[Feature] transitional page before redirecting to OIDC provider #1022

Closed
opened 2025-12-29 02:27:39 +01:00 by adam · 3 comments
Owner

Originally created by @hdhoang on GitHub (May 15, 2025).

Use case

With OIDC enabled, the headscale /register/<code> link goes directly to the OIDC provider's stateful URL. This URL cannot be copied and continued on another device (e.g. a high-trust device, or a non-default browser with an authenticated session).

The current situation hinders headscale-enabled login on e.g. Android TV.

The command-line tailscale client has --qr to pause at the register link with a QR code to scan:


To authenticate, visit:

        https://headscale.example/register/<code>

██████████████████████████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████████████████████████
██████████████████████████████████████████████████████████████████████████████████
████████              ██        ████  ██  ██    ██████  ████              ████████
████████  ██████████  ██  ████    ██  ██    ██████████    ██  ██████████  ████████
████████  ██      ██  ████████  ██    ████████    ██      ██  ██      ██  ████████
████████  ██      ██  ██          ████  ██              ████  ██      ██  ████████

Description

tailscale's https://login.tailscale.com/a/<code> redirects to https://login.tailscale.com/login?next_url=%2Fa%2F<code>&refresh=true, which can be continued elsewhere. Optionally, a &qr parameter allows transporting the page to a high-trust device easily.

Versions:

  • headscale 0.26 (thanks for the great beta tests)
  • tailscale 1.82.x (android, linux)
  • KB 1336 https://tailscale.com/kb/1336/device-add-qr-code

Contribution

  • [x] I can write the design doc for this feature
  • [ ] I can contribute this feature

How can it be implemented?

A new interstitial template in /assets/, with a QR code for itself, and a single "Continue with 'OIDC Provider Name'" or clickable URL.

Replace the redirect with that template, while still waiting for the return authcode, around the hscontrol/oidc.go debug message "Redirecting to %s for authentication".

We may need a field in config for the pretty name, or pick out the domain from the issuer path.
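One way to build the interstitial sketched above, as an added example that is not headscale's code (the real redirect lives in hscontrol/oidc.go and uses different types). The /register/<code> route renders a page showing its own URL (the exact string a QR image would encode) and one "Continue with <provider>" link; only the continue request mints the OIDC state and redirects to the provider, so the page can be copied to any device without carrying a state bound to the first one. The OIDCConfig struct, its ServerURL and DisplayName fields, the ?continue=1 query parameter, the authorization endpoint URL and the stateStore/lookup helper (standing in for the callback-side check) are assumptions for illustration; the pretty name falls back to the issuer's host, as the issue suggests.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"html/template"
	"net/http"
	"net/url"
	"strings"
	"sync"
)

// OIDCConfig is a hypothetical stand-in for the relevant headscale settings. The page's own
// link is built from ServerURL, never from the request Host header; DisplayName is optional.
type OIDCConfig struct{ ServerURL, Issuer, ClientID, RedirectURL, DisplayName string }

// providerDisplayName returns DisplayName or, when unset, the issuer's host name,
// e.g. "https://id.example.org/realms/hs" -> "id.example.org".
func providerDisplayName(cfg OIDCConfig) (string, error) {
	if cfg.DisplayName != "" {
		return cfg.DisplayName, nil
	}
	u, err := url.Parse(cfg.Issuer)
	if err != nil {
		return "", err
	}
	if u.Scheme != "https" || u.Hostname() == "" {
		return "", fmt.Errorf("issuer %q must be an https URL with a host", cfg.Issuer)
	}
	return u.Hostname(), nil
}

// The interstitial shows the registration link itself (a QR image would encode exactly this
// string) and one continue link. It carries no OIDC state, so it can be copied to any device.
var interstitialTmpl = template.Must(template.New("interstitial").Parse(`<!doctype html>
<title>Register device</title>
<p>Open this link on this or any other device to finish registration:</p>
<pre>{{.SelfURL}}</pre>
<p><a href="{{.ContinueURL}}">Continue with {{.Provider}}</a></p>
`))

// stateStore maps each freshly minted, unguessable OIDC state to its registration code.
type stateStore struct {
	mu     sync.Mutex
	states map[string]string
}

func newStateStore() *stateStore { return &stateStore{states: map[string]string{}} }

func (s *stateStore) issue(code string) string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // crypto/rand failing is not recoverable here
	}
	state := base64.RawURLEncoding.EncodeToString(b)
	s.mu.Lock()
	s.states[state] = code
	s.mu.Unlock()
	return state
}

func (s *stateStore) lookup(state string) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	code, ok := s.states[state]
	return code, ok
}

// registerHandler serves /register/<code>. Without the hypothetical ?continue=1 query it
// renders the interstitial; with it, it issues a state and redirects to the provider.
func registerHandler(cfg OIDCConfig, store *stateStore, authzEndpoint string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		code := strings.TrimPrefix(r.URL.Path, "/register/")
		if code == "" || strings.ContainsAny(code, "/?#") {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Cache-Control", "no-store") // the code is a bearer capability
		if r.URL.Query().Get("continue") != "1" {
			name, err := providerDisplayName(cfg)
			if err != nil {
				http.Error(w, "OIDC misconfigured", http.StatusInternalServerError)
				return
			}
			self := strings.TrimRight(cfg.ServerURL, "/") + "/register/" + url.PathEscape(code)
			_ = interstitialTmpl.Execute(w, map[string]string{"SelfURL": self, "ContinueURL": self + "?continue=1", "Provider": name})
			return
		}
		q := url.Values{"response_type": {"code"}, "client_id": {cfg.ClientID}, "redirect_uri": {cfg.RedirectURL},
			"scope": {"openid email profile"}, "state": {store.issue(code)}}
		http.Redirect(w, r, authzEndpoint+"?"+q.Encode(), http.StatusFound)
	})
}

func main() {
	cfg := OIDCConfig{ServerURL: "https://headscale.example", Issuer: "https://id.example.org/realms/hs", ClientID: "headscale", RedirectURL: "https://headscale.example/oidc/callback"}
	http.Handle("/register/", registerHandler(cfg, newStateStore(), "https://id.example.org/authorize"))
	panic(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

The QR image itself is left out because the standard library has no encoder; a library such as github.com/skip2/go-qrcode can render the same SelfURL string the <pre> shows. Two details worth keeping whatever the final design: the page's link comes from the configured server URL rather than the Host header (which a client or misconfigured proxy controls), and the page is served no-store, since anyone holding the registration link can complete the node's registration.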
adam added the enhancement, stale labels 2025-12-29 02:27:39 +01:00
adam closed this issue 2025-12-29 02:27:39 +01:00
Author
Owner

@hdhoang commented on GitHub (May 15, 2025):

More complicatedly, the page can accept an authkey as an alternative. Current mobile app design doesn't allow using both alternate server and authkey (they are exclusive items on 1 menu: https://github.com/tailscale/tailscale-android/blob/d3f34c579decb2a543839d90ea0759b31db1d2c0/android/src/main/java/com/tailscale/ipn/ui/view/CustomLogin.kt#L45).

That can open up non-oidc usecases like with full clients. I'm not sure how it can fit with oidc.go anymore. Something more natural on the apps side.
Author
Owner

@github-actions[bot] commented on GitHub (Aug 14, 2025):

This issue is stale because it has been open for 90 days with no activity.

Author
Owner

@github-actions[bot] commented on GitHub (Aug 22, 2025):

This issue was closed because it has been inactive for 14 days since being marked as stale.


Reference: starred/headscale#1022