[Bug] Preauthkey always requires a user #1177

Open
opened 2025-12-29 02:28:44 +01:00 by adam · 1 comment

Originally created by @nblock on GitHub (Dec 20, 2025).

Is this a support request?

  • [x] This is not a support request

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

Creating a preauthkey with tags fails as it currently always requires a user:

$ headscale preauthkeys create --tags tag:foo,tag:bar
Error: required flag(s) "user" not set

In SaaS, one can create an auth key with tags defined. It seems to be sufficient to have those tags defined in the policy in the tagOwners section (note that no owner is defined on those tags):

{
	"tagOwners": {
		"tag:bar": [],
		"tag:foo": [],
	},
	"acls": [
		{
			"action": "accept",
			"src":    ["*"],
			"dst":    ["*:*"],
		}
	]
}

In Headscale, if the preauthkey is assigned to a user:

$ headscale preauthkeys list -u 1
ID | Key/Prefix                  | Reusable | Ephemeral | Used  | Expiration          | Created             | Tags   
1  | hskey-auth-CsLiZAFSkM2z-*** | false    | false     | false | 2025-12-20 17:01:54 | 2025-12-20 16:01:54 | tag:bar
   |                             |          |           |       |                     |                     | tag:foo

… it can't be used for non-interactive authentication:

$ tailscale up --login-server https://headscale.example.com --auth-key hskey-auth-CsLiZA... --advertise-tags=tag:bar,tag:foo
backend error: handling register with auth key: creating new node: requested tags [tag:bar tag:foo] are invalid or not permitted

It works with interactive auth (remove the --auth-key argument) or when no tags are advertised by the node (remove the --advertise-tags argument).

Expected Behavior

Be able to create preauthkeys that are either assigned to a user or have tags. All other headscale preauthkeys subcommands such as list also require passing a user.

Steps To Reproduce

Try to create a preauthkey with a tag but without a user

Environment

- OS: Debian 13
- Headscale version: 0.28.0-beta.1
- Tailscale version: 1.92.3

Runtime environment

  • [ ] Headscale is behind a (reverse) proxy
  • [ ] Headscale runs in a container

Debug information

none
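
A consistency check an operator could run before issuing a tagged key like the one in this report, as an added example that is not part of the original issue and not Headscale's registration logic. The function names, the report fields and the sample policy are constructed for illustration, and the HuJSON handling is a simplification noted in the code.

```python
import json
import re

# Constructed sample policy in the style shown in this issue (HuJSON:
# trailing commas allowed); both tags are declared with no owners.
SAMPLE_POLICY = """
{
	"tagOwners": {
		"tag:bar": [],
		"tag:foo": [],
	},
	"acls": [
		{"action": "accept", "src": ["*"], "dst": ["*:*"]},
	],
}
"""


def load_policy(text):
    """Parse a HuJSON-style policy with the standard json module."""
    # Simplification for this example: only whole-line // comments are
    # dropped, and no string value is assumed to contain ",}" or ",]".
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def check_tagged_key(policy, key_tags, advertised_tags):
    """Cross-check the tags on a pre-auth key, the tags a node will
    advertise, and the tags declared under tagOwners in the policy."""
    owners = policy.get("tagOwners", {})
    key, adv = set(key_tags), set(advertised_tags)
    wanted = key | adv
    return {
        # Not of the form tag:<name>.
        "malformed": sorted(t for t in wanted if not re.fullmatch(r"tag:.+", t)),
        # Used on the key or the node but missing from tagOwners.
        "undeclared": sorted(wanted - set(owners)),
        # Declared with an empty owner list, as in the policy above.
        "ownerless": sorted(t for t in wanted if t in owners and not owners[t]),
        # Advertised by the node but not carried by the key.
        "not_on_key": sorted(adv - key),
    }


if __name__ == "__main__":
    report = check_tagged_key(load_policy(SAMPLE_POLICY),
                              ["tag:bar", "tag:foo"], ["tag:bar", "tag:foo"])
    print(report)
```
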

adam added the bug, tailscale-feature-gap, no-stale-bot, tags labels 2025-12-29 02:28:44 +01:00

@nblock commented on GitHub (Dec 20, 2025):

Node registration fails when tags are passed during client registration:

$ tailscale up --login-server https://headscale.example.com --auth-key hskey-auth-CsLiZA... --advertise-tags=tag:bar,tag:foo
backend error: handling register with auth key: creating new node: requested tags [tag:bar tag:foo] are invalid or not permitted

But it works when no tags are sent:

$ tailscale up --login-server https://headscale.example.com --auth-key hskey-auth-CsLiZA...

SaaS seems to ignore tags in that case and registration with both above invocations.


Reference: starred/headscale#1177