[PR #2337] [MERGED] use dedicated registration ID for auth flow #2613

New Issue

adam · 2025-12-29T03:22:02+01:00

adam commented

2025-12-29 03:22:02 +01:00

📋 Pull Request Information

Original PR: https://github.com/juanfont/headscale/pull/2337
Author: @kradalby
Created: 1/10/2025
Status: ✅ Merged
Merged: 1/26/2025
Merged by: @kradalby

Base: main ← Head: kradalby/relogin-oidc

📝 Commits (10+)

ece8a7c move auth_noise into noise
2ef6f3d more debug logging for logout
81fa351 general version of waitForBackendState
000b709 scenario func to create a single node
4a70e13 util: correctly truncate randomurl string
f59c5e0 DRY up do login URL
6440c1e Add registrationID type
902cf60 use registration ID in reg flow, support followup
f6be407 add GetNodeByNodeKey lookup
7f271e1 move refresh logic to db layer

📊 Changes

26 files changed (+583 additions, -583 deletions)

View changed files

📝 cmd/headscale/cli/debug.go (+4 -5)
📝 cmd/headscale/cli/nodes.go (+2 -2)
📝 hscontrol/app.go (+3 -3)
📝 hscontrol/auth.go (+89 -46)
➖ hscontrol/auth_noise.go (+0 -56)
📝 hscontrol/db/db.go (+2 -2)
📝 hscontrol/db/db_test.go (+2 -2)
📝 hscontrol/db/node.go (+89 -42)
📝 hscontrol/grpcv1.go (+19 -20)
📝 hscontrol/handlers.go (+12 -58)
📝 hscontrol/noise.go (+64 -21)
📝 hscontrol/oidc.go (+63 -104)
📝 hscontrol/templates/register_web.go (+3 -2)
📝 hscontrol/types/common.go (+39 -0)
📝 hscontrol/util/string.go (+2 -1)
📝 integration/auth_oidc_test.go (+46 -60)
📝 integration/auth_web_flow_test.go (+8 -37)
📝 integration/cli_test.go (+54 -57)
📝 integration/derp_verify_endpoint_test.go (+0 -1)
📝 integration/dns_test.go (+0 -1)

...and 6 more files

📄 Description

This PR moves the authentication flow away from using MachineKeys (previously also NodeKey). These are not suitable as the machine might be registered multiple times (multiple users, same machine).

We probably should have done this from the beginning, all register IDs are now short live, and only used for the registration purpose.

This also implements the missing followup part of registration which holds the connection open until a node has been registered.

This is step 1 to fix #2327 where user login does not work as expected, potentially logging in the wrong user.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/juanfont/headscale/pull/2337 **Author:** [@kradalby](https://github.com/kradalby) **Created:** 1/10/2025 **Status:** ✅ Merged **Merged:** 1/26/2025 **Merged by:** [@kradalby](https://github.com/kradalby) **Base:** `main` ← **Head:** `kradalby/relogin-oidc` --- ### 📝 Commits (10+) - [`ece8a7c`](https://github.com/juanfont/headscale/commit/ece8a7cdcb288372b837b3c9a4cf51a5ea87ed65) move auth_noise into noise - [`2ef6f3d`](https://github.com/juanfont/headscale/commit/2ef6f3d66a48f4a20ed32b3214e9ed99741042e7) more debug logging for logout - [`81fa351`](https://github.com/juanfont/headscale/commit/81fa35185050f11bf5cdc601b388d1a52518d8fa) general version of waitForBackendState - [`000b709`](https://github.com/juanfont/headscale/commit/000b7090164aee2847744d226e9fc3caad7f3dc5) scenario func to create a single node - [`4a70e13`](https://github.com/juanfont/headscale/commit/4a70e13ef9de1f73a38593f139e1196f2d14b25e) util: correctly truncate randomurl string - [`f59c5e0`](https://github.com/juanfont/headscale/commit/f59c5e037944b681f6adfa16d70e860e3631ff12) DRY up do login URL - [`6440c1e`](https://github.com/juanfont/headscale/commit/6440c1e345d91c7dd8d1e2f41100618994b5dc26) Add registrationID type - [`902cf60`](https://github.com/juanfont/headscale/commit/902cf60cae8106b13aa4311a4c639cbdd7809499) use registration ID in reg flow, support followup - [`f6be407`](https://github.com/juanfont/headscale/commit/f6be407ad7ef96b44e72bde0a1f49bd3bb0f75a1) add GetNodeByNodeKey lookup - [`7f271e1`](https://github.com/juanfont/headscale/commit/7f271e10bed152c67bc9d4ce55d7801dd2cd4e3e) move refresh logic to db layer ### 📊 Changes **26 files changed** (+583 additions, -583 deletions) <details> <summary>View changed files</summary> 📝 `cmd/headscale/cli/debug.go` (+4 -5) 📝 `cmd/headscale/cli/nodes.go` (+2 -2) 📝 `hscontrol/app.go` (+3 -3) 📝 `hscontrol/auth.go` (+89 -46) ➖ `hscontrol/auth_noise.go` (+0 -56) 📝 `hscontrol/db/db.go` (+2 -2) 📝 `hscontrol/db/db_test.go` (+2 -2) 📝 `hscontrol/db/node.go` (+89 -42) 📝 `hscontrol/grpcv1.go` (+19 -20) 📝 `hscontrol/handlers.go` (+12 -58) 📝 `hscontrol/noise.go` (+64 -21) 📝 `hscontrol/oidc.go` (+63 -104) 📝 `hscontrol/templates/register_web.go` (+3 -2) 📝 `hscontrol/types/common.go` (+39 -0) 📝 `hscontrol/util/string.go` (+2 -1) 📝 `integration/auth_oidc_test.go` (+46 -60) 📝 `integration/auth_web_flow_test.go` (+8 -37) 📝 `integration/cli_test.go` (+54 -57) 📝 `integration/derp_verify_endpoint_test.go` (+0 -1) 📝 `integration/dns_test.go` (+0 -1) _...and 6 more files_ </details> ### 📄 Description This PR moves the authentication flow away from using MachineKeys (previously also NodeKey). These are not suitable as the machine might be registered multiple times (multiple users, same machine). We probably should have done this from the beginning, all register IDs are now short live, and only used for the registration purpose. This also implements the missing followup part of registration which holds the connection open until a node has been registered. This is step 1 to fix #2327 where user login does not work as expected, potentially logging in the wrong user. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

adam added the pull-request label 2025-12-29 03:22:02 +01:00

adam closed this issue

2025-12-29 03:22:02 +01:00

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#2613