Confushion changed the title from "[BUG] Something is wrong" to "[BUG] Assigned user roles cannot be unassigned" on Jan 23, 2025
Sorry for the late reply. I want to make sure I understood the problem correctly, so I will describe a scenario in my own words and you can confirm that this is what you meant:
1. You log in to the Nexus UI having groups (A, B, C) in the identity provider.
2. You've created an external role mapping in Nexus that maps group C to a Nexus role (let's call it 'IdP_C').
3. You navigate to the user menu in the admin section and see that your user (in the OAuth2Proxy source) has this group automatically assigned by the group sync of the plugin.
4. You remove the group C from your IdP user.
5. You open the Nexus UI again and expect the group assignment of 'IdP_C' to be gone.

As long as your old IdP session from before the group adjustment is alive, it probably also contains the group C; at least that's the case with my IdP. To actually see the effect I need to actively renew my IdP session (i.e. sign out) and then visit Nexus again. It's best if you also clear your Nexus (and OAuth2 Proxy) session to make sure there are no leftovers. Then you should see (at least my attempt to reproduce your issue confirmed that) that the assignment of group 'IdP_C' for your user is gone. The logs also show that with a line like: deleted role edcd6a74-3bdf-467a-bcad-8433a6102952 from user x.y.
Expected
When removing a role for a user in the IDP backend, it should also be removed from the Nexus user.
Actual
The Nexus user keeps the previously assigned role.
Relevant Versions
Nexus version: 3.76.0
Plugin version: 3.3.0
Additional information
My guess is that on login, the previously stored user-roles should be cleared from the database before adding the roles that are passed in the login-token.
Else there won't be any way to remove a role from a user (besides manually removing the role-record from the H2 database itself with h2-cli ...)
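The reconcile-on-login behaviour discussed in this thread, as an added example that is not the plugin's code: roles granted by group sync are revoked when the current token no longer carries the matching group, while manually assigned roles are left alone. The store, the source markers, the `local-admin` role and all function names are hypothetical; the groups A, B, C and the role 'IdP_C' follow the scenario above.

```python
from dataclasses import dataclass, field

IDP_SOURCE = "idp"      # hypothetical marker: role granted by group sync
LOCAL_SOURCE = "local"  # hypothetical marker: role assigned by an admin


@dataclass
class UserStore:
    """In-memory stand-in for the persisted user-role records."""
    roles: dict = field(default_factory=dict)  # user -> {role: source}

    def roles_of(self, user):
        return self.roles.setdefault(user, {})


def sync_roles_on_login(store, user, token_groups, role_mapping):
    """Make the user's IdP-derived roles equal to what this token grants.

    Returns (added, removed) so both changes can be logged.
    """
    # A missing or empty groups claim means "no groups", not "skip the sync":
    # skipping would leave every previously granted role in place.
    wanted = {role_mapping[g] for g in (token_groups or []) if g in role_mapping}
    current = store.roles_of(user)
    synced = {r for r, src in current.items() if src == IDP_SOURCE}

    removed = sorted(synced - wanted)        # stale IdP roles to revoke
    added = sorted(wanted - current.keys())  # newly granted IdP roles
    for role in removed:
        del current[role]
    for role in added:
        current[role] = IDP_SOURCE
    return added, removed


def demo():
    mapping = {"B": "IdP_B", "C": "IdP_C"}  # constructed external role mapping
    store = UserStore()
    store.roles_of("x.y")["local-admin"] = LOCAL_SOURCE  # constructed manual role
    first = sync_roles_on_login(store, "x.y", ["A", "B", "C"], mapping)
    second = sync_roles_on_login(store, "x.y", ["A", "B"], mapping)  # C removed in IdP
    third = sync_roles_on_login(store, "x.y", None, mapping)         # no groups claim
    return first, second, third, dict(store.roles_of("x.y"))


if __name__ == "__main__":
    print(demo())
```

The sync only sees what the token carries, so a session issued before the group change still grants the old role until it is renewed.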