We’re using the “oidc” PROXY_ROLE_ASSIGNMENT_DRIVER with a proxy.yaml for role mappings. Everything is working as expected, except we never seem to actually gain administrator privileges in oCIS despite the logs saying we’ve successfully joined the “admin” role:
Sep 09 06:29:57 ip-10-10-10-237 ocis[52449]: {"level":"debug","service":"proxy","request-id":"<redacted>","userid":"<redacted>","ocisRole":"admin","role id":"<redacted>","time":"2024-09-09T06:29:57Z","line":"/home/ubuntu/ocis/services/proxy/pkg/userroles/oidcroles.go:100","message":"first matching role"}
Sep 09 06:29:57 ip-10-10-10-237 ocis[52449]: {"level":"debug","service":"proxy","request-id":"<redacted>","userid":"<redacted>","assignedRoleIds":[<redacted>"],"time":"2024-09-09T06:29:57Z","line":"/home/ubuntu/ocis/services/proxy/pkg/userroles/oidcroles.go:120","message":"Currently assigned roles"}
Here’s our proxy.yaml:
role_assignment:
  driver: oidc
  oidc_role_mapper:
    role_claim: roles
    role_mapping:
      - role_name: admin
        claim_value: ocisAdmin
We can’t get to the Administrator app in the application switcher and under the user profile it says “Group memberships: You are not part of any group”.
If we try and log in with the original admin account using the internal IdP we have the same issue, so it seems like the built-in “admin” role is somehow missing permissions? Any idea how to fix this… reset the built-in roles or otherwise force permissions onto a role without being able to access the Administrator app in the web interface?
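A diagnostic sketch for the two proxy debug messages quoted in the post, added here as an example and not part of the original post or of oCIS: it pairs "first matching role" with "Currently assigned roles" per request-id and reports whether the matched role id is in the assigned list. The sample lines and ids are constructed, the status names are this example's own, and reading a match as "the mapping took effect" is an assumption about what the two messages mean.

```python
import json

# Constructed sample lines in the journald + JSON shape shown in the post; all ids are made up.
P = 'Sep 09 06:29:57 host ocis[1]: '
SAMPLE = [
    P + '{"service":"proxy","request-id":"req-1","userid":"u-1","ocisRole":"admin","role id":"role-aaa","message":"first matching role"}',
    P + '{"service":"proxy","request-id":"req-1","userid":"u-1","assignedRoleIds":["role-aaa"],"message":"Currently assigned roles"}',
    P + '{"service":"proxy","request-id":"req-2","userid":"u-2","ocisRole":"admin","role id":"role-aaa","message":"first matching role"}',
    P + '{"service":"proxy","request-id":"req-2","userid":"u-2","assignedRoleIds":["role-bbb"],"message":"Currently assigned roles"}',
    P + '{"service":"proxy","request-id":"req-3","userid":"u-3","ocisRole":"admin","role id":"role-aaa","message":"first matching role"}',
    # Hand-redacted line that is no longer valid JSON, like the second log line in the post.
    P + '{"service":"proxy","request-id":"req-3","userid":"u-3","assignedRoleIds":[<redacted>"],"message":"Currently assigned roles"}',
]

def parse_line(line):
    """Return the JSON payload after the journald prefix, or None if it does not parse."""
    start = line.find("{")
    if start < 0:
        return None
    try:
        return json.loads(line[start:])
    except json.JSONDecodeError:
        return None

def correlate(lines):
    """Return ({request-id: summary}, skipped_count) for the proxy role messages."""
    requests, skipped = {}, 0
    for line in lines:
        event = parse_line(line)
        if event is None:
            skipped += 1  # redacted or truncated line: count it instead of guessing
            continue
        if event.get("service") != "proxy":
            continue
        message = event.get("message")
        if message not in ("first matching role", "Currently assigned roles"):
            continue
        entry = requests.setdefault(event.get("request-id"), {"role": None, "role_id": None, "assigned": None})
        if message == "first matching role":
            entry["role"], entry["role_id"] = event.get("ocisRole"), event.get("role id")
        else:
            entry["assigned"] = event.get("assignedRoleIds") or []
    for entry in requests.values():
        if entry["role_id"] is None or entry["assigned"] is None:
            entry["status"] = "incomplete"  # one of the two messages is missing
        else:
            entry["status"] = "assigned" if entry["role_id"] in entry["assigned"] else "mismatch"
    return requests, skipped

if __name__ == "__main__":
    report, skipped = correlate(SAMPLE)
    for request_id, entry in report.items():
        print(request_id, entry)
    print("unparseable lines:", skipped)
```

A status of "assigned" on every request points away from the claim mapping and toward what the role itself grants; "mismatch" means the lines that follow in the log for that request are worth reading.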