[Bug] nodes are duplicated after expiry and reauth #1047

New Issue

adam · 2025-12-29T02:27:55+01:00

adam commented

2025-12-29 02:27:55 +01:00

Originally created by @bobelev on GitHub (Jun 20, 2025).

Is this a support request?

This is not a support request

Is there an existing issue for this?

I have searched the existing issues

Current Behavior

A new node is created when the user performs a re-auth after the node has expired.

Expected Behavior

Reauthenticated users should not create new nodes.

Steps To Reproduce

oicd config

oidc:
  only_start_if_oidc_is_available: true
  issuer: …
  client_id: headscale-users
  expiry: 4d
  use_expiry_from_token: false
  scope: ["openid", "profile", "email"]
  allowed_groups:
  - vpn-users

Environment

- OS: 24.04
- Headscale version: 0.26.0
- Tailscale version: 0.82.•

Runtime environment

Headscale is behind a (reverse) proxy
Headscale runs in a container

Debug information

I've dumped current nodes from my installation and printed duplicates:

duplicates: dict[str, list[Node]] = {}
    for node_data in data:
        node = Node(**node_data)
        if node.machine_key not in duplicates:
            duplicates[node.machine_key] = []
        duplicates[node.machine_key].append(node)

    for mk, nodes in duplicates.items():
        if len(nodes) > 1:
            print(f'{mk[:10]} has {len(nodes)} nodes')
            for node in nodes:
                print(f'\t{node.given_name}:'
                      f' last_seen:{datetime.fromtimestamp(node.last_seen["seconds"])}'
                      f' expiry:{datetime.fromtimestamp(node.expiry["seconds"])}'
                      f' created_at:{datetime.fromtimestamp(node.created_at["seconds"])}')

mkey:e826b has 2 nodes
	somebody-ckdxrp1y: last_seen:2025-06-20 00:54:55 expiry:2025-06-20 09:46:44 created_at:2025-06-16 09:46:44
	somebody-m5joip2c: last_seen:2025-06-20 10:33:31 expiry:2025-06-24 09:55:47 created_at:2025-06-20 09:55:47

mkey:17409 has 2 nodes
	someoneelse-q6lr-lqanoetd: last_seen:2025-06-20 10:43:48 expiry:2025-06-24 10:46:23 created_at:2025-06-20 10:46:24
	someoneelse-q6lr-ldubzxhv: last_seen:2025-06-20 10:54:42 expiry:2025-06-24 10:49:42 created_at:2025-06-20 10:49:42

Originally created by @bobelev on GitHub (Jun 20, 2025). ### Is this a support request? - [x] This is not a support request ### Is there an existing issue for this? - [x] I have searched the existing issues ### Current Behavior A new node is created when the user performs a re-auth after the node has expired. ### Expected Behavior Reauthenticated users should not create new nodes. ### Steps To Reproduce oicd config ``` oidc: only_start_if_oidc_is_available: true issuer: … client_id: headscale-users expiry: 4d use_expiry_from_token: false scope: ["openid", "profile", "email"] allowed_groups: - vpn-users ``` ### Environment ```markdown - OS: 24.04 - Headscale version: 0.26.0 - Tailscale version: 0.82.• ``` ### Runtime environment - [x] Headscale is behind a (reverse) proxy - [ ] Headscale runs in a container ### Debug information I've dumped current nodes from my installation and printed duplicates: <details> ``` duplicates: dict[str, list[Node]] = {} for node_data in data: node = Node(**node_data) if node.machine_key not in duplicates: duplicates[node.machine_key] = [] duplicates[node.machine_key].append(node) for mk, nodes in duplicates.items(): if len(nodes) > 1: print(f'{mk[:10]} has {len(nodes)} nodes') for node in nodes: print(f'\t{node.given_name}:' f' last_seen:{datetime.fromtimestamp(node.last_seen["seconds"])}' f' expiry:{datetime.fromtimestamp(node.expiry["seconds"])}' f' created_at:{datetime.fromtimestamp(node.created_at["seconds"])}') ``` </details> ``` mkey:e826b has 2 nodes somebody-ckdxrp1y: last_seen:2025-06-20 00:54:55 expiry:2025-06-20 09:46:44 created_at:2025-06-16 09:46:44 somebody-m5joip2c: last_seen:2025-06-20 10:33:31 expiry:2025-06-24 09:55:47 created_at:2025-06-20 09:55:47 mkey:17409 has 2 nodes someoneelse-q6lr-lqanoetd: last_seen:2025-06-20 10:43:48 expiry:2025-06-24 10:46:23 created_at:2025-06-20 10:46:24 someoneelse-q6lr-ldubzxhv: last_seen:2025-06-20 10:54:42 expiry:2025-06-24 10:49:42 created_at:2025-06-20 10:49:42 ```

adam added the bug OIDC labels 2025-12-29 02:27:55 +01:00

adam closed this issue

2025-12-29 02:27:56 +01:00

adam commented

2025-12-29 02:27:56 +01:00

@spymobilfon commented on GitHub (Jun 20, 2025):

Yes, I have the same issue

@spymobilfon commented on GitHub (Jun 20, 2025): Yes, I have the same issue

adam commented

2025-12-29 02:27:56 +01:00

@nblock commented on GitHub (Jun 21, 2025):

A new node is created when the user performs a re-auth after the node has expired.

Does this also create a new user after reauth or just a new node assigned to a previously existing user?

@nblock commented on GitHub (Jun 21, 2025): > A new node is created when the user performs a re-auth after the node has expired. Does this also create a new user after reauth or just a new node assigned to a previously existing user?

adam commented

2025-12-29 02:27:56 +01:00

@bobelev commented on GitHub (Jun 23, 2025):

The user stays the same. I found where the issue is. When we use GetNodeByMachineKey in RegisterNode, it only returns the first match in the database. But it should actually return a list of nodes.

After I upgraded from 0.23 to the latest version, I still have some leftover users and nodes with the same machine keys. Code checks new oidc users against existing legacy users and decides to create a new node.

I guess this is also not very good for new installations because users can change accounts within the same machine.

@bobelev commented on GitHub (Jun 23, 2025): The user stays the same. I found where the issue is. When we use `GetNodeByMachineKey` in `RegisterNode`, it only returns the first match in the database. But it should actually return a list of nodes. After I upgraded from 0.23 to the latest version, I still have some leftover users and nodes with the same machine keys. Code checks new oidc users against existing legacy users and decides to create a new node. I guess this is also not very good for new installations because users can change accounts within the same machine.

adam commented

2025-12-29 02:27:56 +01:00

@uonr commented on GitHub (Jul 6, 2025):

@nblock

Does this also create a new user after reauth or just a new node assigned to a previously existing user?

In my case, it creates a new user after reauth, should I open a new issue and there are any workaround?

After reauth:

100.64.0.52     susumi               me@          macOS   -

Before:

100.64.0.20     troia                me.yuru.me   windows offline
100.64.0.33     troie                me.yuru.me   windows offline
100.64.0.10     uilp                 me.yuru.me   iOS     -

@uonr commented on GitHub (Jul 6, 2025): @nblock > Does this also create a new user after reauth or just a new node assigned to a previously existing user? In my case, it creates a new user after reauth, should I open a new issue and there are any workaround? After reauth: ``` 100.64.0.52 susumi me@ macOS - ``` Before: ``` 100.64.0.20 troia me.yuru.me windows offline 100.64.0.33 troie me.yuru.me windows offline 100.64.0.10 uilp me.yuru.me iOS - ```

adam commented

2025-12-29 02:27:56 +01:00

@uonr commented on GitHub (Jul 6, 2025):

@nblock

Does this also create a new user after reauth or just a new node assigned to a previously existing user?

In my case, it creates a new user after reauth, should I open a new issue and there are any workaround?

After reauth:
100.64.0.52     susumi               me@          macOS   -
Before:
100.64.0.20     troia                me.yuru.me   windows offline
100.64.0.33     troie                me.yuru.me   windows offline
100.64.0.10     uilp                 me.yuru.me   iOS     -

I fixed this issue. Because NixOS skipped Headscale 0.24 between two stable releases, the map_legacy_users option was disabled before it had a chance to be enabled. Manually enabling it resolved the problem.

@uonr commented on GitHub (Jul 6, 2025): > [@nblock](https://github.com/nblock) > > > Does this also create a new user after reauth or just a new node assigned to a previously existing user? > > In my case, it creates a new user after reauth, should I open a new issue and there are any workaround? > > After reauth: > > ``` > 100.64.0.52 susumi me@ macOS - > ``` > > Before: > > ``` > 100.64.0.20 troia me.yuru.me windows offline > 100.64.0.33 troie me.yuru.me windows offline > 100.64.0.10 uilp me.yuru.me iOS - > ``` I fixed this issue. Because NixOS skipped Headscale 0.24 between two stable releases, the map_legacy_users option was disabled before it had a chance to be enabled. Manually enabling it resolved the problem.

adam commented

2025-12-29 02:27:57 +01:00

@kradalby commented on GitHub (Sep 10, 2025):

After I upgraded from 0.23 to the latest version, I still have some leftover users and nodes with the same machine keys. Code checks new oidc users against existing legacy users and decides to create a new node.

Did this mean you skipped over everything in between? did you look at the map_legacy_users option mentioned in the previous comment?

@kradalby commented on GitHub (Sep 10, 2025): > After I upgraded from 0.23 to the latest version, I still have some leftover users and nodes with the same machine keys. Code checks new oidc users against existing legacy users and decides to create a new node. Did this mean you skipped over everything in between? did you look at the `map_legacy_users` option mentioned in the previous comment?

adam commented

2025-12-29 02:27:57 +01:00

@kradalby commented on GitHub (Sep 12, 2025):

I'm going to close this as most likely an issue of skipping versions which had changelog notes about step by step migration.

If this is not the case, and the issue persist in the next release, open a new issue with as much debug info as possible.

@kradalby commented on GitHub (Sep 12, 2025): I'm going to close this as most likely an issue of skipping versions which had changelog notes about step by step migration. If this is not the case, and the issue persist in the next release, open a new issue with as much debug info as possible.

adam referenced this issue

2025-12-29 02:31:55 +01:00

[PR #1047] [CLOSED] docs(README): update contributors #1840

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#1047