OIDC Tailscale logout prevents future logins - unless node is manually deleted and node ID is incremented #617

Closed
opened 2025-12-29 02:21:14 +01:00 by adam · 1 comment

Originally created by @felixn-unity on GitHub (Jan 29, 2024).

Bug description and To Reproduce

After initial OIDC login using Okta and Ubuntu client - all is good and connected

9 | parsec-sto-p01 | parsec-sto-p01 | [eH3Gg] | [O5xet] | felix | 100.64.0.1, fd7a:115c:a1e0::1 | false | 2024-01-29 18:39:35 | 2024-07-27 18:39:35 | online | no

When using "tailscale logout" node is set to "expired" and "offline" - all is good and disconnected

9 | parsec-sto-p01 | parsec-sto-p01 | [eH3Gg] | [O5xet] | felix | 100.64.0.1, fd7a:115c:a1e0::1 | false | 2024-01-29 18:39:51 | 2024-01-29 18:39:52 | offline | yes

Trying to reconnect with "tailscale up --login-server https://cloud.xxxx.yy --reset" - Web OIDC flow is ok, Ubuntu client just hangs

headscale-1 | 2024-01-29T18:41:42Z DBG go/src/headscale/hscontrol/oidc.go:102 > Received oidc register call machine_key=mkey:787dc6830b29f29b5c78c1e5e9678be22b5675109e77a372defdd2518a144d50 ok=true
headscale-1 | 2024-01-29T18:41:42Z DBG Redirecting to https://trial-5107038.okta.com/oauth2/v1/authorize?client_id=0oab2ph6iz3xPp6Xs697&redirect_uri=https%3A%2F%2Fcloud.xxxx.yy%2Foidc%2Fcallback&response_type=code&scope=openid+profile+email&state=02f3fa1ce4075237cf69d9fd130e1893 for authentication
headscale-1 | 2024-01-29T18:41:42Z DBG go/src/headscale/hscontrol/oidc.go:102 > Received oidc register call machine_key=mkey:787dc6830b29f29b5c78c1e5e9678be22b5675109e77a372defdd2518a144d50 ok=true
headscale-1 | 2024-01-29T18:41:42Z DBG Redirecting to https://trial-5107038.okta.com/oauth2/v1/authorize?client_id=0oab2ph6iz3xPp6Xs697&redirect_uri=https%3A%2F%2Fcloud.xxxx.yy%2Foidc%2Fcallback&response_type=code&scope=openid+profile+email&state=cd5603f60cbc34ecaa4c7429ffb1d620 for authentication
headscale-1 | 2024-01-29T18:41:43Z ERR noise upgrade failed error="noise handshake failed: decrypting machine key: chacha20poly1305: message authentication failed"
headscale-1 | 2024/01/29 18:41:43 http: response.WriteHeader on hijacked connection from github.com/juanfont/headscale/hscontrol.(*Headscale).NoiseUpgradeHandler (noise.go:84)
headscale-1 | 2024/01/29 18:41:43 http: response.Write on hijacked connection from fmt.Fprintln (print.go:305)
headscale-1 | 2024-01-29T18:41:46Z DBG New noise client cap_ver=85 handler=/key
headscale-1 | 2024-01-29T18:41:46Z DBG successfully refreshed node expiresAt="2024-07-27 18:41:46.737673873 +0000 UTC m=+15553611.235251311" node=parsec-sto-p01
headscale-1 | 2024-01-29T18:41:52Z DBG New noise client cap_ver=85 handler=/key
headscale-1 | 2024-01-29T18:41:57Z DBG New noise client cap_ver=85 handler=/key

9 | parsec-sto-p01 | parsec-sto-p01 | [eH3Gg] | [O5xet] | felix | 100.64.0.1, fd7a:115c:a1e0::1 | false | 2024-01-29 18:39:51 | 2024-07-27 18:41:46 | offline | no

"docker exec headscale-headscale-1 headscale nodes delete -i 9 --force"

"systemctl restart tailscaled.service && tailscale up --login-server https://cloud.xxxx.yy"

9 | parsec-sto-p01 | parsec-sto-p01 | [eH3Gg] | [FgWr6] | felix | 100.64.0.1, fd7a:115c:a1e0::1 | false | 2024-01-29 18:39:51 | 2024-07-27 18:44:09 | offline | no

Still no go...

"docker exec headscale-headscale-1 headscale nodes delete -i 9 --force"

"systemctl restart tailscaled.service && tailscale up --login-server https://cloud.xxxx.yy"

10 | parsec-sto-p01 | parsec-sto-p01 | [eH3Gg] | [Csd42] | felix | 100.64.0.1, fd7a:115c:a1e0::1 | false | 2024-01-29 18:45:54 | 2024-07-27 18:45:50 | online | no

Then all is good and connected, so it seems like it will only work when node ID is different

Environment

I can see docker and reverse proxy is not supported, I will try and replicate it native - but for now, if anyone has any clues do let me know :)

Docker "image: headscale/headscale:0.23.0-alpha3"
Client Ubuntu and Tailscale client version 1.58.2

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container
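The recovery loop in the report (list the node, force-delete it, restart tailscaled, log in again) can be checked mechanically. The script below is an added example, not code from the issue or from the headscale project: it parses rows in the shape of the `headscale nodes list` output pasted above, tells a node that is merely expired apart from one whose key expiry was refreshed but that never came online (the state in the row after the second login attempt), counts Noise handshake failures in headscale log lines, and emits the same delete-and-relogin commands the reporter used. The sample rows and log lines are constructed from the report; the hostname, container name and login server come from it, and the column order (ID, hostname, name, machine key, node key, user, IPs, ephemeral, last seen, expiration, online, expired) is assumed from those rows. In the Noise handshake the client encrypts its machine key to the control server's public key, so a chacha20poly1305 authentication failure at that step means the client and the server instance that answered do not agree on that key; using it together with an offline-but-refreshed node as the trigger for removing the stale record is this example's own heuristic.

```shell
#!/bin/sh
# Added example (not from the issue or the headscale project). Classifies rows of
# `headscale nodes list` output, counts Noise handshake failures in headscale logs,
# and prints the recovery commands the reporter used. Column order is assumed from
# the rows in the report.

# Constructed sample rows, copied in shape from the report.
NODES_AFTER_LOGOUT='9 | parsec-sto-p01 | parsec-sto-p01 | [eH3Gg] | [O5xet] | felix | 100.64.0.1, fd7a:115c:a1e0::1 | false | 2024-01-29 18:39:51 | 2024-01-29 18:39:52 | offline | yes'
NODES_AFTER_RELOGIN='9 | parsec-sto-p01 | parsec-sto-p01 | [eH3Gg] | [O5xet] | felix | 100.64.0.1, fd7a:115c:a1e0::1 | false | 2024-01-29 18:39:51 | 2024-07-27 18:41:46 | offline | no'
NODES_RECOVERED='10 | parsec-sto-p01 | parsec-sto-p01 | [eH3Gg] | [Csd42] | felix | 100.64.0.1, fd7a:115c:a1e0::1 | false | 2024-01-29 18:45:54 | 2024-07-27 18:45:50 | online | no'

# Constructed log excerpt, shaped like the headscale container output in the report.
LOG_SAMPLE='headscale-1 | 2024-01-29T18:41:43Z ERR noise upgrade failed error="noise handshake failed: decrypting machine key: chacha20poly1305: message authentication failed"
headscale-1 | 2024-01-29T18:41:46Z DBG New noise client cap_ver=85 handler=/key
headscale-1 | 2024-01-29T18:41:46Z DBG successfully refreshed node expiresAt="2024-07-27 18:41:46" node=parsec-sto-p01'

# classify_node HOSTNAME  (node rows on stdin)
# Prints one of: online, expired, stale (expiry refreshed but node never came
# online, the state after the failed OIDC re-login), or missing.
classify_node() {
    awk -F'|' -v host="$1" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        {
            if (trim($2) != host) next
            found = 1
            if (trim($11) == "online")   { print "online";  exit }
            if (trim($12) == "yes")      { print "expired"; exit }
            print "stale"; exit
        }
        END { if (!found) print "missing" }'
}

# node_id HOSTNAME  (node rows on stdin): prints the numeric ID column.
node_id() {
    awk -F'|' -v host="$1" '
        { h = $2; gsub(/^[ \t]+|[ \t]+$/, "", h)
          if (h == host) { id = $1; gsub(/[ \t]/, "", id); print id; exit } }'
}

# noise_failures  (log lines on stdin): count of failed Noise upgrades.
noise_failures() {
    awk '/noise upgrade failed/ { n++ } END { print n + 0 }'
}

# needs_force_delete HOSTNAME NODE_ROWS LOG_TEXT
# "yes" when the node record is stale and the server logged a Noise handshake
# failure, i.e. the situation in which the reporter had to delete the node.
needs_force_delete() {
    state=$(printf '%s\n' "$2" | classify_node "$1")
    fails=$(printf '%s\n' "$3" | noise_failures)
    if [ "$state" = stale ] && [ "$fails" -gt 0 ]; then echo yes; else echo no; fi
}

# recovery_commands HOSTNAME NODE_ROWS LOGIN_SERVER
# Emits the two commands from the report with the node ID filled in; pipe to sh
# on the headscale host and the client respectively to apply them.
recovery_commands() {
    id=$(printf '%s\n' "$2" | node_id "$1")
    [ -n "$id" ] || return 1
    printf 'docker exec headscale-headscale-1 headscale nodes delete -i %s --force\n' "$id"
    printf 'systemctl restart tailscaled.service && tailscale up --login-server %s\n' "$3"
}

# Stand-alone demo over the constructed samples.
for sample in "$NODES_AFTER_LOGOUT" "$NODES_AFTER_RELOGIN" "$NODES_RECOVERED"; do
    printf '%s -> %s\n' "$(printf '%s\n' "$sample" | cut -d'|' -f1,10,11,12)" \
        "$(printf '%s\n' "$sample" | classify_node parsec-sto-p01)"
done
printf 'force delete needed: %s\n' "$(needs_force_delete parsec-sto-p01 "$NODES_AFTER_RELOGIN" "$LOG_SAMPLE")"
recovery_commands parsec-sto-p01 "$NODES_AFTER_RELOGIN" https://cloud.xxxx.yy
```

The "stale" class is the one worth alerting on: the node's expiry was pushed out to July, yet it stayed offline and the same ID reappeared with a new node key, which is why deleting ID 9 once was not enough and only the fresh ID 10 record connected.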
adam added the bug label 2025-12-29 02:21:14 +01:00
adam closed this issue 2025-12-29 02:21:14 +01:00

@felixn-unity commented on GitHub (Jan 29, 2024):

Ok! This seems to work fine on the native version. Great!

Felix

Reference: starred/headscale#617