[PR #227] [MERGED] Simplify and improve register/reauth flow #1332

Closed
opened 2025-12-29 02:29:44 +01:00 by adam · 0 comments

📋 Pull Request Information

Original PR: https://github.com/juanfont/headscale/pull/227
Author: @kradalby
Created: 11/17/2021
Status: Merged
Merged: 11/24/2021
Merged by: @kradalby

Base: main ← Head: expired-issue


📝 Commits (10+)

  • 35c3fe9 Move registration workflow into functions
  • a8a8f01 Make "authKey" a constant
  • 50dcb8b Use valid handler for registered authkey machines
  • 981f712 Remove unused param
  • 58d1255 Remove unneeded returns
  • 106b1e7 Create constants for other reg methods
  • 9aac1fb Remove expiry logic, this needs to be redone
  • 6a9dd20 Remove expiry logic, this needs to be redone
  • 1c7aff5 Add expired column to machine list command
  • f85a77e Remove println statement

📊 Changes

26 files changed (+1305 additions, -537 deletions)


📝 .golangci.yaml (+6 -3)
📝 acls_test.go (+2 -2)
📝 api.go (+274 -190)
📝 app.go (+17 -9)
📝 app_test.go (+5 -0)
📝 cli_test.go (+8 -9)
📝 cmd/headscale/cli/nodes.go (+78 -10)
📝 cmd/headscale/cli/utils.go (+0 -27)
📝 dns_test.go (+8 -8)
📝 gen/go/headscale/v1/headscale.pb.go (+109 -96)
📝 gen/go/headscale/v1/headscale.pb.gw.go (+99 -0)
📝 gen/go/headscale/v1/headscale_grpc.pb.go (+36 -0)
📝 gen/go/headscale/v1/machine.pb.go (+237 -108)
📝 gen/openapiv2/headscale/v1/headscale.swagger.json (+39 -0)
📝 grpcv1.go (+21 -0)
📝 integration_cli_test.go (+127 -0)
📝 machine.go (+75 -35)
📝 machine_test.go (+40 -5)
📝 namespaces_test.go (+5 -5)
📝 oidc.go (+94 -19)

...and 6 more files

📄 Description

This PR addresses a series of issues with OpenID Connect (oidc), the register workflow, the reauthentication workflow and the concept of expiry.

oidc introduced some broken expiry behaviour which broke both pre auth key machines and CLI registered machines. This was done by adding a maximum expiry, where we previously had none.

This PR removes that and in general fixes issues that were discovered hunting for the bugs:

  • Registration flow is now split up into functions so it's easier to follow
  • Add support for reauthentication of nodes (if expired)
  • Add support for client which sends "requested expiry"
  • Add expire command to allow users to force nodes to reauthenticate
  • Only send list of "valid" (registered and not expired) nodes to client on update
  • The oidc support seems to work pretty well (I use it on my prod setup)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
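
An added example (not code from this PR or from headscale) modelling the flow the description lists: an absent expiry means the key never expires, a requested expiry is applied at registration, an expire operation forces reauthentication, and only valid nodes are sent as peers. The `Machine` type and every function name are hypothetical, and treating a zero requested expiry as "none requested" is an assumption.

```go
package main

import (
	"fmt"
	"time"
)

// Machine is a hypothetical node record (not headscale's own type).
type Machine struct {
	Name       string
	Registered bool
	Expiry     *time.Time // nil: no expiry set, the key never expires
}

// NextStep picks the branch of the register flow for an incoming request.
func NextStep(m *Machine, now time.Time) string {
	switch {
	case m == nil || !m.Registered:
		return "register"
	case m.Expiry != nil && !now.Before(*m.Expiry):
		return "reauthenticate"
	}
	return "valid"
}

// ApplyRequestedExpiry honours a client's requested expiry; zero time means none (assumption).
func ApplyRequestedExpiry(m *Machine, requested time.Time) {
	if m.Expiry = nil; !requested.IsZero() {
		m.Expiry = &requested
	}
}

// Expire forces reauthentication by moving the expiry to now.
func Expire(m *Machine, now time.Time) { m.Expiry = &now }

// ValidPeers lists the registered, unexpired nodes to send on an update.
func ValidPeers(all []Machine, now time.Time) (names []string) {
	for i := range all {
		if NextStep(&all[i], now) == "valid" {
			names = append(names, all[i].Name)
		}
	}
	return names
}

func main() {
	old := time.Now().Add(-time.Hour) // constructed sample data
	fmt.Println(ValidPeers([]Machine{{"a", true, nil}, {"b", true, &old}}, time.Now()))
}
```

A node registered with a pre-auth key and no expiry stays in the peer list indefinitely, which is the behaviour the description says the earlier maximum expiry broke.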

adam added the pull-request label 2025-12-29 02:29:44 +01:00
adam closed this issue 2025-12-29 02:29:44 +01:00
Reference: starred/headscale#1332