[Bug] authURL is empty when using GitHub as an OIDC server #813

Open
opened 2025-12-29 02:24:19 +01:00 by adam · 3 comments

Originally created by @maxpain on GitHub (Oct 3, 2024).

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Headscale redirects to an empty authURL (https://github.com/juanfont/headscale/blob/95150401612ec5143f5d9d44bcfa8730bcf94bba/hscontrol/oidc.go#L169C2-L169C9):

```
2024-10-03T11:08:53Z DBG Redirecting to ?client_id=123&domain_hint=...
```

Expected Behavior

Headscale should redirect to "https://github.com/login/oauth/authorize"

Steps To Reproduce

  1. Create an OAuth app in GitHub developer settings
  2. Set up Headscale to use GitHub as an OIDC server:

```yaml
oidc:
  only_start_if_oidc_is_available: true
  issuer: "https://token.actions.githubusercontent.com"
  client_id: "123"
  client_secret: "123"
```

  3. Try to login

Environment

- OS: Ubuntu 24.04
- Headscale version: 0.23.0

Runtime environment

  - [ ] Headscale is behind a (reverse) proxy
  - [x] Headscale runs in a container

Anything else?

No response

adam added the bug, no-stale-bot labels 2025-12-29 02:24:19 +01:00

@maxpain commented on GitHub (Oct 3, 2024):

It seems https://token.actions.githubusercontent.com/.well-known/openid-configuration doesn't contain authorization_endpoint field


@kradalby commented on GitHub (Oct 4, 2024):

I am not sure why they do not provide authorization_endpoint, but I thought that was a part of the OIDC standard requirements (feel free to correct). Some searching doesn't seem to make me any cleverer.

We do not support non-compliant providers, so if that is the case for Github, I suppose we do not support it.

If someone has more insights on their requirements/quirks, that would be helpful.


@oneingan commented on GitHub (Oct 4, 2024):

Using the Jenkins OIDC provider here, this is the openid-configuration:

```json
{
  "issuer": "https://jenkins.example.com/oidc",
  "jwks_uri": "https://jenkins.example.com/oidc/jwks",
  "response_types_supported": [
    "code"
  ],
  "subject_types_supported": [
    "public"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "authorization_endpoint": "https://unimplemented",
  "token_endpoint": "https://unimplemented"
}
```

I'm using this provider with AWS, step-ca and grafana without issues.

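The two discovery documents discussed in this thread (the GitHub Actions issuer, which omits `authorization_endpoint` entirely, and the Jenkins issuer, which fills it with a placeholder) show what a relying party has to check before it builds a login redirect. The following is an added example and is not Headscale's code; `ValidateDiscovery`, `checkEndpoint` and `BuildAuthRedirect` are illustrative names, and the GitHub Actions sample document is a constructed, reduced document modelled on what the issue reports (no `authorization_endpoint`), not a verbatim copy of the real metadata. It fails closed on a missing or relative endpoint and on an issuer that does not match the configured one, and it reproduces the relative `?client_id=...` redirect from the issue's debug log when an empty base URL is used unvalidated.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Discovery is the subset of OpenID Provider metadata a relying party needs
// before it can send a browser to the provider for the authorization code flow.
type Discovery struct {
	Issuer                string   `json:"issuer"`
	AuthorizationEndpoint string   `json:"authorization_endpoint"`
	TokenEndpoint         string   `json:"token_endpoint"`
	JWKSURI               string   `json:"jwks_uri"`
	ResponseTypes         []string `json:"response_types_supported"`
}

// Constructed sample issuers and documents so the example runs offline.
const (
	githubIssuer  = "https://token.actions.githubusercontent.com"
	jenkinsIssuer = "https://jenkins.example.com/oidc"
)

// Reduced, constructed document modelled on the issue report: no
// authorization_endpoint and only id_token as a response type.
var githubActionsMetadata = []byte(`{
  "issuer": "https://token.actions.githubusercontent.com",
  "jwks_uri": "https://token.actions.githubusercontent.com/.well-known/jwks",
  "response_types_supported": ["id_token"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"]
}`)

// The Jenkins document as quoted in the thread, with placeholder endpoints.
var jenkinsMetadata = []byte(`{
  "issuer": "https://jenkins.example.com/oidc",
  "jwks_uri": "https://jenkins.example.com/oidc/jwks",
  "response_types_supported": ["code"],
  "subject_types_supported": ["public"],
  "id_token_signing_alg_values_supported": ["RS256"],
  "authorization_endpoint": "https://unimplemented",
  "token_endpoint": "https://unimplemented"
}`)

// checkEndpoint rejects a metadata URL a relying party must never redirect a
// browser to or POST credentials to: empty, relative, non-https, or with a fragment.
func checkEndpoint(name, raw string) error {
	if raw == "" {
		return fmt.Errorf("%s is missing from the discovery document", name)
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%s is not a valid URL: %w", name, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("%s must be an absolute https URL, got %q", name, raw)
	}
	if u.Fragment != "" {
		return fmt.Errorf("%s must not contain a fragment, got %q", name, raw)
	}
	return nil
}

// ValidateDiscovery parses provider metadata and fails closed when the provider
// cannot drive an authorization code flow, so the relying party never builds a
// login redirect from an empty base URL.
func ValidateDiscovery(configuredIssuer string, doc []byte) (*Discovery, error) {
	var d Discovery
	if err := json.Unmarshal(doc, &d); err != nil {
		return nil, fmt.Errorf("discovery document is not valid JSON: %w", err)
	}
	// The issuer in the document must equal the URL the document was fetched for.
	if d.Issuer != configuredIssuer {
		return nil, fmt.Errorf("issuer mismatch: configured %q, document says %q", configuredIssuer, d.Issuer)
	}
	// Ordered so the first error reported is the one the redirect depends on.
	required := []struct{ name, value string }{
		{"authorization_endpoint", d.AuthorizationEndpoint},
		{"token_endpoint", d.TokenEndpoint},
		{"jwks_uri", d.JWKSURI},
	}
	for _, r := range required {
		if err := checkEndpoint(r.name, r.value); err != nil {
			return nil, err
		}
	}
	for _, rt := range d.ResponseTypes {
		if rt == "code" {
			return &d, nil
		}
	}
	return nil, fmt.Errorf("provider does not advertise response_type \"code\" (got %v)", d.ResponseTypes)
}

// BuildAuthRedirect appends the authorization request parameters to the base
// URL. With an empty base URL the result is a relative "?client_id=..." string,
// which is the redirect target seen in the issue's debug log.
func BuildAuthRedirect(authURL, clientID string) string {
	q := url.Values{}
	q.Set("client_id", clientID)
	q.Set("response_type", "code")
	q.Set("scope", "openid")
	return authURL + "?" + q.Encode()
}

func main() {
	for _, c := range []struct {
		issuer string
		doc    []byte
	}{{githubIssuer, githubActionsMetadata}, {jenkinsIssuer, jenkinsMetadata}} {
		d, err := ValidateDiscovery(c.issuer, c.doc)
		if err != nil {
			fmt.Printf("%s: refusing to start OIDC: %v\n", c.issuer, err)
			continue
		}
		fmt.Printf("%s: redirect would be %s\n", c.issuer, BuildAuthRedirect(d.AuthorizationEndpoint, "123"))
	}
	// Unvalidated path, as in the issue: the redirect has no host at all.
	fmt.Println("unvalidated:", BuildAuthRedirect("", "123"))
}
```

Note the caveat the Jenkins document exposes: `https://unimplemented` is a syntactically valid absolute https URL, so it passes the structural checks above and is only caught when a login is actually attempted. Structural validation prevents the empty-redirect failure mode from this issue; it does not prove the provider implements the browser flow.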
Reference: starred/headscale#813