[Feature] OIDC "offboarding"
Use case
I have the case that as soon as a user gets offboarded (e.g. disabled/blocked/deleted) from within OIDC (EntraID) the tailnet access should be revoked as well.
Description
Automatically check whether a connecting user is still allowed to access the tailnet and expire the node if needed.
Contribution
- [ ] I can write the design doc for this feature
- [ ] I can contribute this feature
How can it be implemented?
From my perspective the simplest solution would be to implement a trigger to call EntraID every time a node connects and check whether the user is still enabled or even a member of the required group etc.
If there is a part of the OIDC standard that allows you to do this, we can have a look, but I have not come across it. If this is something that would have to be implemented on a per OIDC basis, it is not feasible.
I would propose using the API/CLI to make a script validating this for your provider, checking the list and disabling any user that is no longer present in your system.
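The reconciliation script suggested above, written out as an added illustration (not part of this issue or of headscale's own code): it takes the set of users the IdP still considers active (a constructed list standing in for an Entra ID group query) and the headscale node list, and expires every node whose owner is no longer in that set. The `headscale nodes list -o json` field names and the `headscale nodes expire -i <id>` invocation are assumptions about the CLI; check them against your headscale version before running it for real.

```python
import json
import subprocess
from typing import Iterable

# Constructed sample of `headscale nodes list -o json` output. The field
# names are an assumption about the headscale CLI; verify for your version.
SAMPLE_NODES_JSON = json.dumps([
    {"id": "1", "name": "alice-laptop", "user": {"name": "alice@example.com"}},
    {"id": "2", "name": "bob-phone", "user": {"name": "bob@example.com"}},
    {"id": "3", "name": "alice-desktop", "user": {"name": "Alice@example.com"}},
    {"id": "4", "name": "carol-vm", "user": {"name": "carol@example.com"}},
])

# Constructed stand-in for the IdP's "still active" users, e.g. the members
# of the required Entra ID group. In production this comes from the
# provider's directory API, never from a literal.
SAMPLE_ACTIVE_USERS = ["alice@example.com", "carol@example.com"]


def nodes_to_expire(nodes_json: str, active_users: Iterable[str]) -> list[str]:
    """Return ids of nodes whose owner is not in the IdP's active set.

    Matching is case-insensitive: IdPs often return UPNs in mixed case
    while headscale stores whatever the id_token carried at login.
    A node with no owner recorded is treated as not active.
    """
    active = {u.strip().lower() for u in active_users}
    expire = []
    for node in json.loads(nodes_json):
        owner = node.get("user", {}).get("name", "").strip().lower()
        if owner not in active:
            expire.append(str(node["id"]))
    return expire


def expire_nodes(node_ids: list[str], dry_run: bool = True) -> list[list[str]]:
    """Build (and, unless dry_run, execute) the headscale expire commands."""
    commands = [["headscale", "nodes", "expire", "-i", nid] for nid in node_ids]
    if not dry_run:
        for cmd in commands:
            subprocess.run(cmd, check=True)
    return commands


if __name__ == "__main__":
    # Production: nodes_json = subprocess.run(["headscale", "nodes", "list",
    #   "-o", "json"], capture_output=True, text=True, check=True).stdout
    stale = nodes_to_expire(SAMPLE_NODES_JSON, SAMPLE_ACTIVE_USERS)
    for cmd in expire_nodes(stale, dry_run=True):
        print("would run:", " ".join(cmd))
```

Run it on a schedule (or from a hook) with `dry_run=False` once the node ids it reports match what you expect; expired nodes must re-authenticate through OIDC, which is where a disabled account is rejected.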
Something I have seen being used in such scenarios is using refresh tokens to achieve this. Let the user session be valid for as long as the access token's expiration and use the refresh token after the access token has expired to request a new token. This will keep the user info up to date, and if the user is disabled/blocked/deleted then the IDP should 403.
@kradalby: Got you, thanks. Unfortunately I'm not that into OIDC standards. In terms of a script I think it would be nice to have something like a hook system that calls custom commands e.g. upon login.
@suyashFSG How did you implement this within headscale?
@dibi-codes I have not implemented this within headscale, I was talking about how other applications that I have used make use of refresh tokens for similar behavior
This issue is stale because it has been open for 90 days with no activity.
This issue was closed because it has been inactive for 14 days since being marked as stale.