[PR #2663] [MERGED] OIDC: Query userinfo endpoint before verifying user #2789

New Issue

adam · 2025-12-29T04:18:58+01:00

adam commented

2025-12-29 04:18:58 +01:00

📋 Pull Request Information

Original PR: https://github.com/juanfont/headscale/pull/2663
Author: @fredrikekre
Created: 6/27/2025
Status: ✅ Merged
Merged: 8/11/2025
Merged by: @nblock

Base: main ← Head: fe/userinfo-groups

📝 Commits (1)

24e964c OIDC: Query userinfo endpoint before verifying user

📊 Changes

3 files changed (+34 additions, -24 deletions)

View changed files

📝 CHANGELOG.md (+4 -0)
📝 hscontrol/oidc.go (+29 -24)
📝 hscontrol/types/users.go (+1 -0)

📄 Description

This patch includes some changes to the OIDC integration in particular:

Make sure that userinfo claims are queried before comparing the user with the configured allowed groups, email and email domain.
Update user with group claim from the userinfo endpoint which is required for allowed groups to work correctly. This is essentially a continuation of #2545.
Let userinfo claims take precedence over id token claims.

With these changes I have verified that Headscale works as expected together with Authelia without the documented escape hatch 0, i.e. everything works even if the id token only contain the iss and sub claims.

have read the CONTRIBUTING.md file
raised a GitHub issue or discussed it on the projects chat beforehand
added unit tests
added integration tests
updated documentation if needed
updated CHANGELOG.md

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/juanfont/headscale/pull/2663 **Author:** [@fredrikekre](https://github.com/fredrikekre) **Created:** 6/27/2025 **Status:** ✅ Merged **Merged:** 8/11/2025 **Merged by:** [@nblock](https://github.com/nblock) **Base:** `main` ← **Head:** `fe/userinfo-groups` --- ### 📝 Commits (1) - [`24e964c`](https://github.com/juanfont/headscale/commit/24e964ccbcda61d73011f5712ca7878800bfb00b) OIDC: Query userinfo endpoint before verifying user ### 📊 Changes **3 files changed** (+34 additions, -24 deletions) <details> <summary>View changed files</summary> 📝 `CHANGELOG.md` (+4 -0) 📝 `hscontrol/oidc.go` (+29 -24) 📝 `hscontrol/types/users.go` (+1 -0) </details> ### 📄 Description This patch includes some changes to the OIDC integration in particular: - Make sure that userinfo claims are queried *before* comparing the user with the configured allowed groups, email and email domain. - Update user with group claim from the userinfo endpoint which is required for allowed groups to work correctly. This is essentially a continuation of #2545. - Let userinfo claims take precedence over id token claims. With these changes I have verified that Headscale works as expected together with Authelia without the documented escape hatch [0], i.e. everything works even if the id token only contain the iss and sub claims. [0]: https://www.authelia.com/integration/openid-connect/headscale/#configuration-escape-hatch   - [x] have read the [CONTRIBUTING.md](./CONTRIBUTING.md) file - [x] raised a GitHub issue or discussed it on the projects chat beforehand - [ ] added unit tests - [ ] added integration tests - [ ] updated documentation if needed - [x] updated CHANGELOG.md  --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>

adam added the pull-request label 2025-12-29 04:18:58 +01:00

adam closed this issue

2025-12-29 04:18:59 +01:00

adam referenced this issue

2025-12-29 04:19:24 +01:00

[PR #2789] [MERGED] feat: add autogroup:self #2862

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#2789