OIDC auth in 0.16.2 fails with "Failed to decode id token claims" #312

Closed
opened 2025-12-29 01:26:34 +01:00 by adam · 8 comments

Originally created by @kyhwana on GitHub (Aug 16, 2022).

**Bug description**

After upgrading from 0.16.0 to 0.16.2 users are unable to authenticate using Azure OIDC, they get the error `Failed to decode id token claims`.
In the logs is the following error:

```
Aug 16 14:16:32 <machinefqd>  headscale[1125980]: 2022-08-16T02:16:32Z ERR home/runner/work/headscale/headscale/oidc.go:324 > Failed to decode id token claims error="json: Unmarshal(non-pointer headscale.IDTokenClaims)"
```

Is this related to the changed line in oidc.go?

```
if err := idToken.Claims(claims); err != nil {
```

**To Reproduce**

Have a user log out of the tailscale client then reauthenticate, using Azure AD OIDC. When the browser window opens it will attempt to auth via AAD and fail with the above error.

**Context info**

Headscale version 0.16.2.
tailscale client version 1.28.0

adam added the bug label 2025-12-29 01:26:34 +01:00
adam closed this issue 2025-12-29 01:26:35 +01:00
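The error text in the report, `json: Unmarshal(non-pointer ...)`, is what Go's `encoding/json` returns when the decode target is passed by value instead of by pointer. The following is an added example, not headscale's code: the `IDTokenClaims` fields, the helper names `claimsInto`, `sampleToken` and `isCallerBug`, and the token itself are constructed for illustration. It reproduces the failing by-value call next to the pointer form, and shows how to tell this server-side coding error apart from a malformed token.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// IDTokenClaims stands in for headscale.IDTokenClaims; its fields are assumed.
type IDTokenClaims struct {
	Email  string   `json:"email"`
	Groups []string `json:"groups"`
}

// claimsInto reproduces only the decode step of an already-verified token.
func claimsInto(token string, v any) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token: want 3 segments")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return fmt.Errorf("payload: %w", err)
	}
	return json.Unmarshal(payload, v)
}

// sampleToken returns a constructed token with a placeholder signature.
func sampleToken() string {
	enc := base64.RawURLEncoding.EncodeToString
	body := `{"email":"user@example.com","groups":["admins"]}`
	return enc([]byte(`{"alg":"RS256"}`)) + "." + enc([]byte(body)) + ".placeholder"
}

// isCallerBug reports a bad decode target (coding error), not a bad token.
func isCallerBug(err error) bool {
	var iu *json.InvalidUnmarshalError
	return errors.As(err, &iu)
}

func main() {
	var claims IDTokenClaims
	err := claimsInto(sampleToken(), claims) // by value: the failing form
	fmt.Println(err, isCallerBug(err))
	err = claimsInto(sampleToken(), &claims) // by pointer: decodes
	fmt.Println(err, claims.Email, claims.Groups)
}
```

Because the failure is independent of the identity provider's response, it appears with every provider at once, which matches the Azure AD, Keycloak and Google reports in this thread.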

@mannp commented on GitHub (Aug 16, 2022):

Just had the same issue here with a previously working keycloak instance.

```
2022-08-16T14:03:08Z ERR go/src/headscale/oidc.go:324 > Failed to decode id token claims error="json: Unmarshal(non-pointer headscale.IDTokenClaims)"
```


@victorhooi commented on GitHub (Aug 17, 2022):

Yup, I have the same issue as well on 0.16.2, and am getting the same error message.

I'm using OIDC with Google OAuth.

Is there some workaround we can use for now, or is this relatively easy to patch?


@mannp commented on GitHub (Aug 17, 2022):

I went back to 0.16.1 and did have the same error, so went back to 0.16.0 and was able to login correctly.


@juanfont commented on GitHub (Aug 17, 2022):

Hey people, we have merged a fix in main already.

Can you give it a try before we release 0.16.3?


@victorhooi commented on GitHub (Aug 17, 2022):

I'm willing to try - is there a place we can download latest built binaries? (AMD64 in my case).


@mannp commented on GitHub (Aug 17, 2022):

Still using docker and some Kubernetes for all of my infra, so not so easy to try without a pre-release docker img (which I appreciate is a hassle to create each time).


@kyhwana commented on GitHub (Aug 18, 2022):

I built the main repo and updated.
When logging a user out (Windows client) and then logging back in via OIDC Azure AD, I get the error

```
Aug 18 09:49:46 <headscalehost> headscale[1601506]: 2022-08-17T21:49:46Z DBG Machine registration has expired. Sending a authurl to register machine=<machine name>
```

Deleting the machine (which `headscale nodes list` says is expired?) and then reauthenticating works OK.


@juanfont commented on GitHub (Aug 18, 2022):

@kyhwana thanks for checking out. I will close this issue and open a new one on the registration.

Reference: starred/headscale#312