsEJzIXCjT2Q@Iy4&M>>PwM?hLI8-#C2Et)h
z&et4O8qdf*N=-Bf)>QiZ^=I>CZTM7tz{D4Rmm{1~iPX-8npJ&hYbJX@s%tMA&a;TF
zSw`<va+6Z0$3Wux+1GZrtlU>ZI-O}I$E(7t#wr(Bl-T+CszsVZx~U3I4P<7p9-tjC
z_Vf8;w_%I2)wiGYC7afqFb&YDZ2RVNP#FV(#0X}*^6S3tJH6^Z#8Iz2u)lJ__0M=z
ztv~Dg$ec(HX+$0p$1x@>edACHHhq@25@;b!eCS><EPOJtpKy7NZx5;9_lM$5b_wG{
zr}AcD;oVIeVat{K`Ez>bLyY^rUe0VRmcQvs;C~A6>hbC#>=%cP<7+vybp3%~%Xn0G
z9B&+Q6lENC*cJQJ3BCgCrI@u3r8RPh_=VVQ-jEY?JeT`}wc?m<&^j?}jzek-gbn9S
zGWE1ay6cg12n)v11JH^+H2Rz*R3(EGRGz!BfFdFnsReuW_+4Q;&TOqXr!_kfMG!1&
z5zUc57{s7qWtc=aL4BWsHv}<#dCfWz=F`b*a~&_I`bP2+kuv<@oy7@@n}v;d8EEFg
zFqNB&W@wu*mPBy$!nZ{d@uB;5Ef%kbJ9LNUriXACX<^!mfXx$$jn|mi9}{_3bGSZp
zz;o=fkPdHap)|{zo7u1~Ypg{B(#E=sv~3m&h3N2xT=s&k<2XSpd%;r12&@&0AixK3
zzCTpQ9CF(7qpEGU^S>XS77PlwsQ1?19-TyTDk%Ex;p?qI6YIhKjVINfnN0IYgoX0i
zv3hV6lb08cTo$RcVynP_)wURBFOC*Q%95dn{J0LQ-`>3y@gSCvB+|#n5uO*>E33?X
zS_T379VET^Ba#(O^Ov<(zA|YE5-GD!Qo&6dv5`c134;S>p^19_Z)ayRMd0jrjPva$
zSU9=e29m~SuG_cGcZRd@oQJdpsd$M|p2_kx34b{;tqU1V_r_hF=e}yjwy(*f0`1O!
z&8<pJk4V6m&)@GF+;jR&y1SFw8C)*1rpZ8MEWGo6q|&E`1k}7uxDyPs@?`bG-#=F4
zN>``~;t>92ZLL@4y?{ozY|QFKkPKrQh6n}GA)L+1!cAU#0P#~Iadap;`~$d;vN{@U
zM10s}ov>;}ntqv5n8sFz#RV7V?@9Eh$W}zaCjDqG@`Kc<vvQH1CbM`|L`cYV@Xv;5
z8tY`R<SMFb2%0IOI1x5t3#kde)%{8`>$yJ@y{@jS(%_nPcn}1!l;z#<CV(n57G*9(
z`8R|1{gpO*og%ZEa}u3cTFR{6Z2h5UkhEgR`x#41aVfw=t({%+ngc}_HNwDN9s7vg
zS?3C{j5>)9Oz?D9e5v4D1xG|M(YjD4v<225+&B`sdEcN?YcIGs;<%hbOtF)N;hK~7
z-KJi0vm`AgV%Wwn@-@$<dl4`fNMFonpVH5I1_kT`6^`1nQwo@(z(BakaG)Dz`CD)Q
zWtsDLyKO{hpGhN|O&hM}OZ&<*4nZsW*31HC)2uaTaq4o=QL}?7V^&~UGLvSbN%Bm!
zkGki>9FCOT!AmwGB^D%ePGnSHB6}sEz<FYdy5nNHe;9AZ3@rny+FX*jVrF1f537dA
z$)+Wnh=O5%)L)T5l_HBmDTtt<YR&>Y!UJ=%al!prdU#x5?NSpZDtAqqDVxSdn6~Gi
z9MkLqQ9u=5{8v{h9O~h7lUX^gkrDVcB{KpVVN-vYVQxr1a`>~U1XwB`sXF>BN-C(<
zhcHp0y1EwkJ+OsH?tm|8u6~-9FqP*SCv|5J7-E4MMgwc7Mwz$@AXlUfzp*}_aO;;1
z@wiZk9h+g&O!n+DIO6B!@O?C<+a>mSFYUSaQK{>_oW;xYF$-gvba{IaF6h>*o=X_Z
zXLK0V_%#Q+f2^!H+{nhZ)$yHUNkox$aENrfDA{c=ZYQ=e{AgERl<H`7x8v2}!H5^^
zel3z`Xn2|Qa{H5H_9+jdD=&L_{GyJ-7wydw?`z~#5s3XI#PXM+k={-{h+-WQOQR2~
zuHL%XrNusqN4B*z0x@_V+%9#L_t*KaXY1$lVpW|3NMrZ`$NQmezuWefMI(kcR7QPi
z?^6w>r=a?>39$Z1eu$bC`sv>&wH@DwI5jd3F+cGf9~J$m$?5>_!;gFgUma;fCF?Y<
z6f{>P5po+{Iiv_ZY66mBilC`j!Voen!5)+?Qp{LB#DoNPSJ3Kh7gkI10f-_&?9Zbm
z2<Pu9o-(?qj8nsuvOX3veGLV}7MT$<p{sS=BS)qHZ^9NC9B}@g;vhKc8fj{QtTwQB
z4RJo+0oe?|gi5<J_a(yQlu+3~xI9O5bG3)oEM^3({g?@;Q24twrY73Rz%0uZ5l<xR
zi65avktzaK(~6BINA3(*&JFU!>qz+f?CR9y72ZZ3)qp5CN24n-ch=r>2(Yzh!<4ol
zXQpp&1*o%m`817w;l`ud7q{r2^9t#`BHcuhQn%qF75vW*dbp(2Wya`mf791URxr<Q
z$E_8!R*g1CMZJ}H67?OmwCs*S^wTEEbJTC^Uw;_wSP`RHc||E2v#xcFUDE1&ydrOm
z<$qAP<N#5x&(POhnN4i{y`3xumbH8JBks?)7hy`2=DVwM{=SJ*g%;$RI5jyxM%_Me
zL1U%YVtv)LrQ~lL*8)PrC;f&;s>V7E3&8c3(NB|`7-|Vqch?M80&5m&_YKSyqkLE*
zYzg5SSjNbP*}#N02x-igPJRF<v8v&uP~5x?rbMAOmKpu_t(qA{Bh}tdUNGO)=wJ}Y
zyR&$K?e1p>Md*x}rLmkG5&T<|ndGS5VyT7cd%<Y-kdAwfb-wOVaflX6Z5sR(KdHsb
zWE|cD_V5AOn5(_i=TZprhJk`j+ACrrX*X(q8NAU<*dti^{)r=4^QYR!B>qD8Kc0%5
z^*D}s8i(pF`xBvq<2Yta#ZRxC^bD4Q3QvqZ>tv6afS2+W9IvM=n?%gHPoD5qVm|YJ
zJ8K&k+#P3R7~ytaRX&4Uv3E6fQ=!J4qplKXUoxNP{(Cd|)OW^8aZ}3Z?<)g^t|UV$
zrW<qEN(0xid(TW^T=A|8GTyRK%@K-gWC8bHC~7w4HSET?9snp?^PZ$B400!8`^QL@
zD}yc@!X#_1_CzaQb;g27WCxEOVa2@99vI~C97toYP;l-mFB}!NguF?`2F$IzM~($b
z|8AXzFU15-FD<vh4XrW`L&ed(yrk7LaQ6^VkNO#oc6N}D=roxrWq=NsAR4)OurI)3
z5IWwxj}bcSbTI1DJ<;<L3i`KV2z1Q%8u5#4Acltu=v$TY2g9h{>9q$Pt^uyc>KINg
za++=|k?5V+i%ypK=e6^L{l-BL!_=1Je((<GJfz<2uiZ6mW^jN-!1LC=4y70rM7^@H
ze{Zx0eS1=`e;*+At;l<<`c&%E@;U{1J=Wz-ZXyc)gYdN$$ADiLcR^n|`Nk%Rv(P+G
z(_Yy}H#3l~_+y&w*Jy<pj_R22qL5<D-7iG-aXxJNVw5XyD3t1qNUcPLT^36w9X8ib
zP*0#-kQ_<Tis%cgZ2W$dX^d_O@F~`B510O&EJLQpq2|98(`#nNdUVqMCLI<BSLTJF
z10)J>sSf7T6Hv8ii82&o^`0o0FrVyy$Fd>&liN|Rig>UAA5k1#EkEz~?SnxeUK;|)
zMX2_bxRPL*z<-;ySLGyNxr;{j$Gav#=d_LwdBy8mDzpvlOZ!KpDXFCRD>tTP>i6aJ
z_Z~7wpxGjcdT<v%a@=`?%b4_|<0VtXZw!W8QcYa7^zS>?mnFbu=I<flA#=j4PG%`X
z9$K`+?us|Q#V@v1y5cHAN3K9^+<Zjs_~?5|bSFOmxhbEn=f5{KS+@8lFNGEJwuv?G
z>&4K64OS&5aVHbLaa(^M^DXpE=Lfa{lGt^-cgo%jfqkbYt*|p|6S+ohk3$KY-AOC5
z)s{7bMC<1wLO9Vx_?#($hqwr20TkhZ-Zw(QO|j&&{M)=*5Fb`*y>pU(6Wk?Lyp<@b
z>P;*cBRbtP@CnxuI{glqMlQ9yW-dZiX*MRkRsMLj51}~lIQsB_3HI2S9xnH`xijLq
zW*!nSs2$V!4Pb{cxm6%3S{bZOR`DbKBX$>XTaf_LUjNeTNaG~+%Ql^YR~NzeoPKqW
z-6K=`j)b{ddIV}FO~EfFtBryNFW}}VUEeUNV%A|kvb!&XFpG#OzsY*B!%!8k9Hp@6
zN%Y<EKfOkx&L4!X$i&jro()$fuua#Ma_*2^T31FLv~m6&C!6d~59X(ffIZwmHvW^p
zbx7M)cm&8KH!iC0MzMaiFEV|XL9YgP6zPFw-Rg<trN*_eDbTP^E7oXLGXpSCM9qO4
zADXk5cs~y|5y|J4581&@GzqeSz&4K)liJ*F5d8f^0`)THerEyCT;WK586nvBmI|yx
zzJbX8UG4=FWc+vOz@(Fubpu>^SsHyEF|2`e_@oDhL*&d32^8jxw)}I4si-RIh^XeW
z*rOw|r;<e}i0OH+o1nsF-}ic8-qTMU=`V8v;_ARLoIb1r9jrQj8U?`Ptqhv`W1cgY
zw3X}arrcXv$2HL2>Vb_W9FsgB$Pjiea%jS()>}&b6~<jETUw3)r1d<(s1YPy%!@)&
z)+cFyE~a4DFx^u@=41VPaII0P&Th0JW?@8+NE4CWTRPhoGw7_0C9~@lukC09yufWc
zXRC<n=#aoh9@On^D>}7n?D<uBO9h@z)qb<lb$)Bm3`UW*o&sQGLj?Wv0(DBhR7=5B
z;qI^kx_UfxXhf>@slPYRr<zj}XcSr*;I_6|I##72W@;u?$q-tcHP_cz!5lTbxt2Y#
z_%6F%+aR`#x)>@(!Mua`A&$%OzdJ=+M=!*CjqFNhgG|vaH-EP#?*lU$Ya)G$zpdik
zR|K?qwe<r-h21ryYJL9phP=nK8lKkk$boe)7Z+{!(u2@0s$ms%7A6NCUx(EH*1=;F
zDwVcmR3$z6cf0LgRY3PPXc9>27)B~=FGP?tzAus`xMs^Ael<<(9giuDsx0wG$e?(=
z{xRUuwF10B*&=LX+COo8eIcu=s_J&&$S`LJKQ)GuiYG&YLV_NI`>BiyUQMY}noSGz
z?3-+LR)KhFF+F5-6{>B}u-_r$$7TP6xxR#$%NXu$UP^;ij@A48lBwoziTQh{i*|i1
zHpF_{2tMe6YZ<VTdFHv@5}l3U$<-qYc}r_UK-x5_7*>}toF4;*E)3B&R&DCVViRlT
z#Eiz@QO};HXg85-7v>b-v!P|}OPrv~FKc9o<OvPh&*Xky-UEy`2JC^a{2-gH6o-vn
zUh@};G`x6b;g44DDz?&!T1#EO1lS0<rp8P?K9b*r9!czltbKXpJmw_V!27->{Jmf!
zXP4@{GiNZ#(SM)?kU<Zn9OT?Hy#%fg`5PW`PFv2e@Gej&@dv_rCro<M)n?Mwg(0ND
zk8DCd->RNFxn>=?WfqB4F7rgJZ?cgP+(P^L;h+^Cy{K8B;w%!5<+_9~c50Pktv&(@
zn?jyw`DQW9$B)tYMg@C|yYJ3-$Hxb-I)H@Y3OcSd8%}5m@4fZ@h2cM8_Ct$pr}`RI
zK`GH?@~7x3OX6Uh6@4Mq;J{R`2;L)q54<n+x2J9%tFJjX`!$BY|HfT8zY>2XaHB^r
z5&)33Mt*xygUcj!x*izq!QODd&NCG&*kjCwFr4BXcJ=-`rX}91Nn{$pnu;J%H1wPJ
zXYg<}Sbt#O(WK4B<sn-Bj$1*4Kl&vu5-WeC3@5=8b}EjLs2h`LGzovUmq_-VWdAw(
zg65|7&(%m_=bpF+YELd9*TZjhps>9cLD{EvOg%T*OonJ?t|jh{Uz4v%w5K8av|h~V
z!MbJw5Q9#`#z4}qSo9WG*Xo)Ch9IIgK)M$c{3F7r)Ec9AmUu2IE8;{&S_Ja_0^zj!
z-k&KH8+9JCHeU_iK#C3unVU*^Wk?D7!1f0Xj?)a~jSX@75z)*1%=(Noaj4pQAZm_+
zpL7Z>62jTtFDkcy*2`4<r+ee;R^;pil$uFL{L|_;QsY)9a3(vyxkb+0#~k0Q%6nn#
zpBsR3XPn@?^g+V7d%pTQcN_3z;kxcBORbH<mFC2%)|1yN5#|hWf-z9iO3Wua+=iA!
zoH^?FCnz1BNQPiE97eJX5$pl*8%oUqmAmwwyii%TtfR@6{+CJ<3boGca4!fNrUrai
z%p9J|v$@(fT8A3k^VDT{*@+RDUih_Kh0+{Z`L6Ze^h+jas40@`>MBcXe)-wgrhoDA
zwcP3(MDhhE+-#vl0`}T<`K|)-;AF@>X(@+fF;hE|i{VF~gu9eV%xO8paNRzn@c}`m
z3%^g2_7#7g>{{O_#@l6UF}~h<Um+IdD9J)@#H)_4#m2|434@GQ5_hK7pDc9Ggae64
zyep8QxB?1jW)K6z)bsVJSV)JPf`7y9PyIE`<mL?zqv&D&t46zM+f3wfxyIG(iCTYq
z%w)a&ZiY;)Ae9w1dZYqBz4lWAGJ()<APfyY+5EwM4<6R#`jRar`gqG-0gUG!%~4I}
zEfA%11Hqxy`K542+s-uPy``VxoH5$h-u~&;EXC%>)4~EJ(|ur(+7A+Ci8lzx26jxf
zfsxqkUnTK0WzA;}a~tP9I|+*m4?VgQQt?r*&LVX-*5CTW+0Pt0;82B4tFqubu#I&_
zcUeGyt=_5$;zwbus#Ab-*kvHI52wLLCM~4QsQp;W;5+s4r4wVP%3t0$sS2irAj-@s
zDim392;_KxLrFwywg^0x>3>^=a#&oB47=$!?$)QoOqw~biH~;Fwx{ao#^iM#yi%D+
zti{TDK%-P0#xhrT7G&~)^ptZs%C?8i^GWa<tJ%D=8t+lyFPygi()F@I=QEGq1XMg?
znw8g^l8#9x33d=ae|>Y<i6x4TsgQNb=Q{+Uf-2^4r}YP9x-SBf5b1_!FH1mH<ZeU~
z_L~`efOmi{JZ*nFD8Db*)lc8P<hvJ^<~B#JZ9Dmz;<n{Vq}sbbd}65a1nU#E8cnW^
z7VUa;bCdUl)Ac^1okPm8-5r+1?#w8JOqU#UgLYl1eAx_ee4Zd1Z^nAk@vRV((+l40
zF_MaII@bk4*?W5{K&kU}=w@ZG;4Y@_>~eQuaRb^|=?qSPBN_BzHVGneh+%6g0ydCL
zF${^sI3rf6FJHiynN0?AF&ptEuiVI4Sk9MEO|<u`ccqFZ$5J9!6AQch;blt_gI#$M
zC*<(u?@AkzDwI%6hmb}fsFZCL*%U$IiL6nn3e#3q>ZNdICoi&ma=SW}OeY6MVnU0Z
zJ%1;m(eb^sVIz<z{18*N0u5aiUQN(bh&YjZQ$dmv!hJObkAdpYc?$=(s%oOBPNenJ
zMp|OC>0mM|tSMyrBCSX`MM6Px^l0kdOGctzpfQl&{n6*LsSjnd;d}k2I5q$1S+xgZ
zn4bdX`hGy(WFF1_@b{ZMT8cxa;M#n6h<Tur@~jP0_U1~S{}Yi#XVw?T^5_cvBNY@W
zmZ7?oSt?KO5n`?tf04~q;f66g;qgXhW+_=fgUSv_fc8TwS@`wrfN=RA8JpS{MvRK$
zQ5I?`iVFAr7{0V7(1?_{L5%K;E85j5SAED`5mb2<aDD$PMd6bd<Z1(HZc7uAEz`kG
zO~Oo{XbDaqr$&7z@1q?r9vN8p{a5m&><yGVDFxh1YhPwW$`>eLB?#{6Lptyv>6~e=
zMASzgnFI*{n>LTwYlrciK>3IE{4zA3psi=F30K)Dl|st#`{7S+Z#p~%s={pCF83tP
zKgoV;c^QNESPH^h>N0d<Kp(fE1=Eq`qam=f?GmL0BDC7^+1<$idOdOl(UuU#e;i=6
zyvAsWA}DWN@zK3@g+_1FBAOOc_i9PK<*yG<BY|$kM3=FXS{%y9M#?OaWLOhiB~YR9
zpuaL_&9sXWVC0PX_#R$9vh=QD?Qb;t&o1(%1JLGy6S#X;onwvXM?<=aw4vT&0B0U~
zUvgY2H%Fp4AE+-ywABBB89lNhH~-OQ>-J9G_KTc_Lgd1=wRr!Hmv;>pJGUyq|E{(y
zTTeQ+&67SxOGt$7DZKxS2H@mv2V62BS(zwX5Uw%0HaAS`?v8R@|Fwuu=Csp3%FV{^
z1G3;aNh9%iy%neoP%Vu{xmf@)*kKva{ggzY4%8qJ+m`PQZxB?WKtiz5jfb2ymxzhs
z%6gQ-jYh-&ZTQ)ffl50le4){qJqVS62<q7Bkkum)$mZw*(HQ=3-|u5<Js?F;(-Hpg
zXjJLOK(N0RI|Z}&FTt!nV@qK35>T<hf~fMlF^pk);=kzxkX9%A$~TiWXw&$pGY$f}
zHMsy{y|Gd5frmBeak})_af9P)F>AA0uzj#-KE0+Rnvu>~mV)l}$FIAu$E4}~%WQL+
z+!7=*aw5Ho_nGY6UC;-Ci5vaHSulcdEfDl{>(&gAV2#wDyOXI07QXtQcBbss?zE6I
z^eWz(@zoL}{!q%suq^Nd#`RXi*80fP%|zfRzgP-C4kWk#&vwzkb|=B{5|H)0*SQM(
zs8f<qJoeW3Roiikb!%FY$4F{Y`FhvCw7Q`+Kr3-G^Sw0WW}y@@QSeib-fh#Gh$_@O
zH`$$|824X=0hkGLoj1N$@MEYTk-`7ood^Mib0dKz73zT*fLd;;4WQ{ATbkY?4K<u+
zT4CAduu`gg_(lu7{a8)75#1=iUHG4ZD3<d7T=8!76pc>M<9n@<2)xUfsrgIm!{Y{r
zQ#Nc@yU1ykeAQ8Y-_MlxoC5nj@MxyPvLB_oSA>>PO#NdzX;CmS*p+y4To=|PvVC`-
zU4T{o(jOtAAOFWVgWLE1Z=oyxZ@zW&`$W{@_@<xs#&@Ks@QMKR<n>wl^ra1l?fYCW
zk3h)8KB<hMpYK2KRGL&EJRkha^#~oSn+14jz58CaO>c|;*-6~4f!yw2ZDyfkMu@#-
zIt3!<8O4x=<<nBXJ}vWfv$0d>x`U0aTHHprc~@d(6tA3mx(oa-9dTd}_~FIrU}v|M
z{p!2_Njfkswf$sOz2i_Hvlp>dHGaq+AqaXh$f}b2FC#!T3Fs<EEuHs|Lvp=~+ePLC
zo6PRG9MDG6)p5sN9SSr$SMuLaNpe@mZG6&`YX7=0WzN6)i`!XpTrP6TXAQ<5TXcJe
zrR9ZRh*~0o#8UH1pu{65a1J_Zab<!pCo}XSsPWk2M6xwRK8DZsk<fdxKo0Kz(0{AK
z!+&k5)D>F!WRO_A>Ib-`;la|uU)#0s1xQka6<%dV>ZOjypQa8A=bw-5z(aMo-#9>$
zim`A%cHt1TCcfMqv7YQ7buw2EUJ-G)9f_QoCzV>~7;jujk^Zx_n=E~;wY!CZWZnrc
z=6(<g2I~8REQPp7<u$9l&daaSmGLkr^J|S}A&t%`7^58Zzx0baR3+2tfRG`!Aubv4
z<rJY+sc^TI`E(vc&M=BmNK2m$U26Xp8IP(;u{w`?`icH2R`|Vj?Dqu^$Oa*!S1U)_
zto7Lf1fl~om3dr{I`7wUBSQ{40EbXF>%1;2C-{RTX8KB|3>CsQ@)XGBHy+qzwQ&}_
zX{a1msBhxMz1vDM@U<fzHUD=6F8F?SjMNz6AS<u`!7W7Fk@}-Fy460FLTS5Jj=G|u
zpI*$h)(09Hl}8FntN)spxH3VQTu71tThmxZG&eV(R4?E0uaaoy0DLIk=-pumZX;mr
z=eMb7R5)EeTT<aXB}PD`Q7f(d{|eo|-oK`SNBUP!wOg}&m9=mpA<|Is5gWpIae39Z
z@(={J|8MeHLuh0VDB^SXm$mSt(@BDq(?E$jGL|t|t#oaDsOPG|(Xjnh7eS#TqLhZz
z{LaM8naSHZi*MPXMBJtCy19zI{4n`QV)1lqJn9Bg7hZ6N(Y~UXR}3}R!j+K}rEaOj
z*#A-kA5je{XlrBK1l-Q-Ap4IeQr{y>h(umupo@`=iRL&M<+&@<LqTj+^GZtx&+Yzj
zxW4a3MW_3I?oGrJ-yI>dlYHT)PnSea@6801y&C4}EW5G8z(p@+)h()$PbG5?RL=)%
zP|IZ?SET%_;k&JlJ5E^?m+NK(PP-|7ES&|#M~~@UCI4Af-Ej=#Q$Y}y>gA|sWz38-
z3N{g?(K8J}n;_+0g>k>eYwZzwpU!Qq`QwyoFwN}{`^*!mDbi!O`xJiK7uPzL?D@zx
z;Zd?s^%AhOfgA8k;<K{UXxrbPmp7{QhTk4`D=L@L6sFM^TE43DUy<Zfb1RBO`{348
zY9=%hWh|jmcnOn1{e1`@8FYx1+^A8d5#2^}6P2JiyZ4E%w1>Vu4lB*~!`R*&yc?gA
zw_a3d5RMG`sl5*@{K*aN|JKIC-C-N{Bmp`w>3C)SMC8$1tw{^>m!k{VpF2vgbnHzH
z^?hOWNE>GvbZ3O-7DT$IdC2#R@=4siB%3yl`pEko?xH6qJ?QDegaZm|6W+86BiK0@
zi33C`cTq4(%Hf(N3up2hLAuXvT6x-gSB$Y3xb)A!L%Eta5AUy!?RPJky+OH6t~f7w
z#=S`5Z_-r5EO(K{zJ3uOskjRj?{n-|RH}O10hk`Rg4Fof<$=tVc7z3gN?34WqjzF_
zej*a5P0+vbr!<lLBe1gM)2gFpZ0l$qs@eFb_gf<Qe(CR-YPnAf5|`!E=NHv8xS@-w
zkcsKpg}=!UAH&7ZT%wM|q0&&Yl!OtCZVjV-*OT&@e%E^>>fI4AZnPTiZ!!I5eP1Qs
z(C!xs{dh*hlIAAwpb4%av3-)@Vl6$mwEH@C<AGUX2XcZ^k<0^7ca-=3EiZHpA>*4a
zR2y@_M`>QdAbTPb(6t@z-0Q<`vQiUQ+amKwL@V81)KRFFGwsbYe+Suwc3qNzcztz+
z+NNKB0mDe$*JaJVPaRiV=iqnq!7tEOb)(Y+ktL#nVxOl`=im;2j$d-hq(-l&^B9e1
z8Xr!4H|y}ExmEx8mU;&6b0l;O29Uu4_h1KTUu?Uy-M|Eau(USWU)p(`>YQbGRP!*z
z*!97>H=)4zD5^qqF6h%pW<d4f0eW+@+9xL?cl;+;XUap`mTDi=ErP?2FugvM*c<h;
z%n(@}sDUw0m}7UG+rGjT&1Uj_hX+}^OMjVYPKQYxs#Mb9T5KaIXWVjFT+;jQgW=4|
z!^f;1dTdggV9elY`p07*JNnM!?upoUa)N402?TX&x}hoVyoTYm`fgm3rEoB_M|^K#
z2tMkk=AQkop2E+S^8x~#KKR`2(UVR5<my<|Z}H){qxEJ)g`@SzxbBerKw6`$hHp2g
z>+30;k|@J_<;FG`^a)}pKr5gDdprK1(R;==+6a5l;EBMh`Ng{R&26TeDtW*F_Y}T=
zuZpwx0jP?j=*eC-HuuMtI`1_9wWpyy?o)c;hvmfS=AIVP$5tcK%3;EydW_L8){2nN
zuI*U->s+Cr?Et&|27pmpVR$>tZ!zz@yZ#g6YiDV6ny|oiZPprpyXm+3hPCkhknP|u
zbh}gm+J#(gbh~wc{o(eZtB?Oztne>a?@!SGzY!1jkG0)~rDp+j@?XDY@k*%w*5Q$D
ziDm8u_MRU_>*S<g(^*|f)$4_>Q!lSgk^Mu9w#6u9PXd4zo4RULelV6CGEy1CZ>gH5
z7VGtHf5L<EEB{FZ{#RaO?Zgj$0MNuIp7eOX4J(AITFL-WMr^OV(2hkTN3&MiSC2Gn
z!D31^eBC<ZcS^wysd#3LNhGe%j)f}zJ7nXOL^%kDc7cW+6VipvtR(*k7IuAfPIY?%
z=Yeh2I+3g)k!X<hy~b*HPHl+rnU7`RtXmi_(p6fIY-$(Z!)-YW+4c$R)x6L4VMKQ{
zEhAtCpdZ~`?TSy2*_v?L%3swqXml12uVBbQZdj}#HwF2k?50q9GkJm4{#YtUI5ka~
z*tswfGG*4W@VtVTq;r1x>RiKz*#dwRh(9~0qi)StVy{J&88yx5zOH7J41RlhVE5*I
z)AOitSd)-uc0B4y_j7<gbXRZOU_)+*k3UbW(*o@yndOyF+3jp5A1<-p7NY7HV9$c7
zFSRrfRY0O4xu4UB3+9mZe$H4hxe1pevVOZWJZMp|w_RkY^H>lk=BQFV$cR!%_4!jb
z#vo7c8kwH7D%(37{y=Q1IZ8WhI^8+)unn|fu|1$)xU^@FI#}@KTLAZRT}Mrxc<NZa
zmP4KY&Rs9kIs&%u|1kv6ht{fv^T|OhCP<=qv&Gv#u~C8Ne*S|`hIh>7XZ4*Om%eMU
zo>$i);O_D#!Y+S0^_NeVUf(_i%5hg;yCzSBPN)HWp>0EW6<+){R7k_mP=Dolo|`sy
z^9np(66|KUa~yF-|8{rqCh`0sCvg_lFWSuauWi$MAm-}`Fc=xDeElfK@*-_W3opx`
zN3Nw=1*{tvtk-h5_7Krvu=4b`M_4@t%NhOo-}q<mC|x1ZT4w*qd@5C?_f{SnHmFlV
zy{saXhskf9^dqmkj>Xb<_l_`jY9<61P^_teItDKs_5=$H@0e=ec>Xsh=)^V~_hYur
zAdvkE#w=;AMuY==VjHS?mCCn3EHNtMb`~I2fGVVad@*eE(%OdBG?9JSO=n^(F%7J#
zb>-v3Z}Lf<s;W0()1p&t@p~s3%J-VdZ4A#PW$2yC-x8hA9%WE|9^d72Q7V7$DuJL~
z0UuRJ$*U|ftqIT{tuD+IYywrq#7ooP7Yq6Nwg~=x?JBqj=E81&DSr|6=2v{c&%YMa
zUhPv3e#@WBJviD~5QVWJ0o>MV<v=_+EMuG;eqxm*N%wGEwnaD_=3?Ofn2nlGK`7R!
zEDNbFC`q>`i3z7BSk7oGtKHLw&pr<LIpv+;3-I!Q!gnP=vK@dC^ed>_Y`FNGic*qx
z40r}0gzh8}qmCMC@eKQ@&_#2ql;1lAF*ycy@{0(OP0EE>luch@%jlaSNRiF?4g!%y
z^Lk3~OqX}Fsf58~q~?|fc_8KtP%#_y=b2i~vh0ns8+<ere1+VgWE}n}d_(?G9tnFb
zlw+-8FZ^U@FY)U<js7M=SgOvbx2UrCR=<|@k~0Qx1J@NBlFn}gM|}s_$il4XqHNW%
z+EqMZZElOKiS@dCQdG|>>Y78$d?T@6i!A{k54Ohe>c{S`q085zv>iK<y81`P8$Dnc
z-2_MWxIF7DOo}ejukRY$xE?U)+CS;->I9#5!tT^!zyG^7kM^<cl=^uH<4N}ya{%9N
zk&`3Fn0fVMOV}SNJg+P!Tegn*5kISU32q>5cJWGcps&35aedxn$HG53_3zoMbKspH
zc?`%28B70l<aM>p9!FmD!}q>$2kZD$w81xVQ3gJBFBo)gw&4S7GOuOjY;2#4ee_C*
zwj&N5J%oSl+cK2Sz~I;A-xf9o8Zoia`xA-;-M<`i$Gfb3V8PftJC1;uWLgDa=QuUD
zU=C*NdrCW-eX3-@XV~Jx;_knFoSg_RtpHr(PU1SySFvRH?#i|tl<bF_0Fy!uNnRs)
zIY7NI#wzdKnWZX#`Vo}%&Euwgg0Bb#eBMxYR!`U)Y#_Jt`B?x7&l!^K|IiahYE9Y8
zGDCWOrIH~lf32zzrATGP;wRuZy}9)}@-M}e4zV2-1{XgG6HC18W=axk;rD<>sC1t%
zBg#zW3{K9V2yHX{rqPiUk4gpYOVvjiQa5}MJ}^<KGy&{Aews*rJ=Xx%r}$iHDyI@O
z9PqBz01@}vp$J+?ox@2?%={<y2ducF`1NV%p6U0<U(E83n!5lU-)2~8n#!N&j1%~Z
zU|_n@_B~i%iyW6kiQVtqA)nL#`%eo`>Q$X{xZGR*wjM0MjzEUY*_}hDe5B)Q#=;*C
zugod-G@gz8xyz+cbuPhZaa<;f^{t7{W9rFC$w1vfwv>9#nle42BIezJ+XDsOGxBL~
z8<>s6Z-$`FJb*|JkZh;anvz7X)*>&Yd9$m!x9F`!&nGWyhXF$uNG(56D4A<$-*4TI
z>{o<I<92UFouLO-2DscGOwgvA_C{Y8p!kcGiT+*Yjju(kbUMZ)*#q_f(fqQ|S`U#n
z;*u4%AN_?>6Y-h(`Q_ZGE3F9Qu=uU$ZX|j<O=1U$dI0HsJU51m(B=aCHWp<iq0~^D
zYeuqaJR+$+kUF#ZS1M`A?7dbDo8G3_d{W}G(G*m&qTw|c+Wz{(-|dfSbUepqYT!$6
zK|_(lnMf@^JD3_3odIuTi6<6x32%q*T0ci3dBoU5s{MP743ytCqg4vuQJ+B9*9;4h
za+6Om#qe}xKP#)?%Gg{+6vWNAsLSVp);}WKl*L;y0@r`br{3-CLH!Vl6E5Q@R2+o0
zAIEC9WkyV=G9|2AKC0s3!(Fd^BZbFpvF!FsV*mqUW2K$?$(G!Q4p^vgj+}tUDQK$?
zM!x}Om4VnTn)8@bbL2{g7Iobs+~~~53}8MXoCIYZcr~dX=^xcMmrmnwj86;#>{`Lx
zu{-w5oSGPYW|w{Q$(gaZyN*Db#9My#Pbr$8(k3x>*bLVf^TS(Sw;~i_yESc~&|u)O
ziAN~<TdV>c$19y|@-N_#>8x=W`kRku=&iwNJ?X+l^QU-tP4<O-#3#C~^t<L`cN5+)
zjqoZ9)z!ng2Su*(CW3ehB1Fa4D(bj7s_jTs2d4&#AB6wqK5MYthJd^A)d-BEP|Xeq
zbWFx>&QkHmFRc7=H!x|Oc^v4(mx{hItYY8SHkb)4km^d16owyJ^fUguNmrBt&_&b>
zti)IYQNL*Gmpz};=$w=<yyjZh5t&$$bO4oezc4xp7{!W*$Htsu+L<716H6tzsxM05
zbF0A#wLnjPzG+zkT=+@bR|F2ZYq}*?p-ksy;|I1uKp*V~_tT^yxM}`YCS#XtyhbqX
zYcgA98oTk`;kts2UA*(vVJsw9n!2DJ!1~M&2#>0iyxkSw$Y|8=J?3w6Y;8`_1#y%T
zpr31u3ZK7^nc1usgU4gtcLIhr0EfnW@0u)+QPD@<|626HF=;PYglHHw_qYpwB|mZ&
zAAk|xP+t~j;gq-wCB6MG9<G!8B|wiBTUQ6var%pw5t_r)mh17Z=$6fMQZ>Jdc|hIl
z^v5!6fUex;&vd$Dl3H#<$aFgGy@Zw9^sx_5;XRI_9$Epi@y_VPM)t6b$}lkbF<syI
z1UY_~h2a~->Vhe<Dfl~`h9CBuMV0L{txO`bB(yfK9WG85+2yKNx<8c13yaTT$(2oi
z>}+g)J2_DMg`=+25#I=J_1x<IrZV3%#%09iaBs`Jb!cw25-11F*((NC#ILH>?5sj(
zbI~Yp3>?Fq+AO4p&4~-Ma7AUorbP0>awCx*DLmOXXQcJxmxIVO1s;J+C~K<)+&LIm
zO4ZtP*!A(HDKRt<bZ{3`o_HlVi_rQCdBpsPb#hpOthhqwXr8r>;4<Pz{U3;@4;?lg
zpGofg6d%Byzd|cwgjtbWG@+7y5#JvN{DIDINkDzWVguHu9BEB%w=l}M)hp;kqkKKR
zGH+X&TL>`zahS(>^~Y#31LNYa&H1TOsCSdp&zq2>eWW(9)wFTo+_NLl#1!wNP`nyy
z4tzBdXp@N>WP!Z5^yh)?Dcr81J7*G|x84b<l7T^|oG1So7B@!htt$Dq<~@Y@|Nhgj
z>;GHFqcXEN3z7bUv$)MdLfLlzN=V4Q6F};O<qmIJJvje8R4i(<Ln1Eg*J6dL;sIKT
z4DpLOWYKOdeRBL9vUN}mgPZ^6{{rG2$R%($7HN>&sFG}T?<wNRM({qATy81UJTM4}
z`7yEiYI^kFk2wtt4%-U<qxP=Mcri4}$A`(W^hoH1={DXnb*#V!Y=NQEoi$sdS51xD
z|H)2mJiU)VV^}$h#6Q)Qg@NWrDR%dG^g25QS*%1@i|j^`l?OMTkGa`kr>{3wd|Dc#
zJ=f@u>#xb>1YM2ozVtIY<yT}C66*N-q6iqYwqQK`T|EP$v*~_u@CzCWf#K0}oP`de
zb9akW{7%Kv!N->#VB6tW|DAaka(aJpFL?5#s|5d30sJz6{5EGLnnfxLz|%<+g)R)E
z_Et848^A52pFC3&<@L?Nr2Sf}sx*-5-I@EV@Wf!7SyFq^j(dmSr3_daB!pq+zWaTx
zVG=#7pUz$%Os{|IP;Y~DB;{Wr7}`w7xou0z$zZG6&wgn_V5nP9oOCG+98bo6VB_b4
zi=7Y40d=a=aj4j5RpE*Es!cR;a((@__4Auqi$*J{3T`<~i!~PT7ud!R;>r|w?uyLz
zyt9xE2uOt#VrEUwKa#VKVPp-Sp}vw~*y3WG9nb4K+(g(WBue7-f~EfypY`0GZb``$
z16#T__nATdGt$>l0br9!`E;zRy7G7=&xkfIFECqavhfp4l)P_k`6)SYdQs^#u0y5w
z*6wGG#C#ye2iTq)PlexfzuaC;b2}WTc~cQLR|Xi%whheLEprwCZEH_>4p0@yp78sv
z5g8|t!Y-BvO)A0=I?niSt2Ua=?SO~x)~Yx7{XbKNvYkK%KOb0yRjsjYHTa|6*2Td1
zpLN48MVIz#>nP0)Jdb<O1d`RW@%!fNRce40y8WLUwxWSf$%X>?Mrth6a$=!6|LrWb
zMEln6sJyR%`xR1t!~YSGdkA`Dcj(0{t*`TS^?iPSb~l<RREvnNl5synb2}q#8r#-@
z1UN_Yy$_Y$+d*Mv?>&(mHB(lq$r;;jyq{OjhJ?%e%_6>luptPZ0D*j+no>$aBCQGC
zCcM1YWsx!@UXTf6Fvw80y<w7HZ5C}`lTYzASmF|#pEF@|0;#t$3WZtEV-)U{O;>kw
zZCPxD&&}272*Xi9mfsFwgap7?Wzm3XHc#Vq2tN;^><=U-J!Af(gFOm;_I|uzVQ8rR
z*hjf^+D4v;Vk~!esI}DfAoAU7%LAc(WC>s}BRFs6sn|K$$tq8<HZft)u$5fX^QtXK
zWduAJ1oly0aaoF33AJPd&PNb$3dSq>u)|QzdiXMrYz0(hc{24C5q{|9uig$)!~7OL
z(juFtmMt?geW^7<fmc=_##vwEPIku?;2GUSM!&ZeOcb0$_oxuK55+Kn9=4FsGqgL6
zUgotsrCHypNttCfpPvyjA9h%IwRxay*@HYAINvaI({m5zxX;f3ue}lSmc3~B`uauV
z9c-^?E1%5nmttWX<*k9}SA4?IbxLXXG(>h#edQ|cv}M%NAoN@k;E*49)<+@ss%o^0
z7*2wZDC<aP)+M2v$)><R^zdBLEs8^3k)6`Gj=)y)3Hzby=i^XiDY{#fcOfAYpl_CW
zz!kKr|H8rKDD>D-hri?uUFt227Fi3IN>nD?!78Vh51nobxQnjFU-@v?<4Ob7%D@2Z
zQ#WYwq5+nb^exE_w#mJ>VGFkGw;sqd@y^8L-@)d$Zrpfhnd;`~v3MdN(xA8X50=ze
z_$)V(`@y3}H;o>gs^ssPOn-TS<UO~N=dutK>w0e~W+e67@2gfwS=VnRgb@kdN!$C~
z_H4_}(3N4$(45_qGK{0imOTXupPWYcqbr{NjMqr)1CQAizXYkV?i6SHTH3b-bnl;b
z<~8|q4YIS{e@BcF2bmE$u0slquT4haJ<$z*=FvWP$OF79wX9K$CPhv4m0(%-s9P26
zBARj?;HvUk*1A8AM(k$#nx1Erj*Pi(NR9EYqV?L#PRe(OL}ky04v;UbJYV7W4z2cZ
zlhp6K$|WrUGe8=3A)uolqWe+@BJ@b#;==m>na|;_gZd|LH93sbzk4&8w(@Eauc2C3
zDIXgsr<~>)Jce$_%TiN$yLfTRmq{F^_f8u4Mm9B}){!@K2d;Xqz-K*L0_^WpCNliy
zL@Y-v+1<?0i>TBdW{-!x_|jf*LCjAEtr&6}<<UG%uy3;P1f~EvjP5)Be~oW0a*_hG
zJSMu=_~_=|mLEY`iBOp`B;bXc=J6my<lrC?Y{<X4UfYDXZmyJI+!(p#Sy_6vg=?R`
zZl%_A|H^tTf}o}{Q-kFek_bU6yy%Q-{r^GSdxtfdeQl$T{zfbaj*SlESWqdUNH4LB
zB7&fz(wh+w=`}zIaRz}=AdDhS2v`uLh8hSZC<qY(i3lV>fQT4k2uWxOkdWki(3$uB
zzVDB7o$EU1JI6mUd9t6q_S$=`weS00YwO&b5sit2OTfnR_B0UH<o%6x8h_lc-?k+e
zdug~W_lBotg-3ReyW2f&#}QhfgRt}N4R`a)*=8T-t+3*r7E=~Su~HrT@h18Rn{=Dv
z$P0+9tql7~6Gi^!82d|A>>pK5q~g@-2&sHFm+Y9~<6;FL3_iiOx0;BaT&41)G2FZE
z7hp0-fnF49B-eoI(u7#D%&&%e)dc#+A9ug16`2z-FLzVPm3>n9c%^lm{K`Mk5R+}Q
zns?6hVq$8!wd<p}7W_;@kVDf+6xuAB9=;#{Mpt#PnN6;IWvTiEa!<flZD=(KMnR6A
zYC7A*$r`l-P8Vp?weU1d)3x6wiP+jp8A&G`xL)zkhV+DyBP4R|tvC4SQA!++*br@2
z!tYS5pN+1hjws_VG`8zj!K54LmiqNk!)RDKqKI#VOgz@mT91qb`;&_t(E3fN{2@~~
zAqZ`(H742R@1CgpA%w+Wd1q=mV^roo675fRN28tXt(@&!v{LDZ8nxzP$00gS2ne<i
z&l$!=OZQYX+BR0-qOouW3<9&?ail1ZT#o28wW7YBn({|%=S5*Wmq+KnY44BfY4`A}
zuO=^EZ>K5dFxd)~rDL>U3ns=EEUTV($b)=%=BmQH!Pb7RIChPP@9=Ctac2ss@Z3>}
z`n;an<s<d(j{4QWvRVIO@UDYH{_I~PYjCp-<<-8eb078m&-<m7TfY8jHhr}~dt2{{
znHFm)U5<8=Ve>z)7M*6DOpg<nyHgFiQcd!9KYG3N=dHM(Kv?6^mgWN>!BM$94d%+q
zR)>?02%GR1r<|eqhSi)_oSVo8h4p{ME0*g!R6%jd4zdv%jvBehX}R7;w9bs&;}+|(
zYl-o+(ngIww=F7^Z0n%3k~VO#u%Q$Rx_=QR0@qhZTjV8NK+)p@^R0s}mt0YKg}kGb
z?uw(}3WK>EJ}CjYVvfviKwW40ofnv9A+6R;C#xqDqUThMs+lX{SWf(;ZZ8i!guGGO
zffb!D^K%YTi%=f!GaaWUklu+V{i`sxN|Hi0TI=;B6EL3Xg<w>#lXNkh&{#q8yTogW
z2$Y^Hic#j>b%aXNK4JWdXE4P<x*XA+xFUEd#qh4uYTi&@A=~w$ujeUN-<5#jBHDK5
z%1)}8d-Ql%rqXH{p?D|-UBN#(Ln*Zw6JZUaE%+Tfk0<B&T*{f+<4hBc?$C7I4m~52
z*sgolQ{i|CtBM<6=@CsQTR3?JyR_~}Khv0PXP-#9URlu^s6MQ<vh&x7cRmNYfHX1p
zci`OEFL3+IdX@=0d@`a|6Z+yrD<>Q`SU0x&E`$Y|4SLGI&|}*gP>bvD?tDS71~rK{
z#V)2zk2hFcLps*G4{2Y_X4z(!^{v4nzsNN~+*3UmUL66R2atmK`n=uG!{B3VvtWy?
zTEd0>*+E)4ArXvok-lpF>3-`8bsfK>=z_rf`21vQg+mD&k*FJ@tzQY7kk1yLnJfx}
z<YDTm9HQ~X_Bm}$AG3pf{#9Z_j7`9#0+ZhtxEkpCDb6)0<g&o5#DZD-j4OGdt3Z)_
z@tpjuzG)`X2yHkXOqRoAoI}FnR}>{UHd?c6ay_bN@d_TS(L@Y)i7-p=dqZ?<eWF`l
zEVPBHJ^GX&-GF>m##S62RH=xc)M6TI`naYEE4AKR%2H^4G-l(TaTnIz%haq*gW+n6
z0=oQXFlP^wbNX{IO%q0X@WKs*wQp+!dE{vWdi)UVkw11_*r47DE`>PakOZFm>ihQq
zaeu$AgNwKK!K;R}qC?8FogDxbi5+@6?+|N%A9mF<02e9B!|fsb)<y6Qjpb}4Edj8K
zm1CP{^;oKbR&RIle0R$^QwzXes8a6FEtYamx6740W6zCo#z%MG$@*@l33+<S1^P-P
z>S4GFyY@2ZDpG}D4JSPku`$P75mAq80}-OB;V5Kl=(CQi<CwJF&&wXN3u*!bu<`k3
zavA!<O9AGDRej+_KddG7IIYB(^tG0KN;s&<E#`zl<V$6R`oWq*(a}^?>kb;4)A_P#
z$cuKb3f)+J4)CL3bbmAnbF8UwqWKm<MhIAF5@JA+M7m^%9hV#MX8#z-aNbp!de4F$
zoi_9-YV}_eF--$Ta^+qNJ<bQChQ^)y8a3?l`3j%l7JqZCSjNxBtM7p26^$<L`EH%3
z!rxo^&#?6CNVuT@rG`fG;8TnSwJEJX9!nbFH-u52f1Gnj$WLQ;{hr6xi{5y`&w@Bq
zMnDHs`g2$O?V}N@`aN`~gDjSTIIC=$-n@D$5npTA)tdmd2(DZRzn*^)5P)H-<VY4?
z(W=D&#7G3By}lRtU#OQDTPeBgX3KQ#wWEYt?ZOMp6{g(N9{2bwpulu4WBA7ohSgP!
zcoFEelti6~;VTmS;iSIwchBLIsbg8bw36xwH}^!I9d1XSKed^6B>?|)wH}Ck>`5U_
zM1Ego#ZCM51k>51aJPH{Z_LnwdirK{;T@M!_%?b=vM_EO=hD*N$|7J)Opvz%&FDx{
zq)TvNNu-(IYOO8c9e8#=b48cUL|Ru%dK)Z7AhAKPM2TEqiDAsyzo$P6GIR`VC7TZU
zU&ClIomK)7LDp<yy5z$!M8ApX&(@@m8zd+huI6ooWpS-4L=Myucgox6?lV1ao+7)R
zV7i-EGnsHc%7gkmXad8rCGoY6=z9jMFdGgEC+4;EIWs*V)KrW+25p6K7!%tm&-e?k
zQCILi(TVuSs_&*XALPsk9@~+s!H$Tj=7ptt#F{VTS}kq{h-tg`d2H?fd+DX!?AHFz
zTd#%>zG*x2)J?v;q*2?0u5BDuvPXNPLHp3nC<CgV=+En`U&fxZhqU!DQJ|QE><UWj
z1dmQGYCVx{n{PH64@Nu=JyC^LBrxTUNbySK_~R_jDb_tr2d-6@AeE<f7h|BGyr1Gs
zEE<!0<PX6=f2vl>;a81+RLH<^!qY`B6=%pTebGiuQ8)`!YFQrq=%mLO=DjXS%gCRa
z=I?+34~Tt>gDNQo<wxqPSn&F>91p755GS%D<CDKeBg&NeMpe?FW(|Ax$<#FJqDU|{
zsa9Sa9E{dwTQ|AlzT1ZDVDHTgQmd@T7DdvLsc|lKf#^l<kocvzg>7>WT8DgzoNYsq
zQg1{90nl**ZyoV^p7x&f_q{^0<pDY?psB;EwNI=$y$n`KITn=K(!mz}rjpq`Z<g6~
zwtU<%AL3fA;U9qsQOE-X;~e~48j0kX96)refHpPe1L-go+Bo2<IkmUa{r%!Evgb61
zUi~<2y5nRG@s(J$J>p4)l;np%R(q&~3l?2fS%~U-{|=R_e+bAQ+4soqysEKeT^3hc
z3D0&#S!x~s`v3rbt8v<_LOQsQo&?#E0cD~x+?mKa3k2uSEASU#G1KbU=F?Z*i<Poh
zM8GDt%UUQ~5a@BEoW>=i6dSSCrEw4}i%<oQIID}w#`t|os(oW1;k<LdIFR~ytXA`;
z+%~z|>X#TYCUv=K&c5f(5XF+EiHEF+|HxcV%~wgMKa+#WnH4rhVtr9?VP3Tc;ze_N
z##fAEt5$bQxRBfsq+fF7wH=~F#faH5s~4qCHRZ$R#o%Y?*7gW?@UVM^Up438xLxAa
zSJ$jsswZ0VKe4kW6Y?-=WzacG3x6ybXOIw>KUBg8pDNumtDvm0UhD2c%_NQM_O;~W
z9ldLC#W;@{8d}t4s8u%EYpMuw$}R?}j742cjLVOr<6{@5-oS?}&zFnUi|l85%9mrC
zK16qaVr?36zIlb3GA@j}_6f(gh!(CizOoRHk)~^@=8yBxtrkl|*#fNdoMt}re0l9a
zK2_a<Y|3H<rVi%HvhqF^&Wk4$TRG9T89CO}MrjaOZ-;We&w-7bhdpQ7Z^bwzXAaN>
zle}i~w9gHxim`;>_mhjXss6A{iKDmo0N)F|F_s$jwk6DV>lW7sn@Q%#W;yW9e~#%m
z)IkYbwgjF_-FXx-D+swI*}CO^0+3BAWi9L@4@|uKI$EJxYs6km0f-ClfT&QWW96;J
zw3yUyuNhXDA$D1<tq0194;S`%y#kQ#EzEeSd;lFkdRtY}hYh8bGSst4;_3Y9iS^wh
z0Cf6e#{V}Ui~jhSSpGmxr#eCiPEPDt4;cBOthL2U|Jm5W5~*-qv@j@?oL^&R#J6jv
zWQg%|D*u$O^q*k?gmp-vG|8MV+bKja-|IA|9h>^&AMALb2XNJpAPJCY7OZdBC$EFV
zzpu@4H$)3!gvAaW#I&Q>!QeY$3g8kt5BwezJB`Ze(#R0qh@nRy>ZP@58;M2I412c&
zvzDu?1T!7U9Zu><LF7P+RWty%Ffn#)pURz;IRqaSg$^qH7!syDN)|+mWkWj&z#bUS
zXp;D@5!FP?p@KE7>3%s(irU8Fh3Rw%SOK@#jkr31{oPMh2Btl=sS(va75Q)dD^La~
z4U0!Qu?s}~qMacs9YzI`IrT0oV$sW3^v(V$)GdKA8Z|wEjqovn1FA(m`@sqxLQ#=4
z*b-Lf68A7$eiQa#k?1|{W*iFq;9I?vJFi>^g7ovLKjzLWz^Q&=X~R(rS>tqcXtwbQ
zV1pAW;%H-$8Tc3C#+3a7ikhT1RIn<+UyF&|$X=MFNgjssnTT6j?b1Mn13>zIf8iPv
z;LdP85yVzY%DxcGa}-C%tVbX;3f9{@6g&_c>YZcY4OcoUo3{Q%asan%W%NJ}EHvt@
z@Z2c7$Mm_}MVMxt-5X<lldoJhQ$D9#nZ63}Rk86i?fo+@1gqyVj4`!YJC52$<&-Rs
zwdAKusu4%$w-8R#0NmeMm=#;?#QEmg4SzG1;ZaeZVp@ra`yV)S?KOlJgRTuU@f|QM
z5oyu#+k(bt3Rip{{`2zp8#f_MN%f!<irN|ipb_ISNseG}^UP9zsrX`y&>pmlQP}oI
zTBk#pRJ6lSwbj@yhCwe+_EAi}H9*lVxSaT|$2@6XCC1-9>hs8sNmJUSaWtGwf4P1{
z=o<7bLG})ZNC=KG*|Dg|s-TWlRs^4ijQ<KqX;2KHIu0S@k{;HzqE8q(f~s;=YonWA
zL8^~y)NIqhAHMhVgNNvW&>w4w{QjARp<#0FqD((GfipRxk^>moe8n>bEbtT)7M6gq
zu1)16=(X`jY0@ABN4?7oEwXDI-gPOl=G6OVhqla~tCX*K4K<e8T61bI>p^hVtogO$
zrwNyHQV&lxU@`*En_5tl-9(v<_%bu(`I+&X{z*BggeKl@`AnQ9r1eKFyT*{L*_Jky
zFt>ktzzQu*gKfNAKzT~gU1}nd#Al5dBKF+=jxLw*TiXV<Xa}Q%7cerRadgi>-C>ua
zy#YG*tlF1d*MAPujU@c+=`U||xIlxFU(q^zq)nNUd=EEWH)go98zcpdHoP1G_i6WU
zl}aWUa9&n6b`r{~!lvBzni_glZte4Kee_8Nlv6kP16k#y0Tk+S%YL%SfCW2}xGI9O
zg)bcvm`~{Xmk{Yc365&QhoQ5}a!K5TC2n$)c#Y<0Q~5WbGoZd5HuGoK=@SKem7^2i
zDgaF6(9rQCZo6OYHFU>6SE0kw;{XV0m15>g+uia~@9svl9*6%cL)YI1ROb=q61UtA
z?iU?NMb3i|+Paa{J9>vCZ=oIJeq$<ZeG)GTj$u23v^r!XqPqxTKe?V)*ijPY7zMDx
zU{_cG@KWe_sT6d$tv|i@YfZ>Gc&|V`J*WlAF^vHJ^9QCr@N~dF58S$$(E~~XJtT=c
z1q)ltl$AL8++P>GDB48>$6bgK$x2f68Y&5uKp@xk{^(JSIWrx%;H&l;8>c98++Bgg
zSrx5A)o0hpg`go~f5SWXzb5G})1UWs5{P<Hv}BPMIU>~d&8TAOx$BM^ZJJX7m>2s`
zM2}krOCM76n8p9V^WSf*+4K{mj{U?9D&WtpjF2Q?NH3>Va?z5M4i#Wgi1jK1lXK*V
zI5#cqxlbR<L;kvXMMEuQd?&G->0_N(-4o8M^Z(WG_^%r0TYTHG>xwM3|3qLh8J(>y
z#asqe=UAI&!<?4Dkh1GgCeDaeo=EieN1N>d<wrI2bUYn1v=&L(X|suhhTze^JOG8T
z>2=4cGLLt&cfgw)_x%C?kuE|LZbPk011k0;Y*`+GCDZ|a3!`;UvrE-9X_AVhh_25|
z^W4encGSq82U%MxrYQ-Mkx&sDRsO#{$H+3mA!Z#Zv5E1K(02HV+4c|WJ7DM6RdTO{
z#Ltb_z5g{r|K8-y9W{LqOap)BM{IiOXu&Omwv7rk&;yFN3%n~Ne%3P^>eXZQVRmD!
zm8}yo^C&|(h~{k)b0ARAeEt5&kzsF*nxak5dOO=N2leRL5}{$;5pX?pXQjal8P`8V
z%9~F$ECsGVesXfvSDNdGo6oPAsmXd)c+9q|TDC)BYwIMON4tlbXDbXgTDv-QA%Hv{
zF6>yNQ_yIFe!ei4w20shO*16KsRgEE1to1oP;mDIJ{-2@W6#)}wb9eSF_Yi_?18Dz
z+nNt=&%}%+F4Un%Xe22Jwz(Dnmgavy_`L`Khaylf;NaZG##FmEezN^Yvcet^B@RBM
z*<?{qE*hzy6UI(>ro!XH4ns(bavsR0(eK~9zj-{=^j5~bao7$5hVB};1yGPa8#6|^
z$7L)chmDbRR9XA^xM_Ob&hPvwj5%=gynU%p2`nuezu5SYUL+nb3#GpcxkC%c-sFpv
zle=R@^{>pdS@+dTrQu>bcS}`V_U>clR+i*t(S~0KSwCLrvPSO-H#0r^@x<?^sAdJ|
zTJfF9+F{nf&$rldEnM02ImJ^eVcGr`Y#e`&8lDHPj~^#})qTUpkqNSx^X>i5W!X{H
zvk+4X0-OP_>S<8!(Dim9iJIC6QsWq3!hx%pGC~#$U5bx=#x96XJ1rRfo2GVL*(!^_
zXbG3d!_0jw)sK_iGv1BrK73t{t~ATryo-L@5BPQ9ucVG8yV$0&;_&W27@Y`&P=9Ro
z8GR7lc5S3ZKJm;QdDS$mO}Vtvv%_OLU;X=CuLNxWCF+u{Zd*lmz<@*2zE>^VU)Z=%
zo{N29%ii85o<|Clo7^fgqI5px8t%CJjBs#<B5h#?`8&kkrbL29@Mmtu47rN~pnl^h
zzSho)XJ;uV?p!W4V7WW9+KX~TO2K$tYB58cKPmNOv7g!KHj;e$Zw@qVMHW=5V#QuO
zb%1pbX;Tg}H$bMY=)e9(06_(hk?)Fi6?iZ7t70`bH!2<d@5`v%(oTQRq1)d+?)rU~
zf9_SA?4XpRjk;&Aoln3<3YtTI3kpeqSGDx;)KP`Wr(XB3H59Wv<0MigprY+puwelp
z@VE29<Hh&yHC9a}OsOQ=89ROmNr@cOojDy`q&SClTW>L=HN%T7EUI5olPAO<t12dO
zVJyNk@+#5K_LM^YeC|;m136H}+B_M&+JO>*Vcv)|2y*H1b_nY8Z^>J&KRVn?`Z@7x
z@qS`tXVGvoeODC^Spf{E2t867CMwHT!5mXc{(A1syM}j@X^DDO7Dswb&5o~>Vu`@j
zC)P481V886C~A}Lc)}jt`MxJ8<<3TU)CKJQsxof)SlsdXBUNyd;I3e$60YpE>Y^~(
zvyY|Yqcdes%#g{vjJ_HKya$jA=ErRAsa}VEjBiiW_)nd0PIvwpHvPMX<~Id#<jNl3
zxMXd}tZUUm_`->gzCvN6-%)2jtGf910mbR1>)f_Lbi{IU4(fT6^OLYSKG;Z{cVAPk
z#(?Lp?Miw8FKz^(y<(g-GX5~WwO?S!k10QjAM}EqX4&xDEg?_L3?sgSjyKtB_pkUi
zo<mK%(wExq-Kq28#Q8shV{~_L=4!n5CY(Os_(ySdT6DACCyhwvf0WkOU7~!py#z{L
zO39}avnN_U`9sDhb*d%X*z^dhZH!6pT7s6pL~Hf2EgXV;`~pWvA2SlF9KqsBM2hub
zq}lPyknFN6ZkUgz$hdi!KO8HF!2ABMld&`ExYR!OnaW*fp1p8ZIB{U;nfF-*)rQ1}
zdTu96()U=tEUzY;`@eB$dT|p`;-2L8G1E?|p+X_@25>P$NIuMdeyj?*_b&sXUTlF)
zp14Cimf;Au&$g%D2$7ohnR<UlgBbyMaVuAPE>GU$P@GoI?zxv9_)Cq*9^6%K22-rV
zHWrLe4n*70QtIIql(F&clPz<)su*>Z#EIOm7}oosO+nDNfEEj|9ahNA-8uKf<zRN?
zR;2uc_xlo&wLf*<#d#LytHwVq=cQ*~IsaEnAv%hBZ9sSUO@&8@!r!M8d(Wvn8-6|1
z6Da>AIX-I3O^WVa+MDWQe8ebv(c9jFMwy5;>3Pm&Mu(ijmt$pl69}r%t~TTARv_Ia
zTq#$dv@#X?KILSfGse`8t68z5qlHD8+WHeYpJq-l@gUMMp+}Lff^aNTX+JR1Eo5K=
z_sVoenSqR+#sBqww)WWSvb8t8JXCqpM{4++ew((Sx348I+BFPp-+_+gnIJd6=mgtb
z9kUv=1PyaRmQlH*Yt~1fdg{Dzox&kn2qLT0Mp(w1zVF2bHtx{}53~aV>F(L-+&DMk
zXT9+Me*EUcw*3DJJo$el3H$&E^cXT82eh%q*{dnSqUz%%g*Z_B^8&`p8pelsgI~VC
z-<Hu+WaGBB6M>S^#hR;E)SP#yTVjHY|0`|A6dFi_&^uw#`1?!zP|YhK5}+9P=mniK
z`7hpN^d(uRZ9+vgHge(asFJFMYrB3ZfS&9Y!ny{nR)HKcDF+ao44yhT)d~r9oPBM!
znk=+G-8qoS(*r$lunLxS^gP6X0f;CJzLN=Ha+At<zk^iwK;yqzc*7ROo1&aj$blrQ
zX#DzW3ie+1r@WbIal2X9>+blR`561!>XfcBAY}USHgBI)2F1kAMjE$OtgTi{bus7K
zuWo4AX{f22N&jZ`;>*V4_UUn|s<c&+xvHJH*sD3puQI^Vc;mLg`Nn>!Xn^M}2DB<i
zX8_o&nxgrifVADkfIJtHQbtn#?HcS%AApFq>UwA;3t*&UpranisPu)U*C_yYWBfH`
z(&!Cqu(flfo5iN6?cvD%6Mw#TodHVrgeB3mxU|Bk2nmJULhDca+?}vc&{A$~FJP3A
zZbCzD5du5d4+o+Cg|Wu-CrjMxxV3<^^69EVhoZK+K*}Hc)BVN^5x-3g?gCYCXX7RC
z>9LFOL?5(tiv7*+{sIJ&7XbRUo~ANr+q)$@f~j;Rz${D30l>0&)fSD3+Esu8a4^xT
z1vA^LwSTtr4`Ui9#R_`fu95+OaB065n-A_XVPxWa0Pr3`N8eMXK-2F>D8D7!i`_-&
z+{9bQz+r%XG9b>}oz8u0oA@CK8w!nYV-ee@Kfc0uJuJ0PiO7)U<htF6F=;G3U0exp
z4BUnaJVsyxiPK|7#N-HT=Sv*U5AMbmfosl!UK=32D*$jzbTeqOP4t9nvi-d)i63lr
zOb~Zghht5reKO)^WqP>1f#yWRN3;+HmO^q4PvzMKPmfdTKTN(w;|{!&5NfF0u4`AJ
zrsisWzK8K;)%(!0TP@gp>FZ+X{0rC4LXBt)gSp>>UsjsSSZeM^x=+7-tln9BMA+5H
zr5>yndj&GSA^QQ9UB!Orm;pUr{gGf({$h0bA>ShZpSAU+(ji8nvoo_Ph0R1EQNIEr
zym5Cu0i=EN1^_#6vN&W{bZPd-kLV!2;A$9fAnQ%-eBBx>n_(_F2M8N73gdJpR$d5T
z`b|lz9<@fw#$>ne`ftFF<^&{6!EO=L9F>8+{}hj$v^ohp4<Wl-&x3ZUHLvE~`>r$$
zeAeYbPNTk6*A-ZZY)T)u)?87B7Ja4pwB?~_JSVhavDx*<h`j*8@&LwcrwE3Y=B8&n
zOn*W5G5gLu0XTm@K2if<!~c1`{{sr-P5@x(Yi}k%e5$zh{a5Y}bfNwa{@(xX4Rdo~
ztM)kg>UA2pX@1}LxC<DdAsWb85cCgj&0i5>-U33hpx(8u!=mY1IFlnqphGPFnX1{w
z5`eQD5|0@40rX$gS5s`Xr__?$PkC}>G78E(>h1o8^&QCmQGlpy1h8~Dt^gBx)4#E6
zFGH;>PM_=I>Fu8O!2*(V0ENi2y*BGdCIK9N1OTyR<tg-D!<N!^fmi)5IQNj8NKXLO
zCbI(tW--^A@2qxtyT58V-R2e%G5z)j5-%q&Y<%O1?vF8gxdTNlEQ6``ph%-HJfZqd
zj7ctr2=%On#*8T>zEeqY)%frazkEyolg5taI_=c>_LtK>ipu2Wf;2ESBTI|>Nwaj%
zWsPr&WQ!f|j$0%&y4znvj3<Yo2~la;?CnA9C_EmO&3Yyn9Xi@fs6u?1EK97>=SPV@
za0UhWQNQo+iLN2WVP6)rl#n6369Cr1jrJt$9?798D%gqiM^|slOhdTlMbW)`Asu%R
z<=F}n%O8V>R}P?ZJi&4t*dl5HRJeY2Z6N1RrxkAT*7~xMU5CTeO$9`cnI>15+C*T6
zi3N<18(>H6w*HAAM=8&|h50l3?@x7MF1mNU)!g%SeEKFsw-J&<_zx_dzWuPbzOwSl
zYlVhAiSI3GW5$72pKvFt!6>rcuK8yywFmL(hDZhKSu_2ar>=(eA{UVcBY^187-Vce
zN#+aYTE_nfHENrG@UGX;j#dP&13Ui%7yLeCANh4V1v?yk8r@f9j}nEgec6!h0wIL)
zYf~BGx{X*sVJB+{u|B*Wj$2!HKx;lFfIt9;{pPFU7j6djtJOU>_C@>T*mR=pYHsx=
zXE9m5-mVH;e7E-4jb=NL!FT;sVoLsSUygEA+)EauUDH0DCeU=f)N_hTCYxJOUHXDL
zdZJGnFsx^PRD`{HZ-Lw5qYlrn1L|;(83}vsIwB5l^gySy5eaj2XeYi9p%K4awR;)|
z27B72f@g%ZSeTCIh63Xu0UwurR8F<z-RI`}y5(CNeAmWgD4*z0bTq0ppi+>1Z?C}J
z@1+FIZ0#wV_Q6ahwn*{15g7^@FT!59Yj4=hohp3|SGvnPNhO{O5O~1{*!rh<rag^~
zRx!@ODQ=V4*d_Rn)8%;)Ad5uPB&c;Pb}fL!^MSyeom=}5!RYe`X7C!zFCI*!6dWQv
zO3s0A#hg>viYZa|b}VXv)EGdfePT;}_@c8SpS?yWH#7l+HY_d3L`!W&%b+b#>hH3!
zAhv?XEXK2E;c@#p+wV*3{xN63^_x6n%{Jy8aYiL=g?VJnSE~>Un@{Rq{lv`O7@+Lz
zyS4f3$Ht9?I;F}zWUxV-^8OD|;|Ap1Gde1nQxGMd0xeirn$!rPJ`1ucf<vB!!GCzU
z*E3-I01KB~r@Ih>$%T4Paq#+b*9fT_hvaEmYsX*S)*X0eWKUb)-+}j<v$c(4CU@;7
z&~LjFc7s@P&w`YvL`En337T?y1WjP&56Lgf$~_18Y3u-_4W)*9i}w9Jvppv%{P4;r
zZ)<Y7XX^HR63>>F4(Y*9^{Z4;Z?qw5)(ii+?(ixDfR7vfP+~G-$*Qy~${u%GuzqK$
z1uv{EJf^VSYv9R)KOtK&kz?D`g%b+KmV1?|!P~uuI{PfAeV#VxRzn4-zXqRId*_$?
z1Vmk>2A!|sFx;9#MwDNNL0sjxS4CM<-9WH9Djs<XKu`L%Mo^1CIR)!fTVOn|UF1S(
z``vz6S9243>Y0bom@rwreA6R%0~UscSgZ_z+T5yl{_**8-ro2hAFNpisG+?st`+#~
ze}TkK&Op})&16`WnP!DmZb?S4`@w%>&Rc+{{drbG2z~rNIgkH&<@;Fx#No&G@xS$D
zJJGg2n?Joo0LiAvs#TY4e#SM4wRKB9z+8QMstlI{{e{-ux-jfMy_DLN6abEDc~)om
zWoI90qo4GkgHI8=I2XLB$*NolGm?x=dJDS&hLxS>4F@3P;_0fXj=2})c(!#IpZD8G
z`Pr#$J#<A7H2s9YPvMz}+&7|{MjEGP-uVJpNw3~ndrM^*pnF9d)XH4pRNtmxCErqc
z`!64^cM^o1H_fJ0f@31t3G8zFs|g%Ng7*9bR(}G<ZJ$O1;;@|Gld?8Da;U3H4TO&o
zzZj3HshXH5mC9+rCkDVRMs6)Yd@6Au0w=9k*{sZQ#xK@m5yd1fx07J$CO3LVyI@bL
zD)>NfOR!&agQ<u1B-ThdW+g9_bIySDC|A}hBpy1N&<*#ti*a`1E_&4iC7+s@f25m2
zKQ+u)OwZ-70;~zF#sr)?6*@xvlJhjY#94T(ydw6`echQ)!5dv*X-|oO(q%6iwokXX
z=IrFO1KrMd;q5y9ri<V%+>XC=O=cqg3J@~Q{b#P{)%41vLi4KE_1+vKppirh-W&*R
zuG=BJL&bXuDwK{6a|FPX7;NZLC*6v$t0PX+Q!~DcF$D|eD?JW638Max^NhdNY?7)C
zfX5n^;zoezW>3>WJOL%_9N|)L*-;ZjiPOW^|7^^g$f0~`p)wbo+Q?1ZyD$}{&!fIG
z!1-5mmy~dOubYRsR=sm$^s^7Yix6`?oPmPgLSIxrdCmNfSQ2bXKYsE6Emd7l=cbB>
zs;%}xw_I7grJ*shTKskQ$oupj&#-M<-n!(1>srmB#-Vl3K2l93#Ds9f7$*VxusY+l
zhumL7U)uV!9f~Gyaw2ln%nK)cuvgpUI=&RgaQBmL3?1@5zDjRw<{0|^_rQ!9s=JMD
zb~M}KAeF-1#7-Og2j>A{bW2}DOU#UTf4XO+X~#y|oH1|ZMNR334Hl3X6RJv=0#dr(
z>Kvsjt>UXOm|Tqf;_t;}u}}8B=29NytQcyyrD>Z3;(>_8DIs?^=~m`tKV*t<^;SmH
zL#QF`*1RMg4imqB5jvDI<xm)z#g&AIUBA^XHvo?HY@U8JD0GC+KYS<TE%KDCx?ZrP
zxH)p*<I2!dPjf}isKHvr2+*;`!qg)oqpM2$uREa10@!h7i)LsHp7~F2g*F~uwu}BK
z3ZSU2evWu~S5hcdc+yV)r!8JAMI{eAkwvSLhxUOEiKj<DY~4y#2{mMIE~PLMb{m(A
zHqH5qA(c|7D#?%I)HcD8@fONc2PHs8LUxOsj%hw379(Z`zf8QY#YIGPMda83Qhyxd
zrE|iG&z)ln^N*=1(2=NW-IbbQ*49pfLgWkMoOIzeb3D-lZ8|w7xyX0{h?;I2iT&2i
z4OZE<4maWWLBz(-jSD{ocuJ`Taa!RSWz7h#tkHZW=O|k_AM$5+$?ooT-nMiz`&80j
ztwn(ojqdTu=HafBWPnw>I_20<7Kd)R_3>193$Ed>#c%LJHEwPd^%r66!b6?avab;#
zE}o;Cx22lIhwnfjBY5yQXvd`I%h`<iJ(MZ_cb(nPFN;!LRc13FgVxSzxeA4zq!V14
zLUjwL`Zo5}w3xNMqXGU|FgZQ05xg@+4e^_DwW@ck2!hW!7+$P?a%KmJ8FW3y**MJ4
ze0y|?74gP?k5jXt1m}*G7Qh*MUqO>9QYln4T6J(~0-m^g4@~wZS8bP3e6eNEq0WhR
z$82?r91keWc;nk=QGRemwn|~lyrzABa*qmBZQ@`x4j=~I7>=kk_HMzn{aU9#A#u|s
zbTV}ul{2I)<x3APzsH!bpHp}etzB6FnoGqCkQ!ZAWR<mM%@k$WN)5|Px83F-7!S@8
zs<pFm_0V!RF01I5P41*N<HL49)l5stgD<c!+qu7dIh{>063fSqn|!E2qNbPJDG!9H
z%ZaaK=e0;S+GAlbW8GOtUIa-lO4Kt|H|aR3K!uw3w*w?D@ablK4)S6gcHt}gLMw|V
zWbqC%j!@=-qJp`uF&cY&A%*ZN;Fs=o(mRxoBn18@m(eR2e@hHq)x#k=xKTe%)1^&$
zUd`pBO_n;-#J<gZeAH?RY>d_##*;_7ac~|=HU*MCb61GN_eD&E3Bws{kIHA5PYBft
z^Q{?RWtpdxTFgPlL}^8yK-B?A@Bq2jR)|HnX~tB2z{l$8Ml>g?Y4~%mKd^bx{oZ?7
zG?5wN5x)=orE!-*yufsl*t(tOyxz0BTdzAd)(tPUDr>1$XsR+Rr>iO=E|Ze+{5?o+
z1;0B$B{3+Ji9CDB8Ns;%^r?BWu<!nb-on#9J_!#mi<g1`jb$JAuFQ<E!+qUN4<J0x
zY%TL&I44RC&XHz4DK|5-&&BjU%HQW9BmT2q254&WFymlHfjZ)tsWG-iPucROGNMRD
z8PSyR;uqk;0=L;SCk7pL_+^<4C<Jy}UOu}=6$;dRjLNMChgOqh4-8qU|CzVH@ti<G
zx7qkwL2iS%K@eyh2dU@2qPt`aYK<SVCmu%u=l@&Z95Y$&DlB>i$~T>#P>{G2-EtFT
z^vYiuOMyIP`&H83b)NW7-&{e!fhl9t9p{r7$97MT26eN%mF9Q{qrmP&ovR?npD**)
zNqaI3iRp8!pD#?>9BZ3+8!mMH%_4h_qSo9LOLSJV5_Up(5M*6cDdYXf;!|afu2OCG
ziP-@5j0Licj1}#k4&B)H1u#f|R8#imIo@38dQtROxv5mqVfL~ZFvYhBpMKN0bo||T
z^+E>a#WHF@Y2O#dIpvHv*DIXe`I(zDZnBDn(?PQA{lx|SAmbnPmx_(++=@B8%ORgN
zf*m8LXaZzC(jaRof3agG3UStD*Yq)s;M+0IsA5_Bzh*lpbsuCb`(0k&EmZ36jo~>y
z`k?`^D3?r|(dCUQLw}>Nnl;>vEpw;VchB>~D3%J9_B#BO{k_)R&6z!dDF4fAfS!-*
z*;ObV*WpL$sOQSSs%eL`$7;>Ym#&+*zQ&teLeqr!4~2=tKiTuX5l@9GCt1x9x%Mem
z)hA21%@qY65^q1u0fyf9c`US%e8yC$^k>jA>=AR%ZVND>s}3U%=5Ym_ijl?0fv)bU
zak99JF2)aU^rm#ZFk1z}s2KXf;>Q7=4{1_~sM6Zr@@jcAf{+E|Y3FJ>#L~SvWfZBn
zbSs=aGd2OPHS_l268&n+{2H#t8AyYj3g$pB=kR`MIU9f0U)|W}D9&Ph)_tm8XsJT9
zuv|;6o(7q<pL;sd5T<UFs?R)1$AiUTJajyu?5~!5JSl{cnz<5l+aUpMbAwH#n9CQ!
zX9A6Lo+b%izE7&39-aY2LwV3^x1cUEh+6xEX|=vWw*zr1&?JE{I0bQdlJVd>>xwWU
za*wT@rfW@~iGM%WZI;R$07uV9$b16dWy(Wku3L;86Hn7W+o5|hvwA8)59T<HbFz6X
z9&ItEX_7&_B80FOkGsp=O_2C#w*}%zrf)jTq8w{8j^ZycJ9j5?+mxq%GD!d@@b_~;
zB^l?43Eq=^fW-0hj0^`=b7Hi1f$6fXvGTT!9zh+0Q)UE|^1eVXWKa8v*2Y`*G^Ie8
zi~9)+dll=E9y5b%hm$5GwWdAWe+t*LpvoC)0Q9fa({YDHh4z;EZLA87^`F(3Q?H12
z_l3Hk_Z~9}n&=()l4fT8Q2kd=(VSz-Pd<tsmXeKS&ikVwZfnui#>~GE>k|UY?3loA
zk+CS?Tk_YK{8shCt2Z;U%EWz<LLE2TwAN4^PBZmd!Fy>n^_vA!s;RW|5!adpFIHft
z$BRPu*a@c8WEybNeutHXm)xRP{(5GqZU6*%2k8lpoF5LqyR_@bh{=Z&Z|B2gJ}s|`
zE5jJS-rS27L9Dutgo(Pq-_quI$1<kOZ^Ex!6u}WZ_vk9CE84VX*4D6b*wk{N_nExp
z9Pnxcn6gvf8J5VskVX^6wZYrxHV=Jui2P{61OIllCe;8_X%i(HIBzm%2m<L}yfF-Y
zlQ0o5R$__2;ae!s$V?szr{MQh=>lDy@Zc?PRL$}w($?wDR_Mh`!W-74<<yow{0Bp|
zNhL74uSJo7WbV!f1bpsyS9E9`5!Z!{5ktFzph=t2v2rsY0y{z!E_M7q@~-cou<MAu
zsw_~0JvI*<Ha7Hy92BqtD<<Ut$%qUHXS@+X%BFb0wBpwZo-!fryzi=ZKKi2%vIRLy
z?!rFEozQ~$U0f}DW1uw+m?GAAw^^k$-~L)0E?GOa0`$4#$KS5;BdLukRa?kQ=IR!G
z1ZH#G_&1W8&o4unQQcwun6LsBAZm|v<>gYs<Ya);+YFOr13vwR@ogKBcGM13ovBZl
zXJbNn7FJ!g_R3lr9mL*Vpy=&7<9UJ8tT%BZp;r8vusY-Uw+HX-x39$%Yv491@az~Z
z3nnT=0caS;QaT=QXC}oQzSfI5dD8;Re1d9v(6xE`A-p5CuP4wv!ic||PbIJ3lA$=Z
zLAyWqUcn>hWhvQE7lUmBF{{kavK8oY=m}*l(qmN_C@mgl>;gxNuiLh0@1+ULiUeg#
zacA^_S_v>ScU1PA7o>K64=E>|3sPuU5J1wOb6f9uMbAvV$4h8yH%12kg}+uStI{02
z@buNK=YZMu@jVeK+ZjaO;^|86<TM$SraERS$}La)2$f?$!qW#sCA`*7x^9h<c227$
z`9>w9XE00!-PH|&3$4o4%TOkY{HKg{p5LYLJuhy+Nxp3fiywg=cqyt%ZIlS}I1~fV
z{ZAE6wX}`Upj;1RcF=CC4Ke}A{jpG9V*x>K^BRy_Ys7+$yJikYGhxhZ?RTDyoxo=J
zoH6esZcahOm2sr;os8kX?Yu%ZX)8FsJr|#$CJXA=2#>A%t@%zlup%yEzv~>sRAnL{
zc5g@)Kxo1|&x3Xb@8)XRjmj!3&9fPHfKZFPY6Mp%hdZf;w4|+R^v*R`+V^8R(8k9R
zGkNbke*+n|X(DT}`&W}JeB3XXRd;|2E>Sl=L8g&&i;X!wR?7!6>(teOwr(%H?<(P+
ze;axQY7n1m`ESF&D(morlCtC;(IkYLa6jEDLDze0#;;gF|0w95^A3__4eTRMg?mzM
z(R8I}F!a2e=Q0QL=`I|oIW>pj!eB99vA!Rin*pM}Su=FS{XWpikutU66@$4+>wEOm
ztfz#9u-Hs}ePT{F7o1(xCRnYeC{<tLGp$<fWtBMijE=pk*dWK|hKY>mBr|03@+_ae
zQCqvPF&OH_C7yK;o7@y!M%^t;Sv4=2E!rVfJ`)a5_fyW>%LN5$8ELhdE6rLCT3QAh
z$DA&>XYPHn&8ZSHN}h}BK0jjcps#Z%<s#*0pubp)O$#k%#gYWFBmjMA#y#k3fNpnV
zHhWOcPzBgwHP1=w%y>HW0M?0k7QGcHK-AdYj2Vl&ap$DkeE$=9FL5JKLFoIfd16$M
zv{0FXh28dYLD-*g-7H%iI=MZUWGSrt{N&2zO)O$%_1U`(5ep)bR=t|XMcub;g1L&H
zbCdvP_C*wM_wx&PPC4P9uioFj$?mN&wS!N;Te!qS2{xORuoj<gQvxIdBlda_{{-Tf
zSwN^*N>v75&Ye(+$FqUnOZC;41AR8DD2kh9|F?6wX7cABLQ^V2V44NQscXmD?y!L_
zNbf!iHPNR!93vLiL)W8(oiEhgACJ!c_eFtI6HwOQ9g^%R+JN>g5sKEM*OxWAPyZ;s
z{Lof@0gf@*fHoEG-~!5FWBX{Z6$1KZ#E&xB7T0b-5erak30wP!XVm@SQ~f@6M(@YB
z-;!$p#%m$0C^#uo!q&ofb*$TyQh*;y^?4{k4n14mq4NVh=f&Ctf2zgL6S}VIC1+u;
z>e&g`{BV=IbR={%*b%rOB$_Mp-P+8|!%O1YXa6n813Y^)5}Vj<8Vz=<+`JM8{@t1a
zhC_>AuhPqn|H7nHoIJcygoq1RYbxrfTU#Hz*LP;aqu=*_>{1e-c#_ThE^GFK`mXU`
zBFF@c@3aqbT@9xYEMZHu=fwk(QyV>MlUJ{(+}%vsuSc(M|A|&O*_tD_l=ag$@yBv+
zK=c6{>SeHXH2Yp9@~@NsfC9|`A&`qe+nAUXUlk8AFoSPOw9hN(0Bsftdw@gZ$B1iA
z0p-24>92#OGIpAawY9oHD};Wa)w~aOHY1JGoR$G*Z;#MDFu(n8`m5_ogl;?$dHLXN
znJ&WF8mEq;-IDRBqpXU=!8+VveAn~3xcQ)Z=_x`=x=&I5vJuDlicrtZs*d9{2hd-2
zpJGnJE9Zaf`7TMZ<$hHV09Ferj18B!<!goIy;1Pc=E6Xktp_8Z_WT_n8wj^8?S&g8
z&cw477w?`PJNIkNFI!}`ewY<J!98u6rvF-Cn_WS1Z&*E}Z$95(pq5<1R%_52!q3LR
zkpGyYvKIn@$eWaHi0g~wx98a77K$of-&!CN^fdDiZP5m|7092+UOq~Ay?p0<dqb5)
zCm|eA4v`u%6#__?=-+!+EFu4_v!o~qk-&}TGDBw&0$0@MrF>9_fwZ=S>WXx9$T^-I
zoSE2sA~_gnCo<#{@$OFBwp!Qm<>H_G6!*=Z>*{a$gl{S-zgjznyoLgPBv9V$qaqi0
z_5<!fN6G&p<_Fww0eXHEpkw3ApM-C;jZ#Jmz?)xv;&ZO$nt$>=K&8@d_W{a@HcjC$
zv-RI{C9e@!F>RSkIpAgX!uuh#qr<uN=22S0oL8=p$i3yT9Vuo8bOF)}^mv-jdVAW~
zuOWL!)3-J(zWDs;LC#q0K8=GOc5aTr>i{ciLC@9xsqH_a!&^QM0qa@v8RDs${J2A~
z&V3LOB595*WdlBmJ?JJToG0DlYIcA9TXT;gA+&n2C0_F7Xj^|$So_wNcdXNwP-de$
zGys8JtYuW`9!_;2`R1?#A2QL#{<Ti!hD`C$_L(6L)HM0uTCBjOej%LHZr^mS7qQTR
zz_#tz-=0_d9)b5Ch!um?ij<VX`PY;G@DC+l-5xOTF?jC*az<AA^!VsrbV2DZDVS7b
zqJNZ#XPO+Bl#>*Wd$*LxT-OO5CeF4cmD64^^P*1AmazuXyLCQS*(~Ayoju$pp!e_{
zMK8Nk1R3q`zT-Pd6SdYmZ}CD^0<syYG{1G)RJgg4Q_ntHY6kLWuPnNqt>LCP<bCI-
zW+|woty@@k0HyHpUb!i0V4CDykJ)YWO8@#_A37bts3N}l$;pp(2&fYhF@3#%WoiTd
z=Q~!3YBJ5(?u7#K6ij(lxZamyAltg{Z20dN002tWy^4Y~V<u4C_R1a@kF8j~yM>$w
zAX+NMPpKcVYXKgU>r)>+HD|7PKk7I@jVS+r_3@*_|I>cQ7*Hv&Bt0_0g5AOwISU{1
z=Az2(F}iP>)h$;(-_%YFbH88$R4p-m<j6EXYZG!svzFgkYzId+-=9^zCLU+xdJMvS
z7V_!<*a+_#Zz#m|sc?dml8W_yUBzacMUzNbYi$(?IeC0of3{EsT?wuZIY@czRIgju
zxO|H-s8grN$Z?%E-<1u>gx1^)%F6sj-M#<O+yg%!Q1wl@v=X<g&fMLuC?0w)sS4N<
zkJ+DsxeVzR9&?>8Zk_N<%Gu8|DRGSS{KbPPGkuH&^yT(Rz`K^xOvr(0_<|;YBrqx7
zsN|=g{fnxpvC;Zy`L5xcrQBYXBQ};uN9IO2%5uo-$R>dCrYrr<duuuU-#pev>&>uh
zH5YHOUfM8jUnVQ2NLM86%jJ@ud6>I_uzN#Z_rS8Zbvg%A_f-kREiZ+aIe$K02#>Cu
z#W)p#FXpKzHAzGXV5gJ$K+iCL8xgW;PNIfh=EgvXuFKOtP)Yf={DV|g;;XUeOGTcE
zGcap}TdhkG6BS2U)6ddkcFO^(y2Mvjgnbg!Gk(I#I!);2O#bt~7f9~T#jSVDb)AcL
zKX#q#B$s>YxG{FSvVbdH|4M=QRNKV4TM@21KuJ09${!}UDRIAZ2N;NYn{sXgA`8-R
zPFT1(5!OYX^u@MONzpBqe!Byj7UJv<20Bf3;W^D(Zo&)+qwYPz=n4$nBCO7krDaGw
zg1)cbUiBkUI~>|8i`ApLDD<5-7P)mt340LEN^S*Z4A((VazUi-?k{0iQAe}X9rAYn
z%F}hgfz4G*+@JTNJ~w2PI{EQm+Qe=&GL#fXTmf*OzWJb18@OO99v$m_(%tG>Uuq3D
z)xLdP-^eY5b2}I|f7`$E70>y`)0N^zvAL;p(-D1so_H7n2&Y_`_j8O!lu^gm%!7hT
zUpDmk{oG?%)zO{~i$|6Q-A$8>w&1@7GA<&HBfDzQGkl<rq>!~DsTgP3i%G0+s}g2$
zZR)4RZ^0dfMLQe&#Rl?;{01^^%(!GIsOB5|^+}81RK0JWk{}a!{Il)6lI5pSr&%6E
z!!rC~QDqrkr_3zK#uS&yLcVrJ=v5sXvoBGRJ1@dqXd#WDsgRMol+hrXL1k;BZJn%@
z1IE?eeljDDX4~WkD`F=k_vqaXfZ0Z{(G-Id>4x@9$teA0oM$=fgwW(Jp?Ic>BN+|S
zdpfUC#gpxUtaw~I&bD#DSl_C%wcx+P@ywC+GdI3ri)<%obCB9bS?wixmV;G$M-Tt>
zia=UX=xpw-M1~xappXvN`go@qWv`bp<5Y{}5;ctr{%M}$v`F)wU{;AOVosNd2-F<P
zT_zK8`IAQXcrnp&%`uzH(-d#(z+Y34tWT`RE2s*Yk|aQdJ{-GJf5IKQ%zHrk)yX<)
z!6|1roaX8O@5)%rY2fr;kNaY7{w~l~Y2!<dxb6@mVB@7@;f-jPr=GfdW$V}9&ha1k
zNA^c*tG-sZ&|?1l=$-YA<=_2cI!7u?hms@RM_9M9gFhGRMwO~3qf&4AEA3{Qw^N5^
z>JRJVP^7|6ueKq>14BKiZ!$gthi{Fd5`KLJ>0yYU*?}3eiC_&A3@XU=4L+!ku{QCJ
zV>vkISj|ZzMr(+po>!ONCHz55$Yu(kidtS(syl~_aA(7PsHX5|r>o&&uu4P7@YG9L
zsm$G{27){r1Lne%ghPP=1g`>9c)&<ze`avU1b-fjj(iQ-%cEuw;nfY^7{NQ-NqSAz
z7BT~|FXO-gwrYVD`~;&gHSVy5VkxnK%;zG*umeMezC7w7=Av$J(KB*&K}+>)U1Dtj
z*LBD;WiD=<r7`|7(7{iwTnKidcuivc*${wZ$yxlHD;cKG!OKkSZ#qWg7smx<mP@MQ
z%6SIVF%y}dTmj;IxxRRYibA@UUKtB}HdPV_AMi(sssb5bgPh6w{%JkKgUZ5bTsG#l
zbBL+$2+O~ydo0L_NKq-`h(G3*4rN5zR#18c^`<Ozla+5iZ<OqwCkD!0N*dn%u>lGB
zNHug_yT+g)V=(aQ7zzDiWw{y8h?vdI2iJA*Ox;TY&&Mg3@Y2@fZNZ6NuYs&2FBE9%
zndQA8FPS{e7JUF9J(cOliqhVDa$3}FnAX=Ba=7bD1gCX^OI(<D62d#;Q+FII_WBbG
zUp+bh@$sm1vugyEA{3;uvHEN~bEl&VA{ve|^b_Rw*AMgWMD?`7&YAvgOG;3sYr=(B
zxPFdB`)QFv!>Vtiv*RuANsC0BzK`-{RFK(~7WOh+1v(*}6~wA;YIGaJG>C?JUf?CA
z`-SH4^)PsT1L=3RD7dC@n^fyiGRv-swu_^Y7)8&q5q{)^WGu4fhw~F;BAa-hnyeF)
zca4cODXS%4MQ+q^-f?Pad%MPd;n*;@`7*ve9>vK=iF{ooQgu-`*)IKztGL1&E+N4d
ziP4Ob#-@=5QktzqsF^dFQ^Kmh@`>$aQ(6k4QX1$>EK*2jWCwG2GNM4hR<~AqGE-W4
zBxtn(qUmVm8#oTxx0)A>s*3H48(Or+hxQ9h@pqxv3Cp24@Vx>3H?LaV^*`}4l)570
zNI@vJ{o&RDGf3^$o`R-mO!rf`dTWPP(&k1VR+O_Xai&cy-LDE_>Kf8>HI5bSw5c$X
zDEvo*$zEo3F%njxeLv2duRzNeC%BEJ0yFHo+a*s*i#o~QU1I|%U~7||Iq#1_&t+No
zmUzhftAT2f6SYItuo~NSxo@aXxWAv0voL0qjNp9zsK#06I9OesdeXXXV7eoJ`Gh(x
zn@L66gIfhfYdvvGMWvY(>|eD5?2NIne4UE}hNo9iWx}|_M1B6b-+hb^z0zwrlON(3
z4GvbMU}jgAXlx$YXJb_Ri)6?N_^W(X>CN(3S7FTgXhhIGzE-t5(jJSuh)@seScz)*
z3;tSb|L2vlY>S@KfUDewj}Q~;QLs$XL@r%W=!{<w0U(pOO#d!%<mD2SiU?T|Sw!F@
zqA;@<IHg%+V$?oF*%_p)(C`X7@umYSW{jh3HH72U_1dpm^mr@I+D!wnT-=o<ywyn}
zMV?SrRIw)$V-1k(OR2wtJxj0b@9{qgG(V3E*NmQ1%HD~0DnarS3_rSuv>?mV{HbT4
zU}A6=F*hoQz}6q*A6@<`AV01Kk8v+PfqQjgf(cE>S_fbh><%DaFr)s~y2q-H?Y?W%
z|1u@A_awA&)^cpWu48p+WB)h(7x5qqnV~pSp7xjJy_g--$KKv*{F?cAjo`5=*R*of
zf5O@!AdZyD@Cp0W-J)2a+-QIA;_Fy%Em*&8yUr&|kJ~C(NU1wC{H(eLLb*i!&$0bo
zcK?^=i$krE`*_{(iiD6PykQfVzpe~o_-EMr(RxQvkCxNg_g)K1yyg07w`3jXyE;=6
z78GCyZ~@yABt<gP;~v2@LHkZ&bX8-9(O1ggX~kA!%S6+QLWk0+$h2?>+0V20auZ}2
z;>wpVs=lU{za;$d3G>7GDkoRVgfZ0|xAxwKFrhWr0&@YV#n%bFN~^Fzw5+O%kIy`i
zS712*ptQbNm!M0+d={d5vbSNBQdXpp7bnonq0U;^(vGjsyn5Q8f#^RP7nq3&`|f`@
zyZ_PLbw@Rot$Uq2Bcl{Y1wm=fIN~TJMmh-0j2FE~8$=1cg@`}`0s^509YAzwqm+P@
zSSV6LC$x|tNDu;vf+RqINC}Y|AP`C*c?ZyY=e>2;TkoH@-aCsw&R*f1z4y1z{`NWF
z{(isTNQ1xqIO=H7THX6f8K%Pum{y&%5LO81=Z)T9KxK~{&jHV>(Zew(x;}s{8U-Fi
zSrb|ogJ!pZ^Qa5u=t=MRN>2xmIyWpeV{P)%Q*rNc;h9dhM>&;E0c)=d8)}m#)t|#J
zZ#F!p^%aF2!NgS<14s#6G2j^|)!vGsI=uw}=?0yq=$>38b`b=(XtcG2g5WEcK2J56
ze9p02LWifdK*!ATYsge9t(TFaIW<`oex#7fwz43oM&g(&sNh7!34a8l&d+#vY}Vzd
z0G>q^65>6s)rDZ+wI`Ghf_+c+;b;TA(Ws{Z2!$H|IW3=B*f7E1I<B&>?%eFFH?TFi
zOyw#0Rpq3cdf3#Y_ea;#@JkaKp$-;`n6ilG4gXS=fUJZONEP3%n&1dncyBgYC*Oax
z36J*{ljS>ZHh%E(AtExc%63}x4lhLanrcpZmggfz@o8&I46BOYdp8mo*3zav{+u;%
z#&9j|K+JYB^1Pwd3*9=Z2%|?zeoVuO_m4lk_li0vpE689zg@UI0w&`c)Nf^0E;LXR
zChH(JjROA;0OVPX<tokTdntx}nKbT>L{ZZrI>}$5=YXa_=hKEAdWM_%1fbJ7G4!f1
zPzCg_$&!%rcxAF-tG!gm$~X5z8n;I6#}9o4Id{tT2I1;4(7=ypbxfNsJdp#jz-hYQ
zn<i0zX&w=M0pK`U$!!!9+p@?Uugu2Y(DZ@a(r$K_tJqLqFST-uZRPCiusVdY=4V>r
zN*cO9wt7?>1&W+aSUaDLKn({VZr4=K^j#+r<=8aA&4jDE3nM78DFhEdOU$*$7I=#_
z@lkaPHMu<8^tH7%%F@t~O{|AX)5MY40i%;0-lbWQ6qM4W*{6_3N{!RteC7x#l1CiA
zw2fnZSn8BXu!Lsbm9z24^5CuB6*KKQ^@72s80MDfL;Qln^C#>S9r{$<9W-W4UC?@n
z`Rb?y(sO;S#75Fe=ylnbckLs$5@=~YP_>`06^f_($h*Wo!m#rd$gs8i*8%fdwW~u)
z4UzfTg&ipLOr^PA7i?(zEkan-;h*XQP1a)3v@_Dx=rSq8^-_VBmq=kBtT@RzP~~a*
z3iVkxf#w;psRAJYbcZj*O*ajG>?`n%DuL$d;u;7ERx~smJzP^mxr+f>7GyS5_Y%y;
z!kl_wXW?yx?YZ_)4cQy)j7P=Pca+NP4Y+F30FNCQ)*Y1e`n7NgJ5gR7vN8yvsu$&g
zG1?WeyC31OoP-ZVr1-ThW6<`Q5|oobj*^va21D7ESmMKST6kl5@j)L9-Au%jUWU0)
zb6=S?4?NLzE<ToT(&1Uun2~B^$n9`j`+Ei9x9h24VTC=JfVhnPufXDlQNGE@S}mLa
z-)bl&$<Prq&D%;m_3{y(yC4rcPaW*m!G0Jxer2|J=53Ng9mPgAJ`$!DX!YEBO~xxK
zuEQ4EBvx=Zsq#HIgX6>d>Z*0Ke2V{^0wa1ei)*GxKPSW}MRp~c>nUtRhOeMJ<)O7k
zFAo&+cms5OMm3x8q+f>rx_*tBZrxFMdN8Sd3mb-RGOwEW?QMda!D#c^($2ID?9<!s
zssWcUasOCrm^0MDVWYKzk{j+fmhtK>2i1%jz0~LMtYXA(Ankf?{UFm(m@<F8%iNS#
zTP5J>O!19i4V8>KeI@heIupP*_cLxo1I)C{8A^7E;76>M&S9;8kY0U)u({vU>waZ!
z=V`hGCp>}PuI#W))^o=MGO!~!;DxEVADJlM)+o#YlU2~NbdM}^EHvAYQTkI(BS{6_
zFEi1YJ1kQel+LHe&|&g@ym?^Eb0X`iLE_iS!H!}(OJDQ^$l!`n#8hxn(XgjqxP7>M
zdu8rM_H=g&Eu~0%?Znp(yAc$7R?6c!lhLp{z2EGs@apO2WLK*=-_X2rfpKdd-yf>6
zZ`N!l%z$0)d<aB~TwnSyLkG^QAAN8TR2Ux;mCzI@m2u=t=ml3c#!99}fbpvvMCsAZ
zW+Fr&drz~b>+I>B@RkjLK^l<!a##3BE0CqSmAOcRat`?^3SE)F=QDE*OKn!(`n2L%
z9J1dws3hXz4?q^8YwbbMeRDS&#UbbF-zq4yGx)8gOlk}l!06WrCpkc<Z|7PRa#oac
z$OvU}?_h<}zlr}~Ly;R35Tj!hqZ6EZl`gc<dA&rG-RiQv?ug{SVT$@0ER`+NIHDK!
z)85$Vp700kv9CoXYd7Yyue4fI93))sF%tK~Jbcb-YSnicJU+VNy~HhHv@*`ddqvrA
zZB2y4a-$Z3n@BUI)bO}U;@_$x?)EIiwMDEp-UU((+2ihER^w=vCwsrG@?P)+h+I{}
z|JgAh{~XD~i2dHx@M3F;sgQOyemTxq_qYpDIXmjbPf<Eyd2`p!wY8qVRB9@A1aetB
zBU@DD$tq%aF~IOrRg-QKKYnz-Eal%czE&JW6s)!BTOvd`mzq`a+wG=9EKzg}mk8NP
zNKV;)DdSrPKm|vZ>e>G|dMtOCnS;9>eag?<04BSe=u{4Q4UpXW9DPtQd+zc;w5$PP
zu0h^Seehq=x7E<uQmK8mX91E5XCya%ET^2PjOWfZwK^mVu!}U$sH&T&#c7NfFw#YL
z1j&Gby30R6p-mx|%1W_-E>=ZVKQo1|{YgF#;AzG^`&Ssy22)3|-+wQts$hpknU6Ur
zO7$hDhY%EqB7qL|izCz<fgt9KubN3A*VFTZwB6)=d(w=^S1E?+-7cwmTi&CIwz%h-
z%#YxbLH*;<?*_8#-t%g5t=?(fcHlPKV9xSN{wxdZa!Q>Cn_nirp7nC`A6z5pF}R1n
zVvq3~=CysZXZ~FG7-7FZjp$pFEmN1ryb$B35YRrN@EiXe!+k9eDyMeXTXvWkLW(ib
zi_1=9t+UF~j=|Bj2WQ^-AU!>#zLki^>zy*=<aU?8JZ2U=!=b2uOMjvzSK3z9aOat|
zi~fpF+#hLP+cS7fsb|8i^#KV5kyXn>ApQAE4MebTg>xWB$D+SJZ{nSur{`7x1B@^Y
z3~x~aSj~5~F<eOiwe1NfWOca6RIIkm#rlK-5wBXAKZAayEH4l?Db2q)jWit%d=8PS
z4{9ZujKQ>PvPzpq9RX~S3)YZlm3X<K`&kc`MMhbam8)xs!xVeh?4jDQY`y0ml4!5w
z$Pd0(Z|UE{ohVIL%+_z3g2~Jv9zT)&o3WMTU;kh*asbu=c|v>vFP9qYCpbJ-u9jUg
zYIknKwX#HFG9X`KoYbF&A$(e_y7~zs64Jxdq%#24_%(o5%+MkeC3PU=SBV+&gXE&~
zu5+X9_Wew6Pp9J0!bEGeJ91?pYk>bN)-AkX^`O=ZvzEFdAW{q*>VA=JWKX~w5RoQG
z_B3KFrw|vbNDS~>rF3=1BAlW>dM`UAZ`|>5|J3j3r*y-oNBvBy?AI|pTETREHT+zN
zHv1<Tc}4drj%&gUkM&h&<pZXJuDw!H=lZHNfHJYLEzt1gUx{9e$=I!LUx^Pu-e1Qa
zm7+um#us@Irqrn6M%f}n6a?XvKD&4-OW~FIVcm{chmGlY2~f%61x1Z1+WQ<D(9x9=
zRY=F%JS_=eizq6kh7S(iexIi$88F7GfnA%x`L(@JtlaBWi+iaba)Sjp6-?8Q`0c_S
zH_1GXS{d(RhMwpT`6jrvB!z#~?Pid)t55E(G{ps<i25|qZ>1HTY4dQ3bt(7bskdZm
zR?S&JDR>sLgyJ@Pjkygb-Ia$i|G>$qkkqv)j~d(wS1gAn?CJd{*}!AS)?tx!yK2J)
zZv~GSFEuT!d?P+@rGbI1v|J&O<XDH|kKYj-W=c^M!y)S>isdUI&RRE~+irZKx^;>~
zZmgXh&ZNI;LK#WN02CK5^-@d8w<DvQM6UL+FV3H+smv}s@w3GYWOMXQlY&UE7H)=|
zVC?<fk4e`&2^8GSgU8U0bLy1ZyUo)BAw#2Hal2~0!1Jw%1+1|SI22-#KXNv{oeIJO
zD+S2VuKDx+6kKzbKQLgladr&L+$dU%W=2AEgd&P!QL8U+;=d@rW_SVJ03>;~(1tP;
zBenXy9QS)zK#c)dqIQmZPe1R9?EBx)^%S<RO}U5yTU=f1d#U=R;$!(hDfRzFDG|U`
z`SGcs7>wX8og6ULUD7r!bQP+zYB0@fvTa^b{+s<{_z=V8);o<rqr>))b*_kSK~lz6
z1^=^BVLH3j&pF(xenA^U#@A(bJ;R_K9a9;Khnf6wkd%<1wKb*Q5bF5~o*H~!c4uz~
zIDDXiacEe@&2IuSdqIB=1G15ojCk;)=P(0vWYJG;pN*He1JWh(y^-S%<*`h`W@Z)s
zBJi?6Q7)HY8}M3PH#VEkpgkpGXVWDE5V4B^(3K?zVkn}1a_I7yL*|+!OmlDM?GoHX
zY<-AWA6I6Ay0XSt>YficfPj^>3#v97L=om&Go_r%!j3qf@5=jU-Qn;#P$Uap&tee|
z)g5Q8WWHZ<L~iu-F;xM<S|%?|JFX9Xlk@<c9LI1-PBCXs9|&iiwuuk*6OP{|gxTYg
zmfsf;C6m$+GCg!h6x>8Hl5vQ00O3Qx(CmyPaAJZ7Tq#5m+hj<i^rdg$%d)$pvncM8
z2YlQ%xI-uMN5pocLUq_iux!?9Fke?L&QV{w(%gYzexW$w+^!8<hIaP&X`m>ht?_uH
z^QM@^iwDqk_!aaRv-B3yF4n)twMs(t>i4etc)73P^A#%M>;pj>w3{M-Cf-qjSlS=p
zYA_sYSiHuh^Ur+BwEHj`r{oUY?_oVLOg|(3O-W<m{rTGs#xZCUCstJ^L4$p+<FvR;
zM@=;Yy`Y7#luhvT(KRmG!(8qfc<b#WPHdJ%^D$qwF82kzW6xsMF}+)b$-g)IX4s}y
zjcUZ0wYF$<tB_Br_=q5TE^chY|3qgx^I-NL>8J7C$u}E^e`qC}F&O!b0sv@3$eCXG
zWn?;Hf^@@bx4-vlD}m$(km1J2q9}9y7eLNh@JyJ429;0cpriLG%Sw=bhRe9${C=nw
zkUPs=8;`F7^sWl_vr`u@%KnjbO>Dy64eIoSRpsVfXfX1u!hl*|c@6FGcVy;4nOSgW
zlABdQ96ElupmY5oD9wKlo@^@%kPr#{qSo!#*;M=qUzM(Dh_k$f3z36&bbJ@oSxY}o
z_MGzT(J!b0MDxA{WpPtqyZKydL>zTKKYQ~ptv0vBALSXYhS_Zbf`n0Q*1G;aMxX32
zkQ1qA#%v2lEv92)E6spcaJ-S)ZPUVX59FYH$uF{uG1$=5Le+>CtM$!7&GZ=SD9#J2
zFqVI@Z1>i{Eb3_`M<x>`%ZxVc?PeAO1htShbK+9ZVzp4vuox9F<G`BLiNq4P0T)!I
zhk`io<S5nzrr4+AJ8B1;lSW3r714KdQ|W6ZpEomQ1cW!|zFx*YE1R*brT}2eS$bw;
zyjKsa%PX-`X65<F1IMghuhoEKjMOY#D#BjszqBK23DA^ovc${rwmOyD7ME)w)EKlg
z>I{D6n$;f|CL#vy<IiT@-aHi}o2ub4cfe`n=dwc=WLM3^N5W#zm16X?k~)bCarq3Q
zlqe{!@5*e`c6`Hk6(a@f&O;C2S$brH+@dBhCFpI24;!$9N~<Z%ac?Q3k$@e2Z9|^>
z`k;}aQ~DGX>L;KbCO=!AD#s{VIHYm#H*B6yUjEs55dPO;<udu)J0ps3mZit^0ib#T
z8;aaOk4=>~Yi4WVxy$)dc<yz(jf)GuHpYV<f4OjUv8k}N*5zdCEo5lm3Fjmt_c~Jd
zG%KE%I_#FYK`}QT%=^oKpO?koC0xCJrwE?2<5{+Zj3x|Sr%UHvn?QPWWq@aS1Rr*^
zrts^bXz6eKz5%7LDBbw(T+wggx3f%(et(8LUu5(9`-0!RpSSladY}J#`j@3eJ?_Gs
z2Wla2dSOl@RAK$eTz8Yce#%4~Ag{4<8LvUgNZK>Y=J(Dgp=KR>kIMFUphR#1bnlTw
zJw%ga`u3o(KO4O<g(ghP?EdmhaXcSPx+}I@cz1ZIR|cxLm)i0v4(XKumfu^N|8q4<
zzw$m~>|M*=d|q^2zx%&Bn^FJ?xA>UFNv5z0ve)+(lqMRPN$To@aAMlX^j055EJ-&Y
zST)<B35|7~p(Vv#7Ljg^y*fDSWN+kuO3q$KQLCE1ckKn$<_@xkBO!2%eaT*-ss6~Q
z8s1{9XU?KqW>F$0zjiLjSS+wp(3@>b<t4q*OhZt=S=tk&zjuGuz}dM`aN$Z<KFBxy
z2i8c3<?_P@d>BB4X`VIK+IqjDzT(|U#aXui1C^U!O$Ew+5t{!v1qd(59>$GR9f&UC
zXNh5_Ber_nku^d30wGx&9rbX3;7o{%p`POL!wQFImpr-h4-?%kj#g&iLE+~<GmN#s
zyDvHCI!7vJZ!X-PkTc*0*sf2u>u{oY*BmjUk26W+HMNm%6(hEN3>BRl<kvW~sV<&8
z+UuU9W0BE%4cN@a-P04_O;27}froFwCFwY9=Yph@9o6Wp;X<&Sb@kPcq)vs2lhn#8
zRmh`?2`ZJ2{@s^P;I%l|x)=nb%&YY6s*AS8i!ticdV5bz1$*TvsN;S>FVLFnj#0kz
z&I#yp%%-70j#}MLw$dOA=`hvF#G1H<!g}t-!%x~}Y@@c|ntx2azTl!R@vvR<k^e_B
zUFvsNn8P`V;Ovg6t|i*fx}h#7&B#n}**RzC)>BDbJI5O7G9UIM`!^kly%7v&c2BT+
z;+Qx}FS~qdX?d<TWMXqk*o<E%N8i~N*mwnFk1H#K)vZNS?CvUGX&HK2JZI2P_5CBR
zCqyBMegk@|AXshU-arKwDdN%QsXY>@7wWRQl~oQ!gimM|$rX;__bM6yNRKe+X<_Z9
z(2d}F{<=xTcAp=*m9!0--~jsC$`8n=F*NT1b+1FQ=0`62>f7d0TI_B%MPINUG9;8#
zdFg!xb-<TiDh>+3o4uj8Pe_>!K=g!23vrHRYFQ{yRW6gKS(Kx`R~!FV&eHNS*2w+Y
zC47XcqY29L^i-mV!^VVrpULT|4;~@gh>q9esnPbH8D?hc&NPm#%2R)Q_nV+4`#Css
zZk#pnsjO$E{s*Pq+qDRK!|`US<)fXKVL`q1y5{C?ejbvYf82+sFI8<CG$!{0j@>JK
z%cmG$zSYbag$xRAECu9kbN0MLi}TJ5yQZj^b)_3Btv#McEMyeSPJcDHG7hUMkU3P1
z$mcvZcv>qdcoJl~@zjn)o~*W%q)S65@*-Ec$sI*8o%IFCxturTNxoEh>=))qVYjL?
z?}r0Tn@)c=sGP^eHYn-GqdUQL(vd)o#QmD084T-$C+bP)PEYCNW_gLT^FD?`s}>b}
zVOV6a49FDo{b!u*oPM~zGvzY$)#opZ#)s%Wr7shu?7u7Q*}CP_!_TRO|BGk)Vit`?
XuS&YCK*%*a)tVSv{Jrc~*WdpG4xM*q

literal 0
HcmV?d00001

diff --git a/auth_oidc/static/description/odoo-azure_ad_multitenant.png b/auth_oidc/static/description/odoo-azure_ad_multitenant.png
new file mode 100644
index 0000000000000000000000000000000000000000..31033f38161a9641286ed9e5371f2fc8a0d1142e
GIT binary patch
literal 37344
zcmd432UJsEzb&eN1yn$6Km-9BMLN<11k|VqN|7oZrS}?I2q<V!kRrWf=pAVZ9Rn&z
z2{p7(qy`8fN=blF-UjtM-+A|pH|`zpjByWRFxUxuuf5jVYpp$hbI#v-r=h0Ac#7@R
zkt0VKl^@;LJaXhX{K%1`t0!oIZ_+Hjx&VKUTi;c^d*n!21pUr)8sPIumq+^UM~<93
z{5|^qY7HIm<vEWB&pfo8tvtM*yICGla<jB_a<_5zFwr>yT=Ky}`TkvPZxiA!)I~=p
zV{bQY&AK43Tr-t_DHrQV!7XwX*A2J(&&dy`IgN8CsUExgL(==Im>Hdou*wgb*bdsV
zyXR=wZSEd_YIF6((=+`&A1}M%-i~P>zkeo4j#jkirRp<XdF%H+`t~I?!pfp%&D;J3
z4<YkO?qM?X+_v}@kojIyBXx-RDc^-tZ|)&9{`|RFdWPXYe`R5F1(fmk--l;?@9CQj
zL_D6vYW}BdEwq*6J{U#xSp*_1c>k?P;3V#7mGaJ6gE#^w1Gk*bzu%AVg33~qpt<dP
zx2_<B1zmKJQN2gve^lq-+RVr0o!9l1<IqN`wl1QTmN@)>sxe=Tm3EZnZKRQo=y9Oa
zj~sb9|H|yd;n8LAS%#yBM;3g6R}K$eGCcTmS|s8G@K_IiZeBp2IXt)nzY6;2@Tg5A
zjD^8?yCm*UNgpqk>4$fDL|Muo2OpkrMEcXilW+%`zaP6oxfr<VgZ~!kWTtovwA%FK
z&%Ju;j|W{b3`|rH3Pgm)3!nc}D~W4T9c76a9UAan{NF2+(p^L?Ler^PjPO9yPt0fj
zo+{!m8Y6hAKu>fwAn|Xdd`{AWkplvtRq4O=wrSL)0V5^&K(#KvO#fB4w_R=yIqo{>
z$bIg=-7wF4iD4v43bd+63)JlB-ws%trURp07779p0VbQ_fA90V@obkEw%Gqwb@lIo
zR}BAF+Q}vC9K*<|zaNuW6+z|P2^#})pj9aS-)A5pf;QtDw&$}IoejSCJrJ?BUw{8^
z|GXa-Y_*bQJO$qg`&S{Q+UQ6jS9B!TslO$Rf&TvU-yWG=rP;#RR_OoQ*#EdrLJ_$0
zrPEkBP`PpV-y#kwsUnr~{!b%+&_4YC8W`;hW_h)C8Jrg@RIn3nDaMwy@^X5{tUeug
zX!Rv?G~}(hR^#qnwO-%CwA3yO9S)+TQXUY4(9@x1BTE{U(By#3Nd{_iIMz2=B8rK&
z^66l4%la$SrC_rKIK*L3%We`DGN@F~<nQo7h;67rgL_Tgmuqv-{(kGdDoO`9K!em9
zJ8Cdfd|FNek!Dp_pF253L&{7DH6VL@$hZDv#rab~<(e?aZAoZ|-%ELPtDtr+;^~}z
zoy#L}E|Gz^SWFUE>ylelK>a;x!-In%d}mj3#4HaR8R4<nCdM&=H0XzW={#N=5rI3e
zA!|;bfIDfJ+Ntz%VH-X@0v8DTrtek@Ys=@>-|NrGkQtqW&ASC%QS^9cbQ=+-70h31
zmL$bZUsZ3G2W!ohpj1;5N#5BiDUh%;3}3GtPO6vlMc-+`sEF|yAw#G{foe(lXw0Jf
zKAuiR`)7x4`%>ALkqlqQL{0}ta(~N0PP%+vb4XADR;Fvk0l9_cD|SalH42l=kc%Hr
z(q+@gJ49ri6LJ|e>Ltf>_I4X4b-Ni5_WP@X{n<{y?I<F;Q^v*EX1~Gdd1}KpqsX0F
zl#=3jRP^;n2HG#ky{fz4zAZV)UzYL{8eaM0Yq+?Qc5GnV%AH{ZwTMr(vWH+leO_g7
zj38&oW@7ggQXrNFsUGi*tU?`9GSuEwR8EasV;cjq!+p}JN0lnQ!u3)<U%LW23BR(^
zeJnj4p~SV?65~E93r*pa>LALo5T>RcS4mrvvZ9l4O&URyyZ58%q4s0ne!zdBBRj?w
z%Dg^IRj%nX`qVz65eZm?EsSog9+{KhO`)ZtHAc-tXuwo!CN-Es%6?d}y`oja+IU+p
zlO!@LeznuuXB=)b{mmVNU!m~WY~Le|%~JZzqmc`SUd7sLiB_jcrKgc4)et8fys1_@
zJAx${#++~douRnY6?f6zw7f^)tIMr};qWq3|2R0F+^J19bi-z>B^Ue(LM%&dN3^y}
z*!AkJ4ag~b&CV8B;)mA1e@OK$oIGate2`+`^PnnJrL&u28`IA`Q*BZ`<VTsfDElHV
z5UoLM*F@=QMhsPY;&|jIYr^#LH1bvU0|ecQePpI~6-7WNc67Tzw!w^#FnD`+|680b
zx^=$dGB2pyF*&CS>Sb4;MLOm?sDR>1EuKvB+@JnsIqE(u(6#t{aLxmp9+3nwX%HfD
z6{3(^trnv{op&Xyae4-FWx;NpZdCmhFl9&t;u$XEysgGDK~7qI0(JKl6vNYtoh=S%
zM6o9sd7FY)wKme;*^rhIOFg;Gj2?Y(zLjntn3e4e!cNEZ{lajwb&Q@y$y{z%ya?A|
z3h%j~BtBd;@4k#s-H$iY=7Y%%)F>LTTML`W>vuC%?lp`})9`lK)EhOfq-{192AO8u
zH=))5^$(70rW#q(dX&X-nW!a*mi7;hbgF!X)6!`joK^)DQn74$%q!0@UW`kYa5Y!4
z=jY0U924l7GWYrsnOv#_R!|8SU((tm{kVba;6WYvE-_-(2ET#sn~slIjNR4i^c4Xu
zA%}_j=0yUI_Q*wqUdD|!wvF<;n%(^Qg9Gt1G^&zo0}}&t!8g!mZN-_-+;>%ufxnNr
z<QLOA{T##!>snW=g#Vg<I)E#2f8%I)PEB-{PHV56^%l%)@S?ESww#yF81mJwT>acL
zGZu!PdiPbTPw!<LYTM)uf!uWd21}3{NaBu`Cyqw??IV_9qi1r;#;d`0NG`T)#;0TH
z!KLe337JXbt>h!87_=UrH>#HRsh4@>+5PSfU$_KXWB;p_`V}=f$DS9#9bbL9WE!%T
zMXQ|S3P@F_;hi-d0x8+46EDWLE2-}nniuV`_pK|#ZMGgYF(P0f*QsZ<W^I)RVCzVv
zK{O*g1DL{Y(|!`iL*SPu&fM%c>7DZ2s_}=EUgx&1nh2sa^(8OMWtt$wYuSI$op^JS
zdvl75>%Bymm*?YzL96h9-M))#^FvTcw8pBakkpgYapH>}W}NA5OKx*-co8M~rDtil
z*~&)Q_bjp*C7Ka$>MpTQ%*O608_YPKoqHn7kwR$Ob#h1;#;$|hg1DeXPCsU8&D2s~
zZ7fDC(j5m&Wu4@zyYbceQn7nF=1ir3fJ<<c&m0{c*oxzz374yQ*crb56Zz?j86N_r
z{;4(csiEW}nUV2<8bd<0iR1=ROk2D#Sl<h^UHUVSzx0x#*IY0SSm3d0ok8K+^0nFv
z#$J->o>sO^0e3+TQ|zld)YDutghBciM%KXRZwv#`oys~4{F?Eu$<vcdu~I!Jf?1p*
z5YL!022#xU5%M|rTM7#k&D-exQzo9O+pZvoHL9vNAg?79^IA1ZeMSjF-<0draUJ=O
zcIP<;Xh;KJN6#p<uK!-%zqx^rgBRyPZUZHn-G&Y)F0eneq6xa<c(Ksb0;TEH{bt+3
z*(My3#Ls-ooq@5}5EpLST|1=hf)B9WjC-so2r}sFuB@mURWDonM@VaN*E3!3JcDw2
zgja+N>5b~Bc{loJNo|*(%=7A}Ipr;t=OzZ3dvnUqm0GLXm>@p3`G&QTil+pK4O)fg
z_t!#}vpSqKK3uQ#ZW&k`mS_m*%Xx1_l@woJUlsvhNySCy_OBUsrX33x(V1LuL2a7x
zx&8V$!7lwN92Mn*j>yMiatEdm)58jZgnmw~ax<GsmaTVoQD!zja1$i#8&x)Ajf|sf
zUUEm(XQ!RIIOJ6WD$XNv8R1A<Kd=5Y%gI~r=Z%L=v#-!Fo`9b+?H#nhzm_>fo0p5(
zuYqoAHja0=KIrg8>FTN>tf)+=heo0o`~^ln^LprAPB_^ZD_A&}x*ak7b=2DHCpZu>
z8kA({*W@2%PH@PjgVs9VbDtNmGZVeAuUoFW{hb(LGcYPXQTqfBzn=Q7D1vm-LZ;Le
z_38tA^J^$+bE@rELHTFHZ#lN!B8qvB7=)%LRjejIZbZd#F=n%1{CCgrw%He+pMO2N
z-orHj^~grju1wtmfY;RP=l*RLuLpA#ax_FO!heOmA`6*6U~3o@g#VMayO#d6b?4q(
z7;aXOZc=4%53$Fex|>M#EUQFEt`omq^er;{0L9Q^dS{<MSW?&seN8N?Hd|=s+5PTg
zIHJ*|u<U<fhU?hjuulYl(r=vp!}s#P5cpq2cQND-MEm~(=l@#^llB*_EPR5p#upH-
zI&awt@julyA2?=F+jdlk0d_amx?%3yr&=Q-S80#G^Dnx0DZO|(CPF!Cn6KnPYS?_F
zm4Zp$*}{gezM(dxW>?=$#Jwugv#jul+X%(IjmOU8OdBG_JN=Kk#*7I<2OU(co8%!{
znW1iPX^FyqW}KkgD8Fx9;SQk=%dfmR7KrF>oxs0VoSOEFH(Q|9C={7U%WJJ=PNW;T
z2l4h!_$J&$W+DIpLYFE=7=Lq&dC8XSNO68_f_k+*lf?wNK3$^5<F*bCBU0!fE{$46
z!RaZPOzOE?%@N;a8r_OlS<V{|B)P(LZc|_S_nduA=}$oSVDzv;0i8_rCCx<p_p+sl
zg$(dU{enggI{O0FiDlTvyJ6S_$ZpX7%eC&j>1q@M(25^PHnjjM;NPhK%4p^0TY58M
zePaV0gh)&BoJ}}Q*S<*VR0%{_Iq$QBWA%Qfun?QF-qvK=k#%h!-TkmFe0$N+)$uwl
zI7o8sWu14;ynv8z?R}r1xTOT@)7w-Rqr>?~2vpS+4#*7C>T<o%)hp~3nv)%F##io>
zR4eiDrMplN;+saRkBvdeP0%S0^D)@Oqed7-AL6|YGyWNOFaRYQfdv>_Z<5C{!ZF}w
zMrS#9!Ok-bb?+};{XU5c<dnL@-}{fq@m1*dEu44yI1ZX%Fge!l=b!99VGBp{DkqJZ
zwGGS&wVtE_S5a9Df0hj9gw@!&t~sy&7-lR$3Z(2--NYHYA`26-Eq<lJCa$9a58Ue#
zJ;%j$Oy%rd$L|B6-`_b52bxspE_V%)g{0@GdZK-LIEr1P;d$o%h*3O6b247BABBl~
zI9nYT5m5|v=wtCpU28a*w8B()vP8U(1{~hT5=KZHmg?AYvehYKjPnwlk%opMm7Xe#
z%=ySis^CeX<UoUi(1lmeE(6urk~yPY);+FX3mHV=1hltp%5Zi3^-ePk8~(SDPAe-0
zsA8)Tk#~2&UzYo6U2_{OGv~#-E=^1l8JT6B)u>iL{KFu!vn4v>p8_ehDG4BQE|vDZ
zDKk-qq-HjM=$BadaFrrUbBxK*+00b!*Ri}GyJk=~M$>`@t6=4BFyDRUaZc&1i+f9&
zq%qb*fEuy48ydeXTaB?LI0Pi<m90{{-V!XyM6%2hVLhdSn3jcp^NJ9=q`-74l@*#g
zz2bgtWzWYufydwDTMZ|MWHcp6^pNh)f7AWtjW06owpK*{C_Tyk(Vlq0<~RKV(&h)7
zO$NHhwZWy7^`kdhjjE5Yhu8v(?V7B=MYwDN(U5WLQLuW7UNL2t#W8rH*wHk<VEt&-
ziR03DH%`Ot3bb7ci``=i$o|<?A{Pp>^DD+5?~4j34t_SBTguJmN>1-yjGe?Gx2T4h
zCaB}S;#1ov<r9>QH|uDrcf%@Fof%DLPm9#mL(@VspKIPvZdZvJvQBFh6}XnWuhh-V
zZ2JiNfCPQOpH>UTTJ?9-nM!w*{p4MFH8LV~f#KrGD{pzR_@@Wp(u}-YfXiH1y@I1J
zK>4&u6K^h4a5xjqV7o4)_4-8HL~rnl2f@QHe|tXO=8Fnd)U>b^ANF=bQ}&a_S0+a6
ztk6pB`Hl{3HuXX=%Jc~&jU%UcJiTWfHjyE0H`4!L>E=8bU;jWY;N#SI=o4Hj%XLoZ
zCp`^sMKz758CRTf_N-4gR!=U)I1l0qmZ0HeU4nL)3~PQkn$RHmqKb;L8R|HeK?xEj
z^$)ZjBQg%1HB!TIN`u-7;*XOZBhQye^L0UPA%9++V~!y-M6XnhJ3te+@GF5b;VXME
z&fYiO%dizXu<gp)ryj9y<M_SZiXC=}uS23Gd1{=Z_DM#&f(gecvXuH<%4oGEy}tl-
zp^k2B?jEDR^!L5PSsjvdk%1$npsw5<qF2LcP=A?kw1Y=gbXE{67E|O|CQCO&cRkg-
zZBqR*$PIdw2CuLhScHszLa49#u-sjhBP8PpfhG^GxKxYqE`~1;E>-pIvXo?Qh~$II
zgJFrm1J!1H{>iCY`*~`XxK8zC3EBOKq@8?f4KwVF+NQ})Ps%nem}5uy&Qm9O+aN?$
zbPVeP>^VpBe#|HnwN8A8$GAGmX&fO9e@Jloiixgpnhl<Jo%B+{={gK5)VW5vgCO3B
z5IMD;)dkjTwJx;=l1_RTuVu_#Gk3Ie5uGh{KVD)lk9j&(_=-Mi9dz2(GyN*$BI<^(
zn(&Zz;r5GV!7p89=S!|try%9uwbV|pq`w>(n#!}a=X>Jno9#n!Zr%%`K5<VEeiJTM
zZ9KhuzIPiBEu;>Jbap#|W-GgCD{_R^I!THB(VZv5(y(%6B0Lj^h?`9(ngK4w)MThX
z!XYvBv2K}G%B#>L)Oh<9TEiQ5r%wj%P<pNI<{1WVg8pnJ+Fq-81o^<TY+g5(AFr2L
z>6E=SX{b_Fl<`bo25B8l<uFoG<|2o^<^=!3ec|+U?D=sz`JDiaWl5u%QX&jeA^$YQ
zgI(`kelZ}vqm07Xx;Ot~v0XP<%>4EBd(b}uSRZ6mQE2)zoREKVUzG@=<n`K_6Yz6`
z7Z)+$dve!C<)C@8>-jG5kOwj?KWKfy-|NqLr5=MEkMBq3?x8i72$9c}#;i|LnViz+
z6}*s)CpgSMrG6j1w9|Q-tD>R5vDjD5*x_fbPm=7&<?nl>kJ++w4s&+v%Ebpm?2Bz6
zI#O<ozho#}ZyIiGTw%ti@bjI@g4nv8d{v7f>ylVjl8;^bxIxn<#C~pF{~C?&Y0F*z
zG|eZhf%f?m?hG`?Ub#ddeu(D1d`*%R1*wR)Msk$Ic!ndi8`SHA35AUCbI{B$*Gmd@
zy7DVlW`~tA&$aJGAVegy^A5ncN0a?=+<*;Q1Kj;I&&j&kL2mtqaHo4Pn)!CqUEX?5
z^>;%uJ&ixyM#%#J>jmS`+yJRSx{p&5=M|Xf4;q^9%TUww7!J$Sr`%vu%=uDBBL1w!
zOIR-b*tCCs-RLm#3@i8!ywY@nVxm(E>%I|B)L(Q6-lL`&S&rX))M3|vFpy!g`LSBM
zt~~c_mpo`Ds+}E}VpLU4;x67@{%BWnS2V^y{7MG_dm+_uA%tc9(|J>TlA||eHG+Gu
z*y615Fqf}D;@U?-x7Ic1aKyPaQAaK#qW$3Gf$U06IpR-58#ggU@oB&|HSx=tk4Mox
zbJ2#96_qQfC`KO~z4{I+YU|1)@5ZEPt^}gFdvg}OULT!^=U&n)wx(~Gv*rZj(s!A7
z`*;{QT^iN3-aWSVtfAb<_!N(AnCj7#8TR4_%KhCxFM&O4P;e1<Ji@h9sYn&$1NBSm
zf6NO62P_N(j#Kb|sLHGilIxdfO09vY1LU=moYuc9i?Va$a$dC)7;7|3wZ&=eoAHf9
z-lm(kjTM&CPFTbPPf>#6^XzBB`)W@(5Fk;+fMB_<aC}Bka{@e1wUV|{GT5)*l0U&{
zZXSN+;Kej*{{r0uFkfRT`luM2y9?+(*kgTxxdtcBo&vr6?o^b_-44}a&ZnhLP4vfQ
z^(tXI0gF5pm_@X^P~eqoo4Vyial{wS+-m?Kz%K33>9`ML!(N{hOS@sW@fCM|BVkR7
zhoY)%9$$AQvIUwD(GXiyO53IOOZO(;QH^=jj?~|C%xxU4;qW#bb`8tL3(LEPX>oOP
zZ7E)b<_9;Ks;4@0*Cm;?ooLkIFU6e+Gxiy~-3TRQIJfX?wr2cb?>M~}_6jMq@~Oi6
zoilgEM)gq3fVfLI50k*^JVH#^4-ubQJGQIt=kM_mhS<%bhrg#y&HTLKQIaZ8a{X$|
zI)ZPK>1;e(^h7I78ut+T{q-not<sXOfPMqex(!Gkq1b|X#c;TO&BTOl*t&pvThQal
zlxGewe7ecsI_T>|6ke1(Pn(2x<JZGyiY<U1{aiIL>&tLdG3oV7x-g;DMM35-G`H^9
zu@<Ch1>f;L&<#HR0$65+Km_6QX`Q9Q#<hsA8=Oba4L|pbxLxQKwV``J>Gs$F<S`ez
zXXC8Q#}I@_-f9tw;rgap!2SVP?-IBKtOPIZ!~VxbD{B81tz2xo{y}`(5C7bl%re8#
z*V#%ByrNOw*G_TnzdE(C{H#O=b0B;jxg)D83^M4srl&u0LnVTHLRZ;n&CKRqtt_$H
zFx#*`A_JMfKIFvi%vIM)WvCAKY%FlvGS~JQGz^bEiq`nKdGavY{Wy_iB<iuaF2<qo
zqC<&oomA7lbhFh^YHr=@phT1zpPo#EUj86;pv<z!f2#Nz=wAQ9^=E$T5d((N^zavC
z8|~yV4H1O6fjs%_Zhbc6b0@71&tno^`^;WCK=BXheJh{pVvey@wHTW=AfGTHYr9T5
zJK1f#eON3%<F~S|;rru8*wTQSbRtB^snHZxFb4TGX0}iQmE|ME-8EoQg_qdqlLp&w
zrcW|6!0njqoPO<YD~IC-)4llnm+ZV^E4ra+8k3V%y7Z;;BHqL=l2K<^j<=kn;9qrj
z_n41|3^ba5kUgD}SuBZx|Ao{q0GtgG)DBi^&3|F~#kd9nubqt;G@MLG*NZRQonam&
zm53d%`{*Q}&wH18Kg5doYy>ZfHjbMh`jkS?501cC!&7qZMkJ8J^hthk+6$YF;|fZ!
zR2VbBCPzzDi~5MpUcxPdC!)^Yrlq=<o@7(3Z<0;$tP03$O7o#q%baT&nLMs)dP|K-
z(PD7!4=G%ymb;;A`=R#9=%U~aH=~YLCLoCa={ez(zRXo8L*f=+pDJOJlp3iyJveh|
zNRzms{`}vbrH<(O)+XJ+)w;0N9MZs)W5>ETPPe_bN?X9;(RoHV#zsFKI&c-wxv_dI
zEl7Mom{(6ot|>=7e0g91;}`>Z{Ej7oF2HLcDSr(hbSj9FbK`b#IJKKlCifr&?r|%>
zNN((^i6Y+L$X-Djf)YqCz`QbB2s$d2&_0xo<mjJ@_(nKgw||t70>LP#QcvYL_wf>P
zYN+cG$A%ut2O`v3Ca^=EQAr(Ci3ar#vhqz|Pu_L#?rZ!ZBP44ftTFq3f_=o$$9%Bv
zsPb&Jf=OLBqbv|8O$zFmuB{D>ldldfh3WxHhE2HVNLP3=WD8*WR^R7W=$dx3pEYJ3
zr%c$T7AU(19giRdjyO{$*y`IbHRl0%I-h@QpFikI|NN>D()g@Ssi0nbIKZB{R$xX<
zKZNA2XjI9ZjrVGDirYQ&WZSd*A<S<e4e?egHkPln`!?)3#&LFif1xJhDr0`F%^-Ig
zCEuzBMmcHV)|W<jJbK&b<pD|*PQccgaGoh{os=5&{4L^D^LO!qwx1mfu#5{(R5wvN
zZEKnDR&JR8*=d>v>@|)XIT_(_XO`->3~O&+LFny>tbj^&CnzbAIjV^}admf}zGLz3
z5Hk^#AiGzn3RsTIft5OQB}-Wg9srz_vkQep3)b^k`2x&c*9mqvmH@#i*r4u(WEk?0
zgRt@2I02syj8?bKhf-`uE&QLbryb9xhYQ!2UIBV;bzYdG2IP7#Vo3|1`aO!NK}>?p
zzxu^w1y$G&``EDWB<JL)a=SnZcWG1jhuO{B5L&QntNT+DgMjwrn_R-J^t*pyG|FZ<
zU4EFb8?%|(P^xftQk=gB-XV!CK;kjyQ9{2L3Zq!73k+N6Cm%)BT{aUa72?VePl2j*
zW_tM8C*HDQlH_gBXy$0a-S+P*fO@o#I7#t#KkY-M;PmPO%1+_N7a7z;SHvHP&eG}(
zx%pq0xCJ`pFv*9GblvKqOWK@0-yYD$aaGd24oB!bsj{q5T&<baYahKV7yIKEcV%W-
zAmTIGw%a;Vo^HxqJiGheTG$uTmwVULKQT(C+s^-dHKB1Js~_OR&rE$gz6=n<OUauu
z$`J@$x<O%$JW;d+;|t*Dk=j0Fd%OSr=q55x895}iW7{t9%D#|A(}Ix=d9fi|P#7dz
z!n#tmp-{+(Umm-=4%+U`X1p2onk{VHd|}lmRTie~6cBHa`b_F>>ME~on7*4YL)cD_
zAu9<Gba{r%7fz~9;)TB1J`(kK+L0!#iC$y(X!fkQIgRB0&EXdIy$?ieW5g`{OY$|*
z#Wi-lo>A<L%Sp4CU;REwgDdhm>in%sC@+N^>2PC5(d#hd2{e&rolrLFp!k*^P9}^X
zkrTNG;!bhugnEtVxg|4E3p^;vKEfPPJE}J>-r7^e43Ows4U&G@#O&Wxt*_^MCV1^_
zV`k}Ajrej$wP(>%w@+fkW{;l>k{nlyyHt}^$|7H=25@fB@KdWwHsPtcZJ42o+bj%=
zpYJg%N@&as`OPp0)%m$K@Pwz88c!NqiVnP#fv334{qn(F$9xE-t1^2=0yy4)JRUkc
zs6F5zbFU0slMY-a0~faIsy+v~Q9PjLd}184b$%na3C9UzJPB7Td=V+b+V4dO%%5NV
zUYz7ma`yLF+Y#;J2ZaO(=nL%5mS{V3i%0AUJjV7pxVH{>r*b|-qoS&+x1@btmT5=g
zUjv<#l_@@e5uDW7WAc&_2Ax{zcC;RXK55ujFu`@nT5~lm746rDqN0q|TMOIAq-|uJ
zE0c1j8m5B~KMcRuG8VrD?o?pLx2b#6cmR{weSD%(^1-o8@b{~ubsjH%6kA-Aw9J%#
zRdd!)K;Hy)g{`g+MjZkS1@Pi-pXfviylS;?79Dv2x#()0k5o`oH+L3*o>(ciP=APv
zRRF210ibV;ibq~SN9J2i_I*yqwM)$TR1_;ppZ`0zcrG!FS2sVu;P3G6=!5>47mb{X
zZMF{RBL}SB5f|`P(DvCg43d&v+@M;_Z*~0#TuF5O+GUWP-3fTqZ*Rg&cFy1B9r<^c
z#eXX;`+r(klBH<nN2QYT^2e2*g|$oj+FE(+^s6ck@z0SX8v_zSh|y>RNdR=L&g-_f
zV{}53NqX_CjH?yt)n+zbqE($vnF{tPI(o#lGRoJbC!g*ctIC!83cALPIXbdC*k-4X
zO+0|{pDq~Gr$6YbBR#hz&}IuEy6d)?MS!+S{3)}I3&AEy)fXCAp)~8__of`q0^vmz
zoDM86No*5?l}`)FPp)xRi4yC~cQ~!(4@<e@-m@Nv07jLtoL&>(?ya6<_!N^ZSV_6R
zqza)^(@3;3@5@d~VM*w6p!UJ?MzSkrnHR_P=k<`jR~*pRDD1Us!TDAF=NF}R>-!lT
zr3J>fUwkbU;L#Vo!0-W+C~F`fkgHK)UmtOJzavT2IjjtC0y!tM`&$9CfWGlf#asX<
z4do3Tt`LU|SV13v3#bZVqn3j*=tyJf`_7JQLsgpSbEp+c@D65RhWwB0ZffzZyb`mv
z<=Tv4zd?frUEkk=<`D_kE*{V+6=nu(Qo5nV0mqH8nh*NA<S;lc<{uyd3K=8_O)3m>
z>|uW*ED(-_UZ=x~z08?~FNw|4N_iUlxi+WUUt;Jr|84w{kX97|t>Qs!ja}5w1(TP+
zk`=xQ=_K8KW~uuju`~D*qZzY>_w$~=!!6*!)Jrs&J;G~`RD_kgt!U=D>HrU>V8QVF
z4$40}#XK)Zg$4tJhMWlV(TWvG=CLhPw#GTlRCG_;FQ!`v&8KrbM1@(u3z32#H~h8H
zijoji)WK?h<fT<UV9|L<R4!(tzV%<MmlxEN-d(;6@$sn>f8VKck>Mh+Tv%4sYwbU+
ze@0!l|GsnruHA5-rm2$Z&YKk;F9?X?pR!~9-Jq-+zb5?;3}`@QpGb85i7}20UHYFk
zss7q){@tMyhwcgFtZ8o-?)|4uqe0~wS8|>u7Q=tonj-^R{lH*Sx5ExAt#>3F-Vl(}
zJ3#5i?b2=C{?ma7$(Dhebz$2@uDZrmfYQNQDE@AAH&kbMMQz+-G&&ZRY=DFsX(?=B
z459MNy?Ihrlk#!i9ly&~d~%)v0QV2lrP|w_GAB=`XEqf-E4FQ^E3gFc0d$cI!{Un8
zxTXw{{(?`30OP~-<o4ngv)sn_5E<WkM*+*Z^&Wwt;@oq8dfCPZ7+12gU}CxZMrdDz
z4gq#OwO^pATW7HJp>3*u2tAx7HX+>|3;AID)0aGkH4v&#d-#T#Zrs;1c9Fb{^tG53
zt@8A}I-Zm6m4qN#WgD6nZ9*Q%Om<-#`n$ckKz01utIq;d_lAv&Obm1A49DmF_H%Rr
zea|2OCorlf_8DirBWvBXZ&DOEnLw(#5iJk>j%&Ja+~rmj7RDa(d(d?b0PBNB&rF@i
zb^@UP7CxTG#{kL;+eWRVp3rExCU&A!TW9;FfyHF*)4EPskulp|&$kn!^QHFLf!t2x
zB&My@{M_6e4w;<(sk1Lk8uW!oI`L&4>&o6i{{^ZKwKWafT7o~_elya|vD--@JN2!3
z8UqkA8M5M9skstlE@3yw#-Tj2NAlQiI|u@;sKV|U_`|v$`4Ma*h1Sq0Fv}a<8M|5s
zI1*f>#JL22TN0?5XpKq}=Phy>H05jUJV<kcR@HmcfA@Opid-W;f;!IWoBd5c#`C?N
zfQW}dZ*En&+mi-=N^THo;d^UZPo<-O1mf4|O0f#gAO2@TKJ)}{fZUF;Nmrj_;oaFn
zpd(Ak_2g2hD$TwX9<)@%dU~6vEa+*9k#$aZ_RQOOl>Eo>_VVH2df=6SaKsd@o~dZN
z>rjc`+H%@3eGblgCgZ=-&U6Y+ezH=MzDru+-|wS-HlW7r#p_K1pl-e{!e({o7q#jd
zCIy1#1WVRc&X$sFTFL;O-;w$|R6cU&n!PVN5|dw^n;MK4hOp^nHx=iFG{!E6|8ja8
z%@5L4jXjkj<GXzOUTbA5dAVk-Ny4uqTQ&$GKf~p6FEOKCbrjaN#b-5ief&B8Ol?4s
zi76%aw6kGOAC;KgzoNSs_jw!BU+GB_gK5g>HZ`n?HMl<c<<79R#zcb$og(w74EYm>
zDjd7WP5$?si>aD)<IcZlkx><(&t9zJt+HFbww=AtQwn&qghiYq)T&c%f^G&nZ?xO_
z<nCp9myt&%WFg1F1tuARrlY$x?#JF3k5*{BA+8LlB26l~)SXBf=*Q|0CsSAev~u8x
zqic1Fr1DS&7AI9$*sS8pcOPzK_}6~LxW@FW$F3;-zP(<tE$tuEW%c}jvAq2CKDKH6
zp8|mY=E5S+mZu5y??XE`eVOZo4lAGd(T5fssuB~M3cQayyX)FL>b4Gs^B81k<X}m(
z)8e^WmLsHpB&Ou>{K%94FR51{@QQ>+`A=Ts!|8JQyu`R!o@cD@L=@rpo!`{S@Lkc@
zv??rno7r9ON80`UHOH(Ei?Rs(FSX2O6;=i;=fK!Bbt5{(Xsuyz+cNiNaS2l3fMzkO
zS}6O%m}obj->_u@=wZuIb^;-)sR!)7@!Qf&$gdZ~wdnjMoh5fY`+lU+_`niVdtI<u
zp3Dij0{R6Qkrc4|n2SU95=G`u>)+9WTQ`~;YT9e93mVCRT#BDvvl!sOAh%|>oV)$;
zRYy}_8l*qQ%f7^5Ob%?CTt!g9@e=@X0JCERI9;@Yxh}}G45qxqhiu7cw5~p_z1CW~
z&y{0b46q5-j74Ml>iogC2q)l4jb;n|&_$@)*4M`YuJ;h``?br*@1q?LtI>8`RU9OH
zOUKI+zf`gskU)dVjW~a<#$JmKY$Eb8J<fmG$@-E{e#Hp+s5~`W|CxTlB|KihpeHld
ze{^19ZtQ^FrU0Q$P5WZS!vf=s5*f5?iH(yqU}TG~Y%OfUwhg=9j4AQ~I>Ft`f8NhC
zZ{Da+qmAY8<~Q&D7D?o!iaIudSlnvMDb~p~UW*ny(T%|?SmUS?cJW&y^e|byBF$36
z<*Y&b&V8hAX~EZ}l<{^yl1k-i!vLeQDfOuBlklWqm!IY>2yH~<@8JbJV-Um0C!P!K
z-rS?1x#65(G^f0)JlsRAbVor?rm4|T1{GuX<{$asa_9oHT*L>x*8N{!>^KzM1a;L?
z^n~Q$NyQdZ5gaOU%kGAM`$`y8P|TK<vTQUi>7;ZyVFUp*^R`?|W9LIXnbycTvO-9g
zkhc9&`FUmQM91)3hF_Mv>)moslg6|1<w@9m8MkEN1W1J(N^`K-Sh9Vf`x3ZI>EB0i
znOPgXiPMeVz#oQf3=|>D;uy+yjRZRKtY79cvg5YTda*?sW9GV6z;J@jTFz=GvX^9t
zkTpQEf2^T45W&ve(0ZsL;1sy5zZw0nSz{D&<%dC=Z;7Dok(i=k$HUpucKrYHf^gWQ
z|FymRUp3=*4@4~Kux$<B7b+yj5p3^97+F@`(9#O8Pm!{Uw|Rw1>B~4*F%Dy^>M$%R
z{p~wGFww$Z&f0BkU>XX-y+gy6R}seBJ02nJf4M~=skln&j@bRvc`v*JAPdj((khsI
zxCYVw)(i9nw+TX~*Wwktm3OU4{g%!b52~3I1dJrWtZaYwUeU#zxDm$z>oAm&x*it;
z5x`XQbqAR08<tiaav4+*vBB0`rg2Rd8amWGGRGD(sVB0s9>=Z|#vja*k4tX|_4;^E
zUM|i)wr=31S(`i)F?619#PJhh?x-D?ygC9Vbu^bn!908o0z0c}dfIk=X0e3up!njD
z-q#AIh0#_+e5KtJ(+y+qKEngR`!Yua=%T{=q831qDX%C2S{gQ-k%DJL9T*&(h9t+=
zDg(%7Ra_MlhUI;9;16B>19NQaSt|MSB(|L%cLPuK?_zjLM*d~UuzQZQ{bR@o2|r!9
zYb4@fmz$gdp%ki<oXS3bIr+d1z;Ih5CuK*MK742y*q+y&U&F1hsfkxM3_5|jPa6AU
z!KwcEm9+zK*33IuBM<~J=shxLi3csqqGIxZiT=uRe-mS~0ifEoIC2GUpnUvD*LVQ8
zhTgGJ5F-FeO}`!?$vHul0FJuI6^GL$)_L}+yLEaQAp3*naFFlD?6N3I;iu`3DdU!R
zL@&r}BfiD0Yo?9xl;ZBhVwf0ChFlt2{iQD35<jXqV47`tUK_+<nX#-uYd?Q<E%W@?
zlb-cAGwVOW^U$q^_2Dd`?ZI);dBBq`t5E2*bNTt21f*RW0!>u4fYhwko0(%lUYjxJ
z!*5NgUH;-4h|rVp>N^AJq>R>x>Wf@Ng@MyJKLVa}J<+CWjg6GmkhK2DJ3Z5+eux@@
zmr<)xJ}vyKueW#hkb5hmHLZdo7_jHAknxoeq}Q?)ZpUAI{kg{@gZoOljah&-Nrp)J
zxo}HoIkajWM`Y%QRSp|deu}E@EWCHWgcK^9k-~3XgN7eV|4Q>v_lsZdBN%HMIj&(Q
z(J24jM3q{dbAa)&k`F{g<?`Yt>_C^fqcvC`c;GA?ODbe>RLZv_=^0S(A^rr_&vi|D
zLlhiiV#go)h&TY0v56MCX~gBaj;ICUVg?Ec%RUHRn+LScER4;#gIQ4+c^peEWWu0;
zSxQX#A_H+?@fw$HPg63<GcmJ82~#jXc7r3Wx8Gr3j?n=2q_x|)7e7PvR~_&7TKb8!
z1mcE|E3~LyIW_AxBY|=G-T@zr=rp&bOF2x-vZW0|a_aq~4RVsXczMhow7C8%w&ZE)
z=NbqFzad=P8-!?+3KQYe{8d;7LEm0BRnP`JgbiIt)>Lfkyka)_f!3JWHMfTytuc8p
zKn&Bu4{%^oz=z~=1H{!K?|_#a&jzdrHcKnTzmmu2R4p4a(NByXMHjVdw4P)1p?(q;
z$XJ>?KiwP(Dh*?I9R3wE&q+}je9$0X1mql`zHEFxx#A9Zu&{`3K}RHhYE{~|J0)1H
z+gS_>u=KYpoc^;pnxdAJJd#q;r4{_GIT|qSmfE%eRQkhGENf{JWUmJ~V`c3B?xEoR
zH~Da(3hfjwIcG+Km_>;_g;xTWj<UHmrHOVo@Mv=!f?k6PbPwQDcmgH`9M9++I8=U)
z>g?NF$h3^ZcjbjW4xDf=a|-ln4ubhMviHSmH1*DJaA7B>3|%jy-D}_3q52g38uVXT
z?^EVr;HH&*NA<WD|5>BlKuevziSY)I>Y{E8{(cTu7@OVxt0f(d?3Ke9u;1a3$#y3v
z;vU_mdxfy5nm5AF9vFC9x#BCF%4Cyw$HgXYx95&{t$pAD8OSO7ys5a5!q#>&C?%K*
z_?mM?8|mJjZyw+UopOqn{ru@Jn38Xrklxrc+iWdK>axb>J0$BPC$}<r0+t+fy+kia
zTk!Y9-P-eUfg)o%Df2C54KG%SXZYB2t^<7any8=UWn0-_H3fqKj+hTnhcd_tGH4PK
zBpEFJq)RUDz{2GJ4qjjLSV=gEbYD1sd%!0*co1-p!0*Mr9aNme$tf~2z)y>4ySAP*
z;IwfYld1d%FXTE|=KgHbe)duIAuQ?fkSsLg6Q2F~C6Jv0-M80}kgVlFYm9jXXo$wl
z-U@<9SBCAm4j$k{I&9y?wE6f8XpN6yD>bM5TZJ%team%QkIpl2Ln9;n<F0#uBCv^p
z+~7PTFk)I};N8cNc5+_X-Pqm9mHx`_xFXk}D>n{|Y(Dak<*a@uQu^lF1svWg4953>
zdOloer0iRO=O3aS^GQO^!hW6%<TJcOtM6C?8A0bt?rxj4<>M|v{eJnL!mhE&kh>m>
z4IE}{C8b#nn=g3z+67b45##1IEquEYmhv0RVgrt4auE^O6Y}uz`hk&=)<{)+sxJX&
z-X@RoD%=k-m-V}@yBvw~pgJk^9R~yEhmj+9a&^S`2B_I(L07EX`o-ByrG^P;bBfHJ
zXj5T5x`2e}-eJJlnw@iDW3W0x%GQW-G^t#!UZJ}Cx;$JseJH;_{t30YHLjpFQhJAf
zTfR`2H*Vy)bF_siC;|8mCx@3^2eEBEU-xS*oRoCCZgfZq+SDdFhz{7bDY+i~I@Ldk
z6>E*G^w}J5Kh;e)00M$vOwa8*O4fO)TP7Wt(#7b8WC?6yMQf>bQ<|fFBbC6rK3FRP
z>Cr`IrRzK6_eZkSDd~knm%xmSaB_mI<7U6}mfmRei!^Q^Zbfa^P`&0sA!&wkxxHeP
zI<LKWxN}X6=VX^sk{RFa)}HT763v24`K$Aw^0hf5>?QC9BYgS#_pj~ro!RC=`Sm*)
z)h^s(AhzNM{-=C_WHMBGaAzY`Zz*9-xxlP#tQTO&)++li?#-nI3(rVB2#%tO5b_U4
zJRZH6qSQvN{mzAu@l4}#UtaNh<Rp3_&3vKRdQCfp6s(&cgm~p#Cm%k|oo>#jBbs%L
zUT3H0PME1V#gP=Wk#x(q(No5~Yly_A-zjz|)yvqHqazh#ZWz?3Nu#B$Wt_19ja|N9
zk1F1Bx^^5)xs7Oig^FtU)B<%+D6yeF-bXo=Id8Vx77reyU7WZhj}6`SA#CUO`J0VW
zmYtp4N2fZ+&r=S))W%b&C_pU&n1--ZDM8JgP11yV6J3nVW<v-q?Su-s58uoA_!pk6
zwyOjLL-en;rSFNxh-$adU+im&U4E~?&`2yCI4xt>Y4)i0=SqbgiH<jJZP!}+R~X9S
zOE6pT`nNkc6X(2s9a`{;pJLe=L1WPiz@2wYmc;z>$+E_lQ5=Tbs3@Ybtk_T8@()Sn
zVl2y9fUzMK#E{rMuQ+3rT<_|7toHo{XYR+$0DTC<L)bIQ1R|6u#_9Gk4(Y%md88*s
z5}=ubZ)Gmos9Y}=U_1`~tP{#NoqH^f@w{(Wzlrl%RlV7Meg5jSmRg4%a%Ack+#iUv
z0tYyZnB91%)!=(VT-kDNhp9kiDF35+Q_E3eOJtAOM$d1o#Qt@K2TPhrq0#8$sw0Qc
z4Tk5cJ3T~5(G6QHM3Z>f2M@VQ)&4N7`9d8rY4zvsifDey?_l%v`sII0R1Tc06nNBE
zM#Q~}Gyn2a_=Oqy29$4ipJupw@Tgx}{rGn3&`NORh=%jOK=c1)N4SQ{UqkS_Y69(n
z8Dwe~i!ev{Viaa!&(tLiCCUzRv%Hjw$O?s}T;-E5oux5<i~=>fKIxK;2CxSA(t>Lf
zFSLGwF^9DN<zm33h)o+PD2rH#mquyodIBM_UsG+2vqlxl07ye~CHyOcu+aX%qYz{_
za&t&Opud|_J3byoh(gu+14(-l0JhE~M>Lg)2t&CfKIfEAEJ>^e6`p$H-{x-)q$dEn
zb>q(a5?d>G&l=h}3N}=(VUFkW)L5yoG``|*Zs2FEeIUArxp<-fq5g>DI&R8+9mQNI
z>FBKoXdc;~BD*ak(}3pTLtwQdB2^7;m-G~MV?|UHb&D}T05jO$UZX@KQZ&em>!eWS
zKeEhIiPovEji!pn!O}^)6?BEW2^$ldEk$hZ8x637di^y*7<OJhiBJ1YZnLTO)5F6t
z8g({pGjh3l{^^B9reS@u6_p=@x3*Z-Z%7r)rs(eEH*xyZswnN;!M_^%NB%w8MmM0s
ze@WL_=JTSl$3ezKV>ApfX6HXCOcj9#B4ThCv4sP<<EgdZE9C@os|;901{F$wRmoW`
zpmBzUZ;Xe^Q#miOFK@jje1+2!<+i`lKfBsm<+lT1VO08o^#VxbL&#ySbot%hG<F8*
zby+7ZGBVkxPd<)N9nEk~CC+d!d%6Ec*}~rJ4rw`RTRCdZO&_px?exK%bo>M22EjK>
z+SZBWQ?UvL%YJb~j&FIKZsYyZKGWW4;IRjYJEjf2#b%Dt+d%rDf16-ymEwgv2bRU!
zNp~b}mOSP<Dq%3gBX5hj8?|POB#PDF?0LMDg50JOfFuHL@yf<;hOw*AcX)rda>Ah;
zQf&vY)&|<s4Esy9ZH8ncS=f`{h!hAs2)3(folDmvv_JVgsdnWf=IgoZEhJZuWG86#
z6K6;Frsy%|Vu1!jeHo^OU+t-*6;4U3PF*^o80P|>3k)#P&jX3krHYQ?#7&#}mA3CX
z9Y>{dWOGMS4HJoJ0Lct!B|A69okk~DvS+NurDFGF0Y)M{Up@R%Kd+WAA8%ciZ*e8{
z+Xl-@O$87e0(RhT#w&*=VJ*t35K@)fp+<d>7I#H?cAbuGqT$gsUEVB}@Xg)PPnnN0
zhiV_o<?cNt%8>^*yH?6Mq+;tC5ufLqscccE8D|BEJ>_o;;?>{MCrl5UwfUj^9-HC9
z=e=`CgESSpbI~L_mpv}YEv-6N7e&@8E2DRS0-asjB@<#aR=fxc(Z0E##mc~(@4ckU
zaT_u?a9+$&#1(_bgd+P|4Awo~$tKQt-V|kj2}%D*QNx}01R!~WW4ixjQQ-`fR{n6s
z`Y~z?P}}tfwEdGNTS#(+V|9GEINj5&89QRv-I&^348X{9>k0V^z9Xw``%VQAKD6Q&
zqJbot5KQW=oEBaT6z4<eq-4!(ukBhXqF9!Ec(b<Eaw8HP)dQ>ti?z7eC8{{4X|=2H
zkg*~;|CJCe`jS!?QIDD&1FY2hp9g6eG2q7OmUnN3Q%ZDIE2W>@?@-D)9otN;dam(b
zVN}EiuAbL#psPlj8~JM?l2c$tb!-sNrL5}?1ahY<ujlC%>*$AgMZ_X?xx0kk)KM23
zt_Ao<?sjD6b~~}#QGeYb<&C>*M=ENcAM~3`Lv`RGOY7Y1^x6AqcYh~W52;lwi(LR5
zVQLL?op)mj<6wiw;pzH-&*U?YD$ysRzojiblh5j1Z4zl*!7~DN>B6LWp6C7x=IxfR
zJJZL(R^z{#Y<~tI*9N~biPx=vcYxG%u&czKF`M!|MJKW1BI=wFqj)>t1RZ%8Fq5f4
zaxt9(7~fp4a7rSp$@S$Sa#|U|;n_`_d^K2wHjLidHun!q6*S=kX&y$X6HIkLdgP0t
zR;DJm=Cs$BxsCKf%oc`U>|SxII|88mMh+pPT;?6Yj3uF1-&#{s_eP>dd3@zgo@(sU
z_8*no=<$J4wA3XgF-HFQ6Cl{P>s0nA``PIm`*kRcY-T=F!iLnBEw|bgaRMp%lApua
zNB^d`G%{jb_CHFep$yn%BZM@ILvJrI91iko_jZb;ZZ*IH<>6zT_tZo_j;@V1`NfEL
z3g&jRS&xv<xXCiXymZr_c=3Ms3{IT#4P~+!n=+&6cJ4V@ic`J!^86VtHNX5D4<0N@
zlRk=H=ukN!^3OR!l`{zXaHfN{uBF_=fH{cPX0>B($qX5~@%+>&8a_3ql(R_{ljPd6
zC>p^uz=908%R`KA7ivk)qqwhtRIqFKi#mSiH`ADFvQqoIWELxWmSuJ+f`9Buo=GO6
zS?&ePw)nN0$En|R7M%qOG63VKc|CDtrj#-v>pA<|CL&W-^9sPT!JZJE#d_6I_v?e1
zd<qWb(|C|<J+bP7I|ES~GMY}jeXne{25?zNXoMm&Q)J+$ouSHJ$q-DV-Gp{pYG~e?
zJ%B)={OLU+ovyPDX)mJ8jI@3o4P!Jvb!=_f0XwVkV1of(uh%L<eHhQ&`({^%O|vJ`
zjPJ#gfUb$ZV2X^?{*4NwEHuf)L-Em>Q||RL(72Q$NMKy)guj|Gn>+{r#%yb^*wc(B
za)AXxX9q5Wc?|$(y&h>_5!r}H55$tp9J6X~uxI!c>{6(WXv`i|x6dr^C$l5uyx0LQ
z`^?k>Yy*)=&e9Eo-EUf-KT*4A%~a6QfirJuyGN)nn8@Gv_C_io<=u-&jRPq_<W-)n
zZ#{?t>?GS=pPCk*m0vO10F;xB(VOxMowfriiZ%8xYbVSHcd6cvD4pZMi6c`ln3@p8
ziN+KX4FFb?pBH)yj6__&)N`LK6xN6>Y{|4tTCLYtTqgD2xypA*&9BZC&PmX<Xf(_U
zKZdti{dCoN;^X~y=tz&l40pf@=hNZTbB@3r&39=&rGHzwOxkAy=A&!&&thcZY504<
zqQbcy<V$rHd3*x?UUotSxi|L#fZnRwa|$9O%G8GI=$<#K+tKdha69sIlK5dS=-4Lx
zkyDS9$o$=p;(vErj{hkT@PFMf<bQ6>{&Tt_T}=j2e4i_}bH}J^f;SBDuU#!}mb?Oz
z14qh?3hTe-*f%`%xKxx#SO2w8x3JV}MF;Z5u%4%+Re>$fDwGExB28NFg*_v}2KlB-
zJLbT3>syOC9zVLqtE%IZe(a7U=>9Re3R%_an4iMBldm{02ER+0C?p26t?kbN{CpCU
zhl2q?m<9mClynKA+-(3PctCUjmi@ZnJRmP?cWY1A&UN2`<Cj7WTY5x8_a(gp$08Sl
zO=gi{@ZvG&nx}&NV$^E&Okk9TZ@O0iUY-#ijla`q52H^kan{OV&)|AyjMmt^LSUm)
zJ}`X8<56t^R$)TYnxY>6fr0I(e3vs{NyTpH=6>M%(){uv)cdqaJe$sGAx)HG>#m!m
zIBV7N;<+%~@O{nbhc)pBy!ER)KWit_ho=1C`#jkVsB5z2tK9N~#gBk39|~GpS|nU&
zWSosZugLH(nC6>Lyl~qn>To^aOAiufD;y6p+IqIxoOSMOk|uRdas-&uf^qv}dOqNI
z0$?l$tW}xz|H_yY1TrS=?l7g=Uu2LB2j20j1Ja;vO0Vz!zwO-tZG;MnMKm4<4*^EO
z{F>eUyzlA0p{^Z348|wUefyG0G>{+aQm@JVrefgr&4!0(PQgoZ39bt4XBZwxscXfr
zblbh^Cu9S}MSS7oJ)4G&u(}E6gJdB4pLMJabF)i&@g1}ZJ~VR%PSE}b7@MtxbHFAQ
zjl$jp<Ef?qy+yV|nKm&8*yiKVM(Rno!7+SSU*=5`$F5$hJR6or;gburF~;T<>pu^m
zpNAdmyH|+vPl}zLEESqm6-g3c+-_Dr`QtpxWNG?r0@2-o5TDv!Im*>P_gbJy3!k>1
zotzTMUF|Gw@ouF<p!ZIJZ_q=CopqzNg7gMb*rW(%l|E%6EA=S^Ik}rtFci0l)<ww>
zoVQ1U_=|2W(3r361#Ay{Z`2f4$tYUE3YFHI!v!#-w*a1FIxs!JrdhtM+o|5nCNM|j
zQf@F8zczKp#23h{gxTwk(4C@+OgUXFDrcpmi))}$rJm`t5B$ai?5;sx3*IIqdPP9@
zr#ZG+HxB&X=@jQFL+k4b_eYQyx}L80eGv-&=WUy-5Ep5ezTVb7Vk&lfx*UbUkuu5N
zvIo0^^h?yo@0(r9<LxTrbqRMb&!JK!TJ>vPf~C6E$m1@COnEOhKie2`C0BkY*32vi
zRDM(S?Msn!rdGB>)C_lbA%dE%QD&t<KV(r#&B2&RVd)ERjZto@r;YVcsril0S@P<?
zTG^l{AQZVBZ1w@+K9Jbhz{CWkUrwwvH;&%|H*g^#)s&vG@jb2^6;9AMdQC&-GnwKm
z4fs^tYBixkIbDg=I!hf>gnl|@ve##*qSfT(2kdn+HD-+wlN-XAJg!iL2E?dpJeT<N
zXszzY?Y5?j8vlrM_zBq`L|$)yVmH~3CbUWT!7j$<gagp~d1`B2nOt^7(w(A*g2p88
zew=#=eztu<^h>p8ZUdL`hGP1|gYasf<6T|rxga6KQh6490Fi9+ZckOkRe?!p#~Bjf
zTA>vzuwG~PpwpU3KG#yJstm2$YQ3Q*fi9a;{Q%cCE;2RdgmTiGG8PR>tH0TbuKZ@`
zF>KGgNoBpQ2kf14-1l0x0@qa22vTUV^m)sQYk;Ee=9t`9L)HLw8r<naYgq3g1e4a&
zr#!(9nSAQ^kK5-m`rk+tZF9;l33W(tQ;U_y@d@CMG8*m0l8cga>J7V)6im+$@&&Jv
zSjYaLaZoF!KO_?k3&;g>(ZaM8w6=owt(Jg|JW@2ibGXHA9PoTVI3<p{|Nk`i=Fw39
z4gc`BR9Z+SQDRa`B}--BGi{QkDEpSOGZ_0AQ-~xKA$!QamVKRsD9l*LG8htL9}F|r
zncsU<*Y&-wbKm#xexCE3^IZMo<T#)G^L~HcuT`i`0ksi5Rtc0n!;mFeEtrPdRf7DM
z(Rr=`@qZ0yNwSA=ujpIjXXXgS)a})q_uC@-;KT=%xW)X_T$RO^=>vpE(=(eBtOMqm
zw;Q$GrOX<~hYI4xKi8{Gnj{U)LFqEEQW3%<$hp(m#(Md}JV~8{U?C@|+S8jGH!auv
zOD>N^EnH^nfD{aIa(<ch@_c${B5675OG{l~{vU<=T(uQ9Qa3nJ_?`e+^M@Q-nhnmh
zJXmQOcYin3I#m9=cYKRLW<*vIae1iH6pdIiV#R3Ss-{wKuLSQ!XXGrGcn*aAT9gfr
zy_`qo988q4oz5C72SZlIJo~b7xG{6nF@>?^+a9D3(!CZ#6Im0688hOCD)X(;Nffz8
zMV2PYn1c4iN=#Z?X-zcMI$Mu|A0c6<u9=0xG3+;-b|`m0dw$W!D)XEyacCy80|YU}
z6-<>^pqEs|9<51M+7*0@(z}RZGsXkW|70P%bGf~+cE%e)*Dn<ZWwnj9xu!Xm050rF
z&5z8deO|Pe)6TPj*MzpA?#u<Jmp_YjN7@}CZszwTtE@rAhv-J{9C)+0$TNcmKqg;m
zpW_Z2k0bS)-#so7f0Z~es53F_=o8r4lXQrG*Yqp9uGO7zdy|#<F(~7E6>m3_$SGiT
z-a|duu7C@EmlQIaCs(AAVQoEsO9zU{;BkKVIFtw_@&?D#l<KQEW8C`W(+(=1Q~?u|
zOw!`%B+UJ5bz=7WbAurmSMbHZlNz)Y7e#u0lkeNKGf&T~!t)cgR|-!LTAZ0D4Lzrd
zHzejnK0`}(m}ic8`}>r28Q1R_9&_5*_hL53(MQ8_;PVA9jsB+{-4zZmD<mV5zz5#b
z^n4)KVa}M&2Xi?PJr|8U=ab-fewe;5AU;hdAe<35gF?2+l}IYmi<iw|X)Zt0FzNZs
z%ehE5vKI?*OBzMn5pcZ|vJ%x(m6NZiL7XT0yPFOZ(ib#8nQrt(mWnG<+XXvNZ;Vro
zC32m<KwxzFsPdfq#ZC7JrT{Lv!_Z}$=})Y@t6cO=9$~sOnS5sX^_ykBOXb6IBMh1g
z(21c6gDjr#=+M6RXPi}fGB9z0&-qUqh~*<jOeX4EoY<Oy`{2YEkDc^SsL7CI8%3~O
z^voF~rSA{uJc-a;l{y2l@fc)6EL4q_D*SCZe6UN#lFnW%w_g2@R=ycX-)CEUKP18}
zp1}^Zrbcg!9OrbFB8oiJSvSoLC1uEK)S0WX1o#rKP&8v6qxMnXv{Xc$QFMVk;>jqs
zZ?u>r7my3l%)Wcw_cGS&{MO_hYGITU@aI^S$74rb_jgB^`jA#1v2Dy>mZsKVc_Rn`
zlO;=iyk}^Y{^o3nU9037JZvCJM^wdj^J`j;;;8<vX+ywYB_|uJe;(&?AJ{lIzBOsn
zx3-<EQ^tD>-~%|K@s;V#xVM`pv%h*9Yd)H0rC6w(#JGY5LF$~s6Q(wQKGU0>mEJ*f
z8dmTx1av#$dpTOtH9o9;F{3JgwW<lav1lZUDziJZ98ebKkGS}45ioaR>}prI2IMv!
zo;-1H_xGFs#Qk9~uT#ivig^#TZe`!hE7SMkhw}O7tK4qI;OjFiBfDC@5?Pq5hIr=3
znMGFi1sth=XUgTmx~;$)*O=mb=6bA7vof%7mHACephA0tK$0d6I)5l21|Pw8p^)v3
z(M~qQ(eX-1lzGxwh3Y<6+U4D~2E8Add)5k%Z#tL`eQaEZDjUcHyKk@cZp9*cib+<+
z#>#^xZ&?@OSs_Im$Uu0BEUl=RZPgX2IOq8i2DeiTa{ZbgTqSJAb;rXhWU*uQM+5Uc
zjZcByla?#xrHjM{g+tL&P=9ah8I4Slk3Phcx9}qetENX;SDb^(gy(7^Jv16tFfZ<C
zp_K7EUC*s;vHC>OYE@hnD`!r)DYQw>E~Nen1WKDne9I)m?*EW3hD~wPbw##DSy9c2
zO?y7pjpjzNmM0`Xkyxf6F7N)3Etoye3k^b%29uxB4&5nR1tjm<ULI7X?K@g*_eaRB
zOk(Vl88$;G`Y76|8xNLW@7Jt=QyC9ES1S-~FqkM$T>egKb2i@vH4aODc*cBAefIL(
zb6nY5h8i*B$Lw1k!H-D~nm12LXavTqLl^C{tC}=FPTZWS`pyegUEdwh>RAm3lJy&C
zg!;DPM<|`g_{$B^xAT0L+Re}BGhfS7zf@GucLYLXCm6n+Rl8XiSfwp*n|QBLavnY1
zL>DaI%17OO<~4no_xjnBmaAr0SHb7b7=q=7aAHr^3HTX-S;Z}<8)(ZL!qyo)!rhk1
z{qSsF#TxP9xSeOWn0$B$8i>RnSm>5-GC$k*3;YzW><1xNXE6rRAIhK^pX^sEOP#=t
z+2r(qcFS$w7_pzt&b+UOB%~tPIMq6s-7*t7>`Vp_f-XsG^)8#k#}kWJ1d7EqEwg#S
zC8=_us!eZnSS_p-*JECG!-lUB2lQ8}qF*hP<j=UTEGejwv~qv+2VGP5kjiPH$zR01
zE*r*~qPS8;)Qqm#e&uMyUS6KM<Qhg3y1PWhOofOm!zmjmMZbUCr@lgj9N<m^{r7m~
z>roP?#WfI&cs@p0-rv2}3lpS|PXcLp^_Si)r-ZK3k@MAGhvPUWBffuJpUbl_60^#>
z|180sSQ}kTDe}t(Cgm&zI7`}o;K{qjMjo22dayK{tZR@kYVN@8?4#I~Akd7!M?;!t
zkJF!$YZ%&5dz!3-a9=i1Yk{}T<}UZ_$IYe7Thx~c6Me_Bmwl+ZNh_fOe5?IeB=UP-
z7Y&o{9Tl>4{icU+?OyrI9&#Fl96hARH1_*|proPCv+LfdgYRC*CTW1QjY9IvRW?Z=
z&u*2mOk^RMotJ8Qolus#A!h$c(O~q+t%bVta-3KIqDY~GuEK62iNK&fOPKG^3{l62
zRPsuU)p8pW0gyJqWa$t$>GuIysL_X7A6tUZhE$SkJResxFRn`awnDue6$H*q)tik}
zrf>NSkdLBxr#D1lfgl9OE_T@6_Z9F(U4?33X`O34FHa67_f*Z6T&<Q4NJm*fUf0-8
zDZU7pxK**xFUJu#qwu6`%b15+a#&74;;suMfC)^;9~6iu*LwxTnqIR%RG@h+S2`5K
zrPk(D5wP7T^-kIPh*F<|JSGAKF|&J`1$)_Li77<1#YZE_C0V(0<Krl?t2h+_V>Ow`
z!^4O&OH`iAbLa1arKU_1a_#5C$hff}wg6>R#Qg+p^NzN=$A9)ol=Io?Hgxy%5sLX%
zFRm54CUkMymdTJ`>R~FDh}}!`A(Mk<-)O_0WJ#e#9|+oOLz*nvie{UZf+Q2>TzU(W
zsU8dNQl41x`s4Z!L0Z)i;yWfs!hKn6s}1D|@=uhmb~gAXHy8^l{1V|+u7%MU(#{Mj
zF8^UzrjDd+Oc8{|sDrXd5qboqsz7AX3Cs)&d5<yNEnl|z$BGqygm^`A8^>G@*CCGs
z`idp=NWEVBkDj@r+0mIJ(QZb99Pir3eEF(m0GoMCl8^*`c<ly`2wLMsJNFEP@a*Qb
zGR2g8wp*UB!&mk$VbGF6rTBcuppqiJteG7Ho4065@sc<Iht^a4pkC(hk@&lBZWf3K
zQ~1s>JWMvT-}?-{QG^q?JhVD*t1S}L**yef=8_M^dq`E!zGOSaaE-6ry1EmVbizKg
zLor=R-t}bFmJaQpPjs9MTU_Xfd%Zntb>wWaVrCh=G|hjD+qF8<ZmZ=C6YN=R=JyY<
z7yD}-wBGiRx?7%aUCa2KgxDhel2^AH*`S|lxR%yMB*e>s)&44;qlX-F$91UpW^SIF
z@o~DDl(7-aZa>ZvvZ}~ZyDz8vWC39hk#}!(1!??3I&wJviZv;3Vao=q<Lxx?I^V~f
zzG)fnHXc&62;CIVA?H2LQhxrHI@S}fL6xaO7p3PvgNu3UzLD$=ar%LjA48EkoK7e%
z1%0l0`xACQn{3_N4?ilLp5HKPxFea@BUH?_qK5ub90yC0*NF&_hT0?$3IvE&IaK=i
zH~Mh@oH>ely;e?8w4&zC{PvffNqxZ3SRKL405<4^|Ix!;oe@uX-k)^VKL*SiZPy}Z
zF7Fak*~eza%HajS_hqRk==x@pT8jeLS2p6#6gzAwEmCGe$hhW31*sY$v{CgY2x@a;
z&f8eyTR?#^TL_s7mQsK9?x{PZ2?5Etm3uJ4z3*>T_g=;G3A^cPclO?93IS^4ZH8Ia
zyZQJP-4DV~@G0_-7>J>m$S$Z7QmoOmS?(oXa{YQ>ntuRfNALA7qMy?STI?BFBw_~t
zf$&>CWBI!D6VeT+;Q_^EW>#<Vi!$YHgE%8DHa5Q{&~1v`br^PGnAY#t<J0N|+s8Ox
z$5fke;Me%|iZ}q@*+YuGP5-=;+S*T9n9#x){z}$$PvCWa6MWbxUpnQ?v!`jEyP)FP
zC-px#poYhVn$G-kbG9;kVzFnZy;Sq{Hw_f!(T_3|^e*2DE3;3_jR)3=0sNlTH)#h@
zv8rLoF2A(!r>+7cl$B150~Yh|juc_Tj@p+yY>;rlCoyxs-1Q;$2EYCGM${ta2f9w0
zC2r5PU<R)9ROYSfC;6Y8^>bF9K6q)NR>CY^wr$)n&;drLc#$6gjtq@xD6U)u+I<<V
zIY&lhky?_b3@pb1wOXzDJ4F?m@V69IK{SB{Ik~*wxy&9G__}||<2mIIN*Vth_$3(t
z3j|LD;in!OEUG1n=B^b3)Y$in^&1Fi?>0muIB@Gik3zh8;`^xsHD1t-Fxw2C6Ox6|
zOLw<;czH59>S?!s(NxFZPl4GNgq7le7`Ix-=&Nv-K*m_$>mCQLG>~T434AV<HF3+{
zMBppB&^>#i$QigU-bCa?C75&x+;W@F^I^-p;Re><o@Y-;l~kj0f4OTI#JTq(@c(^W
z`K^5)PmT9-02vDX0uFzv-|jT<<K)3TDe~~7%5e~>xbl#Xg#raYhX+=a)4_*%3|3z)
z?f<?q{7wIY^Ub)7gAWqfcUJsB><07v=>hGBkERncL|WDV79Zta|Fn3c2sk^@-Yv(q
z%&+$df|RE*tysih{@o%r;=5pNIoH7KHZ$Yltx7$0942^z2;>5@Mo9aa@^XW&jiVqF
z13ZvQd#r#p<w4Cgc3z4X$=_@DHf$?>R)2&#A-x)!=smkn4Sz0=kv>XF*0H<&Q#aMv
zO;;bAZ6(_6`ljqo(o7aga)s`bXk!zdnbY5^p_(A9@|B})&H`7Gz@L)L?av<m);6-t
zYA$~Lmg~i<lA)X|tR_>`I_d0w<bLthA*HA6{V7gE3_!Coc;!HVgtd#$tn9-jK7H3&
z>>lVd&F_1pe_O}fu-23}j;-@fp}KRz;?)U^7wRdu8t|BTmk>)(L$()JC1sm5Eo&S#
zx8p7BzrVH92$})z2X3-n*jW`{K9S9jc*Km|UJjl6v&?Op;il)0`7|(}3u<|ot=R}n
ziv8HR_CifSc6A@qZlWFWP4=2k9j?>#-T>JvjJ-9pfar{Ys})r~6m(V2rYecac1~;E
zq~9TPY<d5F@P*o+b{2)a#T~jPAMjFKQbtl!9`JpwT8N@~y2qmu;Mh7QD1fOVvnQ|R
z+yd#Gq7m858n6(;tT0Z5>yx}wB1q<%Cua40M9Uyp()yTxvCV(ET6xI_Y<l|6Lvnh1
zk!kh#sH|lgcs^@EUWYQAg{MC&i#5?a^X>x#`hHI{=6ew4vI{__hNJ^{3kI|55t7z6
zSi}k{bTIvZdMY6D_*8((kO!C_ua8MKO#p*XUr-X6817apqwRSE{u4b|<5SlTv_Cp2
z!fBBMo*lDIxT~lX+A{TX!*n9!sneussvX2!eoKFK5wLZgv*02fg8zD+(rv)=<YbLi
z<|wVwlI$Nf?9W?{z*ku<bVeAH5(HO#81^6%TTSF8oiYOb_7LoBORbs^p0#~&OQ$;0
ziW2{tAB5c0o)D7-$w467d(Pm?t99^Mu@GXGo){RYV`b}dF!y}`nAcT8jADL(zd?d5
z@+&q9U9HK;gtG8)SHw-Nb7ALxjgu_x{C>%{r_IhEzj8<UcIPYpm|r&1r(cys{aclO
z4GBs+efb{m`At_Hd940BEc~g|f6Bz8$>fcqXw|GNxrB(srR(4lRumW^cYpn5l?aGf
z?V5XCE$LHvBGpfBmEc<A(-$KVHRCsb%-OEr>KSI9GQ?4KqdHc<Me0+-BGxHM1VmCV
zR6f*NCvC0Yj$KFu)14DsHq*ypSyH=ZmA|$rKj+N3ZL;{wN7R?Er~q7j#rLcLNw@IM
zWFpeD$O5&vC@P^dctUpEVhi2s_4~@T_r+R*M3|?;2>bMNv2$OevF)$i-Dh$M&xji*
zkn8huk<o#@p02GZjYuu}4;;sSVB@!-ZRnFH>@w!}MG&WI3TlIqz4O=$@RF}SXNwE6
zU=H1Ns_G9Gr@2|$1~XytXJ_JZ*dXMeH1`t*R{`tGXLOa&TiZqNp4uYG;?bpRNftxY
z_34_J6DBmBygn2z*C18r`_@Pko4dtyPa1d0MDSP#vT--mVrx_Fmg{=M!8Ur4USf$#
zhFT51a)B-Hommv;e7h$+m%dK>M7gwYb_QY)KPOQA@qxIy{SKYOEJj(w*`5(<$O8%)
zO~1&(@^i6fqRSfgv>6jI8Wv_-uV}MeKsr<TIM4*i`KFeTQ}#V$DlPKXP{9-eS=r3y
zUM+KMP9n)Gd^hx&<5$*~o1*6wnmfid#IfFzr6N<C6VEL+&^B|{BqkH2A77DL?&gj0
zg8a^CV>bSOUTiZE(m=-+6g%h34%&M6yQnP&I(ia9*mUnYeM!_TG~WUYxSlN918YZO
zy?P)UCi)Y5xtNYr+gIH3$5$7U2PVS|$*D-q^FOG&oS{d{0^1cuP%s5_F05ws(Kw0c
z73D`v<qzA0vK_%D!iG3%2oH<r#(K*M)Qp&Xz_eWYLhY91`xvB&o5G)T*N}X$&1~F&
z9(d+B1+`bQ5@v|D_PSSYv46M7b}mp;QMVdz=@K);ov;i|CJRW|s;`NudD8v$IOC|6
z{qqqrsP#+*<D~$LJn7_tuLnUcS2jE}Stjg)6G5hwu|nl$sYw;8``i*wMv0H)t!=*u
ze_c}(<+>uwgNv0UmcuqK#-#_L5)0fFa)L0d%Uk_JUIJiHX_R$6U3q08z3|hN*J8;y
zP*)4-nKMIgTA66wuZe8U9(#Ahmk-^m>6um<D>GyY;+}K)kC$$%9skk<X#DT^+Rx&*
zevc6Um!66Ll;PtKp<M~gAAf5%X#brGHT<Zn#Q2QNL0l`-@Q(*MJ-xEjY?&WI#_YZ3
z5LWG?8|<oH7YfXiZvw@m?a{^F@n41{Et!RhdHq3EwFR2p-JF&l+T#8>>anZJ=Xe29
z{Moe~)QIescaDrqNLkkXVISE562HT7=v%1+4FfA{eH%aUab5c8P3&c_ja3dy`O%&*
z5Fc=U^RrWk--iPauvsl+gP)2;U!%A$aLH5|`YmltHzo`(l{m^%I+WtRd*yUBvpq6X
zN|nF8r$F_$ImunxHa3G%nh^BW-tKgkO6s6$pcr{k>6C{N2|MGcP>+h}9L68!(OU}#
z!iWzPo&!Cjqh_(?i}7W`rqq)h%LUz+VV5hsaN|-LE5G7c`%87#wk)iWA!Qd&tx{n<
z@03^Kk<CW;I2mu@Q`-~(<V34Ox<=2GdVjb^Pt3^`hF3q)Qb!T(Bd<s73-GduwVxSQ
z)8AB99G`f%V*mYT{Bhr8h(^Tz0CgJ&x}wce28cg*HeccTes>>ROfNrI<&KjD+A5=$
z#FOt99QFs1Wm8`9*gd<ptxstiMf#4JxJy0L4NK0h-ynHqwNAZNr}gRHFjgOGN?E+&
z*0eLonJ##5*kTW>Y(6do(Ms7alYrF-(nt`7GUIbt0XXK%i^;(=uO5aWuPef=6|jHi
z-)~-H@g2Urz)nMcdUMXPSEoRz%P-FX?zJ@7J$*PtAMtf<a4LEEv(|~8tOSQEGYk>y
zx^~6P4=@3P++53VCAm~|qrw@k^+hSR2kc_VQ7QRNO-82euiAp5?+WkwQ2X3lOe1Tg
zqzY%{tp=FGjoHO~fRC*(2{@gw)ri40PLe<B9?B*DBE?glxfFBT`^6{w3$dwIsEG1$
z&A$#y=Z}xopq@$E&tI;-Z(>Nnd2S%Pc{Q3I$;)}i22htEub5UoNK<xUoYZkHsH6!g
zRWO)O^na`6c9;Pf&JZs98S@B<3VHYVtuU}e(TIf;?UN`ViZ%z04!tq0dt}!2kRg$B
zd$s*|=Xk)*k24SRza`I1mtO6mh7=Po&~(k&ispR+e>X13bd^yV!qHy5QC}IiWhS-0
z^dOZtwhFKCq6*}FjrNdM`c@}jAxNIYQn~qcJD@S&xV)x7#q#F*Mx&RbI=e|cgwI4v
zDQXP76;o2w+c}FJhA<3Ytd}}Bg{9b5K;SMRwV|TypvT6(M3apod6T*y1*-SZaNeEx
zFg-|imp6Gb@Wc%3)z%pa%``Ig8+tr`M!MpP49n&GA#2htoh@v}J<t}hj=J?@9=Ot5
zaJFHMYbI4SIw=5>ipN3^&<%!624}lR_iyFvA13!hvDPta_I8Cmi+VNeYL0duS|9ix
zaL(vNHzhWG(P0v#v}u{q`12Nz@lf=oQ6%Nwem3vUE&IKDpcImtbx`H2we~exb`&zO
z!Am@Cs|F08PkVA1N!E(*kM-NXl|*JRoa;^aQeYxY(>F^>N=a@xE;IuV)Bib`YV7kF
z?iesI{*O9}*nx_WPry;SlMJEGw~K2L55yH);%&cI^;{}Tcue7S<^ap-#gb{uUb<Iq
zJU#c^_QS`_h}Nz5d{JHvIv7rRl<!k;)WuMeQ3;axXxK+KkH05*&Bvup+v3z*d4Jlj
zH0D4fiOlj7e8jPmjUT+qZZ&dBjJ6il(eV+e&Yv7#H{;?Eh1?q&(U}pRnl6ci_`r%C
zUJgcuYFWO?Vokh96)@xM-QT+V;p^a+1o^f6Jw$<-A(wl$Ut<D`w^`2@!T(QLPv(3B
zWs+aJtJ=mE<0&+gI>|ErpTl}8NV(Ax5INVO!=?5s^LgH6dBm$^GB+F(Z@aO89^T@)
zqk~c|Jd%0!liJvU))Hh-RT$d?5dIA-%0n2>uGpD?Q1E`^%M<UmW85r~)Vn$d!}0^-
zHDrJ0o<C;scfvE^za%`p{zt-dlPW@UFAYVrb`UJ-wT@Wx+4X@!Y<#e*Rx9#HiQ*hd
z9DGFNf}AmA?lbh27Iad^q#`c=(gSrjL5@DP>h|$`gskl78`c-z4yIkuf>o2j%f@-t
zB#?%q*xlmjm$GWC80y6grEGkBgb=71S<z?YCY_ag@6Y>1d53amVBv@t`6(4ss0^I1
z19E0H1$-0N9Gl~+TpAQwf7!gqPs6W24*u%Ow%OwCAw9ptGvekgD3`{F2?fNfY0ohW
z^<02OZVYMHX~vqf?T1+YgtCSqUhMag9K<o)c3b_fqd9Ha17`ZfS(I<ott8GaNHl#x
z(X34;+o>~@EaSQ!?l}mD$c-r<ByOf1k2>Nm=jsi}ul>BXk3^5kMSl!j<KIv%4>QD+
zoLoz$zII6HEaiwR!J;wsG~T_Z2l<qSGJM{AXk!+WAFyrZP!M<%qSbvt(*)GKj0MZj
zRyF+`q$(ip`f#W8em6(FTAeu(D(|5_hAn`htqqLpz;MAGolo<(J)8-j;~#$>;3d5y
z+I`TP6!(^znqx-1nsOi`XUOa1VIc^}8Qf;bmf)Eu$e!1NvLvNMGyw&(hD1{Pt*SKo
zm9CoYefOqV*yPa$`#}5xRoHueW)(kjk}M~bB(Kf0uHE4E<*Xq=$)J;F4Cu+vHaF|q
zkGQsBdgjcTke<HRf~iH^&BgaO^gf!N@A1b`5FrqjH8@L~_C~zn_&e8*Q^BT_O<KM6
z*H-y*Fbozl_HQht=v%--YG7<2r>l1HmVaq+RlL-s5R9;L`9(wGUo)r5KqUMKthutK
zx~SV$IRa+%QJK6E%hKo@X^Hc_Iy~gL_5_BY7`gK<ZhjTpsW8&J!g!@?+dgjb<BnGe
z&sUBdI+fuch~t8Uh#WL(dDk#=ay6H?SArJb_d2EF`01aj1}J4@(26WkYG99h-vc&S
zX0!o_Hz(yaAWnZO_%d}v{Hn}{mj9lNe4X(>laT>J|1BB$g{biDvVVa&^$07MjQ$Yd
z8@J>f6}Ikge(mtu3I%V`<I0I%^Gy7s{%gBJfqTvYWs^5SDJCCq#T{TCYQsgA0>tx7
z>}H8%P>Ig0Ar6GC*T#R4wcDyQ&2|f_9Qc+t=9}E-F3E<*Ujh*}G!&AZWy@pQOKPv;
z<DRuc$0jcy?e%-l@Za(A1hLVBV8VAO=Tb-f?q#FoLG~M=oSqFKT&?rzWzYevo}$_0
zf1@4A_}D`FaudhawzAo+Tr=sp1vblTa~bCW+y8bMaKen&;-w-RfTF_X&S$*tGtYb|
zjwzId8HMwnPxxNiGc)itfqi4aWQ6q|`9q#!a&7zTGcBIy-SH!L6%560K>Cus9u^|O
z-DpQnu(5ibaTE&qf6F^Y|6h1V+C=FpJc$PLgSXa9SQliq95fPoxBeW@i$Eq|BQl#v
zz$2oRZhN!t^)!fgSgQb8S7j5~H}ERM_|NC24ubWUwSE=#okG^h9K!J0yJ0CDF!dJ`
z^{UWO^t4*?toQYt6>lseo^te(6C%*xkFTdXtJ<`HuONiSqJdev3F`@MbDZm5aWsWU
z{R>N2^G}wr)>HQ*`K1(8?WR>I8OMvtXZssXNS++qCnD?1=03V6QQLv2TT_d#xH}Cn
zylHbfNYk`;8F1)cDLhUc8j%6H(U&1oaQt-$|C}H43vGLVBdPD7YdbS0|Dp+d_%Uy%
zA6fdi3S@z)SA34zm6)+g)+7Xa${x+GH}6`mWq;f~-4J`+%Zn0S`8ewIEqALGVZ<B@
z*zQyk(79Aa(GF#|$BT0+#AQ5!4`s}j5^~0BC47ku0YMH*hhOK@_*bNf?P!H$5I<PB
zwAh>4>zbNS{|&}qm{;K-GWu!p3c{XewUl5WqG{<7nj8VK^4Fsv*7<8-)uriG5N;m@
zHQ7okZsEyr<(6Ci85H4gSLkWi6Kl!v!DtPK2NlwZAii%|@<PwrtCQ`mZ?A>g`*9Zg
zU%#8cv!uqI0%tpJJtLDLf^%@4;3$fRk7KjOhqyb|o`utD;8-N}Tau@1@1mrLM=Pg<
zb+KY@+lJ?7Z|eGhG-e_+F&+INZf<%}7Fg<EPsKj?Q!fLMj5`)IGV)25eysgG*G9#f
z#@g!NQV!`BxhT=c+OYOab##Y@od};6R!tG131Y7j*7N*Ln;j9XLwV1*@5<Il><KLD
zKhk?(U++yLHs*=C9~u|~e}*!AqmHlUa(nG)I&k&G-q=t&0xXdN;%-l7^ByCj)mf@9
zSbs=gg*EJ}j%=l9?o|g;R<}mxLsNudj(h)Wa&ICDkbBl)03AZhU0FDm8I*l@Js`8)
zpz)PI^QQky?8JsOR%`PkPLk^-!DLgEA78{@K!2p=CrEjCrO4>sLY}TGz$3Syux)-%
z@%;;(UW0GGEB(wgHb2;xi{ec)Wpx$IJ7Mz(&zIIFjy~_ac0n<h`^g+8@e&_$2z`q5
z;~7StV|JT|P;Jvd#sAXu{K}SxII*h+Gf&FRvK=|8#{2MRo8sem4-@Pv0pSw=HO%|8
zqsZB{xVO{Z1Fn>l&x5lB`yKN$HQD5D#a0gTDm0#$k?cs!QK^sTE5VR@BjCk72R?<<
zYp$YGY%?l|IMVY6gtGACoH+IS(ev!ZgR^HmkO>>k6w3=V8h=Fw!0)aYvL6h1dX9gT
zFE?2kjFY;xGH-5Ql5>Qxj0M7X+$*&-px@ykA1g3!7<3;Fi`p8xE&hsl6K6#vd)-lp
zpBb=?N4tXoy<B2%z|-~By1I68M<A(||55V@f6(b;eM)%k%@bB~meH^7m1X1%jzTf7
z>rT5~z#p4C%&_yn_XO2|)2SEsKqu~PHh+(PRDWN&KI|!gVl%OwefVVXCx3~_{-+@%
zr@53Zq(BKHPfN*n1G~z9co(Z}O4hxI#t&{)H`@MSh{<hAt$w9IgZjl`%aGHwN<)QW
z)ubecJIup_M!|@ztihx@M8-ZEMoi});0U-Wjw`Vs>@@SbUVjBJ>}^(?z4eJ5y0cq#
z@Ij|^&C-V9lP#OKIM1ZX7M03+JBGWiGylraJgV2}2EIw*{ju~=*{?nhG<KtGMuZ#;
zX0LE{<!3QYgbsf-tl-l)BzHbp*f#8D$z{UKsKg|&aZ1~VL}?=D*Fm3Rl%r7(2g`HF
zm3*gdLyN1YPw*zOzR&s0Zm4Cnt)`DjO?j6=?J<TCz)DLG1_q{UvvpM+yu5zBX*VOG
z!QFG%s(A6Xt{Xy#%Ijki5^wxd?#-t`W7j-R9jeZ!T2_*em%GP~kXn28(^*w7{)wPw
zG$7@Im=K0}k@MJZLv3om1UlM_1&EaQMKWWqGN1{iRBL0fmII$^-+DAu72SHRL%fC_
zLEmkNeMj8P$vZF6g6`6iZB;(snkC^{BGw{=xOA^%>$3r2iT2S8Ii#M4%rNvUi(U7T
zzcXWJb5xsTnz<cx$DltJ4{W`)9f<2mze{O7#Ip4wR$J8NK750IFG6wU*cbz3`mUMt
z^=LMc5xVW9=9|p@dGSu<QA{W6YmHqD80Ny<TJ>R6Mm?%NJP2HzAQ@JKj){pxa5TCD
zVSeYW&U&JH1$RR~quX&MCPO6No@(utbef}jGp(wVQx3cRoQI@)?uIf_e%l`4YOcC8
z2+PR7&=({|8I~luVti6u)9fQ%RkI%UJy&|CRh4?z{b%1HtANst<S;ENDwCiO>(A6%
zOX2mji$4ZgQCI+tr!U!jqE={Sla{-nil+r8V*vHpG&LGHh<fAmTiPy~T(hNPlfm+^
zKiH3{W!NtrxpzwZ+SnGV!{=9&IJIE>4<Po_jxgHcl-)<%(xT#yPlqe&!;oXbGIj<p
zC(aKL_#LE|4;|m+bSIj02o5m|1XdAl%`LiI!qwMjfbubVos_0VthvU>N#bKQD%Co)
z$Yu1PePY5aP*Dz`7XKHh%M%9bqV(URE<4^<5k?DyA55h-rel`pkW$tndwc&5xyVMT
zqpE7Y<PdTZznX$-sMT--UU#I#6nS#%op%!G$qGeGs_Xr?>h|kuf7I;}zEs=}m|`8-
z7F9|V)ZKKwFzt?knu3-ssB0{YcT3Z}#w@^dXiv5aO<}Dp9uA6@ZU*vwEs>quntZ94
zlpaEgYRqq1b&hP{F<6plOkyi?NUF$qxk)*=&oDx}S1@G-OMM7rpB@G=G7{?d1n4l;
zNq1p4SYW~8Im-&tmoALHEwNkiA~s$NMaQgBrd=tASsEEC){Vc^`jOh?z|DK?b7>1{
zEbwYVYGjA}`A^Qi15`aLTth<w(bR|n)A)tNY{f+^>z<jA;mp$Nm)Kx!dhVVSf_pQs
z4@Td?$yhy6etXE8EQrF?0$k8OebCzaTp_O~rRhk|dR+&J_-&2krq~)&d)){IyuqbU
zK5910NI~bETZ!n|Ooc8<YkCDgwAmX_B0an&IX-S%1x+?ZdH{ksEX@}B3xaX{1;HSc
zR6R_cO4*jVKFzdI#tjCU3#TK;r#lxfw8=Z*7<SFJ$}EhZcV4ZBYv$5UHuGPq^FGvZ
zkr-5`!F~~D$jKp;QyKkbEjh)0*^JQ;me9&Hu)Au2Hsjg!zlC3zi!yTJhj+XQu1Y{H
zx`zr@((`0IrgO70LdOQ=)DkK++7S|kpw!J7-!d{qO>hO`^VDiz=Nk9Uc-tZevNk-Q
zsW&g57y4U$-X7?eT&+-4++RusdO`6PAMVX9A$J@PC=?A}_ANYkNqZ3r74MfOmB@S?
zG;EpIDjxP$Yiiqy1SaMdbjK5fT50QjC!d7@3U1^^V8ZKqdw8-;h+!5x#<eebDFxIV
zQB#J3iK=QBmgbEFjkcbR;XN|-dnUZL3x+t=oS4K(>wTv%YexO@w|4(lp#M);%;#TN
z47wMm8<wn;u-!0~KbJF%^v=8k-R~7=KSciFU%wk`-N8q#^?*Gl=^hH7@Ns#L$$+bE
z68K2^=W4<j>DgOD&P>@YRm2#w0~1G)qgljF&IU{mXmgT*L8kJf?QKte_y`po+7P11
zS~B%DPtiNzH*TD`|0GPYQJlB9d#2w!te`nwkZ33MgKiN6$IG`PnoIe(yl>qohEM+m
zz9KAq_Frv^qx-jJz1T-rJD5bA^rG`FDg$_J+Fy4lBc?_Vh!EaTt70b@kMiTE7Mv`M
zi2V5ENAsJ?Zn}DT{pru=&T3cbCbX5hzoOE#IuF40e-=AW-v(wzkTKgsRK$Z?6$Qa6
zkigpu(z^(^;Vd!ES`6dR!3hw)F3o0Jmu!|C*t`I}?Xlq>_%_(f@*TBcnsd1K5c$2t
z&o(2OM}DErXCEZVkmOAH9ckiQdNpH;4+5gccu&sN-?u6cVBb@Lhj^J=jf}Q^BB*h&
zq)7w2u+vS2?gcAEE<>Caf-0<9=&^V(Cz=PRC<3dshTl|J3u-l~a6+(0O2c~FVoff0
z*Dl)dXW%xC({~^&J&O#qz#}&ZRB;#%7_&NrMg9}HF&lZd_O>*yFBeI3<)u)S4jrC6
z9^O8|6w5m&KCwTEoj5A>8?#yY=@@pQFRnrQ96-fv$NMEkaB=5H`}~Mvw9R!&T<JK+
z-Odwer>SX;@?+0rde!e6TV+PG`*<`ZP-;~?6)UF|lCna(SkG0;ZIzZnN>*;TjJlLm
zvEhe}$;G`66Xlu6868`EP-T8EXRP5QU7_#uS2oEbDB>fk_38=kI>IeP*bOGRGo!F5
zd}=c(>*#^hA4pq_b@Waxjm)x0!EY;ULn5Q(+5Du8@uI+NXwplif^xB@6Pw7ecgUMe
z?P9%PC3A{N3~icekvI@HPU#|M*{a*F=ue?2vhw0X2Zd~No^cPVZHWrZ;Et#z%wt5B
z4{-B)=8Sm*E46lL4{Yuvv~1w@w~av^l4*02xmEfA@#n>+Tryquo$2H)Z5^p2K31$S
zh%syz<eUg(U5P!(TX~JGqF&R&!97qSpg%B9_}TED(eZA!H?@71ADLy7jH3CQGiUnz
zj)Yzv3>a}|nh6!cL5>VetMsAD)dg2$=62uvS0Q@R`nC{#xlZ$!)){YzHf=WI<Qe`M
z&8VGqII#kR=<Ox1RH`x0u+vWVW7r_p!*{9^Pv-+bp*va^4G&GVcMLRISqSi|Xf%kX
z4Bx31IK6Q(-dOu;Dzq|J49J~@G%dpkgb~XrQk*t5wJLv}95W#WDvuEnH?!Lh@)g%d
zTc9SEU&+XzJRTwBrwXF+aZURy6cW<rJ7i{kw#XdkF`9Y&z1=a;W>#^Heq&hr{N!PQ
z&9*Cc9uvz)KGkV&x)uYInOc|&cYeQ9@0IhHbq|{OEqJ=&+(kN`Ca3lYfqF0Z+-HZ{
zD0cf3$Bu5_H+HcKQ!8saT~)Da47~z!5D&4$&|e`+?em>|kY&!!cZxsna~$M*j22CL
zazpWIwP*(X`P@hNjhQ=b>$4K+`ByPEmL~KKddGdsZx7^a;`+}?#JIktmKNcg<`)%2
ztG^X$v7W`t4bF=^<g9B4%p&vTf}gp^#=^R3SaLb<E-)Oo9(<$Xz3NVXAhSA=vhaz+
z+wpEs(FE|kpCLXI`e^C<H|2Vv{6mHr<f~%eFXcM9<=wwPNUzD7(b-Kv##3f49`dgU
z(%@F(O2ciwk4>6+Ht}Ze!<GE<*W)YhGwvlOXm04?9}G#sy;)6J<a_}uMeTv-4Xx#8
zJlU4J@!*E;AF`yi7f9~x?Ys>@KLaM$bdZX^Qm*Pw_)rT8@k+pIHyy9~iW`p*6t70S
zxrvu19r0pm^eX&-HV)wItd?F0dp2sU;v1dWfcWZ6uhq7ict0Zg=`pJ4l5DH()AVX_
z)geaA6E$m`1>^>-emR2DiC;r?##<6kNE4fRzUqsv93W8zhCZGccC3ndQp40M*H!{X
z+~&W45Ndrr4P*0WNPq55^i;&}#u$cXPKiq9K<c*~&mPB~eJmBBj>m2WW#u`FBn@E2
zzvJ9(gN|vdimR??fuQbjN_;xnUN&8RJGt-dJhtQ(c7Rm6DYBAKrh+KV!;$4lm+kFS
zL3lOkwf{)QgxdISFV@DD^Dm>cWQg+ckrUZKO04ksXl+U!%`dQM%Svd8#8jm~NMbto
z14E1e0;O4RPK;*6;aGE`z{i>R3ax6>ZIycPc^UNc!^UpAASdhLiyp9*MS96_jO~Y7
zpsiP+z^HcJH#6pL4g|UjuKo>uDu;1gbc4*YQ<4}aAe8%kD;V!_(vHhMp{K~NdE>F)
zZm&Ou06FotJ1r>?NM|N2$%hD|AFaIz`>xoyK5Ao;m)}q|x}y3fRkqkGy2dR)vZ)<Z
zmYH3`lq?5oKA(8&M2uSu*xTc3!d(Y{1flpvkYxT<qJB>9-z4e>+XRok{x2o!Y;RqF
zm1g7e)S64a3KH~_5$C5Qu?dii&g*`<T%&E5e;TuQ8H*Uk*rTH<UV0R{qZhDA5zV7p
zK2Z-ViJ0LHvcR+ks*HX++#`gCla^n%R>}+anM*cMp<7hUB9kmj*)T~_)xFV8Yxwfs
zIL_v|sh`*bKhcqw=8)XgNt@)70pksqCYyd^HA?yBjA>d0Bcks3d%!_=9v9+Xc&}gD
z>gvlYdkdRcLPNDz4C-_evxihW=+i3`yx$+>ym=<U4^qd_3Av3mS|w$am!U{a#=1A}
zm_=3YEF*YxEOzOe`!J5Lhg&SW3%1OTS8Xnx1JMg0TysqWrSpmRnnOWymAGR)2drje
zNLQs(c3((AKC>0sbWwmPq&P7;Q@AzqdYH?KpgAUgvM=y;d0Du8)<;2e*jYTIg+on+
z(ZWG>Jn>t5jySWeJ^uph-G`3MT~9s!tV|<BqG=MM^*&K16xmjO+I697@B`AL%$LAg
zCJr?5fwcF-G=s1s6kyfOhwIaqnm-%7KbL)FiaSLa#&Pus?*e<iZ7jnvw%DXk0Ckh7
z#roHF*sy9^uo`PVkifUP-KZ;jl;(9H@?I~}zG1*7ka;(g|GUcJJI8Xd0oNdV2$vq(
zg!Tdym~GeaAa&_zmjX;77W7j7R}huU;lDvt@20&2hL5chip0`&!pFo;Z$!;ZeU2-n
zt$w1Xi&hB(bc`6giqd-3-P^*U=vgeVDofm~$!vcpu&VAH!sAfT491e5s3N&%#wZ1Z
zaeZ&cF-wy`&TJ`EIq*4(gtQy5A~vZ6*M@$lm*kU`Ny51aAB2YltSaQw-!@Huf}d_A
z1Wy$JCEMqa{C#_%O6+eJH1V3rlGFT`OcHMMuS!`#WV%?Al`M+n@yhky`Rad=su$dp
zw|qc?F7ZHuYyZJB0IAYrbz{X8G0fgdfNy320-f$Awu1rr&x%^aCl8Z2@NO@Hd5%30
zRg3dwn^QU?TlM%=r921)VuJdFqkT`dMf0RkD!ts;+GgNPjzqTg!#jn+cFw&r-J2Pf
z4)WOoC1oEsf-GgJ&AsL4js)xwX01NFU(#26td;OKF!2?4t=k#LbMqKd&b0$<haQ7(
zlU=_`fxx%v`QM7Ir~iNFU`*;~4rfk1=~~8d4lngox+vvDJG4hfS3d!-Bskfd-Mjpf
zYrJyoV!v*TH^z9mE;h;N5*&X9Q$diWjao^WAuM_8W(#6q-2NUcgoB00FpaatV!Fm}
z*!cv(TZ}qA@T*<r%EJiO0NSS|2t&x_1~bZ$q{*p`(GAn&qifVU*PhkAE+UZWEN@9J
zjrf$|6M|eefBn(4X{t$Z#nSGb>R<GYx<E>Dj7Ar9WRNggo)vQ)SB<oW2Pc=$JJ-L_
zg+a<fNv@Ql@z~32A{a|{6CVTHgGeHdUErG!liPz>86vts9EQPNFB<ayMqVD)@sTIY
zG)$C<kKZU#TVtuAJWMmbf|sg$-9_ow*DSeI>GPFva5811an=0tOuARo4@c$vRj*;=
zqVKZD5Q7G;KM)1>7P4qVtkSPj6f<c%!__J2h59NMf-=v+#HAI`CA7v`IIV_)P}7@=
zxS7Z$Yp+EZy`37}_RJ1>Ypi9s{bd0?3uR0j<_=xqZ0mQtPsBnxHi~E|izwr?f}xj8
z(}!6i+q(Zq63c4dS=e`47tL=l3AQPuTi+Q!$Rp#V&3)`0Wo<_Yr%lajZ^`<P1{LJJ
z6&*FvIZu1CbkPz}D}HQRVu&6eX3#%2X1V)HV@_0c0iZrNuH<_+{NcvK$`$ST$b4_A
z29NGqKtF}YUYf39WaG#wu>BCc4vJL~)y@;Ynqj@!8nS+qFk`|=%OZ0M$0hBYu~UBZ
zJRn@!?2R=ZJs8r(QsGSHp7msBeZnHZ<xGL-Ql{6MzV}ZM)7HE3fsh}&m=bhFctw6@
zuWHjPH?t;UTt)Kart=~&Fk`Ff^&H$l!vz)5qj^mR6f8UR+xG62pyDmOP(spBp1X0}
z6wB1h0I3VUeD0Yz?;5K>ryFG&JS@+NTuTT7=#~630}`PLGhH`^DGZP4pQ?q=;@y{g
zlSvx+?#hSULz7W9UEC77dO7uOnYuiTfF&t-$@B|+eI{7MFFw<5Et$Q%94+2)JBSy$
zeFP(wjQmMFocMuq7D$Y9ahOkhZ5spb>$wM!_tUK1epo1S4H%5K)?Br$zn36`(97uE
z0)tSt^Ta}b^7rFzKPI~CG_%XXL0g)OU0(V-q`JW;)h3OMSaYk?u3@C@vFuIe*2`}%
zayf^Q#f1Qp(}RfyurT=7X$y8N`?KXOr{#1{Bcy4#`-!1k@jVpMvr>=F8HuhmgtcA9
zx9N%y6P^%IsU`5)N^7qtLwZx4qveu8HCk)wdenen#VKu$Lj$nl@==WeAg6oyX<SgO
z#aohV@-E%h4*9(-eD`qSgq4!$2UWxa>7D@NdH?S1z5fN;vFqAd&z+q7^<S~WAZp~q
zpK6qpy#e{+e_qn-zl;O_Nh8~@W}s8h{|}BV`<^eK!JqPoSWZQ*C33=^-OxJ67r%RX
z-g|<ns!p>x3jDUT<#%z|UrJ=NqWH)4&31tG*uH}0&;D^RnLrv+=Xk#SpMUG}piWct
z<R1~PRU$}Bkl0Y!8{j*tDaG~a`JX+l73zg1%@~3(>jS^<gc2E)-uUWi_%U><zne6{
zzDL0hhLubIOgV!i`7&Jl1E7D{l{Sq}rp;L7iK8t2%D<JX?cRNtny{|Z!18e9V8G@-
z&u(qOFWK~~7RmHH*TFw$ASN<udj8#-*!h1wHg!=vSSd1sm;Z6S%CzfVxA}mr?yl$i
zGwn^B;bPfc#2dHufi=KxpU<;DXXm-d*wYwM0rUg@<Iu%4{)b(y><{?I^|kWxt<#hu
z{qu5*-w}Nr3}Lx<{^<Va%E_9)f5d929NXXDIbwQVcede%Ple;6iTWDxIVs+mmJ}WD
zJimD(qdUIpJ<OIi^|pwR=>9#Xh#2p@em6ubTLU%o7M6{@*^&jrbfe>C)c&zi#<rKn
z-agj5@$yKk!lqmU_SR-~16E^GuF*o!2lIm{>~j!a*Yd<yPfe;xC2ECn;m#UbI|llk
z*}S>7;|*cbQR(d^{{4Gy)D>ptACXJ`mqR|UcvB@xk6*BE_RPB=|N2t~zRz9@)hRVc
z9nd+xzkkUOTyJ05(ngqO;hS$eQygzU4o2<#Vs@|ch+NFSZO1|-$_Q+Sg+D%QwL(Qy
zHA~~vW7SWy=k&gst1>ndK6h$xufhG@*GFGBi)4LCaXIU8<ifvfBUV`@%Iw3%Z_208
ztI~Hw4OBSx_J?08Qi+;d9nS_YO88uJl%wC~*8rx|2Ah7W97lHtqr(5~4%n(hdG1mb
z72HQWU-#;4Jet47%1$L}YFEnxW~h%!X_w=e-98BgZ`0CUY;wBc3H*P*edpg!7=}MN
uRm$IT*Ei<Qr`EH25)qf`RW9i))0wA_QKTwt55XC)o5~IK>-oy2zW)ap{t~JH

literal 0
HcmV?d00001


From 7c347b19b47fee6dce21f9bf8b74261659227002 Mon Sep 17 00:00:00 2001
From: Ivorra78 <informatica@totmaterial.es>
Date: Sun, 15 Oct 2023 17:21:58 +0000
Subject: [PATCH 26/46] Added translation using Weblate (Spanish)

---
 auth_oidc/i18n/es.po | 128 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 128 insertions(+)
 create mode 100644 auth_oidc/i18n/es.po

diff --git a/auth_oidc/i18n/es.po b/auth_oidc/i18n/es.po
new file mode 100644
index 0000000000..fae120e781
--- /dev/null
+++ b/auth_oidc/i18n/es.po
@@ -0,0 +1,128 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_oidc
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 16.0\n"
+"Report-Msgid-Bugs-To: \n"
+"PO-Revision-Date: 2023-10-15 19:36+0000\n"
+"Last-Translator: Ivorra78 <informatica@totmaterial.es>\n"
+"Language-Team: none\n"
+"Language: es\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 4.17\n"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
+msgid "Auth Flow"
+msgstr "Flujo de autenticación"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
+msgid "Client Secret"
+msgstr "Secreto del cliente"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Code Verifier"
+msgstr "Verificador del código"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "JWKS URL"
+msgstr "URL JWKS"
+
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
+msgid "Log in with Microsoft"
+msgstr "Iniciar sesión con Microsoft"
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
+msgid "OAuth2"
+msgstr "OAuth2"
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_auth_oauth_provider
+msgid "OAuth2 provider"
+msgstr "Proveedor OAuth2"
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
+msgid "OpenID Connect (authorization code flow)"
+msgstr "OpenID Connect (flujo de código de autorización)"
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
+msgid "OpenID Connect (implicit flow, not recommended)"
+msgstr "OpenID Connect (flujo implícito, no recomendado)"
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Required for OpenID Connect authorization code flow."
+msgstr "Necesario para el flujo de código de autorización de OpenID Connect."
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "Required for OpenID Connect."
+msgstr "Requerido para OpenID Connect."
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
+msgid ""
+"Some Oauth providers don't map keys in their responses exactly as required."
+"  It is important to ensure user_id and email at least are mapped. For "
+"OpenID Connect user_id is the sub key in the standard."
+msgstr ""
+"Algunos proveedores de Oauth no mapean las claves en sus respuestas "
+"exactamente como se requiere.  Es importante asegurarse de que al menos "
+"user_id y email están mapeados. Para OpenID Connect user_id es la subclave "
+"en el estándar."
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
+msgid "Token Map"
+msgstr "Mapa de Símbolos"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Token URL"
+msgstr "URL de la ficha"
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Used for PKCE."
+msgstr "Utilizado para PKCE."
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
+msgid ""
+"Used in OpenID Connect authorization code flow for confidential clients."
+msgstr ""
+"Se utiliza en el flujo de código de autorización de OpenID Connect para "
+"clientes confidenciales."
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_res_users
+msgid "User"
+msgstr "Usuario"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
+msgid "UserInfo URL"
+msgstr "URL de información del usuario"
+
+#. module: auth_oidc
+#: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
+msgid "e.g from:to upn:email sub:user_id"
+msgstr "p.ej. from:to upn:email sub:user_id"
+
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.local_keycloak
+msgid "keycloak:8080 on localhost"
+msgstr "keycloak:8080 en el servidor local"

From e14fe2bfdcab69a0149da2e5e973595b49fdb015 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?St=C3=A9phane=20Bidoul?= <stephane.bidoul@acsone.eu>
Date: Thu, 16 Nov 2023 10:36:53 +0100
Subject: [PATCH 27/46] [DOC] auth_oidc: fix images and convert to md

---
 auth_oidc/README.rst                          | 146 ++++++++++--------
 auth_oidc/__manifest__.py                     |   2 +-
 auth_oidc/readme/CONFIGURE.md                 |  72 +++++++++
 auth_oidc/readme/CONFIGURE.rst                |  68 --------
 auth_oidc/readme/CONTRIBUTORS.md              |   3 +
 auth_oidc/readme/CONTRIBUTORS.rst             |   3 -
 .../{DESCRIPTION.rst => DESCRIPTION.md}       |   8 +-
 auth_oidc/readme/HISTORY.md                   |  11 ++
 auth_oidc/readme/HISTORY.rst                  |  14 --
 auth_oidc/readme/INSTALL.md                   |   3 +
 auth_oidc/readme/INSTALL.rst                  |   2 -
 auth_oidc/readme/ROADMAP.md                   |   4 +
 auth_oidc/readme/ROADMAP.rst                  |   2 -
 auth_oidc/readme/{USAGE.rst => USAGE.md}      |   0
 auth_oidc/static/description/index.html       |  85 +++++-----
 15 files changed, 225 insertions(+), 198 deletions(-)
 create mode 100644 auth_oidc/readme/CONFIGURE.md
 delete mode 100644 auth_oidc/readme/CONFIGURE.rst
 create mode 100644 auth_oidc/readme/CONTRIBUTORS.md
 delete mode 100644 auth_oidc/readme/CONTRIBUTORS.rst
 rename auth_oidc/readme/{DESCRIPTION.rst => DESCRIPTION.md} (56%)
 create mode 100644 auth_oidc/readme/HISTORY.md
 delete mode 100644 auth_oidc/readme/HISTORY.rst
 create mode 100644 auth_oidc/readme/INSTALL.md
 delete mode 100644 auth_oidc/readme/INSTALL.rst
 create mode 100644 auth_oidc/readme/ROADMAP.md
 delete mode 100644 auth_oidc/readme/ROADMAP.rst
 rename auth_oidc/readme/{USAGE.rst => USAGE.md} (100%)

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
index a0ca767c5e..5d551ee657 100644
--- a/auth_oidc/README.rst
+++ b/auth_oidc/README.rst
@@ -7,7 +7,7 @@ Authentication OpenID Connect
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:bdea2939597996bddfbd2c7949c8da2ad701b61203c3fd62c0c640bb5721eaf1
+   !! source digest: sha256:a54c4126f9873d2af17b9228f9afa844806a2541b42dc7945ec41be08379a915
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
@@ -28,11 +28,11 @@ Authentication OpenID Connect
 
 |badge1| |badge2| |badge3| |badge4| |badge5|
 
-This module allows users to login through an OpenID Connect provider using the
-authorization code flow or implicit flow.
+This module allows users to login through an OpenID Connect provider
+using the authorization code flow or implicit flow.
 
-Note the implicit flow is not recommended because it exposes access tokens to
-the browser and in http logs.
+Note the implicit flow is not recommended because it exposes access
+tokens to the browser and in http logs.
 
 **Table of contents**
 
@@ -42,80 +42,90 @@ the browser and in http logs.
 Installation
 ============
 
-This module depends on the `python-jose <https://pypi.org/project/python-jose/>`__
-library, not to be confused with ``jose`` which is also available on PyPI.
+This module depends on the
+`python-jose <https://pypi.org/project/python-jose/>`__ library, not to
+be confused with ``jose`` which is also available on PyPI.
 
 Configuration
 =============
 
 Setup for Microsoft Azure
-~~~~~~~~~~~~~~~~~~~~~~~~~
+-------------------------
 
 Example configuration with OpenID Connect authorization code flow.
 
-# configure a new web application in Azure with OpenID and code flow (see
-  the `provider documentation
-  <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)>`_)
-# in this application the redirect url must be be "<url of your
-  server>/auth_oauth/signin" and of course this URL should be reachable from
-  Azure
-# create a new authentication provider in Odoo with the following
-  parameters (see the `portal documentation
-  <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings>`_
-  for more information):
+1. configure a new web application in Azure with OpenID and code flow
+   (see the `provider
+   documentation <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider>`__))
 
-.. image:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/oauth-microsoft_azure-api_permissions.png
+2. in this application the redirect url must be be "<url of your
+   server>/auth_oauth/signin" and of course this URL should be reachable
+   from Azure
 
-.. image:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/oauth-microsoft_azure-optional_claims.png
+3. create a new authentication provider in Odoo with the following
+   parameters (see the `portal
+   documentation <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings>`__
+   for more information):
 
-Single tenant provider limits the access to user of your tenant,
-while Multitenants allow access for all AzureAD users, so user of foreign companies can use their AzureAD login
-without an guest account.
+|image|
 
-* Provider Name: Azure AD Single Tenant
-* Client ID: Application (client) id
-* Client Secret: Client secret
-* Allowed: yes
+|image1|
 
-or
+Single tenant provider limits the access to user of your tenant, while
+Multitenants allow access for all AzureAD users, so user of foreign
+companies can use their AzureAD login without an guest account.
+
+-  Provider Name: Azure AD Single Tenant
+-  Client ID: Application (client) id
+-  Client Secret: Client secret
+-  Allowed: yes
 
-* Provider Name: Azure AD Multitenant
-* Client ID: Application (client) id
-* Client Secret: Client secret
-* Allowed: yes
-* replace {tenant_id} in urls with your Azure tenant id
+or
 
-.. image:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/odoo-azure_ad_multitenant.png
+-  Provider Name: Azure AD Multitenant
+-  Client ID: Application (client) id
+-  Client Secret: Client secret
+-  Allowed: yes
+-  replace {tenant_id} in urls with your Azure tenant id
 
+|image2|
 
 Setup for Keycloak
-~~~~~~~~~~~~~~~~~~
+------------------
 
 Example configuration with OpenID Connect authorization code flow.
 
 In Keycloak:
 
-# configure a new Client
-# make sure Authorization Code Flow is Enabled.
-# configure the client Access Type as "confidential" and take note of the client secret in the Credentials tab
-# configure the redirect url to be "<url of your server>/auth_oauth/signin"
+1. configure a new Client
+2. make sure Authorization Code Flow is Enabled.
+3. configure the client Access Type as "confidential" and take note of
+   the client secret in the Credentials tab
+4. configure the redirect url to be "<url of your
+   server>/auth_oauth/signin"
 
 In Odoo, create a new Oauth Provider with the following parameters:
 
-* Provider name: Keycloak (or any name you like that identify your keycloak
-  provider)
-* Auth Flow: OpenID Connect (authorization code flow)
-* Client ID: the same Client ID you entered when configuring the client in Keycloak
-* Client Secret: found in keycloak on the client Credentials tab
-* Allowed: yes
-* Body: the link text to appear on the login page, such as Login with Keycloak
-* Scope: openid email
-* Authentication URL: The "authorization_endpoint" URL found in the
-  OpenID Endpoint Configuration of your Keycloak realm
-* Token URL: The "token_endpoint" URL found in the
-  OpenID Endpoint Configuration of your Keycloak realm
-* JWKS URL: The "jwks_uri" URL found in the
-  OpenID Endpoint Configuration of your Keycloak realm
+-  Provider name: Keycloak (or any name you like that identify your
+   keycloak provider)
+-  Auth Flow: OpenID Connect (authorization code flow)
+-  Client ID: the same Client ID you entered when configuring the client
+   in Keycloak
+-  Client Secret: found in keycloak on the client Credentials tab
+-  Allowed: yes
+-  Body: the link text to appear on the login page, such as Login with
+   Keycloak
+-  Scope: openid email
+-  Authentication URL: The "authorization_endpoint" URL found in the
+   OpenID Endpoint Configuration of your Keycloak realm
+-  Token URL: The "token_endpoint" URL found in the OpenID Endpoint
+   Configuration of your Keycloak realm
+-  JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
+   Configuration of your Keycloak realm
+
+.. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
+.. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
+.. |image2| image:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png
 
 Usage
 =====
@@ -125,26 +135,28 @@ On the login page, click on the authentication provider you configured.
 Known issues / Roadmap
 ======================
 
-* When going to the login screen, check for a existing token and do a direct login without the clicking on the SSO link
-* When doing a logout an extra option to also logout at the SSO provider.
+-  When going to the login screen, check for a existing token and do a
+   direct login without the clicking on the SSO link
+-  When doing a logout an extra option to also logout at the SSO
+   provider.
 
 Changelog
 =========
 
 14.0.1.0.0 2021-12-10
-~~~~~~~~~~~~~~~~~~~~~
+---------------------
 
-* Odoo 14 migration
+-  Odoo 14 migration
 
 13.0.1.0.0 2020-04-10
-~~~~~~~~~~~~~~~~~~~~~
+---------------------
 
-* Odoo 13 migration, add authorization code flow.
+-  Odoo 13 migration, add authorization code flow.
 
 10.0.1.0.0 2018-10-05
-~~~~~~~~~~~~~~~~~~~~~
+---------------------
 
-* Initial implementation
+-  Initial implementation
 
 Bug Tracker
 ===========
@@ -160,21 +172,21 @@ Credits
 =======
 
 Authors
-~~~~~~~
+-------
 
 * ICTSTUDIO
 * André Schenkels
 * ACSONE SA/NV
 
 Contributors
-~~~~~~~~~~~~
+------------
 
-* Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
-* Stéphane Bidoul <stephane.bidoul@acsone.eu>
-* David Jaen <david.jaen.revert@gmail.com>
+-  Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
+-  Stéphane Bidoul <stephane.bidoul@acsone.eu>
+-  David Jaen <david.jaen.revert@gmail.com>
 
 Maintainers
-~~~~~~~~~~~
+-----------
 
 This module is maintained by the OCA.
 
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index 1d4a3e1a7a..4e855e6f73 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -4,7 +4,7 @@
 
 {
     "name": "Authentication OpenID Connect",
-    "version": "16.0.1.0.1",
+    "version": "16.0.1.0.2",
     "license": "AGPL-3",
     "author": (
         "ICTSTUDIO, André Schenkels, "
diff --git a/auth_oidc/readme/CONFIGURE.md b/auth_oidc/readme/CONFIGURE.md
new file mode 100644
index 0000000000..275e4c0a20
--- /dev/null
+++ b/auth_oidc/readme/CONFIGURE.md
@@ -0,0 +1,72 @@
+## Setup for Microsoft Azure
+
+Example configuration with OpenID Connect authorization code flow.
+
+1. configure a new web application in Azure with OpenID and code flow (see
+the [provider
+documentation](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)))
+
+2. in this application the redirect url must be be "\<url of your
+server\>/auth_oauth/signin" and of course this URL should be reachable
+from Azure
+
+3. create a new authentication provider in Odoo with the following
+parameters (see the [portal
+documentation](https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings)
+for more information):
+
+![image](../static/description/oauth-microsoft_azure-api_permissions.png)
+
+![image](../static/description/oauth-microsoft_azure-optional_claims.png)
+
+Single tenant provider limits the access to user of your tenant, while
+Multitenants allow access for all AzureAD users, so user of foreign
+companies can use their AzureAD login without an guest account.
+
+- Provider Name: Azure AD Single Tenant
+- Client ID: Application (client) id
+- Client Secret: Client secret
+- Allowed: yes
+
+or
+
+- Provider Name: Azure AD Multitenant
+- Client ID: Application (client) id
+- Client Secret: Client secret
+- Allowed: yes
+- replace {tenant_id} in urls with your Azure tenant id
+
+![image](../static/description/odoo-azure_ad_multitenant.png)
+
+## Setup for Keycloak
+
+Example configuration with OpenID Connect authorization code flow.
+
+In Keycloak:
+
+1. configure a new Client
+2. make sure Authorization Code Flow is
+Enabled.
+3. configure the client Access Type as "confidential" and take
+note of the client secret in the Credentials tab
+4. configure the
+redirect url to be "\<url of your server\>/auth_oauth/signin"
+
+In Odoo, create a new Oauth Provider with the following parameters:
+
+- Provider name: Keycloak (or any name you like that identify your
+  keycloak provider)
+- Auth Flow: OpenID Connect (authorization code flow)
+- Client ID: the same Client ID you entered when configuring the client
+  in Keycloak
+- Client Secret: found in keycloak on the client Credentials tab
+- Allowed: yes
+- Body: the link text to appear on the login page, such as Login with
+  Keycloak
+- Scope: openid email
+- Authentication URL: The "authorization_endpoint" URL found in the
+  OpenID Endpoint Configuration of your Keycloak realm
+- Token URL: The "token_endpoint" URL found in the OpenID Endpoint
+  Configuration of your Keycloak realm
+- JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
+  Configuration of your Keycloak realm
diff --git a/auth_oidc/readme/CONFIGURE.rst b/auth_oidc/readme/CONFIGURE.rst
deleted file mode 100644
index 64734fe209..0000000000
--- a/auth_oidc/readme/CONFIGURE.rst
+++ /dev/null
@@ -1,68 +0,0 @@
-Setup for Microsoft Azure
-~~~~~~~~~~~~~~~~~~~~~~~~~
-
-Example configuration with OpenID Connect authorization code flow.
-
-# configure a new web application in Azure with OpenID and code flow (see
-  the `provider documentation
-  <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)>`_)
-# in this application the redirect url must be be "<url of your
-  server>/auth_oauth/signin" and of course this URL should be reachable from
-  Azure
-# create a new authentication provider in Odoo with the following
-  parameters (see the `portal documentation
-  <https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings>`_
-  for more information):
-
-.. image:: ..static/description/oauth-microsoft_azure-api_permissions.png
-
-.. image:: ..static/description/oauth-microsoft_azure-optional_claims.png
-
-Single tenant provider limits the access to user of your tenant,
-while Multitenants allow access for all AzureAD users, so user of foreign companies can use their AzureAD login
-without an guest account.
-
-* Provider Name: Azure AD Single Tenant
-* Client ID: Application (client) id
-* Client Secret: Client secret
-* Allowed: yes
-
-or
-
-* Provider Name: Azure AD Multitenant
-* Client ID: Application (client) id
-* Client Secret: Client secret
-* Allowed: yes
-* replace {tenant_id} in urls with your Azure tenant id
-
-.. image:: ..static/description/odoo-azure_ad_multitenant.png
-
-
-Setup for Keycloak
-~~~~~~~~~~~~~~~~~~
-
-Example configuration with OpenID Connect authorization code flow.
-
-In Keycloak:
-
-# configure a new Client
-# make sure Authorization Code Flow is Enabled.
-# configure the client Access Type as "confidential" and take note of the client secret in the Credentials tab
-# configure the redirect url to be "<url of your server>/auth_oauth/signin"
-
-In Odoo, create a new Oauth Provider with the following parameters:
-
-* Provider name: Keycloak (or any name you like that identify your keycloak
-  provider)
-* Auth Flow: OpenID Connect (authorization code flow)
-* Client ID: the same Client ID you entered when configuring the client in Keycloak
-* Client Secret: found in keycloak on the client Credentials tab
-* Allowed: yes
-* Body: the link text to appear on the login page, such as Login with Keycloak
-* Scope: openid email
-* Authentication URL: The "authorization_endpoint" URL found in the
-  OpenID Endpoint Configuration of your Keycloak realm
-* Token URL: The "token_endpoint" URL found in the
-  OpenID Endpoint Configuration of your Keycloak realm
-* JWKS URL: The "jwks_uri" URL found in the
-  OpenID Endpoint Configuration of your Keycloak realm
diff --git a/auth_oidc/readme/CONTRIBUTORS.md b/auth_oidc/readme/CONTRIBUTORS.md
new file mode 100644
index 0000000000..5663785334
--- /dev/null
+++ b/auth_oidc/readme/CONTRIBUTORS.md
@@ -0,0 +1,3 @@
+- Alexandre Fayolle \<<alexandre.fayolle@camptocamp.com>\>
+- Stéphane Bidoul \<<stephane.bidoul@acsone.eu>\>
+- David Jaen \<<david.jaen.revert@gmail.com>\>
diff --git a/auth_oidc/readme/CONTRIBUTORS.rst b/auth_oidc/readme/CONTRIBUTORS.rst
deleted file mode 100644
index 303011adb2..0000000000
--- a/auth_oidc/readme/CONTRIBUTORS.rst
+++ /dev/null
@@ -1,3 +0,0 @@
-* Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
-* Stéphane Bidoul <stephane.bidoul@acsone.eu>
-* David Jaen <david.jaen.revert@gmail.com>
diff --git a/auth_oidc/readme/DESCRIPTION.rst b/auth_oidc/readme/DESCRIPTION.md
similarity index 56%
rename from auth_oidc/readme/DESCRIPTION.rst
rename to auth_oidc/readme/DESCRIPTION.md
index ae89dd9d73..3677c8bbaa 100644
--- a/auth_oidc/readme/DESCRIPTION.rst
+++ b/auth_oidc/readme/DESCRIPTION.md
@@ -1,5 +1,5 @@
-This module allows users to login through an OpenID Connect provider using the
-authorization code flow or implicit flow.
+This module allows users to login through an OpenID Connect provider
+using the authorization code flow or implicit flow.
 
-Note the implicit flow is not recommended because it exposes access tokens to
-the browser and in http logs.
+Note the implicit flow is not recommended because it exposes access
+tokens to the browser and in http logs.
diff --git a/auth_oidc/readme/HISTORY.md b/auth_oidc/readme/HISTORY.md
new file mode 100644
index 0000000000..98e99203b8
--- /dev/null
+++ b/auth_oidc/readme/HISTORY.md
@@ -0,0 +1,11 @@
+## 14.0.1.0.0 2021-12-10
+
+- Odoo 14 migration
+
+## 13.0.1.0.0 2020-04-10
+
+- Odoo 13 migration, add authorization code flow.
+
+## 10.0.1.0.0 2018-10-05
+
+- Initial implementation
diff --git a/auth_oidc/readme/HISTORY.rst b/auth_oidc/readme/HISTORY.rst
deleted file mode 100644
index 33b336582e..0000000000
--- a/auth_oidc/readme/HISTORY.rst
+++ /dev/null
@@ -1,14 +0,0 @@
-14.0.1.0.0 2021-12-10
-~~~~~~~~~~~~~~~~~~~~~
-
-* Odoo 14 migration
-
-13.0.1.0.0 2020-04-10
-~~~~~~~~~~~~~~~~~~~~~
-
-* Odoo 13 migration, add authorization code flow.
-
-10.0.1.0.0 2018-10-05
-~~~~~~~~~~~~~~~~~~~~~
-
-* Initial implementation
diff --git a/auth_oidc/readme/INSTALL.md b/auth_oidc/readme/INSTALL.md
new file mode 100644
index 0000000000..37af7b9c93
--- /dev/null
+++ b/auth_oidc/readme/INSTALL.md
@@ -0,0 +1,3 @@
+This module depends on the
+[python-jose](https://pypi.org/project/python-jose/) library, not to be
+confused with `jose` which is also available on PyPI.
diff --git a/auth_oidc/readme/INSTALL.rst b/auth_oidc/readme/INSTALL.rst
deleted file mode 100644
index bccbbbad79..0000000000
--- a/auth_oidc/readme/INSTALL.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-This module depends on the `python-jose <https://pypi.org/project/python-jose/>`__
-library, not to be confused with ``jose`` which is also available on PyPI.
diff --git a/auth_oidc/readme/ROADMAP.md b/auth_oidc/readme/ROADMAP.md
new file mode 100644
index 0000000000..712da2fde6
--- /dev/null
+++ b/auth_oidc/readme/ROADMAP.md
@@ -0,0 +1,4 @@
+- When going to the login screen, check for a existing token and do a
+  direct login without the clicking on the SSO link
+- When doing a logout an extra option to also logout at the SSO
+  provider.
diff --git a/auth_oidc/readme/ROADMAP.rst b/auth_oidc/readme/ROADMAP.rst
deleted file mode 100644
index 6a95f19054..0000000000
--- a/auth_oidc/readme/ROADMAP.rst
+++ /dev/null
@@ -1,2 +0,0 @@
-* When going to the login screen, check for a existing token and do a direct login without the clicking on the SSO link
-* When doing a logout an extra option to also logout at the SSO provider.
diff --git a/auth_oidc/readme/USAGE.rst b/auth_oidc/readme/USAGE.md
similarity index 100%
rename from auth_oidc/readme/USAGE.rst
rename to auth_oidc/readme/USAGE.md
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
index 6ff3594f3c..40f1cb7ce6 100644
--- a/auth_oidc/static/description/index.html
+++ b/auth_oidc/static/description/index.html
@@ -367,13 +367,13 @@ <h1 class="title">Authentication OpenID Connect</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-!! source digest: sha256:bdea2939597996bddfbd2c7949c8da2ad701b61203c3fd62c0c640bb5721eaf1
+!! source digest: sha256:a54c4126f9873d2af17b9228f9afa844806a2541b42dc7945ec41be08379a915
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/16.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
-<p>This module allows users to login through an OpenID Connect provider using the
-authorization code flow or implicit flow.</p>
-<p>Note the implicit flow is not recommended because it exposes access tokens to
-the browser and in http logs.</p>
+<p>This module allows users to login through an OpenID Connect provider
+using the authorization code flow or implicit flow.</p>
+<p>Note the implicit flow is not recommended because it exposes access
+tokens to the browser and in http logs.</p>
 <p><strong>Table of contents</strong></p>
 <div class="contents local topic" id="contents">
 <ul class="simple">
@@ -402,29 +402,32 @@ <h1 class="title">Authentication OpenID Connect</h1>
 </div>
 <div class="section" id="installation">
 <h1><a class="toc-backref" href="#toc-entry-1">Installation</a></h1>
-<p>This module depends on the <a class="reference external" href="https://pypi.org/project/python-jose/">python-jose</a>
-library, not to be confused with <tt class="docutils literal">jose</tt> which is also available on PyPI.</p>
+<p>This module depends on the
+<a class="reference external" href="https://pypi.org/project/python-jose/">python-jose</a> library, not to
+be confused with <tt class="docutils literal">jose</tt> which is also available on PyPI.</p>
 </div>
 <div class="section" id="configuration">
 <h1><a class="toc-backref" href="#toc-entry-2">Configuration</a></h1>
 <div class="section" id="setup-for-microsoft-azure">
 <h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2>
 <p>Example configuration with OpenID Connect authorization code flow.</p>
-<dl class="docutils">
-<dt># configure a new web application in Azure with OpenID and code flow (see</dt>
-<dd>the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider)">provider documentation</a>)</dd>
-<dt># in this application the redirect url must be be “&lt;url of your</dt>
-<dd>server&gt;/auth_oauth/signin” and of course this URL should be reachable from
-Azure</dd>
-<dt># create a new authentication provider in Odoo with the following</dt>
-<dd>parameters (see the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings">portal documentation</a>
-for more information):</dd>
-</dl>
-<img alt="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/oauth-microsoft_azure-api_permissions.png" src="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/oauth-microsoft_azure-api_permissions.png" />
-<img alt="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/oauth-microsoft_azure-optional_claims.png" src="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/oauth-microsoft_azure-optional_claims.png" />
-<p>Single tenant provider limits the access to user of your tenant,
-while Multitenants allow access for all AzureAD users, so user of foreign companies can use their AzureAD login
-without an guest account.</p>
+<ol class="arabic simple">
+<li>configure a new web application in Azure with OpenID and code flow
+(see the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-provider">provider
+documentation</a>))</li>
+<li>in this application the redirect url must be be “&lt;url of your
+server&gt;/auth_oauth/signin” and of course this URL should be reachable
+from Azure</li>
+<li>create a new authentication provider in Odoo with the following
+parameters (see the <a class="reference external" href="https://docs.microsoft.com/en-us/powerapps/maker/portals/configure/configure-openid-settings">portal
+documentation</a>
+for more information):</li>
+</ol>
+<p><img alt="image" src="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png" /></p>
+<p><img alt="image1" src="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png" /></p>
+<p>Single tenant provider limits the access to user of your tenant, while
+Multitenants allow access for all AzureAD users, so user of foreign
+companies can use their AzureAD login without an guest account.</p>
 <ul class="simple">
 <li>Provider Name: Azure AD Single Tenant</li>
 <li>Client ID: Application (client) id</li>
@@ -439,32 +442,38 @@ <h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2
 <li>Allowed: yes</li>
 <li>replace {tenant_id} in urls with your Azure tenant id</li>
 </ul>
-<img alt="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/odoo-azure_ad_multitenant.png" src="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/..static/description/odoo-azure_ad_multitenant.png" />
+<p><img alt="image2" src="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png" /></p>
 </div>
 <div class="section" id="setup-for-keycloak">
 <h2><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h2>
 <p>Example configuration with OpenID Connect authorization code flow.</p>
 <p>In Keycloak:</p>
-<p># configure a new Client
-# make sure Authorization Code Flow is Enabled.
-# configure the client Access Type as “confidential” and take note of the client secret in the Credentials tab
-# configure the redirect url to be “&lt;url of your server&gt;/auth_oauth/signin”</p>
+<ol class="arabic simple">
+<li>configure a new Client</li>
+<li>make sure Authorization Code Flow is Enabled.</li>
+<li>configure the client Access Type as “confidential” and take note of
+the client secret in the Credentials tab</li>
+<li>configure the redirect url to be “&lt;url of your
+server&gt;/auth_oauth/signin”</li>
+</ol>
 <p>In Odoo, create a new Oauth Provider with the following parameters:</p>
 <ul class="simple">
-<li>Provider name: Keycloak (or any name you like that identify your keycloak
-provider)</li>
+<li>Provider name: Keycloak (or any name you like that identify your
+keycloak provider)</li>
 <li>Auth Flow: OpenID Connect (authorization code flow)</li>
-<li>Client ID: the same Client ID you entered when configuring the client in Keycloak</li>
+<li>Client ID: the same Client ID you entered when configuring the client
+in Keycloak</li>
 <li>Client Secret: found in keycloak on the client Credentials tab</li>
 <li>Allowed: yes</li>
-<li>Body: the link text to appear on the login page, such as Login with Keycloak</li>
+<li>Body: the link text to appear on the login page, such as Login with
+Keycloak</li>
 <li>Scope: openid email</li>
 <li>Authentication URL: The “authorization_endpoint” URL found in the
 OpenID Endpoint Configuration of your Keycloak realm</li>
-<li>Token URL: The “token_endpoint” URL found in the
-OpenID Endpoint Configuration of your Keycloak realm</li>
-<li>JWKS URL: The “jwks_uri” URL found in the
-OpenID Endpoint Configuration of your Keycloak realm</li>
+<li>Token URL: The “token_endpoint” URL found in the OpenID Endpoint
+Configuration of your Keycloak realm</li>
+<li>JWKS URL: The “jwks_uri” URL found in the OpenID Endpoint
+Configuration of your Keycloak realm</li>
 </ul>
 </div>
 </div>
@@ -475,8 +484,10 @@ <h1><a class="toc-backref" href="#toc-entry-5">Usage</a></h1>
 <div class="section" id="known-issues-roadmap">
 <h1><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h1>
 <ul class="simple">
-<li>When going to the login screen, check for a existing token and do a direct login without the clicking on the SSO link</li>
-<li>When doing a logout an extra option to also logout at the SSO provider.</li>
+<li>When going to the login screen, check for a existing token and do a
+direct login without the clicking on the SSO link</li>
+<li>When doing a logout an extra option to also logout at the SSO
+provider.</li>
 </ul>
 </div>
 <div class="section" id="changelog">

From 74893eb65789f7e9afd3e671de207268ecddfaec Mon Sep 17 00:00:00 2001
From: mymage <stefano.consolaro@mymage.it>
Date: Thu, 28 Dec 2023 18:39:17 +0000
Subject: [PATCH 28/46] Added translation using Weblate (Italian)

---
 auth_oidc/i18n/it.po | 127 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 127 insertions(+)
 create mode 100644 auth_oidc/i18n/it.po

diff --git a/auth_oidc/i18n/it.po b/auth_oidc/i18n/it.po
new file mode 100644
index 0000000000..e4f38a45a8
--- /dev/null
+++ b/auth_oidc/i18n/it.po
@@ -0,0 +1,127 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_oidc
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 16.0\n"
+"Report-Msgid-Bugs-To: \n"
+"PO-Revision-Date: 2024-01-05 10:34+0000\n"
+"Last-Translator: mymage <stefano.consolaro@mymage.it>\n"
+"Language-Team: none\n"
+"Language: it\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=2; plural=n != 1;\n"
+"X-Generator: Weblate 4.17\n"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
+msgid "Auth Flow"
+msgstr "Flusso atorizzazione"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
+msgid "Client Secret"
+msgstr "Chiave segreta client"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Code Verifier"
+msgstr "Verificatore codice"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "JWKS URL"
+msgstr "URL JWKS"
+
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
+msgid "Log in with Microsoft"
+msgstr "Accedi con Mcrosoft"
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
+msgid "OAuth2"
+msgstr "OAuth2"
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_auth_oauth_provider
+msgid "OAuth2 provider"
+msgstr "Provider OAuth2"
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
+msgid "OpenID Connect (authorization code flow)"
+msgstr "OpenID Connect (flusso codice autorizzazione)"
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
+msgid "OpenID Connect (implicit flow, not recommended)"
+msgstr "OpenID Connect (flusso implicito, non raccomandato)"
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Required for OpenID Connect authorization code flow."
+msgstr "Richiesto per flusso codice atorizzazione OpenID Connect."
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "Required for OpenID Connect."
+msgstr "Richiesto per OpenID Connect."
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
+msgid ""
+"Some Oauth providers don't map keys in their responses exactly as required."
+"  It is important to ensure user_id and email at least are mapped. For "
+"OpenID Connect user_id is the sub key in the standard."
+msgstr ""
+"Alcuni Provider Oauth non mappano le chiavi nelle loro risposte esattamente "
+"come richiesto.   È importante assicurare che almeno user_id ed e-mail siano "
+"mappati. Per OpenID Connect user_id è la sotto-chiave nello standard."
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
+msgid "Token Map"
+msgstr "Mappa token"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Token URL"
+msgstr "URL token"
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Used for PKCE."
+msgstr "Utilizzato per PKCE."
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
+msgid ""
+"Used in OpenID Connect authorization code flow for confidential clients."
+msgstr ""
+"Utilizzato nel flusso codice autorizzazione OpenID Connect per client "
+"riservati."
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_res_users
+msgid "User"
+msgstr "Utente"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
+msgid "UserInfo URL"
+msgstr "URL info utente"
+
+#. module: auth_oidc
+#: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
+msgid "e.g from:to upn:email sub:user_id"
+msgstr "es. from:to upn:email sub:user_id"
+
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.local_keycloak
+msgid "keycloak:8080 on localhost"
+msgstr "keycloak:8080 su localhost"

From e3949ec6cccd1fb2e2f01e9c49c1e3fb68b527d4 Mon Sep 17 00:00:00 2001
From: Andreas Perhab <andreas.perhab@wt-io-it.at>
Date: Tue, 9 Aug 2022 14:10:41 +0200
Subject: [PATCH 29/46] [FIX] auth_oidc: set user_id for auth_oauth

inspired by https://github.com/OCA/server-auth/pull/336
---
 auth_oidc/models/res_users.py | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index a1be73ec88..29e7f6ee4d 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -65,7 +65,12 @@ def auth_oauth(self, provider, params):
             raise AccessDenied()
         validation = oauth_provider._parse_id_token(id_token, access_token)
         # required check
-        if not validation.get("user_id"):
+        if "sub" in validation and "user_id" not in validation:
+            # set user_id for auth_oauth, user_id is not an OpenID Connect standard
+            # claim:
+            # https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims
+            validation["user_id"] = validation["sub"]
+        elif not validation.get("user_id"):
             _logger.error("user_id claim not found in id_token (after mapping).")
             raise AccessDenied()
         # retrieve and sign in user

From 621b422b0431cf9f5375ac4fd37b8cebda3abc21 Mon Sep 17 00:00:00 2001
From: Andreas Perhab <andreas.perhab@wt-io-it.at>
Date: Tue, 9 Aug 2022 14:07:28 +0200
Subject: [PATCH 30/46] [FIX] auth_oidc: support keys without kid

create an upstream merge request after
https://github.com/OCA/server-auth/pull/393 is merged
---
 auth_oidc/models/auth_oauth_provider.py     |  54 ++--
 auth_oidc/tests/test_auth_oidc_auth_code.py | 257 ++++++++++++++++++++
 2 files changed, 296 insertions(+), 15 deletions(-)

diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index b969fa3e8d..39935cf927 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -11,6 +11,7 @@
 
 try:
     from jose import jwt
+    from jose.exceptions import JWSError, JWTError
 except ImportError:
     logging.getLogger(__name__).debug("jose library not installed")
 
@@ -47,14 +48,18 @@ class AuthOauthProvider(models.Model):
     jwks_uri = fields.Char(string="JWKS URL", help="Required for OpenID Connect.")
 
     @tools.ormcache("self.jwks_uri", "kid")
-    def _get_key(self, kid):
+    def _get_keys(self, kid):
         r = requests.get(self.jwks_uri, timeout=10)
         r.raise_for_status()
         response = r.json()
-        for key in response["keys"]:
-            if key["kid"] == kid:
-                return key
-        return {}
+        # the keys returned here should follow
+        # JWS Notes on Key Selection
+        # https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-signature#appendix-D
+        return [
+            key
+            for key in response["keys"]
+            if kid is None or key.get("kid", None) == kid
+        ]
 
     def _map_token_values(self, res):
         if self.token_map:
@@ -68,15 +73,34 @@ def _parse_id_token(self, id_token, access_token):
         self.ensure_one()
         res = {}
         header = jwt.get_unverified_header(id_token)
-        res.update(
-            jwt.decode(
-                id_token,
-                self._get_key(header.get("kid")),
-                algorithms=["RS256"],
-                audience=self.client_id,
-                access_token=access_token,
-            )
-        )
-
+        res.update(self._decode_id_token(access_token, id_token, header.get("kid")))
         res.update(self._map_token_values(res))
         return res
+
+    def _decode_id_token(self, access_token, id_token, kid):
+        keys = self._get_keys(kid)
+        if len(keys) > 1 and kid is None:
+            # https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.10.1
+            # If there are multiple keys in the referenced JWK Set document, a kid
+            # value MUST be provided in the JOSE Header.
+            raise JWTError(
+                "OpenID Connect requires kid to be set if there is more"
+                " than one key in the JWKS"
+            )
+        error = None
+        # we accept multiple keys with the same kid in case a key gets rotated.
+        for key in keys:
+            try:
+                values = jwt.decode(
+                    id_token,
+                    key,
+                    algorithms=["RS256"],
+                    audience=self.client_id,
+                    access_token=access_token,
+                )
+                return values
+            except (JWTError, JWSError) as e:
+                error = e
+        if error:
+            raise error
+        return {}
diff --git a/auth_oidc/tests/test_auth_oidc_auth_code.py b/auth_oidc/tests/test_auth_oidc_auth_code.py
index f608d02dde..a1a08b0a71 100644
--- a/auth_oidc/tests/test_auth_oidc_auth_code.py
+++ b/auth_oidc/tests/test_auth_oidc_auth_code.py
@@ -2,9 +2,18 @@
 # License: AGPL-3.0 or later (http://www.gnu.org/licenses/agpl)
 
 import contextlib
+import json
 from urllib.parse import parse_qs, urlparse
 
+import responses
+from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.asymmetric import rsa
+from jose import jwt
+from jose.exceptions import JWTError
+from jose.utils import long_to_base64
+
 import odoo
+from odoo.exceptions import AccessDenied
 from odoo.tests import common
 
 from odoo.addons.website.tools import MockRequest as _MockRequest
@@ -23,6 +32,41 @@ def MockRequest(env):
 
 
 class TestAuthOIDCAuthorizationCodeFlow(common.HttpCase):
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+        (
+            cls.rsa_key_pem,
+            cls.rsa_key_public_pem,
+            cls.rsa_key_public_jwk,
+        ) = cls._generate_key()
+        _, cls.second_key_public_pem, _ = cls._generate_key()
+
+    @staticmethod
+    def _generate_key():
+        rsa_key = rsa.generate_private_key(
+            public_exponent=65537,
+            key_size=4096,
+        )
+        rsa_key_pem = rsa_key.private_bytes(
+            serialization.Encoding.PEM,
+            serialization.PrivateFormat.TraditionalOpenSSL,
+            serialization.NoEncryption(),
+        ).decode("utf8")
+        rsa_key_public = rsa_key.public_key()
+        rsa_key_public_pem = rsa_key_public.public_bytes(
+            serialization.Encoding.PEM,
+            serialization.PublicFormat.SubjectPublicKeyInfo,
+        ).decode("utf8")
+        jwk = {
+            # https://datatracker.ietf.org/doc/html/rfc7518#section-6.1
+            "kty": "RSA",
+            "use": "sig",
+            "n": long_to_base64(rsa_key_public.public_numbers().n).decode("utf-8"),
+            "e": long_to_base64(rsa_key_public.public_numbers().e).decode("utf-8"),
+        }
+        return rsa_key_pem, rsa_key_public_pem, jwk
+
     def setUp(self):
         super().setUp()
         # search our test provider and bind the demo user to it
@@ -51,3 +95,216 @@ def test_auth_link(self):
             self.assertTrue(params["nonce"])
             self.assertTrue(params["state"])
             self.assertEqual(params["redirect_uri"], [BASE_URL + "/auth_oauth/signin"])
+
+    def _prepare_login_test_user(self):
+        user = self.env.ref("base.user_demo")
+        user.write({"oauth_provider_id": self.provider_rec.id, "oauth_uid": user.login})
+        return user
+
+    def _prepare_login_test_responses(
+        self, access_token="42", id_token_body=None, id_token_headers=None, keys=None
+    ):
+        if id_token_body is None:
+            id_token_body = {}
+        if id_token_headers is None:
+            id_token_headers = {"kid": "the_key_id"}
+        responses.add(
+            responses.POST,
+            "http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
+            json={
+                "access_token": access_token,
+                "id_token": jwt.encode(
+                    id_token_body,
+                    self.rsa_key_pem,
+                    algorithm="RS256",
+                    headers=id_token_headers,
+                ),
+            },
+        )
+        if keys is None:
+            if "kid" in id_token_headers:
+                keys = [{"kid": "the_key_id", "keys": [self.rsa_key_public_pem]}]
+            else:
+                keys = [{"keys": [self.rsa_key_public_pem]}]
+        responses.add(
+            responses.GET,
+            "http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
+            json={"keys": keys},
+        )
+
+    @responses.activate
+    def test_login(self):
+        """Test that login works"""
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(id_token_body={"user_id": user.login})
+
+        params = {"state": json.dumps({})}
+        with MockRequest(self.env):
+            db, login, token = self.env["res.users"].auth_oauth(
+                self.provider_rec.id,
+                params,
+            )
+        self.assertEqual(token, "42")
+        self.assertEqual(login, user.login)
+
+    @responses.activate
+    def test_login_without_kid(self):
+        """Test that login works when ID Token has no kid in header"""
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            id_token_headers={},
+            access_token=chr(42),
+        )
+
+        params = {"state": json.dumps({})}
+        with MockRequest(self.env):
+            db, login, token = self.env["res.users"].auth_oauth(
+                self.provider_rec.id,
+                params,
+            )
+        self.assertEqual(token, "*")
+        self.assertEqual(login, user.login)
+
+    @responses.activate
+    def test_login_with_sub_claim(self):
+        """Test that login works when ID Token contains only standard claims"""
+        self.provider_rec.token_map = False
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"sub": user.login}, access_token="1764"
+        )
+
+        params = {"state": json.dumps({})}
+        with MockRequest(self.env):
+            db, login, token = self.env["res.users"].auth_oauth(
+                self.provider_rec.id,
+                params,
+            )
+        self.assertEqual(token, "1764")
+        self.assertEqual(login, user.login)
+
+    @responses.activate
+    def test_login_without_kid_multiple_keys_in_jwks(self):
+        """
+        Test that login fails if no kid is provided in ID Token and JWKS has multiple
+        keys
+        """
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            id_token_headers={},
+            access_token="6*7",
+            keys=[
+                {"kid": "other_key_id", "keys": [self.second_key_public_pem]},
+                {"kid": "the_key_id", "keys": [self.rsa_key_public_pem]},
+            ],
+        )
+
+        with self.assertRaises(
+            JWTError,
+            msg="OpenID Connect requires kid to be set if there is"
+            " more than one key in the JWKS",
+        ):
+            with MockRequest(self.env):
+                self.env["res.users"].auth_oauth(
+                    self.provider_rec.id,
+                    {"state": json.dumps({})},
+                )
+
+    @responses.activate
+    def test_login_without_matching_key(self):
+        """Test that login fails if no matching key can be found"""
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            id_token_headers={},
+            access_token="168/4",
+            keys=[{"kid": "other_key_id", "keys": [self.second_key_public_pem]}],
+        )
+
+        with self.assertRaises(JWTError):
+            with MockRequest(self.env):
+                self.env["res.users"].auth_oauth(
+                    self.provider_rec.id,
+                    {"state": json.dumps({})},
+                )
+
+    @responses.activate
+    def test_login_without_any_key(self):
+        """Test that login fails if no key is provided by JWKS"""
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            id_token_headers={},
+            access_token="168/4",
+            keys=[],
+        )
+
+        with self.assertRaises(AccessDenied):
+            with MockRequest(self.env):
+                self.env["res.users"].auth_oauth(
+                    self.provider_rec.id,
+                    {"state": json.dumps({})},
+                )
+
+    @responses.activate
+    def test_login_with_multiple_keys_in_jwks(self):
+        """Test that login works with multiple keys present in jwks"""
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            access_token="2*3*7",
+            keys=[
+                {"kid": "other_key_id", "keys": [self.second_key_public_pem]},
+                {"kid": "the_key_id", "keys": [self.rsa_key_public_pem]},
+            ],
+        )
+
+        with MockRequest(self.env):
+            db, login, token = self.env["res.users"].auth_oauth(
+                self.provider_rec.id,
+                {"state": json.dumps({})},
+            )
+        self.assertEqual(token, "2*3*7")
+        self.assertEqual(login, user.login)
+
+    @responses.activate
+    def test_login_with_multiple_keys_in_jwks_same_kid(self):
+        """Test that login works with multiple keys with the same kid present in jwks"""
+        user = self._prepare_login_test_user()
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            access_token="84/2",
+            keys=[
+                {"kid": "the_key_id", "keys": [self.second_key_public_pem]},
+                {"kid": "the_key_id", "keys": [self.rsa_key_public_pem]},
+            ],
+        )
+
+        with MockRequest(self.env):
+            db, login, token = self.env["res.users"].auth_oauth(
+                self.provider_rec.id,
+                {"state": json.dumps({})},
+            )
+        self.assertEqual(token, "84/2")
+        self.assertEqual(login, user.login)
+
+    @responses.activate
+    def test_login_with_jwk_format(self):
+        """Test that login works with proper jwks format"""
+        user = self._prepare_login_test_user()
+        self.rsa_key_public_jwk["kid"] = "the_key_id"
+        self._prepare_login_test_responses(
+            id_token_body={"user_id": user.login},
+            keys=[self.rsa_key_public_jwk],
+            access_token="122/3",
+        )
+
+        with MockRequest(self.env):
+            db, login, token = self.env["res.users"].auth_oauth(
+                self.provider_rec.id,
+                {"state": json.dumps({})},
+            )
+        self.assertEqual(token, "122/3")
+        self.assertEqual(login, user.login)

From 375dd0c297a3677d79cf7f22d309c2267613a32a Mon Sep 17 00:00:00 2001
From: Andreas Perhab <andreas.perhab@wt-io-it.at>
Date: Thu, 3 Nov 2022 10:09:23 +0100
Subject: [PATCH 31/46] [IMP] auth_oidc: update documentation for 16.0.1.1.0

---
 auth_oidc/README.rst                    | 28 ++++++++-
 auth_oidc/__manifest__.py               |  2 +-
 auth_oidc/readme/CONTRIBUTORS.md        |  1 +
 auth_oidc/readme/HISTORY.md             | 20 +++++++
 auth_oidc/static/description/index.html | 75 ++++++++++++++++++-------
 5 files changed, 104 insertions(+), 22 deletions(-)

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
index 5d551ee657..ac51aa7f47 100644
--- a/auth_oidc/README.rst
+++ b/auth_oidc/README.rst
@@ -7,7 +7,7 @@ Authentication OpenID Connect
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:a54c4126f9873d2af17b9228f9afa844806a2541b42dc7945ec41be08379a915
+   !! source digest: sha256:ede04e51899d4490eb4be0352376feb7833ba8d0546f36fea929c28a99a96d22
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
@@ -143,6 +143,31 @@ Known issues / Roadmap
 Changelog
 =========
 
+16.0.1.1.0 2024-02-28
+---------------------
+
+-  Forward port OpenID Connect fixes from 15.0 to 16.0
+
+16.0.1.0.2 2023-11-16
+---------------------
+
+-  Readme link updates
+
+16.0.1.0.1 2023-10-09
+---------------------
+
+-  Add AzureAD code flow provider
+
+16.0.1.0.0 2023-01-27
+---------------------
+
+-  Odoo 16 migration
+
+15.0.1.0.0 2023-01-06
+---------------------
+
+-  Odoo 15 migration
+
 14.0.1.0.0 2021-12-10
 ---------------------
 
@@ -184,6 +209,7 @@ Contributors
 -  Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
 -  Stéphane Bidoul <stephane.bidoul@acsone.eu>
 -  David Jaen <david.jaen.revert@gmail.com>
+-  Andreas Perhab <andreas.perhab@wt-io-it.at>
 
 Maintainers
 -----------
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index 4e855e6f73..be60eba9f8 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -4,7 +4,7 @@
 
 {
     "name": "Authentication OpenID Connect",
-    "version": "16.0.1.0.2",
+    "version": "16.0.1.1.1",
     "license": "AGPL-3",
     "author": (
         "ICTSTUDIO, André Schenkels, "
diff --git a/auth_oidc/readme/CONTRIBUTORS.md b/auth_oidc/readme/CONTRIBUTORS.md
index 5663785334..8bdbc1daa2 100644
--- a/auth_oidc/readme/CONTRIBUTORS.md
+++ b/auth_oidc/readme/CONTRIBUTORS.md
@@ -1,3 +1,4 @@
 - Alexandre Fayolle \<<alexandre.fayolle@camptocamp.com>\>
 - Stéphane Bidoul \<<stephane.bidoul@acsone.eu>\>
 - David Jaen \<<david.jaen.revert@gmail.com>\>
+- Andreas Perhab \<<andreas.perhab@wt-io-it.at>\>
diff --git a/auth_oidc/readme/HISTORY.md b/auth_oidc/readme/HISTORY.md
index 98e99203b8..0e26e3a694 100644
--- a/auth_oidc/readme/HISTORY.md
+++ b/auth_oidc/readme/HISTORY.md
@@ -1,3 +1,23 @@
+## 16.0.1.1.0 2024-02-28
+
+- Forward port OpenID Connect fixes from 15.0 to 16.0
+
+## 16.0.1.0.2 2023-11-16
+
+- Readme link updates
+
+## 16.0.1.0.1 2023-10-09
+
+- Add AzureAD code flow provider
+
+## 16.0.1.0.0 2023-01-27
+
+- Odoo 16 migration
+
+## 15.0.1.0.0 2023-01-06
+
+- Odoo 15 migration
+
 ## 14.0.1.0.0 2021-12-10
 
 - Odoo 14 migration
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
index 40f1cb7ce6..eb15be7dc3 100644
--- a/auth_oidc/static/description/index.html
+++ b/auth_oidc/static/description/index.html
@@ -1,4 +1,3 @@
-<?xml version="1.0" encoding="utf-8"?>
 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
@@ -367,7 +366,7 @@ <h1 class="title">Authentication OpenID Connect</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-!! source digest: sha256:a54c4126f9873d2af17b9228f9afa844806a2541b42dc7945ec41be08379a915
+!! source digest: sha256:ede04e51899d4490eb4be0352376feb7833ba8d0546f36fea929c28a99a96d22
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/16.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows users to login through an OpenID Connect provider
@@ -386,16 +385,21 @@ <h1 class="title">Authentication OpenID Connect</h1>
 <li><a class="reference internal" href="#usage" id="toc-entry-5">Usage</a></li>
 <li><a class="reference internal" href="#known-issues-roadmap" id="toc-entry-6">Known issues / Roadmap</a></li>
 <li><a class="reference internal" href="#changelog" id="toc-entry-7">Changelog</a><ul>
-<li><a class="reference internal" href="#section-1" id="toc-entry-8">14.0.1.0.0 2021-12-10</a></li>
-<li><a class="reference internal" href="#section-2" id="toc-entry-9">13.0.1.0.0 2020-04-10</a></li>
-<li><a class="reference internal" href="#section-3" id="toc-entry-10">10.0.1.0.0 2018-10-05</a></li>
+<li><a class="reference internal" href="#section-1" id="toc-entry-8">16.0.1.1.0 2024-02-28</a></li>
+<li><a class="reference internal" href="#section-2" id="toc-entry-9">16.0.1.0.2 2023-11-16</a></li>
+<li><a class="reference internal" href="#section-3" id="toc-entry-10">16.0.1.0.1 2023-10-09</a></li>
+<li><a class="reference internal" href="#section-4" id="toc-entry-11">16.0.1.0.0 2023-01-27</a></li>
+<li><a class="reference internal" href="#section-5" id="toc-entry-12">15.0.1.0.0 2023-01-06</a></li>
+<li><a class="reference internal" href="#section-6" id="toc-entry-13">14.0.1.0.0 2021-12-10</a></li>
+<li><a class="reference internal" href="#section-7" id="toc-entry-14">13.0.1.0.0 2020-04-10</a></li>
+<li><a class="reference internal" href="#section-8" id="toc-entry-15">10.0.1.0.0 2018-10-05</a></li>
 </ul>
 </li>
-<li><a class="reference internal" href="#bug-tracker" id="toc-entry-11">Bug Tracker</a></li>
-<li><a class="reference internal" href="#credits" id="toc-entry-12">Credits</a><ul>
-<li><a class="reference internal" href="#authors" id="toc-entry-13">Authors</a></li>
-<li><a class="reference internal" href="#contributors" id="toc-entry-14">Contributors</a></li>
-<li><a class="reference internal" href="#maintainers" id="toc-entry-15">Maintainers</a></li>
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-16">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-17">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="toc-entry-18">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="toc-entry-19">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="toc-entry-20">Maintainers</a></li>
 </ul>
 </li>
 </ul>
@@ -493,26 +497,56 @@ <h1><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h1>
 <div class="section" id="changelog">
 <h1><a class="toc-backref" href="#toc-entry-7">Changelog</a></h1>
 <div class="section" id="section-1">
-<h2><a class="toc-backref" href="#toc-entry-8">14.0.1.0.0 2021-12-10</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-8">16.0.1.1.0 2024-02-28</a></h2>
 <ul class="simple">
-<li>Odoo 14 migration</li>
+<li>Forward port OpenID Connect fixes from 15.0 to 16.0</li>
 </ul>
 </div>
 <div class="section" id="section-2">
-<h2><a class="toc-backref" href="#toc-entry-9">13.0.1.0.0 2020-04-10</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-9">16.0.1.0.2 2023-11-16</a></h2>
 <ul class="simple">
-<li>Odoo 13 migration, add authorization code flow.</li>
+<li>Readme link updates</li>
 </ul>
 </div>
 <div class="section" id="section-3">
-<h2><a class="toc-backref" href="#toc-entry-10">10.0.1.0.0 2018-10-05</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-10">16.0.1.0.1 2023-10-09</a></h2>
+<ul class="simple">
+<li>Add AzureAD code flow provider</li>
+</ul>
+</div>
+<div class="section" id="section-4">
+<h2><a class="toc-backref" href="#toc-entry-11">16.0.1.0.0 2023-01-27</a></h2>
+<ul class="simple">
+<li>Odoo 16 migration</li>
+</ul>
+</div>
+<div class="section" id="section-5">
+<h2><a class="toc-backref" href="#toc-entry-12">15.0.1.0.0 2023-01-06</a></h2>
+<ul class="simple">
+<li>Odoo 15 migration</li>
+</ul>
+</div>
+<div class="section" id="section-6">
+<h2><a class="toc-backref" href="#toc-entry-13">14.0.1.0.0 2021-12-10</a></h2>
+<ul class="simple">
+<li>Odoo 14 migration</li>
+</ul>
+</div>
+<div class="section" id="section-7">
+<h2><a class="toc-backref" href="#toc-entry-14">13.0.1.0.0 2020-04-10</a></h2>
+<ul class="simple">
+<li>Odoo 13 migration, add authorization code flow.</li>
+</ul>
+</div>
+<div class="section" id="section-8">
+<h2><a class="toc-backref" href="#toc-entry-15">10.0.1.0.0 2018-10-05</a></h2>
 <ul class="simple">
 <li>Initial implementation</li>
 </ul>
 </div>
 </div>
 <div class="section" id="bug-tracker">
-<h1><a class="toc-backref" href="#toc-entry-11">Bug Tracker</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-16">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
@@ -520,9 +554,9 @@ <h1><a class="toc-backref" href="#toc-entry-11">Bug Tracker</a></h1>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
-<h1><a class="toc-backref" href="#toc-entry-12">Credits</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-17">Credits</a></h1>
 <div class="section" id="authors">
-<h2><a class="toc-backref" href="#toc-entry-13">Authors</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-18">Authors</a></h2>
 <ul class="simple">
 <li>ICTSTUDIO</li>
 <li>André Schenkels</li>
@@ -530,15 +564,16 @@ <h2><a class="toc-backref" href="#toc-entry-13">Authors</a></h2>
 </ul>
 </div>
 <div class="section" id="contributors">
-<h2><a class="toc-backref" href="#toc-entry-14">Contributors</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-19">Contributors</a></h2>
 <ul class="simple">
 <li>Alexandre Fayolle &lt;<a class="reference external" href="mailto:alexandre.fayolle&#64;camptocamp.com">alexandre.fayolle&#64;camptocamp.com</a>&gt;</li>
 <li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
 <li>David Jaen &lt;<a class="reference external" href="mailto:david.jaen.revert&#64;gmail.com">david.jaen.revert&#64;gmail.com</a>&gt;</li>
+<li>Andreas Perhab &lt;<a class="reference external" href="mailto:andreas.perhab&#64;wt-io-it.at">andreas.perhab&#64;wt-io-it.at</a>&gt;</li>
 </ul>
 </div>
 <div class="section" id="maintainers">
-<h2><a class="toc-backref" href="#toc-entry-15">Maintainers</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-20">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
 <a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose

From 37efe807a09ab6e626f829956b117b03c223b12f Mon Sep 17 00:00:00 2001
From: Andreas Perhab <andreas.perhab@wt-io-it.at>
Date: Wed, 20 Mar 2024 08:43:36 +0100
Subject: [PATCH 32/46] [IMP] auth_oidc: pre-commit fixes

---
 auth_oidc/controllers/main.py           | 2 +-
 auth_oidc/models/auth_oauth_provider.py | 2 +-
 auth_oidc/models/res_users.py           | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/auth_oidc/controllers/main.py b/auth_oidc/controllers/main.py
index 0c0861e6da..2104a6cca0 100644
--- a/auth_oidc/controllers/main.py
+++ b/auth_oidc/controllers/main.py
@@ -16,7 +16,7 @@
 
 class OpenIDLogin(OAuthLogin):
     def list_providers(self):
-        providers = super(OpenIDLogin, self).list_providers()
+        providers = super().list_providers()
         for provider in providers:
             flow = provider.get("flow")
             if flow in ("id_token", "id_token_code"):
diff --git a/auth_oidc/models/auth_oauth_provider.py b/auth_oidc/models/auth_oauth_provider.py
index 39935cf927..ac498a7cdb 100644
--- a/auth_oidc/models/auth_oauth_provider.py
+++ b/auth_oidc/models/auth_oauth_provider.py
@@ -64,7 +64,7 @@ def _get_keys(self, kid):
     def _map_token_values(self, res):
         if self.token_map:
             for pair in self.token_map.split(" "):
-                from_key, to_key = [k.strip() for k in pair.split(":", 1)]
+                from_key, to_key = (k.strip() for k in pair.split(":", 1))
                 if to_key not in res:
                     res[to_key] = res.get(from_key, "")
         return res
diff --git a/auth_oidc/models/res_users.py b/auth_oidc/models/res_users.py
index 29e7f6ee4d..1684480fa4 100644
--- a/auth_oidc/models/res_users.py
+++ b/auth_oidc/models/res_users.py
@@ -56,7 +56,7 @@ def auth_oauth(self, provider, params):
                 oauth_provider, params
             )
         else:
-            return super(ResUsers, self).auth_oauth(provider, params)
+            return super().auth_oauth(provider, params)
         if not access_token:
             _logger.error("No access_token in response.")
             raise AccessDenied()

From edbdd48f90f702f7d90eb0da7f3a5050e7176f3c Mon Sep 17 00:00:00 2001
From: Andreas Perhab <andreas.perhab@wt-io-it.at>
Date: Wed, 20 Mar 2024 08:48:30 +0100
Subject: [PATCH 33/46] [MIG] auth_oidc: Migration to 17.0

---
 auth_oidc/README.rst                    | 21 +++---
 auth_oidc/__manifest__.py               |  2 +-
 auth_oidc/pyproject.toml                |  3 +
 auth_oidc/readme/HISTORY.md             |  4 ++
 auth_oidc/static/description/index.html | 85 +++++++++++++------------
 5 files changed, 67 insertions(+), 48 deletions(-)
 create mode 100644 auth_oidc/pyproject.toml

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
index ac51aa7f47..f17c56847d 100644
--- a/auth_oidc/README.rst
+++ b/auth_oidc/README.rst
@@ -17,13 +17,13 @@ Authentication OpenID Connect
     :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
     :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
-    :target: https://github.com/OCA/server-auth/tree/16.0/auth_oidc
+    :target: https://github.com/OCA/server-auth/tree/17.0/auth_oidc
     :alt: OCA/server-auth
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
-    :target: https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_oidc
+    :target: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oidc
     :alt: Translate me on Weblate
 .. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
-    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=16.0
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=17.0
     :alt: Try me on Runboat
 
 |badge1| |badge2| |badge3| |badge4| |badge5|
@@ -123,9 +123,9 @@ In Odoo, create a new Oauth Provider with the following parameters:
 -  JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
    Configuration of your Keycloak realm
 
-.. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
-.. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
-.. |image2| image:: https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png
+.. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
+.. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
+.. |image2| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png
 
 Usage
 =====
@@ -143,6 +143,11 @@ Known issues / Roadmap
 Changelog
 =========
 
+17.0.1.0.0 2024-03-20
+---------------------
+
+-  Odoo 17 migration
+
 16.0.1.1.0 2024-02-28
 ---------------------
 
@@ -189,7 +194,7 @@ Bug Tracker
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
-`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 
 Do not contact contributors directly about support or help with technical issues.
 
@@ -232,6 +237,6 @@ Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
 
 |maintainer-sbidoul| 
 
-This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/16.0/auth_oidc>`_ project on GitHub.
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/17.0/auth_oidc>`_ project on GitHub.
 
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index be60eba9f8..5e046a73f3 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -4,7 +4,7 @@
 
 {
     "name": "Authentication OpenID Connect",
-    "version": "16.0.1.1.1",
+    "version": "17.0.1.0.0",
     "license": "AGPL-3",
     "author": (
         "ICTSTUDIO, André Schenkels, "
diff --git a/auth_oidc/pyproject.toml b/auth_oidc/pyproject.toml
new file mode 100644
index 0000000000..4231d0cccb
--- /dev/null
+++ b/auth_oidc/pyproject.toml
@@ -0,0 +1,3 @@
+[build-system]
+requires = ["whool"]
+build-backend = "whool.buildapi"
diff --git a/auth_oidc/readme/HISTORY.md b/auth_oidc/readme/HISTORY.md
index 0e26e3a694..3df4dd917b 100644
--- a/auth_oidc/readme/HISTORY.md
+++ b/auth_oidc/readme/HISTORY.md
@@ -1,3 +1,7 @@
+## 17.0.1.0.0 2024-03-20
+
+- Odoo 17 migration
+
 ## 16.0.1.1.0 2024-02-28
 
 - Forward port OpenID Connect fixes from 15.0 to 16.0
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
index eb15be7dc3..2f2af23dc3 100644
--- a/auth_oidc/static/description/index.html
+++ b/auth_oidc/static/description/index.html
@@ -368,7 +368,7 @@ <h1 class="title">Authentication OpenID Connect</h1>
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! source digest: sha256:ede04e51899d4490eb4be0352376feb7833ba8d0546f36fea929c28a99a96d22
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
-<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/16.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-16-0/server-auth-16-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=16.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/17.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=17.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows users to login through an OpenID Connect provider
 using the authorization code flow or implicit flow.</p>
 <p>Note the implicit flow is not recommended because it exposes access
@@ -385,21 +385,22 @@ <h1 class="title">Authentication OpenID Connect</h1>
 <li><a class="reference internal" href="#usage" id="toc-entry-5">Usage</a></li>
 <li><a class="reference internal" href="#known-issues-roadmap" id="toc-entry-6">Known issues / Roadmap</a></li>
 <li><a class="reference internal" href="#changelog" id="toc-entry-7">Changelog</a><ul>
-<li><a class="reference internal" href="#section-1" id="toc-entry-8">16.0.1.1.0 2024-02-28</a></li>
-<li><a class="reference internal" href="#section-2" id="toc-entry-9">16.0.1.0.2 2023-11-16</a></li>
-<li><a class="reference internal" href="#section-3" id="toc-entry-10">16.0.1.0.1 2023-10-09</a></li>
-<li><a class="reference internal" href="#section-4" id="toc-entry-11">16.0.1.0.0 2023-01-27</a></li>
-<li><a class="reference internal" href="#section-5" id="toc-entry-12">15.0.1.0.0 2023-01-06</a></li>
-<li><a class="reference internal" href="#section-6" id="toc-entry-13">14.0.1.0.0 2021-12-10</a></li>
-<li><a class="reference internal" href="#section-7" id="toc-entry-14">13.0.1.0.0 2020-04-10</a></li>
-<li><a class="reference internal" href="#section-8" id="toc-entry-15">10.0.1.0.0 2018-10-05</a></li>
+<li><a class="reference internal" href="#section-1" id="toc-entry-8">17.0.1.0.0 2024-03-20</a></li>
+<li><a class="reference internal" href="#section-2" id="toc-entry-9">16.0.1.1.0 2024-02-28</a></li>
+<li><a class="reference internal" href="#section-3" id="toc-entry-10">16.0.1.0.2 2023-11-16</a></li>
+<li><a class="reference internal" href="#section-4" id="toc-entry-11">16.0.1.0.1 2023-10-09</a></li>
+<li><a class="reference internal" href="#section-5" id="toc-entry-12">16.0.1.0.0 2023-01-27</a></li>
+<li><a class="reference internal" href="#section-6" id="toc-entry-13">15.0.1.0.0 2023-01-06</a></li>
+<li><a class="reference internal" href="#section-7" id="toc-entry-14">14.0.1.0.0 2021-12-10</a></li>
+<li><a class="reference internal" href="#section-8" id="toc-entry-15">13.0.1.0.0 2020-04-10</a></li>
+<li><a class="reference internal" href="#section-9" id="toc-entry-16">10.0.1.0.0 2018-10-05</a></li>
 </ul>
 </li>
-<li><a class="reference internal" href="#bug-tracker" id="toc-entry-16">Bug Tracker</a></li>
-<li><a class="reference internal" href="#credits" id="toc-entry-17">Credits</a><ul>
-<li><a class="reference internal" href="#authors" id="toc-entry-18">Authors</a></li>
-<li><a class="reference internal" href="#contributors" id="toc-entry-19">Contributors</a></li>
-<li><a class="reference internal" href="#maintainers" id="toc-entry-20">Maintainers</a></li>
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-17">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-18">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="toc-entry-19">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="toc-entry-20">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="toc-entry-21">Maintainers</a></li>
 </ul>
 </li>
 </ul>
@@ -427,8 +428,8 @@ <h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2
 documentation</a>
 for more information):</li>
 </ol>
-<p><img alt="image" src="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png" /></p>
-<p><img alt="image1" src="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png" /></p>
+<p><img alt="image" src="https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png" /></p>
+<p><img alt="image1" src="https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png" /></p>
 <p>Single tenant provider limits the access to user of your tenant, while
 Multitenants allow access for all AzureAD users, so user of foreign
 companies can use their AzureAD login without an guest account.</p>
@@ -446,7 +447,7 @@ <h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2
 <li>Allowed: yes</li>
 <li>replace {tenant_id} in urls with your Azure tenant id</li>
 </ul>
-<p><img alt="image2" src="https://raw.githubusercontent.com/OCA/server-auth/16.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png" /></p>
+<p><img alt="image2" src="https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png" /></p>
 </div>
 <div class="section" id="setup-for-keycloak">
 <h2><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h2>
@@ -497,66 +498,72 @@ <h1><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h1>
 <div class="section" id="changelog">
 <h1><a class="toc-backref" href="#toc-entry-7">Changelog</a></h1>
 <div class="section" id="section-1">
-<h2><a class="toc-backref" href="#toc-entry-8">16.0.1.1.0 2024-02-28</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-8">17.0.1.0.0 2024-03-20</a></h2>
 <ul class="simple">
-<li>Forward port OpenID Connect fixes from 15.0 to 16.0</li>
+<li>Odoo 17 migration</li>
 </ul>
 </div>
 <div class="section" id="section-2">
-<h2><a class="toc-backref" href="#toc-entry-9">16.0.1.0.2 2023-11-16</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-9">16.0.1.1.0 2024-02-28</a></h2>
 <ul class="simple">
-<li>Readme link updates</li>
+<li>Forward port OpenID Connect fixes from 15.0 to 16.0</li>
 </ul>
 </div>
 <div class="section" id="section-3">
-<h2><a class="toc-backref" href="#toc-entry-10">16.0.1.0.1 2023-10-09</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-10">16.0.1.0.2 2023-11-16</a></h2>
 <ul class="simple">
-<li>Add AzureAD code flow provider</li>
+<li>Readme link updates</li>
 </ul>
 </div>
 <div class="section" id="section-4">
-<h2><a class="toc-backref" href="#toc-entry-11">16.0.1.0.0 2023-01-27</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-11">16.0.1.0.1 2023-10-09</a></h2>
 <ul class="simple">
-<li>Odoo 16 migration</li>
+<li>Add AzureAD code flow provider</li>
 </ul>
 </div>
 <div class="section" id="section-5">
-<h2><a class="toc-backref" href="#toc-entry-12">15.0.1.0.0 2023-01-06</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-12">16.0.1.0.0 2023-01-27</a></h2>
 <ul class="simple">
-<li>Odoo 15 migration</li>
+<li>Odoo 16 migration</li>
 </ul>
 </div>
 <div class="section" id="section-6">
-<h2><a class="toc-backref" href="#toc-entry-13">14.0.1.0.0 2021-12-10</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-13">15.0.1.0.0 2023-01-06</a></h2>
 <ul class="simple">
-<li>Odoo 14 migration</li>
+<li>Odoo 15 migration</li>
 </ul>
 </div>
 <div class="section" id="section-7">
-<h2><a class="toc-backref" href="#toc-entry-14">13.0.1.0.0 2020-04-10</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-14">14.0.1.0.0 2021-12-10</a></h2>
 <ul class="simple">
-<li>Odoo 13 migration, add authorization code flow.</li>
+<li>Odoo 14 migration</li>
 </ul>
 </div>
 <div class="section" id="section-8">
-<h2><a class="toc-backref" href="#toc-entry-15">10.0.1.0.0 2018-10-05</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-15">13.0.1.0.0 2020-04-10</a></h2>
+<ul class="simple">
+<li>Odoo 13 migration, add authorization code flow.</li>
+</ul>
+</div>
+<div class="section" id="section-9">
+<h2><a class="toc-backref" href="#toc-entry-16">10.0.1.0.0 2018-10-05</a></h2>
 <ul class="simple">
 <li>Initial implementation</li>
 </ul>
 </div>
 </div>
 <div class="section" id="bug-tracker">
-<h1><a class="toc-backref" href="#toc-entry-16">Bug Tracker</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-17">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
-<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2016.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
-<h1><a class="toc-backref" href="#toc-entry-17">Credits</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-18">Credits</a></h1>
 <div class="section" id="authors">
-<h2><a class="toc-backref" href="#toc-entry-18">Authors</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-19">Authors</a></h2>
 <ul class="simple">
 <li>ICTSTUDIO</li>
 <li>André Schenkels</li>
@@ -564,7 +571,7 @@ <h2><a class="toc-backref" href="#toc-entry-18">Authors</a></h2>
 </ul>
 </div>
 <div class="section" id="contributors">
-<h2><a class="toc-backref" href="#toc-entry-19">Contributors</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-20">Contributors</a></h2>
 <ul class="simple">
 <li>Alexandre Fayolle &lt;<a class="reference external" href="mailto:alexandre.fayolle&#64;camptocamp.com">alexandre.fayolle&#64;camptocamp.com</a>&gt;</li>
 <li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
@@ -573,7 +580,7 @@ <h2><a class="toc-backref" href="#toc-entry-19">Contributors</a></h2>
 </ul>
 </div>
 <div class="section" id="maintainers">
-<h2><a class="toc-backref" href="#toc-entry-20">Maintainers</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-21">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
 <a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose
@@ -581,7 +588,7 @@ <h2><a class="toc-backref" href="#toc-entry-20">Maintainers</a></h2>
 promote its widespread use.</p>
 <p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
 <p><a class="reference external image-reference" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
-<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/16.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/17.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
 <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
 </div>
 </div>

From 08101d93f38b0865ac222007bfd93d7268c31936 Mon Sep 17 00:00:00 2001
From: oca-ci <oca-ci@odoo-community.org>
Date: Wed, 27 Mar 2024 15:08:15 +0000
Subject: [PATCH 34/46] [UPD] Update auth_oidc.pot

---
 auth_oidc/i18n/auth_oidc.pot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth_oidc/i18n/auth_oidc.pot b/auth_oidc/i18n/auth_oidc.pot
index 560fb4d168..630ac018ee 100644
--- a/auth_oidc/i18n/auth_oidc.pot
+++ b/auth_oidc/i18n/auth_oidc.pot
@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: Odoo Server 16.0\n"
+"Project-Id-Version: Odoo Server 17.0\n"
 "Report-Msgid-Bugs-To: \n"
 "Last-Translator: \n"
 "Language-Team: \n"

From f99c6bbacfed8fe67bc59cf771d08ac9a423287a Mon Sep 17 00:00:00 2001
From: OCA-git-bot <oca-git-bot@odoo-community.org>
Date: Wed, 27 Mar 2024 15:10:51 +0000
Subject: [PATCH 35/46] [BOT] post-merge updates

---
 auth_oidc/README.rst                    | 2 +-
 auth_oidc/static/description/index.html | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
index f17c56847d..837cc8704b 100644
--- a/auth_oidc/README.rst
+++ b/auth_oidc/README.rst
@@ -7,7 +7,7 @@ Authentication OpenID Connect
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:ede04e51899d4490eb4be0352376feb7833ba8d0546f36fea929c28a99a96d22
+   !! source digest: sha256:e65c1c978ca0266a8e54f8121675cbf710359cf407413e35518f670be9c9753f
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
index 2f2af23dc3..412ba2dc79 100644
--- a/auth_oidc/static/description/index.html
+++ b/auth_oidc/static/description/index.html
@@ -366,7 +366,7 @@ <h1 class="title">Authentication OpenID Connect</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-!! source digest: sha256:ede04e51899d4490eb4be0352376feb7833ba8d0546f36fea929c28a99a96d22
+!! source digest: sha256:e65c1c978ca0266a8e54f8121675cbf710359cf407413e35518f670be9c9753f
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/17.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=17.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows users to login through an OpenID Connect provider

From 396129c7201ed32dde504a63c04576a28fe1eeed Mon Sep 17 00:00:00 2001
From: Weblate <noreply@weblate.org>
Date: Wed, 27 Mar 2024 16:12:07 +0000
Subject: [PATCH 36/46] Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: server-auth-17.0/server-auth-17.0-auth_oidc
Translate-URL: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oidc/
---
 auth_oidc/i18n/es.po | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/auth_oidc/i18n/es.po b/auth_oidc/i18n/es.po
index fae120e781..6cda9344b2 100644
--- a/auth_oidc/i18n/es.po
+++ b/auth_oidc/i18n/es.po
@@ -75,9 +75,9 @@ msgstr "Requerido para OpenID Connect."
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
 msgid ""
-"Some Oauth providers don't map keys in their responses exactly as required."
-"  It is important to ensure user_id and email at least are mapped. For "
-"OpenID Connect user_id is the sub key in the standard."
+"Some Oauth providers don't map keys in their responses exactly as required.  "
+"It is important to ensure user_id and email at least are mapped. For OpenID "
+"Connect user_id is the sub key in the standard."
 msgstr ""
 "Algunos proveedores de Oauth no mapean las claves en sus respuestas "
 "exactamente como se requiere.  Es importante asegurarse de que al menos "

From f1d1845835f862d62974838564a796a2c2ce88a1 Mon Sep 17 00:00:00 2001
From: xtanuiha <feihu.zhang@live.com>
Date: Wed, 3 Jul 2024 08:29:32 +0000
Subject: [PATCH 37/46] Added translation using Weblate (Chinese (Simplified)
 (zh_CN))

---
 auth_oidc/i18n/zh_CN.po | 120 ++++++++++++++++++++++++++++++++++++++++
 1 file changed, 120 insertions(+)
 create mode 100644 auth_oidc/i18n/zh_CN.po

diff --git a/auth_oidc/i18n/zh_CN.po b/auth_oidc/i18n/zh_CN.po
new file mode 100644
index 0000000000..9357399800
--- /dev/null
+++ b/auth_oidc/i18n/zh_CN.po
@@ -0,0 +1,120 @@
+# Translation of Odoo Server.
+# This file contains the translation of the following modules:
+# 	* auth_oidc
+#
+msgid ""
+msgstr ""
+"Project-Id-Version: Odoo Server 17.0\n"
+"Report-Msgid-Bugs-To: \n"
+"Last-Translator: Automatically generated\n"
+"Language-Team: none\n"
+"Language: zh_CN\n"
+"MIME-Version: 1.0\n"
+"Content-Type: text/plain; charset=UTF-8\n"
+"Content-Transfer-Encoding: \n"
+"Plural-Forms: nplurals=1; plural=0;\n"
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
+msgid "Auth Flow"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
+msgid "Client Secret"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Code Verifier"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "JWKS URL"
+msgstr ""
+
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
+#: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
+msgid "Log in with Microsoft"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
+msgid "OAuth2"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_auth_oauth_provider
+msgid "OAuth2 provider"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
+msgid "OpenID Connect (authorization code flow)"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
+msgid "OpenID Connect (implicit flow, not recommended)"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Required for OpenID Connect authorization code flow."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
+msgid "Required for OpenID Connect."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
+msgid ""
+"Some Oauth providers don't map keys in their responses exactly as required."
+"  It is important to ensure user_id and email at least are mapped. For "
+"OpenID Connect user_id is the sub key in the standard."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
+msgid "Token Map"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
+msgid "Token URL"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
+msgid "Used for PKCE."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
+msgid ""
+"Used in OpenID Connect authorization code flow for confidential clients."
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model,name:auth_oidc.model_res_users
+msgid "User"
+msgstr ""
+
+#. module: auth_oidc
+#: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
+msgid "UserInfo URL"
+msgstr ""
+
+#. module: auth_oidc
+#: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
+msgid "e.g from:to upn:email sub:user_id"
+msgstr ""
+
+#. module: auth_oidc
+#: model:auth.oauth.provider,body:auth_oidc.local_keycloak
+msgid "keycloak:8080 on localhost"
+msgstr ""

From de1109254ac825c6d00c690118e7fa2691206793 Mon Sep 17 00:00:00 2001
From: xtanuiha <feihu.zhang@live.com>
Date: Wed, 3 Jul 2024 08:32:45 +0000
Subject: [PATCH 38/46] Translated using Weblate (Chinese (Simplified) (zh_CN))

Currently translated at 100.0% (20 of 20 strings)

Translation: server-auth-17.0/server-auth-17.0-auth_oidc
Translate-URL: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oidc/zh_CN/
---
 auth_oidc/i18n/zh_CN.po | 44 ++++++++++++++++++++++-------------------
 1 file changed, 24 insertions(+), 20 deletions(-)

diff --git a/auth_oidc/i18n/zh_CN.po b/auth_oidc/i18n/zh_CN.po
index 9357399800..f4249bed9a 100644
--- a/auth_oidc/i18n/zh_CN.po
+++ b/auth_oidc/i18n/zh_CN.po
@@ -6,69 +6,71 @@ msgid ""
 msgstr ""
 "Project-Id-Version: Odoo Server 17.0\n"
 "Report-Msgid-Bugs-To: \n"
-"Last-Translator: Automatically generated\n"
+"PO-Revision-Date: 2024-07-03 10:47+0000\n"
+"Last-Translator: xtanuiha <feihu.zhang@live.com>\n"
 "Language-Team: none\n"
 "Language: zh_CN\n"
 "MIME-Version: 1.0\n"
 "Content-Type: text/plain; charset=UTF-8\n"
 "Content-Transfer-Encoding: \n"
 "Plural-Forms: nplurals=1; plural=0;\n"
+"X-Generator: Weblate 4.17\n"
 
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__flow
 msgid "Auth Flow"
-msgstr ""
+msgstr "认证流程"
 
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__client_secret
 msgid "Client Secret"
-msgstr ""
+msgstr "客户端密钥"
 
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__code_verifier
 msgid "Code Verifier"
-msgstr ""
+msgstr "代码验证器"
 
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__jwks_uri
 msgid "JWKS URL"
-msgstr ""
+msgstr "JWKS 网址"
 
 #. module: auth_oidc
 #: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
 #: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
 msgid "Log in with Microsoft"
-msgstr ""
+msgstr "使用 Microsoft 登录"
 
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token
 msgid "OAuth2"
-msgstr ""
+msgstr "OAuth2"
 
 #. module: auth_oidc
 #: model:ir.model,name:auth_oidc.model_auth_oauth_provider
 msgid "OAuth2 provider"
-msgstr ""
+msgstr "OAuth2 提供者"
 
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token_code
 msgid "OpenID Connect (authorization code flow)"
-msgstr ""
+msgstr "OpenID Connect（授权码流程）"
 
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__id_token
 msgid "OpenID Connect (implicit flow, not recommended)"
-msgstr ""
+msgstr "OpenID Connect（隐式流程，不推荐）"
 
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_endpoint
 msgid "Required for OpenID Connect authorization code flow."
-msgstr ""
+msgstr "OpenID Connect 授权码流程所需。"
 
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__jwks_uri
 msgid "Required for OpenID Connect."
-msgstr ""
+msgstr "OpenID Connect 所需。"
 
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
@@ -77,44 +79,46 @@ msgid ""
 "  It is important to ensure user_id and email at least are mapped. For "
 "OpenID Connect user_id is the sub key in the standard."
 msgstr ""
+"一些 OAuth 提供者在其响应中并没有完全按照要求映射键。至少需要确保 user_id 和 "
+"email 被映射。对于 OpenID Connect，user_id 是标准中的 sub 键。"
 
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_map
 msgid "Token Map"
-msgstr ""
+msgstr "令牌映射"
 
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__token_endpoint
 msgid "Token URL"
-msgstr ""
+msgstr "令牌网址"
 
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__code_verifier
 msgid "Used for PKCE."
-msgstr ""
+msgstr "用于 PKCE。"
 
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__client_secret
 msgid ""
 "Used in OpenID Connect authorization code flow for confidential clients."
-msgstr ""
+msgstr "在 OpenID Connect 授权码流程中用于保密客户端。"
 
 #. module: auth_oidc
 #: model:ir.model,name:auth_oidc.model_res_users
 msgid "User"
-msgstr ""
+msgstr "用户"
 
 #. module: auth_oidc
 #: model:ir.model.fields,field_description:auth_oidc.field_auth_oauth_provider__validation_endpoint
 msgid "UserInfo URL"
-msgstr ""
+msgstr "用户信息网址"
 
 #. module: auth_oidc
 #: model_terms:ir.ui.view,arch_db:auth_oidc.view_oidc_provider_form
 msgid "e.g from:to upn:email sub:user_id"
-msgstr ""
+msgstr "例如 from:to upn:email sub:user_id"
 
 #. module: auth_oidc
 #: model:auth.oauth.provider,body:auth_oidc.local_keycloak
 msgid "keycloak:8080 on localhost"
-msgstr ""
+msgstr "localhost 上的 keycloak:8080"

From ee889ec011ca5782da9069a0f6d8ca8368e5a202 Mon Sep 17 00:00:00 2001
From: Andreas Perhab <andreas.perhab@wt-io-it.at>
Date: Wed, 9 Oct 2024 12:42:04 +0200
Subject: [PATCH 39/46] [MIG] auth_oidc: Migration to 18.0

---
 auth_oidc/README.rst                        | 107 ++++++++++----------
 auth_oidc/__manifest__.py                   |   2 +-
 auth_oidc/readme/HISTORY.md                 |   4 +
 auth_oidc/static/description/index.html     |  91 +++++++++--------
 auth_oidc/tests/test_auth_oidc_auth_code.py |  25 +++--
 5 files changed, 128 insertions(+), 101 deletions(-)

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
index 837cc8704b..de5411ac46 100644
--- a/auth_oidc/README.rst
+++ b/auth_oidc/README.rst
@@ -17,13 +17,13 @@ Authentication OpenID Connect
     :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
     :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
-    :target: https://github.com/OCA/server-auth/tree/17.0/auth_oidc
+    :target: https://github.com/OCA/server-auth/tree/18.0/auth_oidc
     :alt: OCA/server-auth
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
-    :target: https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oidc
+    :target: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_oidc
     :alt: Translate me on Weblate
 .. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
-    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=17.0
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=18.0
     :alt: Try me on Runboat
 
 |badge1| |badge2| |badge3| |badge4| |badge5|
@@ -75,18 +75,18 @@ Single tenant provider limits the access to user of your tenant, while
 Multitenants allow access for all AzureAD users, so user of foreign
 companies can use their AzureAD login without an guest account.
 
--  Provider Name: Azure AD Single Tenant
--  Client ID: Application (client) id
--  Client Secret: Client secret
--  Allowed: yes
+- Provider Name: Azure AD Single Tenant
+- Client ID: Application (client) id
+- Client Secret: Client secret
+- Allowed: yes
 
 or
 
--  Provider Name: Azure AD Multitenant
--  Client ID: Application (client) id
--  Client Secret: Client secret
--  Allowed: yes
--  replace {tenant_id} in urls with your Azure tenant id
+- Provider Name: Azure AD Multitenant
+- Client ID: Application (client) id
+- Client Secret: Client secret
+- Allowed: yes
+- replace {tenant_id} in urls with your Azure tenant id
 
 |image2|
 
@@ -106,26 +106,26 @@ In Keycloak:
 
 In Odoo, create a new Oauth Provider with the following parameters:
 
--  Provider name: Keycloak (or any name you like that identify your
-   keycloak provider)
--  Auth Flow: OpenID Connect (authorization code flow)
--  Client ID: the same Client ID you entered when configuring the client
-   in Keycloak
--  Client Secret: found in keycloak on the client Credentials tab
--  Allowed: yes
--  Body: the link text to appear on the login page, such as Login with
-   Keycloak
--  Scope: openid email
--  Authentication URL: The "authorization_endpoint" URL found in the
-   OpenID Endpoint Configuration of your Keycloak realm
--  Token URL: The "token_endpoint" URL found in the OpenID Endpoint
-   Configuration of your Keycloak realm
--  JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
-   Configuration of your Keycloak realm
-
-.. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
-.. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
-.. |image2| image:: https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png
+- Provider name: Keycloak (or any name you like that identify your
+  keycloak provider)
+- Auth Flow: OpenID Connect (authorization code flow)
+- Client ID: the same Client ID you entered when configuring the client
+  in Keycloak
+- Client Secret: found in keycloak on the client Credentials tab
+- Allowed: yes
+- Body: the link text to appear on the login page, such as Login with
+  Keycloak
+- Scope: openid email
+- Authentication URL: The "authorization_endpoint" URL found in the
+  OpenID Endpoint Configuration of your Keycloak realm
+- Token URL: The "token_endpoint" URL found in the OpenID Endpoint
+  Configuration of your Keycloak realm
+- JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
+  Configuration of your Keycloak realm
+
+.. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
+.. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
+.. |image2| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png
 
 Usage
 =====
@@ -135,58 +135,63 @@ On the login page, click on the authentication provider you configured.
 Known issues / Roadmap
 ======================
 
--  When going to the login screen, check for a existing token and do a
-   direct login without the clicking on the SSO link
--  When doing a logout an extra option to also logout at the SSO
-   provider.
+- When going to the login screen, check for a existing token and do a
+  direct login without the clicking on the SSO link
+- When doing a logout an extra option to also logout at the SSO
+  provider.
 
 Changelog
 =========
 
+18.0.1.0.0 2024-10-09
+---------------------
+
+- Odoo 18 migration
+
 17.0.1.0.0 2024-03-20
 ---------------------
 
--  Odoo 17 migration
+- Odoo 17 migration
 
 16.0.1.1.0 2024-02-28
 ---------------------
 
--  Forward port OpenID Connect fixes from 15.0 to 16.0
+- Forward port OpenID Connect fixes from 15.0 to 16.0
 
 16.0.1.0.2 2023-11-16
 ---------------------
 
--  Readme link updates
+- Readme link updates
 
 16.0.1.0.1 2023-10-09
 ---------------------
 
--  Add AzureAD code flow provider
+- Add AzureAD code flow provider
 
 16.0.1.0.0 2023-01-27
 ---------------------
 
--  Odoo 16 migration
+- Odoo 16 migration
 
 15.0.1.0.0 2023-01-06
 ---------------------
 
--  Odoo 15 migration
+- Odoo 15 migration
 
 14.0.1.0.0 2021-12-10
 ---------------------
 
--  Odoo 14 migration
+- Odoo 14 migration
 
 13.0.1.0.0 2020-04-10
 ---------------------
 
--  Odoo 13 migration, add authorization code flow.
+- Odoo 13 migration, add authorization code flow.
 
 10.0.1.0.0 2018-10-05
 ---------------------
 
--  Initial implementation
+- Initial implementation
 
 Bug Tracker
 ===========
@@ -194,7 +199,7 @@ Bug Tracker
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
-`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 
 Do not contact contributors directly about support or help with technical issues.
 
@@ -211,10 +216,10 @@ Authors
 Contributors
 ------------
 
--  Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
--  Stéphane Bidoul <stephane.bidoul@acsone.eu>
--  David Jaen <david.jaen.revert@gmail.com>
--  Andreas Perhab <andreas.perhab@wt-io-it.at>
+- Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
+- Stéphane Bidoul <stephane.bidoul@acsone.eu>
+- David Jaen <david.jaen.revert@gmail.com>
+- Andreas Perhab <andreas.perhab@wt-io-it.at>
 
 Maintainers
 -----------
@@ -237,6 +242,6 @@ Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
 
 |maintainer-sbidoul| 
 
-This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/17.0/auth_oidc>`_ project on GitHub.
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/18.0/auth_oidc>`_ project on GitHub.
 
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index 5e046a73f3..f6897d2f7b 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -4,7 +4,7 @@
 
 {
     "name": "Authentication OpenID Connect",
-    "version": "17.0.1.0.0",
+    "version": "18.0.1.0.0",
     "license": "AGPL-3",
     "author": (
         "ICTSTUDIO, André Schenkels, "
diff --git a/auth_oidc/readme/HISTORY.md b/auth_oidc/readme/HISTORY.md
index 3df4dd917b..48ad92f7f1 100644
--- a/auth_oidc/readme/HISTORY.md
+++ b/auth_oidc/readme/HISTORY.md
@@ -1,3 +1,7 @@
+## 18.0.1.0.0 2024-10-09
+
+- Odoo 18 migration
+
 ## 17.0.1.0.0 2024-03-20
 
 - Odoo 17 migration
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
index 412ba2dc79..7b4f908f30 100644
--- a/auth_oidc/static/description/index.html
+++ b/auth_oidc/static/description/index.html
@@ -368,7 +368,7 @@ <h1 class="title">Authentication OpenID Connect</h1>
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! source digest: sha256:e65c1c978ca0266a8e54f8121675cbf710359cf407413e35518f670be9c9753f
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
-<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/17.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-17-0/server-auth-17-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=17.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/18.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=18.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows users to login through an OpenID Connect provider
 using the authorization code flow or implicit flow.</p>
 <p>Note the implicit flow is not recommended because it exposes access
@@ -385,22 +385,23 @@ <h1 class="title">Authentication OpenID Connect</h1>
 <li><a class="reference internal" href="#usage" id="toc-entry-5">Usage</a></li>
 <li><a class="reference internal" href="#known-issues-roadmap" id="toc-entry-6">Known issues / Roadmap</a></li>
 <li><a class="reference internal" href="#changelog" id="toc-entry-7">Changelog</a><ul>
-<li><a class="reference internal" href="#section-1" id="toc-entry-8">17.0.1.0.0 2024-03-20</a></li>
-<li><a class="reference internal" href="#section-2" id="toc-entry-9">16.0.1.1.0 2024-02-28</a></li>
-<li><a class="reference internal" href="#section-3" id="toc-entry-10">16.0.1.0.2 2023-11-16</a></li>
-<li><a class="reference internal" href="#section-4" id="toc-entry-11">16.0.1.0.1 2023-10-09</a></li>
-<li><a class="reference internal" href="#section-5" id="toc-entry-12">16.0.1.0.0 2023-01-27</a></li>
-<li><a class="reference internal" href="#section-6" id="toc-entry-13">15.0.1.0.0 2023-01-06</a></li>
-<li><a class="reference internal" href="#section-7" id="toc-entry-14">14.0.1.0.0 2021-12-10</a></li>
-<li><a class="reference internal" href="#section-8" id="toc-entry-15">13.0.1.0.0 2020-04-10</a></li>
-<li><a class="reference internal" href="#section-9" id="toc-entry-16">10.0.1.0.0 2018-10-05</a></li>
+<li><a class="reference internal" href="#section-1" id="toc-entry-8">18.0.1.0.0 2024-10-09</a></li>
+<li><a class="reference internal" href="#section-2" id="toc-entry-9">17.0.1.0.0 2024-03-20</a></li>
+<li><a class="reference internal" href="#section-3" id="toc-entry-10">16.0.1.1.0 2024-02-28</a></li>
+<li><a class="reference internal" href="#section-4" id="toc-entry-11">16.0.1.0.2 2023-11-16</a></li>
+<li><a class="reference internal" href="#section-5" id="toc-entry-12">16.0.1.0.1 2023-10-09</a></li>
+<li><a class="reference internal" href="#section-6" id="toc-entry-13">16.0.1.0.0 2023-01-27</a></li>
+<li><a class="reference internal" href="#section-7" id="toc-entry-14">15.0.1.0.0 2023-01-06</a></li>
+<li><a class="reference internal" href="#section-8" id="toc-entry-15">14.0.1.0.0 2021-12-10</a></li>
+<li><a class="reference internal" href="#section-9" id="toc-entry-16">13.0.1.0.0 2020-04-10</a></li>
+<li><a class="reference internal" href="#section-10" id="toc-entry-17">10.0.1.0.0 2018-10-05</a></li>
 </ul>
 </li>
-<li><a class="reference internal" href="#bug-tracker" id="toc-entry-17">Bug Tracker</a></li>
-<li><a class="reference internal" href="#credits" id="toc-entry-18">Credits</a><ul>
-<li><a class="reference internal" href="#authors" id="toc-entry-19">Authors</a></li>
-<li><a class="reference internal" href="#contributors" id="toc-entry-20">Contributors</a></li>
-<li><a class="reference internal" href="#maintainers" id="toc-entry-21">Maintainers</a></li>
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-18">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-19">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="toc-entry-20">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="toc-entry-21">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="toc-entry-22">Maintainers</a></li>
 </ul>
 </li>
 </ul>
@@ -428,8 +429,8 @@ <h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2
 documentation</a>
 for more information):</li>
 </ol>
-<p><img alt="image" src="https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png" /></p>
-<p><img alt="image1" src="https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png" /></p>
+<p><img alt="image" src="https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png" /></p>
+<p><img alt="image1" src="https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png" /></p>
 <p>Single tenant provider limits the access to user of your tenant, while
 Multitenants allow access for all AzureAD users, so user of foreign
 companies can use their AzureAD login without an guest account.</p>
@@ -447,7 +448,7 @@ <h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2
 <li>Allowed: yes</li>
 <li>replace {tenant_id} in urls with your Azure tenant id</li>
 </ul>
-<p><img alt="image2" src="https://raw.githubusercontent.com/OCA/server-auth/17.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png" /></p>
+<p><img alt="image2" src="https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png" /></p>
 </div>
 <div class="section" id="setup-for-keycloak">
 <h2><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h2>
@@ -498,72 +499,78 @@ <h1><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h1>
 <div class="section" id="changelog">
 <h1><a class="toc-backref" href="#toc-entry-7">Changelog</a></h1>
 <div class="section" id="section-1">
-<h2><a class="toc-backref" href="#toc-entry-8">17.0.1.0.0 2024-03-20</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-8">18.0.1.0.0 2024-10-09</a></h2>
 <ul class="simple">
-<li>Odoo 17 migration</li>
+<li>Odoo 18 migration</li>
 </ul>
 </div>
 <div class="section" id="section-2">
-<h2><a class="toc-backref" href="#toc-entry-9">16.0.1.1.0 2024-02-28</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-9">17.0.1.0.0 2024-03-20</a></h2>
 <ul class="simple">
-<li>Forward port OpenID Connect fixes from 15.0 to 16.0</li>
+<li>Odoo 17 migration</li>
 </ul>
 </div>
 <div class="section" id="section-3">
-<h2><a class="toc-backref" href="#toc-entry-10">16.0.1.0.2 2023-11-16</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-10">16.0.1.1.0 2024-02-28</a></h2>
 <ul class="simple">
-<li>Readme link updates</li>
+<li>Forward port OpenID Connect fixes from 15.0 to 16.0</li>
 </ul>
 </div>
 <div class="section" id="section-4">
-<h2><a class="toc-backref" href="#toc-entry-11">16.0.1.0.1 2023-10-09</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-11">16.0.1.0.2 2023-11-16</a></h2>
 <ul class="simple">
-<li>Add AzureAD code flow provider</li>
+<li>Readme link updates</li>
 </ul>
 </div>
 <div class="section" id="section-5">
-<h2><a class="toc-backref" href="#toc-entry-12">16.0.1.0.0 2023-01-27</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-12">16.0.1.0.1 2023-10-09</a></h2>
 <ul class="simple">
-<li>Odoo 16 migration</li>
+<li>Add AzureAD code flow provider</li>
 </ul>
 </div>
 <div class="section" id="section-6">
-<h2><a class="toc-backref" href="#toc-entry-13">15.0.1.0.0 2023-01-06</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-13">16.0.1.0.0 2023-01-27</a></h2>
 <ul class="simple">
-<li>Odoo 15 migration</li>
+<li>Odoo 16 migration</li>
 </ul>
 </div>
 <div class="section" id="section-7">
-<h2><a class="toc-backref" href="#toc-entry-14">14.0.1.0.0 2021-12-10</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-14">15.0.1.0.0 2023-01-06</a></h2>
 <ul class="simple">
-<li>Odoo 14 migration</li>
+<li>Odoo 15 migration</li>
 </ul>
 </div>
 <div class="section" id="section-8">
-<h2><a class="toc-backref" href="#toc-entry-15">13.0.1.0.0 2020-04-10</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-15">14.0.1.0.0 2021-12-10</a></h2>
 <ul class="simple">
-<li>Odoo 13 migration, add authorization code flow.</li>
+<li>Odoo 14 migration</li>
 </ul>
 </div>
 <div class="section" id="section-9">
-<h2><a class="toc-backref" href="#toc-entry-16">10.0.1.0.0 2018-10-05</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-16">13.0.1.0.0 2020-04-10</a></h2>
+<ul class="simple">
+<li>Odoo 13 migration, add authorization code flow.</li>
+</ul>
+</div>
+<div class="section" id="section-10">
+<h2><a class="toc-backref" href="#toc-entry-17">10.0.1.0.0 2018-10-05</a></h2>
 <ul class="simple">
 <li>Initial implementation</li>
 </ul>
 </div>
 </div>
 <div class="section" id="bug-tracker">
-<h1><a class="toc-backref" href="#toc-entry-17">Bug Tracker</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-18">Bug Tracker</a></h1>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
-<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2017.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
-<h1><a class="toc-backref" href="#toc-entry-18">Credits</a></h1>
+<h1><a class="toc-backref" href="#toc-entry-19">Credits</a></h1>
 <div class="section" id="authors">
-<h2><a class="toc-backref" href="#toc-entry-19">Authors</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-20">Authors</a></h2>
 <ul class="simple">
 <li>ICTSTUDIO</li>
 <li>André Schenkels</li>
@@ -571,7 +578,7 @@ <h2><a class="toc-backref" href="#toc-entry-19">Authors</a></h2>
 </ul>
 </div>
 <div class="section" id="contributors">
-<h2><a class="toc-backref" href="#toc-entry-20">Contributors</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-21">Contributors</a></h2>
 <ul class="simple">
 <li>Alexandre Fayolle &lt;<a class="reference external" href="mailto:alexandre.fayolle&#64;camptocamp.com">alexandre.fayolle&#64;camptocamp.com</a>&gt;</li>
 <li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
@@ -580,7 +587,7 @@ <h2><a class="toc-backref" href="#toc-entry-20">Contributors</a></h2>
 </ul>
 </div>
 <div class="section" id="maintainers">
-<h2><a class="toc-backref" href="#toc-entry-21">Maintainers</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-22">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
 <a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose
@@ -588,7 +595,7 @@ <h2><a class="toc-backref" href="#toc-entry-21">Maintainers</a></h2>
 promote its widespread use.</p>
 <p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
 <p><a class="reference external image-reference" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
-<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/17.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/18.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
 <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
 </div>
 </div>
diff --git a/auth_oidc/tests/test_auth_oidc_auth_code.py b/auth_oidc/tests/test_auth_oidc_auth_code.py
index a1a08b0a71..a833407ad4 100644
--- a/auth_oidc/tests/test_auth_oidc_auth_code.py
+++ b/auth_oidc/tests/test_auth_oidc_auth_code.py
@@ -3,6 +3,7 @@
 
 import contextlib
 import json
+import logging
 from urllib.parse import parse_qs, urlparse
 
 import responses
@@ -20,7 +21,7 @@
 
 from ..controllers.main import OpenIDLogin
 
-BASE_URL = "http://localhost:%s" % odoo.tools.config["http_port"]
+BASE_URL = f"http://localhost:{odoo.tools.config['http_port']}"
 
 
 @contextlib.contextmanager
@@ -241,12 +242,22 @@ def test_login_without_any_key(self):
             keys=[],
         )
 
-        with self.assertRaises(AccessDenied):
-            with MockRequest(self.env):
-                self.env["res.users"].auth_oauth(
-                    self.provider_rec.id,
-                    {"state": json.dumps({})},
-                )
+        with (
+            self.assertRaises(AccessDenied),
+            MockRequest(self.env),
+            self.assertLogs(level=logging.ERROR) as logs,
+        ):
+            self.env["res.users"].auth_oauth(
+                self.provider_rec.id,
+                {"state": json.dumps({})},
+            )
+        self.assertEqual(len(logs.records), 1)
+        self.assertEqual(logs.records[0].levelno, logging.ERROR)
+        self.assertEqual(
+            "ERROR:odoo.addons.auth_oidc.models.res_users:user_id claim not found in"
+            " id_token (after mapping).",
+            logs.output[0],
+        )
 
     @responses.activate
     def test_login_with_multiple_keys_in_jwks(self):

From e26e9bb8722bb1ca6863712d00e40844a894c8dd Mon Sep 17 00:00:00 2001
From: oca-ci <oca-ci@odoo-community.org>
Date: Wed, 23 Oct 2024 13:14:34 +0000
Subject: [PATCH 40/46] [UPD] Update auth_oidc.pot

---
 auth_oidc/i18n/auth_oidc.pot | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth_oidc/i18n/auth_oidc.pot b/auth_oidc/i18n/auth_oidc.pot
index 630ac018ee..d5aa8dd5a8 100644
--- a/auth_oidc/i18n/auth_oidc.pot
+++ b/auth_oidc/i18n/auth_oidc.pot
@@ -4,7 +4,7 @@
 #
 msgid ""
 msgstr ""
-"Project-Id-Version: Odoo Server 17.0\n"
+"Project-Id-Version: Odoo Server 18.0\n"
 "Report-Msgid-Bugs-To: \n"
 "Last-Translator: \n"
 "Language-Team: \n"

From 926a5d32b83e202547d2ba2f03a3f56b8ddd1b9e Mon Sep 17 00:00:00 2001
From: OCA-git-bot <oca-git-bot@odoo-community.org>
Date: Wed, 23 Oct 2024 13:16:41 +0000
Subject: [PATCH 41/46] [BOT] post-merge updates

---
 auth_oidc/README.rst                    | 88 ++++++++++++-------------
 auth_oidc/static/description/index.html | 13 ++--
 2 files changed, 52 insertions(+), 49 deletions(-)

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
index de5411ac46..0f673d13c0 100644
--- a/auth_oidc/README.rst
+++ b/auth_oidc/README.rst
@@ -7,7 +7,7 @@ Authentication OpenID Connect
    !! This file is generated by oca-gen-addon-readme !!
    !! changes will be overwritten.                   !!
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-   !! source digest: sha256:e65c1c978ca0266a8e54f8121675cbf710359cf407413e35518f670be9c9753f
+   !! source digest: sha256:cd754fc72d2039d02ab1b8aec98af43fb9543c9a70f2150ab6e482954e4e83d6
    !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
@@ -75,18 +75,18 @@ Single tenant provider limits the access to user of your tenant, while
 Multitenants allow access for all AzureAD users, so user of foreign
 companies can use their AzureAD login without an guest account.
 
-- Provider Name: Azure AD Single Tenant
-- Client ID: Application (client) id
-- Client Secret: Client secret
-- Allowed: yes
+-  Provider Name: Azure AD Single Tenant
+-  Client ID: Application (client) id
+-  Client Secret: Client secret
+-  Allowed: yes
 
 or
 
-- Provider Name: Azure AD Multitenant
-- Client ID: Application (client) id
-- Client Secret: Client secret
-- Allowed: yes
-- replace {tenant_id} in urls with your Azure tenant id
+-  Provider Name: Azure AD Multitenant
+-  Client ID: Application (client) id
+-  Client Secret: Client secret
+-  Allowed: yes
+-  replace {tenant_id} in urls with your Azure tenant id
 
 |image2|
 
@@ -106,22 +106,22 @@ In Keycloak:
 
 In Odoo, create a new Oauth Provider with the following parameters:
 
-- Provider name: Keycloak (or any name you like that identify your
-  keycloak provider)
-- Auth Flow: OpenID Connect (authorization code flow)
-- Client ID: the same Client ID you entered when configuring the client
-  in Keycloak
-- Client Secret: found in keycloak on the client Credentials tab
-- Allowed: yes
-- Body: the link text to appear on the login page, such as Login with
-  Keycloak
-- Scope: openid email
-- Authentication URL: The "authorization_endpoint" URL found in the
-  OpenID Endpoint Configuration of your Keycloak realm
-- Token URL: The "token_endpoint" URL found in the OpenID Endpoint
-  Configuration of your Keycloak realm
-- JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
-  Configuration of your Keycloak realm
+-  Provider name: Keycloak (or any name you like that identify your
+   keycloak provider)
+-  Auth Flow: OpenID Connect (authorization code flow)
+-  Client ID: the same Client ID you entered when configuring the client
+   in Keycloak
+-  Client Secret: found in keycloak on the client Credentials tab
+-  Allowed: yes
+-  Body: the link text to appear on the login page, such as Login with
+   Keycloak
+-  Scope: openid email
+-  Authentication URL: The "authorization_endpoint" URL found in the
+   OpenID Endpoint Configuration of your Keycloak realm
+-  Token URL: The "token_endpoint" URL found in the OpenID Endpoint
+   Configuration of your Keycloak realm
+-  JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
+   Configuration of your Keycloak realm
 
 .. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
 .. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
@@ -135,10 +135,10 @@ On the login page, click on the authentication provider you configured.
 Known issues / Roadmap
 ======================
 
-- When going to the login screen, check for a existing token and do a
-  direct login without the clicking on the SSO link
-- When doing a logout an extra option to also logout at the SSO
-  provider.
+-  When going to the login screen, check for a existing token and do a
+   direct login without the clicking on the SSO link
+-  When doing a logout an extra option to also logout at the SSO
+   provider.
 
 Changelog
 =========
@@ -146,52 +146,52 @@ Changelog
 18.0.1.0.0 2024-10-09
 ---------------------
 
-- Odoo 18 migration
+-  Odoo 18 migration
 
 17.0.1.0.0 2024-03-20
 ---------------------
 
-- Odoo 17 migration
+-  Odoo 17 migration
 
 16.0.1.1.0 2024-02-28
 ---------------------
 
-- Forward port OpenID Connect fixes from 15.0 to 16.0
+-  Forward port OpenID Connect fixes from 15.0 to 16.0
 
 16.0.1.0.2 2023-11-16
 ---------------------
 
-- Readme link updates
+-  Readme link updates
 
 16.0.1.0.1 2023-10-09
 ---------------------
 
-- Add AzureAD code flow provider
+-  Add AzureAD code flow provider
 
 16.0.1.0.0 2023-01-27
 ---------------------
 
-- Odoo 16 migration
+-  Odoo 16 migration
 
 15.0.1.0.0 2023-01-06
 ---------------------
 
-- Odoo 15 migration
+-  Odoo 15 migration
 
 14.0.1.0.0 2021-12-10
 ---------------------
 
-- Odoo 14 migration
+-  Odoo 14 migration
 
 13.0.1.0.0 2020-04-10
 ---------------------
 
-- Odoo 13 migration, add authorization code flow.
+-  Odoo 13 migration, add authorization code flow.
 
 10.0.1.0.0 2018-10-05
 ---------------------
 
-- Initial implementation
+-  Initial implementation
 
 Bug Tracker
 ===========
@@ -216,10 +216,10 @@ Authors
 Contributors
 ------------
 
-- Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
-- Stéphane Bidoul <stephane.bidoul@acsone.eu>
-- David Jaen <david.jaen.revert@gmail.com>
-- Andreas Perhab <andreas.perhab@wt-io-it.at>
+-  Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
+-  Stéphane Bidoul <stephane.bidoul@acsone.eu>
+-  David Jaen <david.jaen.revert@gmail.com>
+-  Andreas Perhab <andreas.perhab@wt-io-it.at>
 
 Maintainers
 -----------
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
index 7b4f908f30..8af7befc5e 100644
--- a/auth_oidc/static/description/index.html
+++ b/auth_oidc/static/description/index.html
@@ -8,10 +8,11 @@
 
 /*
 :Author: David Goodger (goodger@python.org)
-:Id: $Id: html4css1.css 8954 2022-01-20 10:10:25Z milde $
+:Id: $Id: html4css1.css 9511 2024-01-13 09:50:07Z milde $
 :Copyright: This stylesheet has been placed in the public domain.
 
 Default cascading style sheet for the HTML output of Docutils.
+Despite the name, some widely supported CSS2 features are used.
 
 See https://docutils.sourceforge.io/docs/howto/html-stylesheets.html for how to
 customize this style sheet.
@@ -274,7 +275,7 @@
   margin-left: 2em ;
   margin-right: 2em }
 
-pre.code .ln { color: grey; } /* line numbers */
+pre.code .ln { color: gray; } /* line numbers */
 pre.code, code { background-color: #eeeeee }
 pre.code .comment, code .comment { color: #5C6576 }
 pre.code .keyword, code .keyword { color: #3B0D06; font-weight: bold }
@@ -300,7 +301,7 @@
 span.pre {
   white-space: pre }
 
-span.problematic {
+span.problematic, pre.problematic {
   color: red }
 
 span.section-subtitle {
@@ -366,7 +367,7 @@ <h1 class="title">Authentication OpenID Connect</h1>
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
-!! source digest: sha256:e65c1c978ca0266a8e54f8121675cbf710359cf407413e35518f670be9c9753f
+!! source digest: sha256:cd754fc72d2039d02ab1b8aec98af43fb9543c9a70f2150ab6e482954e4e83d6
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
 <p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/18.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=18.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows users to login through an OpenID Connect provider
@@ -589,7 +590,9 @@ <h2><a class="toc-backref" href="#toc-entry-21">Contributors</a></h2>
 <div class="section" id="maintainers">
 <h2><a class="toc-backref" href="#toc-entry-22">Maintainers</a></h2>
 <p>This module is maintained by the OCA.</p>
-<a class="reference external image-reference" href="https://odoo-community.org"><img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" /></a>
+<a class="reference external image-reference" href="https://odoo-community.org">
+<img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" />
+</a>
 <p>OCA, or the Odoo Community Association, is a nonprofit organization whose
 mission is to support the collaborative development of Odoo features and
 promote its widespread use.</p>

From 7e519e2b341002476da54a77154f0aa525f6e229 Mon Sep 17 00:00:00 2001
From: Weblate <noreply@weblate.org>
Date: Wed, 23 Oct 2024 14:51:39 +0000
Subject: [PATCH 42/46] Update translation files

Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Translation: server-auth-18.0/server-auth-18.0-auth_oidc
Translate-URL: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_oidc/
---
 auth_oidc/i18n/it.po    | 6 +++---
 auth_oidc/i18n/zh_CN.po | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/auth_oidc/i18n/it.po b/auth_oidc/i18n/it.po
index e4f38a45a8..27ba50de2f 100644
--- a/auth_oidc/i18n/it.po
+++ b/auth_oidc/i18n/it.po
@@ -75,9 +75,9 @@ msgstr "Richiesto per OpenID Connect."
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
 msgid ""
-"Some Oauth providers don't map keys in their responses exactly as required."
-"  It is important to ensure user_id and email at least are mapped. For "
-"OpenID Connect user_id is the sub key in the standard."
+"Some Oauth providers don't map keys in their responses exactly as required.  "
+"It is important to ensure user_id and email at least are mapped. For OpenID "
+"Connect user_id is the sub key in the standard."
 msgstr ""
 "Alcuni Provider Oauth non mappano le chiavi nelle loro risposte esattamente "
 "come richiesto.   È importante assicurare che almeno user_id ed e-mail siano "
diff --git a/auth_oidc/i18n/zh_CN.po b/auth_oidc/i18n/zh_CN.po
index f4249bed9a..4914868566 100644
--- a/auth_oidc/i18n/zh_CN.po
+++ b/auth_oidc/i18n/zh_CN.po
@@ -75,9 +75,9 @@ msgstr "OpenID Connect 所需。"
 #. module: auth_oidc
 #: model:ir.model.fields,help:auth_oidc.field_auth_oauth_provider__token_map
 msgid ""
-"Some Oauth providers don't map keys in their responses exactly as required."
-"  It is important to ensure user_id and email at least are mapped. For "
-"OpenID Connect user_id is the sub key in the standard."
+"Some Oauth providers don't map keys in their responses exactly as required.  "
+"It is important to ensure user_id and email at least are mapped. For OpenID "
+"Connect user_id is the sub key in the standard."
 msgstr ""
 "一些 OAuth 提供者在其响应中并没有完全按照要求映射键。至少需要确保 user_id 和 "
 "email 被映射。对于 OpenID Connect，user_id 是标准中的 sub 键。"

From 2b661e3fee58cd1f07565037055cd66865039a7d Mon Sep 17 00:00:00 2001
From: IsabelAForgeFlow <isabel.andreu@forgeflow.com>
Date: Mon, 10 Mar 2025 15:40:45 +0100
Subject: [PATCH 43/46] [MIG] password_security: Migration to 18.0

---
 auth_oidc/tests/test_auth_oidc_auth_code.py | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/auth_oidc/tests/test_auth_oidc_auth_code.py b/auth_oidc/tests/test_auth_oidc_auth_code.py
index a833407ad4..27da38c779 100644
--- a/auth_oidc/tests/test_auth_oidc_auth_code.py
+++ b/auth_oidc/tests/test_auth_oidc_auth_code.py
@@ -242,15 +242,13 @@ def test_login_without_any_key(self):
             keys=[],
         )
 
-        with (
-            self.assertRaises(AccessDenied),
-            MockRequest(self.env),
-            self.assertLogs(level=logging.ERROR) as logs,
-        ):
-            self.env["res.users"].auth_oauth(
-                self.provider_rec.id,
-                {"state": json.dumps({})},
-            )
+        with self.assertRaises(AccessDenied):
+            with MockRequest(self.env):
+                with self.assertLogs(level=logging.ERROR) as logs:
+                    self.env["res.users"].auth_oauth(
+                        self.provider_rec.id,
+                        {"state": json.dumps({})},
+                    )
         self.assertEqual(len(logs.records), 1)
         self.assertEqual(logs.records[0].levelno, logging.ERROR)
         self.assertEqual(

From 0eb6a84609959d8320d87928608abb91285483b5 Mon Sep 17 00:00:00 2001
From: Filippo <filippolmt@gmail.com>
Date: Mon, 4 Aug 2025 15:56:43 +0200
Subject: [PATCH 44/46] Fix typo in Italian translation for "Log in with
 Microsoft"

---
 auth_oidc/i18n/it.po | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/auth_oidc/i18n/it.po b/auth_oidc/i18n/it.po
index 27ba50de2f..a853800279 100644
--- a/auth_oidc/i18n/it.po
+++ b/auth_oidc/i18n/it.po
@@ -40,7 +40,7 @@ msgstr "URL JWKS"
 #: model:auth.oauth.provider,body:auth_oidc.provider_azuread_multi
 #: model:auth.oauth.provider,body:auth_oidc.provider_azuread_single
 msgid "Log in with Microsoft"
-msgstr "Accedi con Mcrosoft"
+msgstr "Accedi con Microsoft"
 
 #. module: auth_oidc
 #: model:ir.model.fields.selection,name:auth_oidc.selection__auth_oauth_provider__flow__access_token

From dac94fd42e5b725e451a92f8499442dcd6f73c0f Mon Sep 17 00:00:00 2001
From: Andreas Perhab <andreas.perhab@wt-io-it.at>
Date: Wed, 1 Oct 2025 13:11:24 +0200
Subject: [PATCH 45/46] [IMP] auth_oidc: pre-commit auto fixes

---
 auth_oidc/README.rst                    | 110 ++++++++++++------------
 auth_oidc/__manifest__.py               |   4 +-
 auth_oidc/static/description/index.html |  68 ++++++++-------
 requirements.txt                        |   2 +
 4 files changed, 97 insertions(+), 87 deletions(-)
 create mode 100644 requirements.txt

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
index 0f673d13c0..ba90958edc 100644
--- a/auth_oidc/README.rst
+++ b/auth_oidc/README.rst
@@ -1,3 +1,7 @@
+.. image:: https://odoo-community.org/readme-banner-image
+   :target: https://odoo-community.org/get-involved?utm_source=readme
+   :alt: Odoo Community Association
+
 =============================
 Authentication OpenID Connect
 =============================
@@ -13,17 +17,17 @@ Authentication OpenID Connect
 .. |badge1| image:: https://img.shields.io/badge/maturity-Beta-yellow.png
     :target: https://odoo-community.org/page/development-status
     :alt: Beta
-.. |badge2| image:: https://img.shields.io/badge/licence-AGPL--3-blue.png
+.. |badge2| image:: https://img.shields.io/badge/license-AGPL--3-blue.png
     :target: http://www.gnu.org/licenses/agpl-3.0-standalone.html
     :alt: License: AGPL-3
 .. |badge3| image:: https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github
-    :target: https://github.com/OCA/server-auth/tree/18.0/auth_oidc
+    :target: https://github.com/OCA/server-auth/tree/19.0/auth_oidc
     :alt: OCA/server-auth
 .. |badge4| image:: https://img.shields.io/badge/weblate-Translate%20me-F47D42.png
-    :target: https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_oidc
+    :target: https://translation.odoo-community.org/projects/server-auth-19-0/server-auth-19-0-auth_oidc
     :alt: Translate me on Weblate
 .. |badge5| image:: https://img.shields.io/badge/runboat-Try%20me-875A7B.png
-    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=18.0
+    :target: https://runboat.odoo-community.org/builds?repo=OCA/server-auth&target_branch=19.0
     :alt: Try me on Runboat
 
 |badge1| |badge2| |badge3| |badge4| |badge5|
@@ -75,18 +79,18 @@ Single tenant provider limits the access to user of your tenant, while
 Multitenants allow access for all AzureAD users, so user of foreign
 companies can use their AzureAD login without an guest account.
 
--  Provider Name: Azure AD Single Tenant
--  Client ID: Application (client) id
--  Client Secret: Client secret
--  Allowed: yes
+- Provider Name: Azure AD Single Tenant
+- Client ID: Application (client) id
+- Client Secret: Client secret
+- Allowed: yes
 
 or
 
--  Provider Name: Azure AD Multitenant
--  Client ID: Application (client) id
--  Client Secret: Client secret
--  Allowed: yes
--  replace {tenant_id} in urls with your Azure tenant id
+- Provider Name: Azure AD Multitenant
+- Client ID: Application (client) id
+- Client Secret: Client secret
+- Allowed: yes
+- replace {tenant_id} in urls with your Azure tenant id
 
 |image2|
 
@@ -106,26 +110,26 @@ In Keycloak:
 
 In Odoo, create a new Oauth Provider with the following parameters:
 
--  Provider name: Keycloak (or any name you like that identify your
-   keycloak provider)
--  Auth Flow: OpenID Connect (authorization code flow)
--  Client ID: the same Client ID you entered when configuring the client
-   in Keycloak
--  Client Secret: found in keycloak on the client Credentials tab
--  Allowed: yes
--  Body: the link text to appear on the login page, such as Login with
-   Keycloak
--  Scope: openid email
--  Authentication URL: The "authorization_endpoint" URL found in the
-   OpenID Endpoint Configuration of your Keycloak realm
--  Token URL: The "token_endpoint" URL found in the OpenID Endpoint
-   Configuration of your Keycloak realm
--  JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
-   Configuration of your Keycloak realm
-
-.. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
-.. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
-.. |image2| image:: https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png
+- Provider name: Keycloak (or any name you like that identify your
+  keycloak provider)
+- Auth Flow: OpenID Connect (authorization code flow)
+- Client ID: the same Client ID you entered when configuring the client
+  in Keycloak
+- Client Secret: found in keycloak on the client Credentials tab
+- Allowed: yes
+- Body: the link text to appear on the login page, such as Login with
+  Keycloak
+- Scope: openid email
+- Authentication URL: The "authorization_endpoint" URL found in the
+  OpenID Endpoint Configuration of your Keycloak realm
+- Token URL: The "token_endpoint" URL found in the OpenID Endpoint
+  Configuration of your Keycloak realm
+- JWKS URL: The "jwks_uri" URL found in the OpenID Endpoint
+  Configuration of your Keycloak realm
+
+.. |image| image:: https://raw.githubusercontent.com/OCA/server-auth/19.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png
+.. |image1| image:: https://raw.githubusercontent.com/OCA/server-auth/19.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png
+.. |image2| image:: https://raw.githubusercontent.com/OCA/server-auth/19.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png
 
 Usage
 =====
@@ -135,10 +139,10 @@ On the login page, click on the authentication provider you configured.
 Known issues / Roadmap
 ======================
 
--  When going to the login screen, check for a existing token and do a
-   direct login without the clicking on the SSO link
--  When doing a logout an extra option to also logout at the SSO
-   provider.
+- When going to the login screen, check for a existing token and do a
+  direct login without the clicking on the SSO link
+- When doing a logout an extra option to also logout at the SSO
+  provider.
 
 Changelog
 =========
@@ -146,52 +150,52 @@ Changelog
 18.0.1.0.0 2024-10-09
 ---------------------
 
--  Odoo 18 migration
+- Odoo 18 migration
 
 17.0.1.0.0 2024-03-20
 ---------------------
 
--  Odoo 17 migration
+- Odoo 17 migration
 
 16.0.1.1.0 2024-02-28
 ---------------------
 
--  Forward port OpenID Connect fixes from 15.0 to 16.0
+- Forward port OpenID Connect fixes from 15.0 to 16.0
 
 16.0.1.0.2 2023-11-16
 ---------------------
 
--  Readme link updates
+- Readme link updates
 
 16.0.1.0.1 2023-10-09
 ---------------------
 
--  Add AzureAD code flow provider
+- Add AzureAD code flow provider
 
 16.0.1.0.0 2023-01-27
 ---------------------
 
--  Odoo 16 migration
+- Odoo 16 migration
 
 15.0.1.0.0 2023-01-06
 ---------------------
 
--  Odoo 15 migration
+- Odoo 15 migration
 
 14.0.1.0.0 2021-12-10
 ---------------------
 
--  Odoo 14 migration
+- Odoo 14 migration
 
 13.0.1.0.0 2020-04-10
 ---------------------
 
--  Odoo 13 migration, add authorization code flow.
+- Odoo 13 migration, add authorization code flow.
 
 10.0.1.0.0 2018-10-05
 ---------------------
 
--  Initial implementation
+- Initial implementation
 
 Bug Tracker
 ===========
@@ -199,7 +203,7 @@ Bug Tracker
 Bugs are tracked on `GitHub Issues <https://github.com/OCA/server-auth/issues>`_.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
-`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
+`feedback <https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2019.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**>`_.
 
 Do not contact contributors directly about support or help with technical issues.
 
@@ -216,10 +220,10 @@ Authors
 Contributors
 ------------
 
--  Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
--  Stéphane Bidoul <stephane.bidoul@acsone.eu>
--  David Jaen <david.jaen.revert@gmail.com>
--  Andreas Perhab <andreas.perhab@wt-io-it.at>
+- Alexandre Fayolle <alexandre.fayolle@camptocamp.com>
+- Stéphane Bidoul <stephane.bidoul@acsone.eu>
+- David Jaen <david.jaen.revert@gmail.com>
+- Andreas Perhab <andreas.perhab@wt-io-it.at>
 
 Maintainers
 -----------
@@ -242,6 +246,6 @@ Current `maintainer <https://odoo-community.org/page/maintainer-role>`__:
 
 |maintainer-sbidoul| 
 
-This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/18.0/auth_oidc>`_ project on GitHub.
+This module is part of the `OCA/server-auth <https://github.com/OCA/server-auth/tree/19.0/auth_oidc>`_ project on GitHub.
 
 You are welcome to contribute. To learn how please visit https://odoo-community.org/page/Contribute.
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index f6897d2f7b..707cc792df 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -7,9 +7,7 @@
     "version": "18.0.1.0.0",
     "license": "AGPL-3",
     "author": (
-        "ICTSTUDIO, André Schenkels, "
-        "ACSONE SA/NV, "
-        "Odoo Community Association (OCA)"
+        "ICTSTUDIO, André Schenkels, ACSONE SA/NV, Odoo Community Association (OCA)"
     ),
     "maintainers": ["sbidoul"],
     "website": "https://github.com/OCA/server-auth",
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
index 8af7befc5e..3fee687da0 100644
--- a/auth_oidc/static/description/index.html
+++ b/auth_oidc/static/description/index.html
@@ -3,7 +3,7 @@
 <head>
 <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
 <meta name="generator" content="Docutils: https://docutils.sourceforge.io/" />
-<title>Authentication OpenID Connect</title>
+<title>README.rst</title>
 <style type="text/css">
 
 /*
@@ -360,16 +360,21 @@
 </style>
 </head>
 <body>
-<div class="document" id="authentication-openid-connect">
-<h1 class="title">Authentication OpenID Connect</h1>
+<div class="document">
 
+
+<a class="reference external image-reference" href="https://odoo-community.org/get-involved?utm_source=readme">
+<img alt="Odoo Community Association" src="https://odoo-community.org/readme-banner-image" />
+</a>
+<div class="section" id="authentication-openid-connect">
+<h1>Authentication OpenID Connect</h1>
 <!-- !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! This file is generated by oca-gen-addon-readme !!
 !! changes will be overwritten.                   !!
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
 !! source digest: sha256:cd754fc72d2039d02ab1b8aec98af43fb9543c9a70f2150ab6e482954e4e83d6
 !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!! -->
-<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/licence-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/18.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-18-0/server-auth-18-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=18.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
+<p><a class="reference external image-reference" href="https://odoo-community.org/page/development-status"><img alt="Beta" src="https://img.shields.io/badge/maturity-Beta-yellow.png" /></a> <a class="reference external image-reference" href="http://www.gnu.org/licenses/agpl-3.0-standalone.html"><img alt="License: AGPL-3" src="https://img.shields.io/badge/license-AGPL--3-blue.png" /></a> <a class="reference external image-reference" href="https://github.com/OCA/server-auth/tree/19.0/auth_oidc"><img alt="OCA/server-auth" src="https://img.shields.io/badge/github-OCA%2Fserver--auth-lightgray.png?logo=github" /></a> <a class="reference external image-reference" href="https://translation.odoo-community.org/projects/server-auth-19-0/server-auth-19-0-auth_oidc"><img alt="Translate me on Weblate" src="https://img.shields.io/badge/weblate-Translate%20me-F47D42.png" /></a> <a class="reference external image-reference" href="https://runboat.odoo-community.org/builds?repo=OCA/server-auth&amp;target_branch=19.0"><img alt="Try me on Runboat" src="https://img.shields.io/badge/runboat-Try%20me-875A7B.png" /></a></p>
 <p>This module allows users to login through an OpenID Connect provider
 using the authorization code flow or implicit flow.</p>
 <p>Note the implicit flow is not recommended because it exposes access
@@ -408,15 +413,15 @@ <h1 class="title">Authentication OpenID Connect</h1>
 </ul>
 </div>
 <div class="section" id="installation">
-<h1><a class="toc-backref" href="#toc-entry-1">Installation</a></h1>
+<h2><a class="toc-backref" href="#toc-entry-1">Installation</a></h2>
 <p>This module depends on the
 <a class="reference external" href="https://pypi.org/project/python-jose/">python-jose</a> library, not to
 be confused with <tt class="docutils literal">jose</tt> which is also available on PyPI.</p>
 </div>
 <div class="section" id="configuration">
-<h1><a class="toc-backref" href="#toc-entry-2">Configuration</a></h1>
+<h2><a class="toc-backref" href="#toc-entry-2">Configuration</a></h2>
 <div class="section" id="setup-for-microsoft-azure">
-<h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h3>
 <p>Example configuration with OpenID Connect authorization code flow.</p>
 <ol class="arabic simple">
 <li>configure a new web application in Azure with OpenID and code flow
@@ -430,8 +435,8 @@ <h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2
 documentation</a>
 for more information):</li>
 </ol>
-<p><img alt="image" src="https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png" /></p>
-<p><img alt="image1" src="https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png" /></p>
+<p><img alt="image" src="https://raw.githubusercontent.com/OCA/server-auth/19.0/auth_oidc/static/description/oauth-microsoft_azure-api_permissions.png" /></p>
+<p><img alt="image1" src="https://raw.githubusercontent.com/OCA/server-auth/19.0/auth_oidc/static/description/oauth-microsoft_azure-optional_claims.png" /></p>
 <p>Single tenant provider limits the access to user of your tenant, while
 Multitenants allow access for all AzureAD users, so user of foreign
 companies can use their AzureAD login without an guest account.</p>
@@ -449,10 +454,10 @@ <h2><a class="toc-backref" href="#toc-entry-3">Setup for Microsoft Azure</a></h2
 <li>Allowed: yes</li>
 <li>replace {tenant_id} in urls with your Azure tenant id</li>
 </ul>
-<p><img alt="image2" src="https://raw.githubusercontent.com/OCA/server-auth/18.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png" /></p>
+<p><img alt="image2" src="https://raw.githubusercontent.com/OCA/server-auth/19.0/auth_oidc/static/description/odoo-azure_ad_multitenant.png" /></p>
 </div>
 <div class="section" id="setup-for-keycloak">
-<h2><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h3>
 <p>Example configuration with OpenID Connect authorization code flow.</p>
 <p>In Keycloak:</p>
 <ol class="arabic simple">
@@ -485,11 +490,11 @@ <h2><a class="toc-backref" href="#toc-entry-4">Setup for Keycloak</a></h2>
 </div>
 </div>
 <div class="section" id="usage">
-<h1><a class="toc-backref" href="#toc-entry-5">Usage</a></h1>
+<h2><a class="toc-backref" href="#toc-entry-5">Usage</a></h2>
 <p>On the login page, click on the authentication provider you configured.</p>
 </div>
 <div class="section" id="known-issues-roadmap">
-<h1><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h1>
+<h2><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h2>
 <ul class="simple">
 <li>When going to the login screen, check for a existing token and do a
 direct login without the clicking on the SSO link</li>
@@ -498,80 +503,80 @@ <h1><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h1>
 </ul>
 </div>
 <div class="section" id="changelog">
-<h1><a class="toc-backref" href="#toc-entry-7">Changelog</a></h1>
+<h2><a class="toc-backref" href="#toc-entry-7">Changelog</a></h2>
 <div class="section" id="section-1">
-<h2><a class="toc-backref" href="#toc-entry-8">18.0.1.0.0 2024-10-09</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-8">18.0.1.0.0 2024-10-09</a></h3>
 <ul class="simple">
 <li>Odoo 18 migration</li>
 </ul>
 </div>
 <div class="section" id="section-2">
-<h2><a class="toc-backref" href="#toc-entry-9">17.0.1.0.0 2024-03-20</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-9">17.0.1.0.0 2024-03-20</a></h3>
 <ul class="simple">
 <li>Odoo 17 migration</li>
 </ul>
 </div>
 <div class="section" id="section-3">
-<h2><a class="toc-backref" href="#toc-entry-10">16.0.1.1.0 2024-02-28</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-10">16.0.1.1.0 2024-02-28</a></h3>
 <ul class="simple">
 <li>Forward port OpenID Connect fixes from 15.0 to 16.0</li>
 </ul>
 </div>
 <div class="section" id="section-4">
-<h2><a class="toc-backref" href="#toc-entry-11">16.0.1.0.2 2023-11-16</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-11">16.0.1.0.2 2023-11-16</a></h3>
 <ul class="simple">
 <li>Readme link updates</li>
 </ul>
 </div>
 <div class="section" id="section-5">
-<h2><a class="toc-backref" href="#toc-entry-12">16.0.1.0.1 2023-10-09</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-12">16.0.1.0.1 2023-10-09</a></h3>
 <ul class="simple">
 <li>Add AzureAD code flow provider</li>
 </ul>
 </div>
 <div class="section" id="section-6">
-<h2><a class="toc-backref" href="#toc-entry-13">16.0.1.0.0 2023-01-27</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-13">16.0.1.0.0 2023-01-27</a></h3>
 <ul class="simple">
 <li>Odoo 16 migration</li>
 </ul>
 </div>
 <div class="section" id="section-7">
-<h2><a class="toc-backref" href="#toc-entry-14">15.0.1.0.0 2023-01-06</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-14">15.0.1.0.0 2023-01-06</a></h3>
 <ul class="simple">
 <li>Odoo 15 migration</li>
 </ul>
 </div>
 <div class="section" id="section-8">
-<h2><a class="toc-backref" href="#toc-entry-15">14.0.1.0.0 2021-12-10</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-15">14.0.1.0.0 2021-12-10</a></h3>
 <ul class="simple">
 <li>Odoo 14 migration</li>
 </ul>
 </div>
 <div class="section" id="section-9">
-<h2><a class="toc-backref" href="#toc-entry-16">13.0.1.0.0 2020-04-10</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-16">13.0.1.0.0 2020-04-10</a></h3>
 <ul class="simple">
 <li>Odoo 13 migration, add authorization code flow.</li>
 </ul>
 </div>
 <div class="section" id="section-10">
-<h2><a class="toc-backref" href="#toc-entry-17">10.0.1.0.0 2018-10-05</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-17">10.0.1.0.0 2018-10-05</a></h3>
 <ul class="simple">
 <li>Initial implementation</li>
 </ul>
 </div>
 </div>
 <div class="section" id="bug-tracker">
-<h1><a class="toc-backref" href="#toc-entry-18">Bug Tracker</a></h1>
+<h2><a class="toc-backref" href="#toc-entry-18">Bug Tracker</a></h2>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
-<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2018.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
+<a class="reference external" href="https://github.com/OCA/server-auth/issues/new?body=module:%20auth_oidc%0Aversion:%2019.0%0A%0A**Steps%20to%20reproduce**%0A-%20...%0A%0A**Current%20behavior**%0A%0A**Expected%20behavior**">feedback</a>.</p>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
-<h1><a class="toc-backref" href="#toc-entry-19">Credits</a></h1>
+<h2><a class="toc-backref" href="#toc-entry-19">Credits</a></h2>
 <div class="section" id="authors">
-<h2><a class="toc-backref" href="#toc-entry-20">Authors</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-20">Authors</a></h3>
 <ul class="simple">
 <li>ICTSTUDIO</li>
 <li>André Schenkels</li>
@@ -579,7 +584,7 @@ <h2><a class="toc-backref" href="#toc-entry-20">Authors</a></h2>
 </ul>
 </div>
 <div class="section" id="contributors">
-<h2><a class="toc-backref" href="#toc-entry-21">Contributors</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-21">Contributors</a></h3>
 <ul class="simple">
 <li>Alexandre Fayolle &lt;<a class="reference external" href="mailto:alexandre.fayolle&#64;camptocamp.com">alexandre.fayolle&#64;camptocamp.com</a>&gt;</li>
 <li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
@@ -588,7 +593,7 @@ <h2><a class="toc-backref" href="#toc-entry-21">Contributors</a></h2>
 </ul>
 </div>
 <div class="section" id="maintainers">
-<h2><a class="toc-backref" href="#toc-entry-22">Maintainers</a></h2>
+<h3><a class="toc-backref" href="#toc-entry-22">Maintainers</a></h3>
 <p>This module is maintained by the OCA.</p>
 <a class="reference external image-reference" href="https://odoo-community.org">
 <img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" />
@@ -598,10 +603,11 @@ <h2><a class="toc-backref" href="#toc-entry-22">Maintainers</a></h2>
 promote its widespread use.</p>
 <p>Current <a class="reference external" href="https://odoo-community.org/page/maintainer-role">maintainer</a>:</p>
 <p><a class="reference external image-reference" href="https://github.com/sbidoul"><img alt="sbidoul" src="https://github.com/sbidoul.png?size=40px" /></a></p>
-<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/18.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
+<p>This module is part of the <a class="reference external" href="https://github.com/OCA/server-auth/tree/19.0/auth_oidc">OCA/server-auth</a> project on GitHub.</p>
 <p>You are welcome to contribute. To learn how please visit <a class="reference external" href="https://odoo-community.org/page/Contribute">https://odoo-community.org/page/Contribute</a>.</p>
 </div>
 </div>
 </div>
+</div>
 </body>
 </html>
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000000..13c8fbb434
--- /dev/null
+++ b/requirements.txt
@@ -0,0 +1,2 @@
+# generated from manifests external_dependencies
+python-jose

From 554b50d864d7b684d3053a25b2e21a80c5e96acd Mon Sep 17 00:00:00 2001
From: Andreas Perhab <andreas.perhab@wt-io-it.at>
Date: Wed, 1 Oct 2025 13:19:28 +0200
Subject: [PATCH 46/46] [MIG] auth_oidc: Migration to 19.0

---
 auth_oidc/README.rst                        |  5 ++
 auth_oidc/__manifest__.py                   |  2 +-
 auth_oidc/demo/local_keycloak.xml           |  2 +-
 auth_oidc/readme/HISTORY.md                 |  4 +
 auth_oidc/static/description/index.html     | 85 +++++++++++----------
 auth_oidc/tests/test_auth_oidc_auth_code.py | 25 ++++--
 test-requirements.txt                       |  1 +
 7 files changed, 78 insertions(+), 46 deletions(-)
 create mode 100644 test-requirements.txt

diff --git a/auth_oidc/README.rst b/auth_oidc/README.rst
index ba90958edc..c042a56932 100644
--- a/auth_oidc/README.rst
+++ b/auth_oidc/README.rst
@@ -147,6 +147,11 @@ Known issues / Roadmap
 Changelog
 =========
 
+19.0.1.0.0 2025-10-01
+---------------------
+
+- Odoo 19 migration
+
 18.0.1.0.0 2024-10-09
 ---------------------
 
diff --git a/auth_oidc/__manifest__.py b/auth_oidc/__manifest__.py
index 707cc792df..0671c99136 100644
--- a/auth_oidc/__manifest__.py
+++ b/auth_oidc/__manifest__.py
@@ -4,7 +4,7 @@
 
 {
     "name": "Authentication OpenID Connect",
-    "version": "18.0.1.0.0",
+    "version": "19.0.1.0.0",
     "license": "AGPL-3",
     "author": (
         "ICTSTUDIO, André Schenkels, ACSONE SA/NV, Odoo Community Association (OCA)"
diff --git a/auth_oidc/demo/local_keycloak.xml b/auth_oidc/demo/local_keycloak.xml
index 919754db99..fe1ebe1ba8 100644
--- a/auth_oidc/demo/local_keycloak.xml
+++ b/auth_oidc/demo/local_keycloak.xml
@@ -2,7 +2,7 @@
     <record id="local_keycloak" model="auth.oauth.provider">
         <field name="name">keycloak:8080 on localhost</field>
         <field name="flow">id_token_code</field>
-        <field name="client_id">auth_oidc-test</field>
+        <field name="client_id">auth_oidc-keycloak</field>
         <field name="token_map">preferred_username:user_id</field>
         <field name="body">keycloak:8080 on localhost</field>
         <field name="enabled" eval="True" />
diff --git a/auth_oidc/readme/HISTORY.md b/auth_oidc/readme/HISTORY.md
index 48ad92f7f1..cff42d2e3c 100644
--- a/auth_oidc/readme/HISTORY.md
+++ b/auth_oidc/readme/HISTORY.md
@@ -1,3 +1,7 @@
+## 19.0.1.0.0 2025-10-01
+
+- Odoo 19 migration
+
 ## 18.0.1.0.0 2024-10-09
 
 - Odoo 18 migration
diff --git a/auth_oidc/static/description/index.html b/auth_oidc/static/description/index.html
index 3fee687da0..f1550a6839 100644
--- a/auth_oidc/static/description/index.html
+++ b/auth_oidc/static/description/index.html
@@ -391,23 +391,24 @@ <h1>Authentication OpenID Connect</h1>
 <li><a class="reference internal" href="#usage" id="toc-entry-5">Usage</a></li>
 <li><a class="reference internal" href="#known-issues-roadmap" id="toc-entry-6">Known issues / Roadmap</a></li>
 <li><a class="reference internal" href="#changelog" id="toc-entry-7">Changelog</a><ul>
-<li><a class="reference internal" href="#section-1" id="toc-entry-8">18.0.1.0.0 2024-10-09</a></li>
-<li><a class="reference internal" href="#section-2" id="toc-entry-9">17.0.1.0.0 2024-03-20</a></li>
-<li><a class="reference internal" href="#section-3" id="toc-entry-10">16.0.1.1.0 2024-02-28</a></li>
-<li><a class="reference internal" href="#section-4" id="toc-entry-11">16.0.1.0.2 2023-11-16</a></li>
-<li><a class="reference internal" href="#section-5" id="toc-entry-12">16.0.1.0.1 2023-10-09</a></li>
-<li><a class="reference internal" href="#section-6" id="toc-entry-13">16.0.1.0.0 2023-01-27</a></li>
-<li><a class="reference internal" href="#section-7" id="toc-entry-14">15.0.1.0.0 2023-01-06</a></li>
-<li><a class="reference internal" href="#section-8" id="toc-entry-15">14.0.1.0.0 2021-12-10</a></li>
-<li><a class="reference internal" href="#section-9" id="toc-entry-16">13.0.1.0.0 2020-04-10</a></li>
-<li><a class="reference internal" href="#section-10" id="toc-entry-17">10.0.1.0.0 2018-10-05</a></li>
+<li><a class="reference internal" href="#section-1" id="toc-entry-8">19.0.1.0.0 2025-10-01</a></li>
+<li><a class="reference internal" href="#section-2" id="toc-entry-9">18.0.1.0.0 2024-10-09</a></li>
+<li><a class="reference internal" href="#section-3" id="toc-entry-10">17.0.1.0.0 2024-03-20</a></li>
+<li><a class="reference internal" href="#section-4" id="toc-entry-11">16.0.1.1.0 2024-02-28</a></li>
+<li><a class="reference internal" href="#section-5" id="toc-entry-12">16.0.1.0.2 2023-11-16</a></li>
+<li><a class="reference internal" href="#section-6" id="toc-entry-13">16.0.1.0.1 2023-10-09</a></li>
+<li><a class="reference internal" href="#section-7" id="toc-entry-14">16.0.1.0.0 2023-01-27</a></li>
+<li><a class="reference internal" href="#section-8" id="toc-entry-15">15.0.1.0.0 2023-01-06</a></li>
+<li><a class="reference internal" href="#section-9" id="toc-entry-16">14.0.1.0.0 2021-12-10</a></li>
+<li><a class="reference internal" href="#section-10" id="toc-entry-17">13.0.1.0.0 2020-04-10</a></li>
+<li><a class="reference internal" href="#section-11" id="toc-entry-18">10.0.1.0.0 2018-10-05</a></li>
 </ul>
 </li>
-<li><a class="reference internal" href="#bug-tracker" id="toc-entry-18">Bug Tracker</a></li>
-<li><a class="reference internal" href="#credits" id="toc-entry-19">Credits</a><ul>
-<li><a class="reference internal" href="#authors" id="toc-entry-20">Authors</a></li>
-<li><a class="reference internal" href="#contributors" id="toc-entry-21">Contributors</a></li>
-<li><a class="reference internal" href="#maintainers" id="toc-entry-22">Maintainers</a></li>
+<li><a class="reference internal" href="#bug-tracker" id="toc-entry-19">Bug Tracker</a></li>
+<li><a class="reference internal" href="#credits" id="toc-entry-20">Credits</a><ul>
+<li><a class="reference internal" href="#authors" id="toc-entry-21">Authors</a></li>
+<li><a class="reference internal" href="#contributors" id="toc-entry-22">Contributors</a></li>
+<li><a class="reference internal" href="#maintainers" id="toc-entry-23">Maintainers</a></li>
 </ul>
 </li>
 </ul>
@@ -505,68 +506,74 @@ <h2><a class="toc-backref" href="#toc-entry-6">Known issues / Roadmap</a></h2>
 <div class="section" id="changelog">
 <h2><a class="toc-backref" href="#toc-entry-7">Changelog</a></h2>
 <div class="section" id="section-1">
-<h3><a class="toc-backref" href="#toc-entry-8">18.0.1.0.0 2024-10-09</a></h3>
+<h3><a class="toc-backref" href="#toc-entry-8">19.0.1.0.0 2025-10-01</a></h3>
 <ul class="simple">
-<li>Odoo 18 migration</li>
+<li>Odoo 19 migration</li>
 </ul>
 </div>
 <div class="section" id="section-2">
-<h3><a class="toc-backref" href="#toc-entry-9">17.0.1.0.0 2024-03-20</a></h3>
+<h3><a class="toc-backref" href="#toc-entry-9">18.0.1.0.0 2024-10-09</a></h3>
 <ul class="simple">
-<li>Odoo 17 migration</li>
+<li>Odoo 18 migration</li>
 </ul>
 </div>
 <div class="section" id="section-3">
-<h3><a class="toc-backref" href="#toc-entry-10">16.0.1.1.0 2024-02-28</a></h3>
+<h3><a class="toc-backref" href="#toc-entry-10">17.0.1.0.0 2024-03-20</a></h3>
 <ul class="simple">
-<li>Forward port OpenID Connect fixes from 15.0 to 16.0</li>
+<li>Odoo 17 migration</li>
 </ul>
 </div>
 <div class="section" id="section-4">
-<h3><a class="toc-backref" href="#toc-entry-11">16.0.1.0.2 2023-11-16</a></h3>
+<h3><a class="toc-backref" href="#toc-entry-11">16.0.1.1.0 2024-02-28</a></h3>
 <ul class="simple">
-<li>Readme link updates</li>
+<li>Forward port OpenID Connect fixes from 15.0 to 16.0</li>
 </ul>
 </div>
 <div class="section" id="section-5">
-<h3><a class="toc-backref" href="#toc-entry-12">16.0.1.0.1 2023-10-09</a></h3>
+<h3><a class="toc-backref" href="#toc-entry-12">16.0.1.0.2 2023-11-16</a></h3>
 <ul class="simple">
-<li>Add AzureAD code flow provider</li>
+<li>Readme link updates</li>
 </ul>
 </div>
 <div class="section" id="section-6">
-<h3><a class="toc-backref" href="#toc-entry-13">16.0.1.0.0 2023-01-27</a></h3>
+<h3><a class="toc-backref" href="#toc-entry-13">16.0.1.0.1 2023-10-09</a></h3>
 <ul class="simple">
-<li>Odoo 16 migration</li>
+<li>Add AzureAD code flow provider</li>
 </ul>
 </div>
 <div class="section" id="section-7">
-<h3><a class="toc-backref" href="#toc-entry-14">15.0.1.0.0 2023-01-06</a></h3>
+<h3><a class="toc-backref" href="#toc-entry-14">16.0.1.0.0 2023-01-27</a></h3>
 <ul class="simple">
-<li>Odoo 15 migration</li>
+<li>Odoo 16 migration</li>
 </ul>
 </div>
 <div class="section" id="section-8">
-<h3><a class="toc-backref" href="#toc-entry-15">14.0.1.0.0 2021-12-10</a></h3>
+<h3><a class="toc-backref" href="#toc-entry-15">15.0.1.0.0 2023-01-06</a></h3>
 <ul class="simple">
-<li>Odoo 14 migration</li>
+<li>Odoo 15 migration</li>
 </ul>
 </div>
 <div class="section" id="section-9">
-<h3><a class="toc-backref" href="#toc-entry-16">13.0.1.0.0 2020-04-10</a></h3>
+<h3><a class="toc-backref" href="#toc-entry-16">14.0.1.0.0 2021-12-10</a></h3>
 <ul class="simple">
-<li>Odoo 13 migration, add authorization code flow.</li>
+<li>Odoo 14 migration</li>
 </ul>
 </div>
 <div class="section" id="section-10">
-<h3><a class="toc-backref" href="#toc-entry-17">10.0.1.0.0 2018-10-05</a></h3>
+<h3><a class="toc-backref" href="#toc-entry-17">13.0.1.0.0 2020-04-10</a></h3>
+<ul class="simple">
+<li>Odoo 13 migration, add authorization code flow.</li>
+</ul>
+</div>
+<div class="section" id="section-11">
+<h3><a class="toc-backref" href="#toc-entry-18">10.0.1.0.0 2018-10-05</a></h3>
 <ul class="simple">
 <li>Initial implementation</li>
 </ul>
 </div>
 </div>
 <div class="section" id="bug-tracker">
-<h2><a class="toc-backref" href="#toc-entry-18">Bug Tracker</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-19">Bug Tracker</a></h2>
 <p>Bugs are tracked on <a class="reference external" href="https://github.com/OCA/server-auth/issues">GitHub Issues</a>.
 In case of trouble, please check there if your issue has already been reported.
 If you spotted it first, help us to smash it by providing a detailed and welcomed
@@ -574,9 +581,9 @@ <h2><a class="toc-backref" href="#toc-entry-18">Bug Tracker</a></h2>
 <p>Do not contact contributors directly about support or help with technical issues.</p>
 </div>
 <div class="section" id="credits">
-<h2><a class="toc-backref" href="#toc-entry-19">Credits</a></h2>
+<h2><a class="toc-backref" href="#toc-entry-20">Credits</a></h2>
 <div class="section" id="authors">
-<h3><a class="toc-backref" href="#toc-entry-20">Authors</a></h3>
+<h3><a class="toc-backref" href="#toc-entry-21">Authors</a></h3>
 <ul class="simple">
 <li>ICTSTUDIO</li>
 <li>André Schenkels</li>
@@ -584,7 +591,7 @@ <h3><a class="toc-backref" href="#toc-entry-20">Authors</a></h3>
 </ul>
 </div>
 <div class="section" id="contributors">
-<h3><a class="toc-backref" href="#toc-entry-21">Contributors</a></h3>
+<h3><a class="toc-backref" href="#toc-entry-22">Contributors</a></h3>
 <ul class="simple">
 <li>Alexandre Fayolle &lt;<a class="reference external" href="mailto:alexandre.fayolle&#64;camptocamp.com">alexandre.fayolle&#64;camptocamp.com</a>&gt;</li>
 <li>Stéphane Bidoul &lt;<a class="reference external" href="mailto:stephane.bidoul&#64;acsone.eu">stephane.bidoul&#64;acsone.eu</a>&gt;</li>
@@ -593,7 +600,7 @@ <h3><a class="toc-backref" href="#toc-entry-21">Contributors</a></h3>
 </ul>
 </div>
 <div class="section" id="maintainers">
-<h3><a class="toc-backref" href="#toc-entry-22">Maintainers</a></h3>
+<h3><a class="toc-backref" href="#toc-entry-23">Maintainers</a></h3>
 <p>This module is maintained by the OCA.</p>
 <a class="reference external image-reference" href="https://odoo-community.org">
 <img alt="Odoo Community Association" src="https://odoo-community.org/logo.png" />
diff --git a/auth_oidc/tests/test_auth_oidc_auth_code.py b/auth_oidc/tests/test_auth_oidc_auth_code.py
index 27da38c779..40d2170b5f 100644
--- a/auth_oidc/tests/test_auth_oidc_auth_code.py
+++ b/auth_oidc/tests/test_auth_oidc_auth_code.py
@@ -17,7 +17,7 @@
 from odoo.exceptions import AccessDenied
 from odoo.tests import common
 
-from odoo.addons.website.tools import MockRequest as _MockRequest
+from odoo.addons.http_routing.tests.common import MockRequest as _MockRequest
 
 from ..controllers.main import OpenIDLogin
 
@@ -70,9 +70,19 @@ def _generate_key():
 
     def setUp(self):
         super().setUp()
-        # search our test provider and bind the demo user to it
-        self.provider_rec = self.env["auth.oauth.provider"].search(
-            [("client_id", "=", "auth_oidc-test")]
+        # set up our test provider to bind the test user to it
+        self.provider_rec = self.env["auth.oauth.provider"].create(
+            {
+                "name": "OAuth Provider for TestAuthOIDCAuthorizationCodeFlow",
+                "client_id": "auth_oidc-test",
+                "enabled": True,
+                "body": "Config of an oauth provider for tests",
+                "scope": "openid email",
+                "flow": "id_token_code",
+                "auth_endpoint": "http://localhost:8080/auth/realms/master/protocol/openid-connect/auth",
+                "token_endpoint": "http://localhost:8080/auth/realms/master/protocol/openid-connect/token",
+                "jwks_uri": "http://localhost:8080/auth/realms/master/protocol/openid-connect/certs",
+            }
         )
         self.assertEqual(len(self.provider_rec), 1)
 
@@ -98,7 +108,12 @@ def test_auth_link(self):
             self.assertEqual(params["redirect_uri"], [BASE_URL + "/auth_oauth/signin"])
 
     def _prepare_login_test_user(self):
-        user = self.env.ref("base.user_demo")
+        user = self.env["res.users"].create(
+            {
+                "login": "auth_oidc_test_user",
+                "name": "Auth OIDC Test User",
+            }
+        )
         user.write({"oauth_provider_id": self.provider_rec.id, "oauth_uid": user.login})
         return user
 
diff --git a/test-requirements.txt b/test-requirements.txt
new file mode 100644
index 0000000000..2cb24f43db
--- /dev/null
+++ b/test-requirements.txt
@@ -0,0 +1 @@
+responses