OIDC: Query userinfo endpoint before verifying user

This patch includes some changes to the OIDC integration, in particular:
 - Make sure that userinfo claims are queried *before* comparing the
   user with the configured allowed groups, email and email domain.
 - Update user with group claim from the userinfo endpoint which is
   required for allowed groups to work correctly. This is essentially a
   continuation of #2545.
 - Let userinfo claims take precedence over id token claims.

With these changes I have verified that Headscale works as expected
together with Authelia without the documented escape hatch [0], i.e.
everything works even if the id token only contains the iss and sub
claims.

[0]: https://www.authelia.com/integration/openid-connect/headscale/#configuration-escape-hatch
Fredrik Ekre
2025-06-27 12:10:14 +00:00
committed by nblock
parent b4f7782fd8
commit 5d8a2c25ea
3 changed files with 34 additions and 24 deletions


@@ -69,6 +69,10 @@ systemctl start headscale
[#2656](https://github.com/juanfont/headscale/pull/2656)
- Adds `/robots.txt` endpoint to avoid crawlers
[#2643](https://github.com/juanfont/headscale/pull/2643)
- OIDC: Use group claim from UserInfo
[#2663](https://github.com/juanfont/headscale/pull/2663)
- OIDC: Update user with claims from UserInfo *before* comparing with allowed
groups, email and domain [#2663](https://github.com/juanfont/headscale/pull/2663)
## 0.26.1 (2025-06-06)
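Review bot: The changelog entry omits the third behaviour change listed in the commit message, that UserInfo claims now take precedence over id token claims; the two added lines only cover using the group claim from UserInfo and updating the user before the allowed groups, email and domain comparison. Since precedence affects which identity attributes are trusted when the id token and the UserInfo response disagree, it is a user-visible change that operators auditing their OIDC setup will want to see called out; consider a third line such as `- OIDC: UserInfo claims take precedence over id token claims [#2663](https://github.com/juanfont/headscale/pull/2663)`. It would also help to reference #2545 here, as the commit message does, so readers can follow the group-claim work across both PRs.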