API key support #76

New Issue

adam · 2025-12-29T01:21:45+01:00

adam commented

2025-12-29 01:21:45 +01:00

Originally created by @kradalby on GitHub (Nov 12, 2021).

Originally assigned to: @kradalby on GitHub.

We need to add support for creating, storing and authorising API keys.

We have support for gRPC and HTTP but we currently make all requests end in a failed authorisation.

This issue requires:

a new mode for storing api keys
Understanding best practice for storing keys
- Keys should be stored salted and encrypted (a leaked db should be useless)
Support for expiring keys
Convenience functions to check the key
Enable in grpc interceptor
Enable in http auth

Originally created by @kradalby on GitHub (Nov 12, 2021). Originally assigned to: @kradalby on GitHub. We need to add support for creating, storing and authorising API keys. We have support for gRPC and HTTP but we currently make all requests end in a failed authorisation. This issue requires: - [ ] a new mode for storing api keys - [ ] Understanding best practice for storing keys - Keys should be stored salted and encrypted (a leaked db should be useless) - [ ] Support for expiring keys - [ ] Convenience functions to check the key - [ ] Enable in grpc interceptor - [ ] Enable in http auth

adam added the enhancement label 2025-12-29 01:21:45 +01:00

adam closed this issue

2025-12-29 01:21:45 +01:00

adam commented

2025-12-29 01:21:46 +01:00

@ItalyPaleAle commented on GitHub (Nov 13, 2021):

If I could make a suggestion, have you considered relying on OAuth2 and JWTs? I really love it when apps allow me to re-use the same accounts :)

Pro:

Standard-based
Authentication+authorization become someone else's problem - some of your requirements get solved automatically (such as safely storing keys, expiring keys, etc)
- Corollary: depending on the auth server, and this can offer additional things such as 2FA.
Users can re-use existing credentials
Different OAuth flows can be used to authenticate/authorize users and applications (other machines)

Cons:

Adds a dependency on an external service. This can be self-hosted (Keycloak, Hydra...) but for most users it may be more convenient to use an external OIDC provider (such as Auth0, Azure AD, Okta, Google Apps)

@ItalyPaleAle commented on GitHub (Nov 13, 2021): If I could make a suggestion, have you considered relying on OAuth2 and JWTs? I really love it when apps allow me to re-use the same accounts :) Pro: - Standard-based - Authentication+authorization become someone else's problem - some of your requirements get solved automatically (such as safely storing keys, expiring keys, etc) - Corollary: depending on the auth server, and this can offer additional things such as 2FA. - Users can re-use existing credentials - Different OAuth flows can be used to authenticate/authorize users and applications (other machines) Cons: - Adds a dependency on an external service. This can be self-hosted (Keycloak, Hydra...) but for most users it may be more convenient to use an external OIDC provider (such as Auth0, Azure AD, Okta, Google Apps)

adam commented

2025-12-29 01:21:47 +01:00

@kradalby commented on GitHub (Nov 14, 2021):

We have started to add oidc in the unreleased version on main, while it is suitable for node registration for now. I don't think it is suitable for the CLI use case to begin with, I don't think we can assume that most users have a oidc provider to rely on.

In general, I am not sure if the CLI should rely on any other service than headscale for auth. Most services I can think of would have OAuth and regular, old school API tokens as far as I can remember (github, dockerhub, etc)

That said, I am very much for expanding the auth for http and grpc with OAuth2 etc in the future.

But I might miss somethings, so happy to be enlightened.

@kradalby commented on GitHub (Nov 14, 2021): We have started to add oidc in the unreleased version on `main`, while it is suitable for node registration for now. I don't think it is suitable for the CLI use case to begin with, I don't think we can assume that most users have a oidc provider to rely on. In general, I am not sure if the CLI should rely on any other service than headscale for auth. Most services I can think of would have OAuth _and_ regular, old school API tokens as far as I can remember (github, dockerhub, etc) That said, I am very much for _expanding_ the auth for `http` and `grpc` with OAuth2 etc in the future. But I might miss somethings, so happy to be enlightened.

adam commented

2025-12-29 01:21:47 +01:00

@ohdearaugustin commented on GitHub (Nov 18, 2021):

I would also be in favor for not relying on an external service. As for hydra and keycloak they are not easy to operate for everyone. So classical API tokens are in my opinion necessary to make this feature more accessible for users.

So I'm rather with @kradalby opinion on that one.

The other implementation are a nice to have and if you already have an infrastructure for it.

@ohdearaugustin commented on GitHub (Nov 18, 2021): I would also be in favor for not relying on an external service. As for hydra and keycloak they are not easy to operate for everyone. So classical API tokens are in my opinion necessary to make this feature more accessible for users. So I'm rather with @kradalby opinion on that one. The other implementation are a nice to have and if you already have an infrastructure for it.

adam commented

2025-12-29 01:21:48 +01:00

@kradalby commented on GitHub (Feb 13, 2022):

This feature has been implemented in #306, please feel free to give it a try.

@kradalby commented on GitHub (Feb 13, 2022): This feature has been implemented in #306, please feel free to give it a try.

adam referenced this issue

2025-12-29 02:29:25 +01:00

[PR #76] [MERGED] Try to detect color support, make color configurable #1241

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#76