netbox
OIDC Groups broken
NetBox version
v3.2.7
Python version
3.10
Steps to Reproduce
- Setup empty Netbox-Docker with extra.py to connect to oidc
"extra.py": """
REMOTE_AUTH_ENABLED=True
REMOTE_AUTH_AUTO_CREATE_USER=True
REMOTE_AUTH_BACKEND="social_core.backends.open_id_connect.OpenIdConnectAuth"
SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = '...'
SOCIAL_AUTH_OIDC_SCOPE = ['openid', 'profile', 'email']
SOCIAL_AUTH_OIDC_USERNAME_KEY = 'username'
SOCIAL_AUTH_OIDC_IGNORE_DEFAULT_SCOPE = True
SOCIAL_AUTH_OIDC_KEY = '...'
SOCIAL_AUTH_OIDC_SECRET = '...'
"""
- Try logging in and authorize at OIDC
- observe the TypeError
I also already tried creating all groups that are presented in the OIDC response, without any luck.
Expected Behavior
The User is able to login and have the correct groups assigned
Observed Behavior
<class 'TypeError'>
Direct assignment to the forward side of a many-to-many set is prohibited. Use groups.set() instead.
Python version: 3.10.4 NetBox version: 3.2.7
Thank you for opening a bug report. Unfortunately, the information you have provided is not sufficient for someone else to attempt to reproduce the reported behavior. Remember, each bug report must include detailed steps that someone else can follow on a clean, empty NetBox installation to reproduce the exact problem you're experiencing. These instructions should include the creation of any involved objects, any configuration changes, and complete accounting of the actions being taken. Also be sure that your report does not reference data on the public NetBox demo, as that is subject to change at any time by an outside party and cannot be relied upon for bug reports.
I updated the issue but don't really know how far I should go regarding the steps. I am using a plain Authentik installation and connected it to NetBox via OIDC.
@fionera - Please provide the full stack trace from the logs.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. NetBox is governed by a small group of core maintainers which means not all opened issues may receive direct feedback. Do not attempt to circumvent this process by "bumping" the issue; doing so will result in its immediate closure and you may be barred from participating in any future discussions. Please see our contributing guide.
Closing this as there's been no response to the request for a stack trace.
I have the same problem. I'm using authentik too. Netbox Version: 3.3.8 Python Version: 3.10.6
Here is the stacktrace:
```
Traceback (most recent call last):
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/core/handlers/exception.py", line 55, in inner
    response = get_response(request)
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/core/handlers/base.py", line 197, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/views/decorators/cache.py", line 62, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_django/utils.py", line 46, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_django/views.py", line 31, in complete
    return do_complete(request.backend, _do_login, user=request.user,
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/actions.py", line 45, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/oauth.py", line 401, in auth_complete
    return self.do_auth(response['access_token'], response=response,
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/utils.py", line 247, in wrapper
    return func(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/oauth.py", line 413, in do_auth
    return self.strategy.authenticate(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_django/strategy.py", line 105, in authenticate
    return authenticate(*args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/views/decorators/debug.py", line 42, in sensitive_variables_wrapper
    return func(*func_args, **func_kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/contrib/auth/__init__.py", line 77, in authenticate
    user = backend.authenticate(request, **credentials)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/base.py", line 80, in authenticate
    return self.pipeline(pipeline, *args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/base.py", line 83, in pipeline
    out = self.run_pipeline(pipeline, pipeline_index, *args, **kwargs)
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/backends/base.py", line 113, in run_pipeline
    result = func(*args, **out) or {}
  File "/opt/netbox/venv/lib/python3.10/site-packages/social_core/pipeline/user.py", line 119, in user_details
    setattr(user, name, value)
  File "/opt/netbox/venv/lib/python3.10/site-packages/django/db/models/fields/related_descriptors.py", line 595, in __set__
    raise TypeError(
TypeError: Direct assignment to the forward side of a many-to-many set is prohibited. Use groups.set() instead.
```
I have the same question
Hi, have you solved it yet?
Same problem here. It looks as if the groups property from the OIDC is empty and the Django social plugin tries to populate it in "social_core/pipeline/user.py", line 119. You can ensure that a groups scope is returned by your OIDC provider or, as a workaround, protect the groups field (no updates after login) by adding to your config: `SOCIAL_AUTH_PROTECTED_USER_FIELDS=["groups"]`
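
A pipeline step that applies the groups claim through `groups.set()`, as the error message asks. This is an added example, not code from NetBox, python-social-auth or any commenter in this thread; the module path `netbox_oidc_groups`, the function names and the allow-listed group names are assumptions. It leaves memberships untouched when the provider sends no groups claim and drops any asserted group that is not on the local allow-list.

```python
# Added example: hypothetical pipeline step, not NetBox or social-core code.
# Assumed settings (module path "netbox_oidc_groups" is made up):
#   SOCIAL_AUTH_PROTECTED_USER_FIELDS = ["groups"]  # workaround from the thread
#   SOCIAL_AUTH_PIPELINE = (..., "social_core.pipeline.user.user_details",
#                           "netbox_oidc_groups.sync_groups")

# Constructed allow-list: the only IdP group names that may map to local groups.
ALLOWED_GROUPS = frozenset({"netbox-readonly", "netbox-operators"})


def resolve_groups(response, allowed=ALLOWED_GROUPS, claim="groups"):
    """Return sorted allow-listed names, or None when the claim is absent."""
    raw = (response or {}).get(claim)
    if raw is None:
        return None          # provider sent no groups claim: change nothing
    if isinstance(raw, str):
        raw = [raw]          # some providers send a single string
    if not isinstance(raw, (list, tuple, set)):
        return None          # malformed claim: treat as absent
    asserted = {g.strip() for g in raw if isinstance(g, str)}
    return sorted(asserted & set(allowed))


def _django_lookup(names):
    # Imported lazily so the mapping logic can be exercised without Django.
    from django.contrib.auth.models import Group
    return list(Group.objects.filter(name__in=names))


def sync_groups(backend, user=None, response=None, *args,
                lookup=_django_lookup, **kwargs):
    """Pipeline step: replace memberships through the manager, not setattr()."""
    names = resolve_groups(response)
    if user is None or names is None:
        return {}
    user.groups.set(lookup(names))  # the call the TypeError message asks for
    return {"synced_groups": names}
```
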