
[Feature] OIDC with permanent ID

Open adipierro opened this issue 8 months ago • 3 comments

Use case

Currently, if a user account in an external system has its email or username changed, OIDC authentication in Headscale won't match the existing user in the DB, and another user will be created instead.

Description

Use OIDC sub claim as a permanent identifier for a user

If we use the sub claim as a permanent unique ID for a user, we can match an OIDC-authenticated user by it instead of by username, and update the username (email) in the DB if it differs. We should make updating optional, as ACLs might stop applying to affected users.

Use and save OIDC email claim regardless of email domain stripping

A discussion is probably needed. The email, if available, could be displayed as the LoginName in Tailscale clients. Or it could be another way to identify users in ACLs if strip_email_domain is turned on, particularly to avoid username collisions if multiple domains are allowed to log in.

But considering https://github.com/juanfont/headscale/pull/1987, we might not need to strip email domains anymore.

Contribution

  • [X] I can write the design doc for this feature
  • [X] I can contribute this feature

adipierro, Jun 22 '24 13:06
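The matching logic the proposal describes, sketched as an added Go example (not headscale's code; the Claims, User and UserStore types are hypothetical stand-ins for its DB model): look the user up by sub first, rename only when the operator opts in, and backfill the sub for users created before it was stored.

```go
package main

import "errors"

// Claims holds the OIDC claims the proposal relies on (constructed types, not headscale's).
type Claims struct {
	Sub   string // permanent subject identifier issued by the provider
	Email string // may change over time
}

// User is a simplified user record with the proposed OIDCSub column (hypothetical schema).
type User struct {
	ID      int
	Name    string // login name shown in clients and referenced by ACLs
	OIDCSub string // empty for users created before sub was stored
}

// UserStore is an in-memory stand-in for the database.
type UserStore struct {
	users  []*User
	nextID int
}

// Resolve matches the authenticated identity by sub first. If the email has
// changed, the name is updated only when updateName is true, since renaming
// can stop existing ACL rules from applying. A user without a stored sub is
// matched by name once and backfilled; otherwise a new user is created.
func (s *UserStore) Resolve(c Claims, updateName bool) (*User, error) {
	if c.Sub == "" {
		return nil, errors.New("missing sub claim")
	}
	for _, u := range s.users {
		if u.OIDCSub == c.Sub {
			if updateName && c.Email != "" && u.Name != c.Email {
				u.Name = c.Email
			}
			return u, nil
		}
	}
	for _, u := range s.users {
		if u.OIDCSub == "" && u.Name == c.Email {
			u.OIDCSub = c.Sub // one-time backfill for legacy users
			return u, nil
		}
	}
	s.nextID++
	u := &User{ID: s.nextID, Name: c.Email, OIDCSub: c.Sub}
	s.users = append(s.users, u)
	return u, nil
}
```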