starred/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2026-01-11 20:00:28 +01:00
Code Issues 98 Packages Projects Releases 10 Wiki Activity

[Feature] OIDC with permanent ID #733

New Issue
Closed
opened 2025-12-29 02:23:02 +01:00 by adam · 4 comments
adam commented 2025-12-29 02:23:02 +01:00
Owner
Copy Link

Originally created by @adipierro on GitHub (Jun 22, 2024).

Use case

Currently, if user account in external system might have an email or username changed, OIDC authentication in Headscale won't match an existing user in DB, and another user will be created instead.

Description

Use OIDC sub claim as a permanent identifier for a user

If we use sub claim as a permanent unique ID for a user, we can match OIDC authenticated user with it instead of a username, and update a username (email) in DB if it differs. We should make updating optional as ACLs might stop applying to affected users.

Use and save OIDC email claim regardless of email domain stripping

A discussion is probably needed.
Screenshot 2024-06-22 at 5 21 29 PM
email, if available, could be used to display as LoginName in Tailscale clients. Or, it could be another way to identify users in ACLs if strip_email_domain is turned on, particularly, to avoid username collisions if multiple domains are allowed to login.

But considering https://github.com/juanfont/headscale/pull/1987, we might not need to strip email domains anymore.

Contribution

  • I can write the design doc for this feature
  • I can contribute this feature
Originally created by @adipierro on GitHub (Jun 22, 2024). ### Use case Currently, if user account in external system might have an email or username changed, OIDC authentication in Headscale won't match an existing user in DB, and another user will be created instead. ### Description ### Use OIDC `sub` claim as a permanent identifier for a user If we use [`sub`](https://openid.net/specs/openid-connect-basic-1_0.html#StandardClaims) claim as a permanent unique ID for a user, we can match OIDC authenticated user with it instead of a username, and update a username (email) in DB if it differs. We should make updating optional as ACLs might stop applying to affected users. ### Use and save OIDC `email` claim regardless of email domain stripping _A discussion is probably needed._ <img width="277" alt="Screenshot 2024-06-22 at 5 21 29 PM" src="https://github.com/juanfont/headscale/assets/80180243/56a8d96e-2c39-4be6-a16a-c5b63e76691e"> `email`, if available, could be used to display as `LoginName` in Tailscale clients. Or, it could be another way to identify users in ACLs if `strip_email_domain` is turned on, particularly, to avoid username collisions if multiple domains are allowed to login. But considering https://github.com/juanfont/headscale/pull/1987, we might not need to strip email domains anymore. ### Contribution - [X] I can write the design doc for this feature - [X] I can contribute this feature
adam added the enhancementOIDC labels 2025-12-29 02:23:02 +01:00
adam closed this issue 2025-12-29 02:23:02 +01:00
adam commented 2025-12-29 02:23:02 +01:00
Author
Owner
Copy Link

@IamTaoChen commented on GitHub (Jun 23, 2024):

Maybe not sub, we can design the username claim, e.g. preferred_username

@IamTaoChen commented on GitHub (Jun 23, 2024): Maybe not `sub`, we can design the username claim, e.g. `preferred_username`
adam commented 2025-12-29 02:23:03 +01:00
Author
Owner
Copy Link

@SirBomble commented on GitHub (Jul 2, 2024):

I believe this PR is attempting to add support for preferred_username https://github.com/juanfont/headscale/pull/1997

@SirBomble commented on GitHub (Jul 2, 2024): I believe this PR is attempting to add support for ` preferred_username ` https://github.com/juanfont/headscale/pull/1997
adam commented 2025-12-29 02:23:03 +01:00
Author
Owner
Copy Link

@adipierro commented on GitHub (Jul 2, 2024):

I think sub should be used as an internal identifier for matching the user, useful in cases username has changed upstream at OIDC. Of course, it should not be used as end-user display name or in CLI.

@adipierro commented on GitHub (Jul 2, 2024): I think `sub` should be used as an internal identifier for matching the user, useful in cases username has changed upstream at OIDC. Of course, it should not be used as end-user display name or in CLI.
adam commented 2025-12-29 02:23:03 +01:00
Author
Owner
Copy Link

@micolous commented on GitHub (Oct 4, 2024):

I do not think this is actually fixed by #2020, because the always-active fallback behaviour will still allow account take-overs, even if the target account has been "updated" to use the sub parameter.

@micolous commented on GitHub (Oct 4, 2024): I do not think this is actually fixed by #2020, because [the *always-active* fallback behaviour will still allow account take-overs, even if the target account has been "updated" to use the `sub` parameter](https://github.com/juanfont/headscale/pull/2020#issuecomment-2393061100).
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
CLI
DERP
DNS
Nix
OIDC
SSH
bug
database
documentation
duplicate
enhancement
faq
good first issue
grants
help wanted
might-come
needs design doc
needs investigation
no-stale-bot
out of scope
performance
policy 📝
pull-request
Mirrored from GitHub Pull Request
 question
regression
routes
stale
tags
tailscale-feature-gap
well described ❤️
wontfix
No Label OIDC enhancement
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
adam
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/headscale#733
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?