OIDC Groups broken #6779

Closed
opened 2025-12-29 19:45:18 +01:00 by adam · 9 comments
Owner

Originally created by @fionera on GitHub (Aug 8, 2022).

NetBox version

v3.2.7

Python version

3.10

Steps to Reproduce

  1. Setup empty Netbox-Docker with extra.py to connect to oidc

     ```
     "extra.py": """
         REMOTE_AUTH_ENABLED=True
         REMOTE_AUTH_AUTO_CREATE_USER=True
         REMOTE_AUTH_BACKEND="social_core.backends.open_id_connect.OpenIdConnectAuth"
         SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = '...'
         SOCIAL_AUTH_OIDC_SCOPE = ['openid', 'profile', 'email']
         SOCIAL_AUTH_OIDC_USERNAME_KEY = 'username'
         SOCIAL_AUTH_OIDC_IGNORE_DEFAULT_SCOPE = True
         SOCIAL_AUTH_OIDC_KEY = '...'
         SOCIAL_AUTH_OIDC_SECRET = '...'
         """
     ```
  2. Try logging in and authorize at OIDC
  3. observe the TypeError

I also already tried creating all groups that are presented in the oidc response without any luck

Expected Behavior

The User is able to login and have the correct groups assigned

Observed Behavior

<class 'TypeError'>

Direct assignment to the forward side of a many-to-many set is prohibited. Use groups.set() instead.

Python version: 3.10.4
NetBox version: 3.2.7

adam added the type: bug label 2025-12-29 19:45:18 +01:00
adam closed this issue 2025-12-29 19:45:19 +01:00

@jeremystretch commented on GitHub (Aug 8, 2022):

Thank you for opening a bug report. Unfortunately, the information you have provided is not sufficient for someone else to attempt to reproduce the reported behavior. Remember, each bug report must include detailed steps that someone else can follow on a clean, empty NetBox installation to reproduce the exact problem you're experiencing. These instructions should include the creation of any involved objects, any configuration changes, and complete accounting of the actions being taken. Also be sure that your report does not reference data on the public NetBox demo, as that is subject to change at any time by an outside party and cannot be relied upon for bug reports.


@fionera commented on GitHub (Aug 10, 2022):

I updated the Issue but don't really know how far I should go regarding the steps. I am using a plain Authentik Installation and connected it to Netbox via OIDC.


@kkthxbye-code commented on GitHub (Sep 1, 2022):

@fionera - Please provide the full stack trace from the logs.


@github-actions[bot] commented on GitHub (Nov 1, 2022):

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our contributing guide.


@kkthxbye-code commented on GitHub (Nov 1, 2022):

Closing this as there's been no response to the request for a stack trace.


@lukasbableck commented on GitHub (Nov 30, 2022):

I have the same problem. I'm using authentik too.
Netbox Version: 3.3.8
Python Version: 3.10.6

Here is the stacktrace:

```
Internal Server Error: /oauth/complete/oidc/
Traceback (most recent call last):
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/views/decorators/cache.py", line 62, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_django/utils.py", line 46, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_django/views.py", line 31, in complete
    return do_complete(request.backend, _do_login, user=request.user,
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/actions.py", line 45, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/oauth.py", line 401, in auth_complete
    return self.do_auth(response['access_token'], response=response,
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/oauth.py", line 413, in do_auth
    return self.strategy.authenticate(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_django/strategy.py", line 105, in authenticate
    return authenticate(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/views/decorators/debug.py", line 42, in sensitive_variables_wrapper
    return func(*func_args, **func_kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/contrib/auth/__init__.py", line 77, in authenticate
    user = backend.authenticate(request, **credentials)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/base.py", line 80, in authenticate
    return self.pipeline(pipeline, *args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/base.py", line 83, in pipeline
    out = self.run_pipeline(pipeline, pipeline_index, *args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/base.py", line 113, in run_pipeline
    result = func(*args, **out) or {}
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/pipeline/user.py", line 119, in user_details
    setattr(user, name, value)
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/db/models/fields/related_descriptors.py", line 595, in __set__
    raise TypeError(
TypeError: Direct assignment to the forward side of a many-to-many set is prohibited. Use groups.set() instead.
```

@hanbinloop commented on GitHub (Feb 10, 2023):

I have the same question


@hanbinloop commented on GitHub (Feb 10, 2023):

> I have the same problem too. I am also using authentik. Netbox version: 3.3.8 Python version: 3.10.6
>
> Here is the stack trace:
>
> ```
> Traceback (most recent call last):
>   File "/opt/netbox/venv/lib/python3.10/site-packages/django/core/handlers/exception.py", line 55, in inner
>     response = get_response(request)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/django/core/handlers/base.py", line 197, in _get_response
>     response = wrapped_callback(request, *callback_args, **callback_kwargs)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/django/views/decorators/cache.py", line 62, in _wrapped_view_func
>     response = view_func(request, *args, **kwargs)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
>     return view_func(*args, **kwargs)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/social_django/utils.py", line 46, in wrapper
>     return func(request, backend, *args, **kwargs)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/social_django/views.py", line 31, in complete
>     return do_complete(request.backend, _do_login, user=request.user,
>   File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/actions.py", line 45, in do_complete
>     user = backend.complete(user=user, *args, **kwargs)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/base.py", line 40, in complete
>     return self.auth_complete(*args, **kwargs)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/utils.py", line 247, in wrapper
>     return func(*args, **kwargs)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/oauth.py", line 401, in auth_complete
>     return self.do_auth(response['access_token'], response=response,
>   File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/utils.py", line 247, in wrapper
>     return func(*args, **kwargs)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/oauth.py", line 413, in do_auth
>     return self.strategy.authenticate(*args, **kwargs)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/social_django/strategy.py", line 105, in authenticate
>     return authenticate(*args, **kwargs)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/django/views/decorators/debug.py", line 42, in sensitive_variables_wrapper
>     return func(*func_args, **func_kwargs)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/django/contrib/auth/__init__.py", line 77, in authenticate
>     user = backend.authenticate(request, **credentials)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/base.py", line 80, in authenticate
>     return self.pipeline(pipeline, *args, **kwargs)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/base.py", line 83, in pipeline
>     out = self.run_pipeline(pipeline, pipeline_index, *args, **kwargs)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/base.py", line 113, in run_pipeline
>     result = func(*args, **out) or {}
>   File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/pipeline/user.py", line 119, in user_details
>     setattr(user, name, value)
>   File "/opt/netbox/venv/lib/python3.10/site-packages/django/db/models/fields/related_descriptors.py", line 595, in __set__
>     raise TypeError(
> TypeError: Direct assignment to the forward side of a many-to-many set is prohibited. Use groups.set() instead.
> ```

Hi, have you solved it yet?

@JacoboDominguez commented on GitHub (Feb 27, 2023):

Same problem here, it looks as if the groups property from the oidc is empty and the django social plugin tries to populate it in "social_core/pipeline/user.py", line 119.
You can ensure that a groups scope is returned by your OIDC provider or, as a workaround, protect the groups (no updates after login) field by adding to your config:
SOCIAL_AUTH_PROTECTED_USER_FIELDS=["groups"]

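The failure in the traceback and the workaround from the comment above, modelled in plain Python as an added example (not NetBox or social-core code). `User`, `ManyToMany` and `user_details` are simplified stand-ins, and `sync_groups` with its `GROUP_MAP` allowlist and group names is hypothetical.

```python
# Stand-in classes (constructed for this example; no Django or social-core needed).

class GroupManager:
    """Stand-in for a related manager: membership changes only through set()."""
    def __init__(self):
        self.names = set()

    def set(self, names):
        self.names = set(names)


class ManyToMany:
    """Stand-in descriptor that rejects direct assignment, as in the traceback."""
    def __get__(self, obj, objtype=None):
        if obj is None:
            return self
        return obj.__dict__.setdefault("_groups", GroupManager())

    def __set__(self, obj, value):
        raise TypeError("Direct assignment to the forward side of a many-to-many "
                        "set is prohibited. Use groups.set() instead.")


class User:
    groups = ManyToMany()

    def __init__(self, username):
        self.username = username
        self.first_name = ""


def user_details(user, details, protected_user_fields=()):
    """Simplified model of the pipeline step that calls setattr(user, name, value)."""
    for name, value in details.items():
        if value is None or not hasattr(user, name) or name in protected_user_fields:
            continue
        setattr(user, name, value)  # raises TypeError for "groups" unless protected


def login_fails(details, protected_user_fields=()):
    """True when the modelled login aborts with the TypeError from the report."""
    try:
        user_details(User("demo"), details, protected_user_fields)
    except TypeError:
        return True
    return False


# Hypothetical allowlist: group name in the OIDC claim -> local group name.
GROUP_MAP = {"netbox-admins": "Admins", "netbox-readonly": "Read-only"}


def sync_groups(user, claims, group_map=GROUP_MAP):
    """Hypothetical extra step: apply only allowlisted groups, through set()."""
    claimed = claims.get("groups") or []
    if isinstance(claimed, str):  # tolerate a single string instead of a list
        claimed = [claimed]
    local = {group_map[g] for g in claimed if isinstance(g, str) and g in group_map}
    user.groups.set(local)  # unmapped or missing claims grant no membership
    return local
```

Because `sync_groups` calls `set()` on every login, a user whose claim no longer lists a mapped group loses that membership, which protecting the field alone does not do.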

Reference: starred/netbox#6779