Deployed acddd731 to development with MkDocs 1.6.1 and mike 2.1.3

github-actions
2026-03-01 08:25:29 +00:00
parent c56a93a6d7
commit dea02c58ed
7 changed files with 40 additions and 40 deletions


@@ -43,8 +43,8 @@
</span><span id=__span-7-3><a id=__codelineno-7-3 name=__codelineno-7-3 href=#__codelineno-7-3></a><span class=w> </span><span class=nt>client_id</span><span class=p>:</span><span class=w> </span><span class=s>&quot;headscale&quot;</span>
</span><span id=__span-7-4><a id=__codelineno-7-4 name=__codelineno-7-4 href=#__codelineno-7-4></a><span class=w> </span><span class=nt>client_secret</span><span class=p>:</span><span class=w> </span><span class=s>&quot;generated-secret&quot;</span>
</span><span id=__span-7-5><a id=__codelineno-7-5 name=__codelineno-7-5 href=#__codelineno-7-5></a><span class=hll><span class=w> </span><span class=nt>use_expiry_from_token</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
</span></span></code></pre></div> </div> </div> </div> <div class="admonition tip"> <p class=admonition-title>Expire a node and force re-authentication</p> <p>A node can be expired immediately via: <div class="language-console highlight"><pre><span></span><code><span id=__span-8-1><a id=__codelineno-8-1 name=__codelineno-8-1 href=#__codelineno-8-1></a><span class=go>headscale node expire -i &lt;NODE_ID&gt;</span>
</span></code></pre></div></p> </div> <h3 id=reference-a-user-in-the-policy>Reference a user in the policy<a class=headerlink href=#reference-a-user-in-the-policy title="Permanent link">&para;</a></h3> <p>You may refer to users in the Headscale policy via:</p> <ul> <li>Email address</li> <li>Username</li> <li>Provider identifier (this value is currently only available from the <a href=../api/ >API</a>, database or directly from your identity provider)</li> </ul> <div class="admonition note"> <p class=admonition-title>A user identifier in the policy must contain a single <code>@</code></p> <p>The Headscale policy requires a single <code>@</code> to reference a user. If the username or provider identifier doesn't already contain a single <code>@</code>, it needs to be appended at the end. For example: the username <code>ssmith</code> has to be written as <code>ssmith@</code> to be correctly identified as user within the policy.</p> </div> <div class="admonition warning"> <p class=admonition-title>Email address or username might be updated by users</p> <p>Many identity providers allow users to update their own profile. Depending on the identity provider and its configuration, the values for username or email address might change over time. This might have unexpected consequences for Headscale where a policy might no longer work or a user might obtain more access by hijacking an existing username or email address.</p> </div> <div class="admonition tip"> <p class=admonition-title>Howto use the provider identifier in the policy</p> <p>The provider identifier uniquely identifies an OIDC user and a well-behaving identity provider guarantees that this value never changes for a particular user. 
It is usually an opaque and long string and its value is currently only available from the <a href=../api/ >API</a>, database or directly from your identity provider).</p> <p>Use the <a href=../api/ >API</a> with the <code>/api/v1/user</code> endpoint to fetch the provider identifier (<code>providerId</code>). The value (be sure to append an <code>@</code> in case the provider identifier doesn't already contain an <code>@</code> somewhere) can be used directly to reference a user in the policy. To improve readability of the policy, one may use the <code>groups</code> section as an alias:</p> <div class="language-json highlight"><pre><span></span><code><span id=__span-9-1><a id=__codelineno-9-1 name=__codelineno-9-1 href=#__codelineno-9-1></a><span class=p>{</span>
</span></span></code></pre></div> </div> </div> </div> <div class="admonition tip"> <p class=admonition-title>Expire a node and force re-authentication</p> <p>A node can be expired immediately via:</p> <div class="language-console highlight"><pre><span></span><code><span id=__span-8-1><a id=__codelineno-8-1 name=__codelineno-8-1 href=#__codelineno-8-1></a><span class=go>headscale node expire -i &lt;NODE_ID&gt;</span>
</span></code></pre></div> </div> <h3 id=reference-a-user-in-the-policy>Reference a user in the policy<a class=headerlink href=#reference-a-user-in-the-policy title="Permanent link">&para;</a></h3> <p>You may refer to users in the Headscale policy via:</p> <ul> <li>Email address</li> <li>Username</li> <li>Provider identifier (this value is currently only available from the <a href=../api/ >API</a>, database or directly from your identity provider)</li> </ul> <div class="admonition note"> <p class=admonition-title>A user identifier in the policy must contain a single <code>@</code></p> <p>The Headscale policy requires a single <code>@</code> to reference a user. If the username or provider identifier doesn't already contain a single <code>@</code>, it needs to be appended at the end. For example: the username <code>ssmith</code> has to be written as <code>ssmith@</code> to be correctly identified as user within the policy.</p> </div> <div class="admonition warning"> <p class=admonition-title>Email address or username might be updated by users</p> <p>Many identity providers allow users to update their own profile. Depending on the identity provider and its configuration, the values for username or email address might change over time. This might have unexpected consequences for Headscale where a policy might no longer work or a user might obtain more access by hijacking an existing username or email address.</p> </div> <div class="admonition tip"> <p class=admonition-title>Howto use the provider identifier in the policy</p> <p>The provider identifier uniquely identifies an OIDC user and a well-behaving identity provider guarantees that this value never changes for a particular user. 
It is usually an opaque and long string and its value is currently only available from the <a href=../api/ >API</a>, database or directly from your identity provider).</p> <p>Use the <a href=../api/ >API</a> with the <code>/api/v1/user</code> endpoint to fetch the provider identifier (<code>providerId</code>). The value (be sure to append an <code>@</code> in case the provider identifier doesn't already contain an <code>@</code> somewhere) can be used directly to reference a user in the policy. To improve readability of the policy, one may use the <code>groups</code> section as an alias:</p> <div class="language-json highlight"><pre><span></span><code><span id=__span-9-1><a id=__codelineno-9-1 name=__codelineno-9-1 href=#__codelineno-9-1></a><span class=p>{</span>
</span><span id=__span-9-2><a id=__codelineno-9-2 name=__codelineno-9-2 href=#__codelineno-9-2></a><span class=w> </span><span class=nt>&quot;groups&quot;</span><span class=p>:</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-9-3><a id=__codelineno-9-3 name=__codelineno-9-3 href=#__codelineno-9-3></a><span class=w> </span><span class=nt>&quot;group:alice&quot;</span><span class=p>:</span><span class=w> </span><span class=p>[</span>
</span><span id=__span-9-4><a id=__codelineno-9-4 name=__codelineno-9-4 href=#__codelineno-9-4></a><span class=w> </span><span class=s2>&quot;https://soo.example.com/oauth2/openid/59ac9125-c31b-46c5-814e-06242908cf57@&quot;</span>
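Review bot: The added line that carries the "Howto use the provider identifier in the policy" tip still ends its first paragraph with "directly from your identity provider)." where the closing parenthesis has no opening one. The text is identical on the removed line, so this commit did not introduce it, and because this file is generated output the correction belongs in the Markdown source the page is built from. The only difference between the removed and added lines is in the "Expire a node and force re-authentication" tip, where the closing </p> now comes right after "A node can be expired immediately via:" instead of after the console <div>, which is the valid nesting since a <div> cannot sit inside a <p>. With minified output a one-tag change like this rewrites two very long lines, so it is worth confirming in the rendered page that nothing else in those lines moved.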