[Bug] Unable to register ephemeral nodes using OIDC #1079

Open
opened 2025-12-29 02:28:09 +01:00 by adam · 2 comments

Originally created by @zpuskaric on GitHub (Aug 6, 2025).

Is this a support request?

  • [x] This is not a support request

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

I am trying to create an ephemeral node (Windows 10) by using OIDC.
As per the Tailscale documentation, that should be possible in 2 ways:

  1. using preauth ephemeral keys
  2. starting tailscaled with option "--state=mem:"

I would like to avoid a preshared key in order to use the 2FA provided by OIDC (Keycloak). The other problem with 1. is that I already have to have a user registered to create a preauth key (on first login Keycloak is set up to enable and configure 2FA).
I tried option 2. by starting tailscaled on Windows with the option "--state=mem:", but when I log in to headscale the newly registered node is not ephemeral.

Expected Behavior

After starting tailscaled with the option "--state=mem:" on a node and registering the node with headscale, the node should be registered as ephemeral.

Steps To Reproduce

  • start headscale server
  • start tailscaled on client machine: tailscaled --state=mem:
  • run on client machine: tailscale login --login-server https://ts.example.org --accept-routes
  • go to URL returned by previous command and authenticate
  • headscale nodes list shows:
  • 26 | NODE-030 | node-030 | [5UOSB] | [fVQNN] | test-user | 100.64.0.9, fd7a:115c:a1e0::9 | false | 2025-08-06 06:49:56 | 2026-02-02 06:44:34 | online | no

Environment

- OS: Debian 12
- Headscale version: 0.26.1
- Tailscale version: 1.86.2

Runtime environment

  • [ ] Headscale is behind a (reverse) proxy
  • [ ] Headscale runs in a container

Debug information

I know that there is a disparity between headscale and Tailscale features, so my question is: is this possibility missing from headscale, is there some configuration needed, or is it a bug?

@kradalby commented on GitHub (Sep 9, 2025):

It looks like this should be supported with the `--state=mem:` option (https://tailscale.com/kb/1111/ephemeral-nodes#can-i-create-an-ephemeral-node-without-an-auth-key) and that we do not support it.

I suspect that if the option is passed to the client, there is a flag passed from the client when it registers and we are not checking it, so it will need some investigation. Should not be too hard once we know what to look for; a good starter issue.

@zpuskaric commented on GitHub (Sep 18, 2025):

From nodes.go, lines 565 and 566, it looks like the ephemeral node flag is set only if the client registers with a preauth key.

From the tailscaled source it looks like it sets LoginFlags to controlclient.LoginEphemeral, but I am not good enough in Go to follow it further.

Is it known what the client sends in case the "--state=mem:" argument is passed to tailscaled?
If not, is there a way to log that information on the headscale side?
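The two comments above ask what the client actually sends for `--state=mem:` and where headscale would have to look. As far as I know, the Tailscale control client turns the LoginEphemeral login flag into the `Ephemeral` boolean of the RegisterRequest it sends to the control server, so the server-side change is to consult that field in addition to the pre-auth key's own ephemeral attribute. The Go program below is an added example written for this page, not code from headscale or Tailscale: it decodes constructed register bodies into a reduced mirror of the request (only the fields inspected here; the real `tailcfg.RegisterRequest` carries many more), makes the ephemeral decision from both sources, and renders the debug line the reporter asked for. The `preAuthKey` type, the sample bodies, and the placeholder node and auth keys are all assumptions made up for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// registerRequest is a reduced mirror of the wire shape of a Tailscale
// RegisterRequest, keeping only the fields this example inspects. The JSON
// keys match the field names of tailcfg.RegisterRequest, but the struct is
// written for this example and is not headscale's or Tailscale's own type.
type registerRequest struct {
	Version int    `json:"Version"`
	NodeKey string `json:"NodeKey"`
	// Ephemeral is what the client sends when it logs in with the
	// LoginEphemeral flag, i.e. when tailscaled runs with --state=mem:.
	Ephemeral bool `json:"Ephemeral,omitempty"`
	Auth      *struct {
		AuthKey string `json:"AuthKey,omitempty"`
	} `json:"Auth,omitempty"`
	Hostinfo *struct {
		Hostname string `json:"Hostname,omitempty"`
	} `json:"Hostinfo,omitempty"`
}

// preAuthKey is a hypothetical stand-in for the server-side pre-auth key
// record; only the attribute that matters for this decision is modelled.
type preAuthKey struct {
	Key       string
	Ephemeral bool
}

// Constructed sample bodies, not captured from a real tailnet; the node keys
// and the auth key are placeholders.
var (
	// OIDC login from a tailscaled started with --state=mem:.
	oidcMemStateBody = []byte(`{"Version":119,"NodeKey":"nodekey:1111111111111111111111111111111111111111111111111111111111111111","Ephemeral":true,"Hostinfo":{"Hostname":"node-030"}}`)
	// OIDC login from a tailscaled with ordinary on-disk state: no Ephemeral key.
	oidcDiskStateBody = []byte(`{"Version":119,"NodeKey":"nodekey:2222222222222222222222222222222222222222222222222222222222222222","Hostinfo":{"Hostname":"node-031"}}`)
	// Registration with a pre-auth key; the key's own attribute decides.
	preAuthBody = []byte(`{"Version":119,"NodeKey":"nodekey:3333333333333333333333333333333333333333333333333333333333333333","Auth":{"AuthKey":"hskey-placeholder"},"Hostinfo":{"Hostname":"node-032"}}`)
)

// decodeRegisterRequest parses a request body. A client that omits the
// Ephemeral key (on-disk state, or an older client) decodes to false, which
// preserves today's non-ephemeral behaviour for it.
func decodeRegisterRequest(body []byte) (registerRequest, error) {
	var req registerRequest
	if err := json.Unmarshal(body, &req); err != nil {
		return registerRequest{}, fmt.Errorf("decode RegisterRequest: %w", err)
	}
	return req, nil
}

// nodeIsEphemeral is the decision the thread is about. The pre-auth-key term
// is the path the reporter found in nodes.go; the req.Ephemeral term is the
// client-asserted flag that the mem: state path sets and that the server
// must also consult for an OIDC login to come out ephemeral.
func nodeIsEphemeral(req registerRequest, pak *preAuthKey) bool {
	if pak != nil && pak.Ephemeral {
		return true
	}
	return req.Ephemeral
}

// describeRegistration renders the fields an operator would want in a debug
// log line at registration time, answering "what did the client send?".
func describeRegistration(req registerRequest, pak *preAuthKey) string {
	host := "<no hostinfo>"
	if req.Hostinfo != nil {
		host = req.Hostinfo.Hostname
	}
	method := "oidc/interactive"
	if req.Auth != nil && req.Auth.AuthKey != "" {
		method = "preauthkey"
	}
	return fmt.Sprintf("register host=%s method=%s client_ephemeral=%t pak_ephemeral=%t -> ephemeral=%t",
		host, method, req.Ephemeral, pak != nil && pak.Ephemeral, nodeIsEphemeral(req, pak))
}

func main() {
	cases := []struct {
		body []byte
		pak  *preAuthKey
	}{
		{oidcMemStateBody, nil},
		{oidcDiskStateBody, nil},
		{preAuthBody, &preAuthKey{Key: "hskey-placeholder", Ephemeral: true}},
	}
	for _, c := range cases {
		req, err := decodeRegisterRequest(c.body)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Println(describeRegistration(req, c.pak))
	}
}
```

Two things are worth noting when wiring this into a real registration handler. First, `Ephemeral` is self-declared by the client, but honouring it cannot widen access: it only asks the server to delete the node record once the node goes offline, and who may register at all is still decided by the OIDC login or the pre-auth key. Second, a client that omits the key decodes to false, so existing clients with on-disk state keep their current non-ephemeral behaviour; the debug line makes the difference between `client_ephemeral=false` and a key-driven `pak_ephemeral=true` visible without having to read the source. In headscale the body is only available in this form after the control transport has been unwrapped, so the logging point belongs in the registration handler rather than at the HTTP layer.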

Reference: starred/headscale#1079