
[Feature] OIDC with permanent ID #1990

Closed
2 tasks done
adipierro opened this issue Jun 22, 2024 · 4 comments · Fixed by #2020 · May be fixed by #2170
Labels
enhancement New feature or request OIDC OpenID Connect related issues

Comments

@adipierro

adipierro commented Jun 22, 2024

Use case

Currently, if a user account in the external system has its email or username changed, OIDC authentication in Headscale won't match the existing user in the DB, and another user will be created instead.

Description

Use OIDC sub claim as a permanent identifier for a user

If we use the sub claim as a permanent unique ID for a user, we can match the OIDC-authenticated user with it instead of a username, and update the username (email) in the DB if it differs. We should make updating optional, as ACLs might stop applying to affected users.

Use and save OIDC email claim regardless of email domain stripping

A discussion is probably needed.
[Screenshot attached to the original issue, 2024-06-22]
Email, if available, could be used as the LoginName displayed in Tailscale clients. Or it could be another way to identify users in ACLs if strip_email_domain is turned on, particularly to avoid username collisions if multiple domains are allowed to log in.

But considering #1987, we might not need to strip email domains anymore.

Contribution

  • I can write the design doc for this feature
  • I can contribute this feature
@adipierro adipierro added the enhancement New feature or request label Jun 22, 2024
@IamTaoChen

Maybe not sub; we can design it around the username claim, e.g. preferred_username.

@SirBomble

I believe this PR is attempting to add support for preferred_username #1997

@adipierro
Author

adipierro commented Jul 2, 2024

I think sub should be used as an internal identifier for matching the user, useful in cases where the username has changed upstream at the OIDC provider. Of course, it should not be used as the end-user display name or in the CLI.

@kradalby kradalby added the OIDC OpenID Connect related issues label Jul 12, 2024
@micolous

micolous commented Oct 4, 2024

I do not think this is actually fixed by #2020, because the always-active fallback behaviour will still allow account take-overs, even if the target account has been "updated" to use the sub parameter.
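The matching rule the issue description asks for (sub as the permanent key, username update optional) and the fallback concern raised in the comment above, written out as an added Go example; this is not Headscale's code, and User, Claims and findUser are constructed here for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// User is a minimal stand-in for a Headscale DB user (constructed for this example).
type User struct {
	ID   int
	Name string // username/email shown to admins and referenced by ACLs
	Sub  string // OIDC sub claim; empty for users created before sub was stored
}

// Claims holds the two OIDC ID-token claims this example looks at.
type Claims struct{ Sub, Username string }
var ErrNoMatch = errors.New("no matching user")

// findUser resolves token claims to an existing user. The sub claim always wins;
// a username change upstream optionally renames the record (updateName).
// Username fallback migrates only legacy users with no sub, only when the operator
// opted in (allowLegacy), and records the sub so the username cannot match again.
func findUser(users []*User, c Claims, allowLegacy, updateName bool) (*User, error) {
	for _, u := range users {
		if u.Sub != "" && u.Sub == c.Sub {
			if updateName && u.Name != c.Username {
				u.Name = c.Username
			}
			return u, nil
		}
	}
	if !allowLegacy {
		return nil, ErrNoMatch
	}
	for _, u := range users {
		if u.Sub == "" && u.Name == c.Username {
			u.Sub = c.Sub // one-time migration closes the fallback for this user
			return u, nil
		}
	}
	return nil, ErrNoMatch
}

func main() {
	users := []*User{{ID: 1, Name: "alice@example.com"}} // legacy user, no sub yet
	u, _ := findUser(users, Claims{Sub: "idp-sub-a", Username: "alice@example.com"}, true, true)
	fmt.Printf("migrated user %d, sub now %q\n", u.ID, u.Sub)
	_, err := findUser(users, Claims{Sub: "idp-sub-b", Username: "alice@example.com"}, true, true)
	fmt.Println("same username, different sub:", err) // no matching user
}
```

An always-active username fallback would instead match the second login to user 1; restricting the fallback to sub-less users and recording the sub on first use is what closes that path.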

kradalby added a commit to kradalby/headscale that referenced this issue Oct 4, 2024
This commit hardens the migration part of the OIDC from
the old username based approach to the new sub based approach
and makes it possible for the operator to opt out entirely.

Fixes juanfont#1990

Signed-off-by: Kristoffer Dalby <[email protected]>