[BUG] Roles of Nexus default user realm not being applied #26
Comments
While that might work (I would need to test it myself), the idea is to create an 'external role mapping' which connects a group/role that the user assumed in the identity provider with a Nexus equivalent. E.g., my operators have the administrator group in the IdP and I map it to a role in Nexus which includes nx-admin. Have you passed along group information via header? It is expected to be a comma-separated list. Make sure you created a new Nexus session after you directly assigned that original Nexus role. Might fix the issue. You can currently only log out by deleting cookies.
You are right. If you map the groups, the role is applied successfully. BTW, the group mapping is an optional parameter, so it should work without a group.
I can confirm, this functionality was lost at some point. I guess we lost it when moving from Nexus' local user db to own tables for the user objects. Before, it was a side-effect that roles from the default realm kept being applied and all we needed to make sure is to not remove them in the sync process. Now it is the other way around: During the group sync, we would need to look for role assignments from the default user management. Since the (idp) role mapping itself works, I guess this is not urgent and most users probably prefer that to manual local assignments anyway.
You mean it is or should be optional to pass group information in from the idp? I must admit, I have only paid attention to the case that it is available and as long as this bug persists it is kind of required to make the setup usable.
Of course, I also think that all the attention should be focused on making the plugin as stable as possible for the use cases it's designed for. However, it might be interesting to correct the documentation and indicate that group mapping is mandatory and not optional. I understand that efforts are directed where most people need them, but this change would avoid hours of testing.
Expected
I've set up the authentication with the plugin and Authentik as OAuth Proxy.
Everything is fine (except the logout button, but I've seen a PR about it), but role assignment is not working properly.
I've logged in via OAuth, given the 'nx-admin' role, but... it can't see anything.
But... it has no admin menu
Relevant Versions
Nexus version: 3.75.1-01
Plugin version: 3.2.0