[PR #1934] [CLOSED] re-construct OIDC config and flatten keycloak groups #2405

Closed
opened 2025-12-29 03:21:06 +01:00 by adam · 0 comments

📋 Pull Request Information

Original PR: https://github.com/juanfont/headscale/pull/1934
Author: @IamTaoChen
Created: 5/9/2024
Status: Closed

Base: main ← Head: dev_oidc


📝 Commits (8)

  • 890d6e7 re-construct oidc config
  • 51a257b change var name
  • 77c6bca update example
  • bd78f56 fix bug
  • 1e128fc username=email
  • d211b93 fix spell error: allowd -> allowed
  • 901613a Merge branch 'main' into dev_oidc
  • 39b34ad update oidc README.md

📊 Changes

6 files changed (+299 additions, -136 deletions)


📝 config-example.yaml (+54 -38)
📝 docs/oidc.md (+54 -28)
📝 hscontrol/oidc.go (+66 -12)
📝 hscontrol/suite_test.go (+3 -1)
📝 hscontrol/types/config.go (+116 -54)
📝 integration/auth_oidc_test.go (+6 -3)

📄 Description

  • Use the claims_map to extract the desired information by claim name; previously this was a fixed map. Be careful with username: OIDC now uses claim.username as the USERNAME. If you want to keep the same behaviour as before (email), please set username=email.
  • Combine allowed_domains, allowed_groups and allowed_users into allowed.
  • Add misc to hold miscellaneous settings. If you set misc.flatten_groups=true, it will try to flatten the groups. This is for Keycloak, whose group format is "/group/subgroup".
  • misc.strip_email_domain only works when the username is in email format, e.g. claims_map.username=email.

New OIDC config:

oidc:
  only_start_if_oidc_is_available: true
  issuer: "https://auth.example.com/auth/realms/master"
  client_id: "YOUR_CLIENT_ID"
  client_secret: "YOUR_SECRET"
  # Alternatively, set `client_secret_path` to read the secret from a file.
  # It resolves environment variables, making integration with systemd's
  # `LoadCredential` straightforward:
  # client_secret_path: "${CREDENTIALS_DIRECTORY}/oidc_client_secret"
  # client_secret and client_secret_path are mutually exclusive.

  # Customize the scopes used in the OIDC flow (defaults to "openid", "profile" and "email")
  # and add custom query parameters to the Authorize Endpoint request.
  # scope: ["openid", "profile", "email"]

  expiry:
    # Use the expiry from the token received from OpenID when the user logged
    # in. This will typically lead to a frequent need to reauthenticate and should
    # only be enabled if you know what you are doing.
    # Note: enabling this will cause `oidc.expiry.fixed_time` to be ignored.
    from_token: false
    # The amount of time from when a node is authenticated with OpenID until it
    # expires and needs to reauthenticate.
    # Setting the value to "0" means no expiry.
    fixed_time: 180d

  # extra_params:
  #   domain_hint: example.com

  # allowed:
  #   domains:
  #     # List allowed principal domains and/or users. If an authenticated user's domain is not in this list, the
  #     # authentication request will be rejected.
  #     - example.com
  #   groups:
  #     # List allowed groups.
  #     - admins
  #   users:
  #     - admin@example.com

  # Map claims from the OIDC token to the user object
  claims_map:
    name: name
    username: preferred_username
    email: email
    groups: groups

  # miscellaneous settings
  misc:
    # `strip_email_domain` only applies when `claims_map.username` is set to `email`.
    # If `strip_email_domain` is `true`, the domain part of the username email address is removed.
    # This transforms `first-name.last-name@example.com` into the user `first-name.last-name`.
    # If `strip_email_domain` is `false`, the domain part is NOT removed, resulting in the
    # user `first-name.last-name.example.com`.
    strip_email_domain: true
    # If `flatten_groups` is `true`, the groups claim is flattened to a single level.
    # This is used for Keycloak, where groups are nested in the form `group1/subgroup1/subgroup2`.
    flatten_groups: true
    # `flatten_splitter` is the string the nested group paths are split on when flattening.
    flatten_splitter: "/"

  • [x] have read the CONTRIBUTING.md file
  • [ ] raised a GitHub issue or discussed it on the project's chat beforehand
  • [ ] added unit tests
  • [ ] added integration tests
  • [ ] updated documentation if needed
  • [ ] updated CHANGELOG.md

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
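The claims_map, misc and allowed behaviour described in the PR, as an added Go example that is not code from this PR or from headscale itself. The function names (flattenGroups, extractUser, isAllowed) are mine, the sample claims are constructed, and three details are assumptions: an empty allowed list imposes no restriction, every configured list must be satisfied, and flatten_splitter defaults to "/" when unset. The "@"-to-"." rewrite when strip_email_domain is false follows the comment in the config above.

```go
package main

import (
	"fmt"
	"slices"
	"strings"
)

// ClaimsMap, Misc and Allowed mirror the claims_map, misc and allowed config sections.
type ClaimsMap struct{ Name, Username, Email, Groups string }
type Misc struct{ StripEmailDomain, FlattenGroups bool; FlattenSplitter string }
type Allowed struct{ Domains, Groups, Users []string } // empty list = no restriction (assumption)

// OIDCUser is the user object built from the token claims.
type OIDCUser struct {
	Name, Username, Email string
	Groups                []string
}

// sampleClaims is a constructed ID-token payload with Keycloak-style nested groups.
func sampleClaims() map[string]any {
	return map[string]any{
		"name":               "First Last",
		"preferred_username": "first.last",
		"email":              "first-name.last-name@example.com",
		"groups":             []any{"/headscale/admins", "/headscale/devs"},
	}
}

// flattenGroups splits nested paths such as "/group/subgroup" on splitter into
// single-level names, dropping empty segments and duplicates.
func flattenGroups(groups []string, splitter string) []string {
	if splitter == "" {
		splitter = "/" // assumed default when flatten_splitter is unset
	}
	seen := map[string]bool{}
	var out []string
	for _, g := range groups {
		for _, part := range strings.Split(g, splitter) {
			if part != "" && !seen[part] {
				seen[part] = true
				out = append(out, part)
			}
		}
	}
	return out
}

// extractUser applies claims_map and misc to the decoded token claims.
func extractUser(claims map[string]any, cm ClaimsMap, misc Misc) OIDCUser {
	str := func(key string) string {
		s, _ := claims[key].(string)
		return s
	}
	u := OIDCUser{Name: str(cm.Name), Username: str(cm.Username), Email: str(cm.Email)}
	if vs, ok := claims[cm.Groups].([]any); ok {
		for _, v := range vs {
			if s, ok := v.(string); ok {
				u.Groups = append(u.Groups, s)
			}
		}
	}
	// strip_email_domain only has an effect when the username claim is an email address.
	if at := strings.Index(u.Username, "@"); at >= 0 {
		if misc.StripEmailDomain {
			u.Username = u.Username[:at] // first-name.last-name
		} else {
			u.Username = strings.ReplaceAll(u.Username, "@", ".") // first-name.last-name.example.com
		}
	}
	if misc.FlattenGroups {
		u.Groups = flattenGroups(u.Groups, misc.FlattenSplitter)
	}
	return u
}

// isAllowed enforces the allowed lists: every list that is set must be satisfied.
func isAllowed(u OIDCUser, a Allowed) error {
	if at := strings.LastIndex(u.Email, "@"); len(a.Domains) > 0 && (at < 0 || !slices.Contains(a.Domains, u.Email[at+1:])) {
		return fmt.Errorf("domain of %q is not allowed", u.Email)
	}
	if len(a.Users) > 0 && !slices.Contains(a.Users, u.Email) {
		return fmt.Errorf("user %q is not allowed", u.Email)
	}
	if len(a.Groups) > 0 {
		for _, g := range u.Groups {
			if slices.Contains(a.Groups, g) {
				return nil
			}
		}
		return fmt.Errorf("user %q is in none of the allowed groups", u.Email)
	}
	return nil
}

func main() {
	u := extractUser(sampleClaims(), ClaimsMap{Name: "name", Username: "email", Email: "email", Groups: "groups"}, Misc{true, true, "/"})
	fmt.Println(u, isAllowed(u, Allowed{Domains: []string{"example.com"}, Groups: []string{"admins"}}))
}
```

With username=email and strip_email_domain enabled the sample yields the user first-name.last-name with groups headscale, admins and devs; with flatten_groups off the raw paths "/headscale/admins" and "/headscale/devs" are kept, which is why an allowed.groups entry of plain "admins" only matches once flattening is on.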

adam added the pull-request label 2025-12-29 03:21:06 +01:00
adam closed this issue 2025-12-29 03:21:06 +01:00
Reference: starred/headscale#2405