headscale-webui
headscale-webui copied to clipboard
iFargle
OIDC return http not https address
I am trying to host a personal headscale with headscale-webui, with OIDC authentication with Azure AD. After config everything according to documentation, AAD prompts for incorrect redirect URI, which interesting it shows it is using http url instead of https.
None of the debug log and config indicate what is wrong.
Docker compose file help to indicate what is going on:
version: '3'
services:
headscale:
container_name: headscale
volumes:
- ./config:/etc/headscale
- ./var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
ports:
- 18080:8080
- 19090:9090
image: headscale/headscale:0.22.3
restart: unless-stopped
command: headscale serve
headscale-webui:
image: ghcr.io/ifargle/headscale-webui:latest
container_name: headscale-webui
environment:
- TZ=Asia/Shanghai
- COLOR=red # Use the base colors (ie, no darken-3, etc) -
- HS_SERVER=https://headscale.mydomain.com # Reachable endpoint for your Headscale server
- DOMAIN_NAME=https://headscale.mydomain.com # The base domain name for this container.
- SCRIPT_NAME=/admin # This is your applications base path (wsgi requires the name "SCRIPT_NAME"). Remove if you are hosing at the root /
- KEY="<Redact>" # Generate with "openssl rand -base64 32" - used to encrypt your key on disk.
- AUTH_TYPE=OIDC # AUTH_TYPE is either Basic or OIDC. Empty for no authentication
# ENV for OIDC (Used only if AUTH_TYPE is "OIDC"). Can be omitted if you aren't using OIDC
- OIDC_AUTH_URL=https://login.microsoftonline.com/<Redact Telnet ID>/v2.0/.well-known/openid-configuration # URL for your OIDC issuer's well-known endpoint
- OIDC_CLIENT_ID=<Redact> # Your OIDC Issuer's Client ID for Headscale-WebUI
- OIDC_CLIENT_SECRET=<Redact> # Your OIDC Issuer's Secret Key for Headscale-WebUI
- LOG_LEVEL=DEBUG # Log level. "DEBUG", "ERROR", "WARNING", or "INFO". Default "INFO"
volumes:
- ./webui:/data # Headscale-WebUI's storage. Make sure ./volume is readable by UID 1000 (chown 1000:1000 ./volume)
- ./config/:/etc/headscale/:ro # Headscale's config storage location. Used to read your Headscale config.
depends_on:
- headscale
ports:
- 15000:5000
derp:
build: ./derp
image: derp:latest
container_name: derp
restart: always
depends_on:
- headscale
env_file:
- .env
ports:
- 10443:443
- 13478:3478
volumes:
- /etc/letsencrypt/live/mydomain.com/fullchain.pem:/cert/${DERP_DOMAIN}.crt
- /etc/letsencrypt/live/mydomain.com/privkey.pem:/cert/${DERP_DOMAIN}.key
- ./var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
Could anyone help with this situation? Thank you.
This is caused because the behaviour of Flask OIDC is to build the redirect URI itself. As described in the doc, OVERWRITE_REDIRECT_URI needs to be set to the correct URI in the Flask OIDC settings. Unfortunately I don't think it's possible to fix without a patch.
This is what I did.
diff --git a/server.py b/server.py
index 85c0b79..e20cf29 100644
--- a/server.py
+++ b/server.py
@@ -75,6 +75,11 @@ if AUTH_TYPE == "oidc":
with open("/app/instance/secrets.json", "r+") as secrets_json:
app.logger.debug("/app/instances/secrets.json:")
app.logger.debug(secrets_json.read())
+
+ if DOMAIN_NAME:
+ OVERWRITE_REDIRECT_URI = DOMAIN_NAME + BASE_PATH + "/oidc_callback"
+ else:
+ OVERWRITE_REDIRECT_URI = False
app.config.update({
'SECRET_KEY': secrets.token_urlsafe(32),
@@ -86,7 +91,8 @@ if AUTH_TYPE == "oidc":
'OIDC_USER_INFO_ENABLED': True,
'OIDC_OPENID_REALM': 'Headscale-WebUI',
'OIDC_SCOPES': ['openid', 'profile', 'email'],
- 'OIDC_INTROSPECTION_AUTH_METHOD': 'client_secret_post'
+ 'OIDC_INTROSPECTION_AUTH_METHOD': 'client_secret_post',
+ 'OVERWRITE_REDIRECT_URI': OVERWRITE_REDIRECT_URI
})
from flask_oidc import OpenIDConnect
oidc = OpenIDConnect(app)
