[Bug] Reauthentication via OIDC Breaks Connectivity Until Manual Disconnect and Reconnect #959

New Issue

Closed

opened 2025-12-29 02:26:43 +01:00 by adam · 3 comments

adam commented 2025-12-29 02:26:43 +01:00

Owner

Copy Link

Originally created by @FlorinPeter on GitHub (Mar 2, 2025).

Is this a support request?

• This is not a support request

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

After reauthenticating a Tailscale client via OIDC due to an expiring nodekey (within less than 24 hours), the client loses connectivity to other Tailscale clients and subnet routes. Interestingly, direct connections to Tailscale clients on the same local network remain functional. The nodekeys are updated correctly across all clients, as confirmed with tailscale status --json. The issue can be resolved by manually disconnecting and reconnecting the reauthenticated Tailscale client.

Expected Behavior

After reauthentication via OIDC, the Tailscale client should automatically refresh its connections and maintain seamless access to other Tailscale clients and subnet routes without requiring manual intervention.
Actual Behavior
Post-reauthentication, the client loses connectivity to other Tailscale clients and subnet routes (except for direct local network connections) until it is manually disconnected and reconnected.

Steps To Reproduce

1. Set up a Tailscale network using headscale as the control server.
2. Configure OIDC for authentication.
3. Wait for a node’s nodekey to approach expiration (less than 24 hours remaining).
4. On the Tailscale client, click the “reauthenticate” button, which redirects to the OIDC server for authentication.
5. Complete the authentication process on the OIDC server.
6. Attempt to connect to other Tailscale clients or access subnet routes.
7. Observe that these connections fail, except for direct connections to clients on the same local network.
8. Manually disconnect and reconnect the Tailscale client.
9. Confirm that connectivity to all clients and subnet routes is restored.

Environment

- OS: MacOS 15.3.1
- Headscale version: 0.25.1
- Tailscale version: 1.80.2

Runtime environment

• Headscale is behind a (reverse) proxy
• Headscale runs in a container

Anything else?

Additional Context

• This issue occurs consistently following OIDC reauthentication.
• The nodekeys are verified to update correctly after the process, suggesting the authentication itself succeeds.
• Direct connections working while relayed connections fail might indicate an issue with the client’s state refresh or coordination with the control server after reauthentication.
• I am uncertain whether this is specific to headscale or a broader Tailscale client issue.
• I am not using headscale DERP

Originally created by @FlorinPeter on GitHub (Mar 2, 2025). ### Is this a support request? - [x] This is not a support request ### Is there an existing issue for this? - [x] I have searched the existing issues ### Current Behavior After reauthenticating a Tailscale client via OIDC due to an expiring nodekey (within less than 24 hours), the client loses connectivity to other Tailscale clients and subnet routes. Interestingly, direct connections to Tailscale clients on the same local network remain functional. The nodekeys are updated correctly across all clients, as confirmed with tailscale status --json. The issue can be resolved by manually disconnecting and reconnecting the reauthenticated Tailscale client. ### Expected Behavior After reauthentication via OIDC, the Tailscale client should automatically refresh its connections and maintain seamless access to other Tailscale clients and subnet routes without requiring manual intervention. Actual Behavior Post-reauthentication, the client loses connectivity to other Tailscale clients and subnet routes (except for direct local network connections) until it is manually disconnected and reconnected. ### Steps To Reproduce 1. Set up a Tailscale network using headscale as the control server. 2. Configure OIDC for authentication. 3. Wait for a node’s nodekey to approach expiration (less than 24 hours remaining). 4. On the Tailscale client, click the “reauthenticate” button, which redirects to the OIDC server for authentication. 5. Complete the authentication process on the OIDC server. 6. Attempt to connect to other Tailscale clients or access subnet routes. 7. Observe that these connections fail, except for direct connections to clients on the same local network. 8. Manually disconnect and reconnect the Tailscale client. 9. Confirm that connectivity to all clients and subnet routes is restored. ### Environment ```markdown - OS: MacOS 15.3.1 - Headscale version: 0.25.1 - Tailscale version: 1.80.2 ``` ### Runtime environment - [ ] Headscale is behind a (reverse) proxy - [x] Headscale runs in a container ### Anything else? Additional Context * This issue occurs consistently following OIDC reauthentication. * The nodekeys are verified to update correctly after the process, suggesting the authentication itself succeeds. * Direct connections working while relayed connections fail might indicate an issue with the client’s state refresh or coordination with the control server after reauthentication. * I am uncertain whether this is specific to headscale or a broader Tailscale client issue. * I am not using headscale DERP

adam added the bugOIDCwell described ❤️ labels 2025-12-29 02:26:43 +01:00

adam closed this issue 2025-12-29 02:26:43 +01:00

adam commented 2025-12-29 02:26:44 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Sep 10, 2025):

I'm having a hard time replicating this, which frustrates me. I'm sure its a headscale issue, I think Tailscale would have had customers complain louder about it.

The thing from your description that puzzles me is that you confirm that the new keys are being propagated.

What would be helpful is the output of tailscale debug netmap on a node (the one being kicked off) and a peer of that node:

• when it works
• just after you have authenticated (and connections fail)
• just after you have restarted the client

The logs from Headscale and those tailscale clients would also help.

@kradalby commented on GitHub (Sep 10, 2025): I'm having a hard time replicating this, which frustrates me. I'm sure its a headscale issue, I think Tailscale would have had customers complain louder about it. The thing from your description that puzzles me is that you confirm that the new keys are being propagated. What would be helpful is the output of `tailscale debug netmap` on a node (the one being kicked off) and a peer of that node: - when it works - just after you have authenticated (and connections fail) - just after you have restarted the client The logs from Headscale and those tailscale clients would also help.

adam commented 2025-12-29 02:26:44 +01:00

Author

Owner

Copy Link

@JeanneD4RK commented on GitHub (Sep 24, 2025):

I was not able to replicate this issue with Azure OIDC (with a 12h TTL for the session), however something strange happens to the latency starting when I click to reauthenticate until the authentication is done

Pinging XXXX [100.64.0.3] with 32 bytes of data:
Reply from 100.64.0.3: bytes=32 time=1ms TTL=64
Reply from 100.64.0.3: bytes=32 time=1ms TTL=64
---- Clicked tailscale icon to reauth
Reply from 100.64.0.3: bytes=32 time=1481ms TTL=57
Reply from 100.64.0.3: bytes=32 time=685ms TTL=57
Reply from 100.64.0.3: bytes=32 time=87ms TTL=57
Reply from 100.64.0.3: bytes=32 time=244ms TTL=57
Reply from 100.64.0.3: bytes=32 time=677ms TTL=57
Reply from 100.64.0.3: bytes=32 time=1268ms TTL=57
Reply from 100.64.0.3: bytes=32 time=1148ms TTL=57
Reply from 100.64.0.3: bytes=32 time=919ms TTL=57
Reply from 100.64.0.3: bytes=32 time=832ms TTL=57
Reply from 100.64.0.3: bytes=32 time=443ms TTL=57
Reply from 100.64.0.3: bytes=32 time=16ms TTL=57
Reply from 100.64.0.3: bytes=32 time=121ms TTL=57
Reply from 100.64.0.3: bytes=32 time=204ms TTL=64
---- Authentication done
Reply from 100.64.0.3: bytes=32 time=1ms TTL=64
Reply from 100.64.0.3: bytes=32 time=1ms TTL=64
Reply from 100.64.0.3: bytes=32 time=1ms TTL=64

@JeanneD4RK commented on GitHub (Sep 24, 2025): I was not able to replicate this issue with Azure OIDC (with a 12h TTL for the session), however something strange happens to the latency starting when I click to reauthenticate until the authentication is done ``` Pinging XXXX [100.64.0.3] with 32 bytes of data: Reply from 100.64.0.3: bytes=32 time=1ms TTL=64 Reply from 100.64.0.3: bytes=32 time=1ms TTL=64 ---- Clicked tailscale icon to reauth Reply from 100.64.0.3: bytes=32 time=1481ms TTL=57 Reply from 100.64.0.3: bytes=32 time=685ms TTL=57 Reply from 100.64.0.3: bytes=32 time=87ms TTL=57 Reply from 100.64.0.3: bytes=32 time=244ms TTL=57 Reply from 100.64.0.3: bytes=32 time=677ms TTL=57 Reply from 100.64.0.3: bytes=32 time=1268ms TTL=57 Reply from 100.64.0.3: bytes=32 time=1148ms TTL=57 Reply from 100.64.0.3: bytes=32 time=919ms TTL=57 Reply from 100.64.0.3: bytes=32 time=832ms TTL=57 Reply from 100.64.0.3: bytes=32 time=443ms TTL=57 Reply from 100.64.0.3: bytes=32 time=16ms TTL=57 Reply from 100.64.0.3: bytes=32 time=121ms TTL=57 Reply from 100.64.0.3: bytes=32 time=204ms TTL=64 ---- Authentication done Reply from 100.64.0.3: bytes=32 time=1ms TTL=64 Reply from 100.64.0.3: bytes=32 time=1ms TTL=64 Reply from 100.64.0.3: bytes=32 time=1ms TTL=64 ```

adam commented 2025-12-29 02:26:44 +01:00

Author

Owner

Copy Link

@kradalby commented on GitHub (Dec 20, 2025):

Can you give the new beta a go? I think it is fixed, and I'll close this for now.

@kradalby commented on GitHub (Dec 20, 2025): Can you give the new beta a go? I think it is fixed, and I'll close this for now.

adam referenced this issue 2025-12-29 02:31:38 +01:00

[PR #959] [MERGED] Releases: use flavor to set the tag suffix #1770

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

v0.28.0-beta.1

v0.27.2-rc.1

v0.27.1

v0.27.0

v0.27.0-beta.2

v0.27.0-beta.1

v0.26.1

v0.26.0

v0.26.0-beta.2

v0.26.0-beta.1

v0.25.1

v0.25.0

v0.25.0-beta.2

v0.24.3

v0.25.0-beta.1

v0.24.2

v0.24.1

v0.24.0

v0.24.0-beta.2

v0.24.0-beta.1

v0.23.0

v0.23.0-rc.1

v0.23.0-beta.5

v0.23.0-beta.4

v0.23.0-beta3

v0.23.0-beta2

v0.23.0-beta1

v0.23.0-alpha12

v0.23.0-alpha11

v0.23.0-alpha10

v0.23.0-alpha9

v0.23.0-alpha8

v0.23.0-alpha7

v0.23.0-alpha6

v0.23.0-alpha5

v0.23.0-alpha4

v0.23.0-alpha4-docker-ko-test9

v0.23.0-alpha4-docker-ko-test8

v0.23.0-alpha4-docker-ko-test7

v0.23.0-alpha4-docker-ko-test6

v0.23.0-alpha4-docker-ko-test5

v0.23.0-alpha-docker-release-test-debug2

v0.23.0-alpha-docker-release-test-debug

v0.23.0-alpha4-docker-ko-test4

v0.23.0-alpha4-docker-ko-test3

v0.23.0-alpha4-docker-ko-test2

v0.23.0-alpha4-docker-ko-test

v0.23.0-alpha3

v0.23.0-alpha2

v0.23.0-alpha1

v0.22.3

v0.22.2

v0.23.0-alpha-docker-release-test

v0.22.1

v0.22.0

v0.22.0-alpha3

v0.22.0-alpha2

v0.22.0-alpha1

v0.22.0-nfpmtest

v0.21.0

v0.20.0

v0.19.0

v0.19.0-beta2

v0.19.0-beta1

v0.18.0

v0.18.0-beta4

v0.18.0-beta3

v0.18.0-beta2

v0.18.0-beta1

v0.17.1

v0.17.0

v0.17.0-beta5

v0.17.0-beta4

v0.17.0-beta3

v0.17.0-beta2

v0.17.0-beta1

v0.17.0-alpha4

v0.17.0-alpha3

v0.17.0-alpha2

v0.17.0-alpha1

v0.16.4

v0.16.3

v0.16.2

v0.16.1

v0.16.0

v0.16.0-beta7

v0.16.0-beta6

v0.16.0-beta5

v0.16.0-beta4

v0.16.0-beta3

v0.16.0-beta2

v0.16.0-beta1

v0.15.0

v0.15.0-beta6

v0.15.0-beta5

v0.15.0-beta4

v0.15.0-beta3

v0.15.0-beta2

v0.15.0-beta1

v0.14.0

v0.14.0-beta2

v0.14.0-beta1

v0.13.0

v0.13.0-beta3

v0.13.0-beta2

v0.13.0-beta1

upstream/v0.12.4

v0.12.4

v0.12.3

v0.12.2

v0.12.2-beta1

v0.12.1

v0.12.0-beta2

v0.12.0-beta1

v0.11.0

v0.10.8

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.3

v0.9.2

v0.9.1

v0.9.0

v0.8.1

v0.8.0

v0.7.1

v0.7.0

v0.6.1

v0.6.0

v0.5.2

v0.5.1

v0.5.0

v0.4.0

v0.3.6

v0.3.5

v0.3.4

v0.3.3

v0.3.2

v0.3.1

v0.3.0

v0.2.2

v0.2.1

v0.2.0

v0.1.1

v0.1.0

Labels

Clear labels

CLI

DERP

DNS

Nix

OIDC

SSH

bug

database

documentation

duplicate

enhancement

faq

good first issue

grants

help wanted

might-come

needs design doc

needs investigation

no-stale-bot

out of scope

performance

policy 📝

pull-request

Mirrored from GitHub Pull Request

question

regression

routes

stale

tags

tailscale-feature-gap

well described ❤️

wontfix

No Label OIDC bug well described ❤️

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

adam

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#959