MyFavMirrors/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2025-07-09 00:52:20 -04:00
Code Issues Packages Projects Releases Wiki Activity
headscale/development/ref/oidc/index.html

42 lines
61 KiB
HTML
Raw Permalink Blame History

<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=description content="An open source, self-hosted implementation of the Tailscale control server."><meta name=author content="Headscale authors"><link href=https://juanfont.github.io/headscale/development/ref/oidc/ rel=canonical><link href=../configuration/ rel=prev><link href=../routes/ rel=next><link rel=icon href=../../assets/favicon.png><meta name=generator content="mkdocs-1.6.1, mkdocs-material-9.6.15"><title>OpenID Connect - Headscale</title><link rel=stylesheet href=../../assets/stylesheets/main.342714a4.min.css><link rel=stylesheet href=../../assets/stylesheets/palette.06af60db.min.css><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback"><style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style><script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script><meta property=og:type content=website><meta property=og:title content="OpenID Connect - Headscale"><meta property=og:description content="An open source, self-hosted implementation of the Tailscale control server."><meta property=og:image content=https://juanfont.github.io/headscale/development/assets/images/social/ref/oidc.png><meta property=og:image:type content=image/png><meta property=og:image:width content=1200><meta property=og:image:height content=630><meta content=https://juanfont.github.io/headscale/development/ref/oidc/ property=og:url><meta name=twitter:card content=summary_large_image><meta name=twitter:title content="OpenID Connect - Headscale"><meta name=twitter:description content="An open source, self-hosted implementation of the Tailscale control server."><meta name=twitter:image content=https://juanfont.github.io/headscale/development/assets/images/social/ref/oidc.png></head> <body dir=ltr data-md-color-scheme=default data-md-color-primary=white data-md-color-accent=indigo> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#openid-connect class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <div data-md-color-scheme=default data-md-component=outdated hidden> </div> <header class=md-header data-md-component=header> <nav class="md-header__inner md-grid" aria-label=Header> <a href=../.. title=Headscale class="md-header__button md-logo" aria-label=Headscale data-md-component=logo> <img src=../../logo/headscale3-dots.svg alt=logo> </a> <label class="md-header__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg> </label> <div class=md-header__title data-md-component=header-title> <div class=md-header__ellipsis> <div class=md-header__topic> <span class=md-ellipsis> Headscale </span> </div> <div class=md-header__topic data-md-component=header-topic> <span class=md-ellipsis> OpenID Connect </span> </div> </div> </div> <form class=md-header__option data-md-component=palette> <input class=md-option data-md-color-media data-md-color-scheme=default data-md-color-primary=white data-md-color-accent=indigo aria-label="Switch to dark mode" type=radio name=__palette id=__palette_0> <label class="md-header__button md-icon" title="Switch to dark mode" for=__palette_1 hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0 0 1 6-6 6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg> </label> <input class=md-option data-md-color-media data-md-color-scheme=slate data-md-color-primary=indigo data-md-color-accent=indigo aria-label="Switch to light mode" type=radio name=__palette id=__palette_1> <label class="md-header__button md-icon" title="Switch to light mode" for=__palette_0 hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 18c-.89 0-1.74-.2-2.5-.55C11.56 16.5 13 14.42 13 12s-1.44-4.5-3.5-5.45C10.26 6.2 11.11 6 12 6a6 6 0 0 1 6 6 6 6 0 0 1-6 6m8-9.31V4h-4.69L12 .69 8.69 4H4v4.69L.69 12 4 15.31V20h4.69L12 23.31 15.31 20H20v-4.69L23.31 12z"/></svg> </label> </form> <script>var palette=__md_get("__palette");if(palette&&palette.color){if("(prefers-color-scheme)"===palette.color.media){var media=matchMedia("(prefers-color-scheme: light)"),input=document.querySelector(media.matches?"[data-md-color-media='(prefers-color-scheme: light)']":"[data-md-color-media='(prefers-color-scheme: dark)']");palette.color.media=input.getAttribute("data-md-color-media"),palette.color.scheme=input.getAttribute("data-md-color-scheme"),palette.color.primary=input.getAttribute("data-md-color-primary"),palette.color.accent=input.getAttribute("data-md-color-accent")}for(var[key,value]of Object.entries(palette.color))document.body.setAttribute("data-md-color-"+key,value)}</script> <label class="md-header__button md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg> </label> <div class=md-search data-md-component=search role=dialog> <label class=md-search__overlay for=__search></label> <div class=md-search__inner role=search> <form class=md-search__form name=search> <input type=text class=md-search__input name=query aria-label=Search placeholder=Search autocapitalize=off autocorrect=off autocomplete=off spellcheck=false data-md-component=search-query required> <label class="md-search__icon md-icon" for=__search> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M9.5 3A6.5 6.5 0 0 1 16 9.5c0 1.61-.59 3.09-1.56 4.23l.27.27h.79l5 5-1.5 1.5-5-5v-.79l-.27-.27A6.52 6.52 0 0 1 9.5 16 6.5 6.5 0 0 1 3 9.5 6.5 6.5 0 0 1 9.5 3m0 2C7 5 5 7 5 9.5S7 14 9.5 14 14 12 14 9.5 12 5 9.5 5"/></svg> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg> </label> <nav class=md-search__options aria-label=Search> <a href=javascript:void(0) class="md-search__icon md-icon" title=Share aria-label=Share data-clipboard data-clipboard-text data-md-component=search-share tabindex=-1> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M18 16.08c-.76 0-1.44.3-1.96.77L8.91 12.7c.05-.23.09-.46.09-.7s-.04-.47-.09-.7l7.05-4.11c.54.5 1.25.81 2.04.81a3 3 0 0 0 3-3 3 3 0 0 0-3-3 3 3 0 0 0-3 3c0 .24.04.47.09.7L8.04 9.81C7.5 9.31 6.79 9 6 9a3 3 0 0 0-3 3 3 3 0 0 0 3 3c.79 0 1.5-.31 2.04-.81l7.12 4.15c-.05.21-.08.43-.08.66 0 1.61 1.31 2.91 2.92 2.91s2.92-1.3 2.92-2.91A2.92 2.92 0 0 0 18 16.08"/></svg> </a> <button type=reset class="md-search__icon md-icon" title=Clear aria-label=Clear tabindex=-1> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12z"/></svg> </button> </nav> <div class=md-search__suggest data-md-component=search-suggest></div> </form> <div class=md-search__output> <div class=md-search__scrollwrap tabindex=0 data-md-scrollfix> <div class=md-search-result data-md-component=search-result> <div class=md-search-result__meta> Initializing search </div> <ol class=md-search-result__list role=presentation></ol> </div> </div> </div> </div> </div> <div class=md-header__source> <a href=https://github.com/juanfont/headscale title="Go to repository" class=md-source data-md-component=source> <div class="md-source__icon md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 448 512"><!-- Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81"/></svg> </div> <div class=md-source__repository> juanfont/headscale </div> </a> </div> </nav> </header> <div class=md-container data-md-component=container> <nav class=md-tabs aria-label=Tabs data-md-component=tabs> <div class=md-grid> <ul class=md-tabs__list> <li class=md-tabs__item> <a href=../.. class=md-tabs__link> Welcome </a> </li> <li class=md-tabs__item> <a href=../../about/faq/ class=md-tabs__link> About </a> </li> <li class=md-tabs__item> <a href=../../setup/requirements/ class=md-tabs__link> Setup </a> </li> <li class=md-tabs__item> <a href=../../usage/getting-started/ class=md-tabs__link> Usage </a> </li> <li class="md-tabs__item md-tabs__item--active"> <a href=../configuration/ class=md-tabs__link> Reference </a> </li> </ul> </div> </nav> <main class=md-main data-md-component=main> <div class="md-main__inner md-grid"> <div class="md-sidebar md-sidebar--primary" data-md-component=sidebar data-md-type=navigation> <div class=md-sidebar__scrollwrap> <div class=md-sidebar__inner> <nav class="md-nav md-nav--primary md-nav--lifted" aria-label=Navigation data-md-level=0> <label class=md-nav__title for=__drawer> <a href=../.. title=Headscale class="md-nav__button md-logo" aria-label=Headscale data-md-component=logo> <img src=../../logo/headscale3-dots.svg alt=logo> </a> Headscale </label> <div class=md-nav__source> <a href=https://github.com/juanfont/headscale title="Go to repository" class=md-source data-md-component=source> <div class="md-source__icon md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 448 512"><!-- Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M439.55 236.05 244 40.45a28.87 28.87 0 0 0-40.81 0l-40.66 40.63 51.52 51.52c27.06-9.14 52.68 16.77 43.39 43.68l49.66 49.66c34.23-11.8 61.18 31 35.47 56.69-26.49 26.49-70.21-2.87-56-37.34L240.22 199v121.85c25.3 12.54 22.26 41.85 9.08 55a34.34 34.34 0 0 1-48.55 0c-17.57-17.6-11.07-46.91 11.25-56v-123c-20.8-8.51-24.6-30.74-18.64-45L142.57 101 8.45 235.14a28.86 28.86 0 0 0 0 40.81l195.61 195.6a28.86 28.86 0 0 0 40.8 0l194.69-194.69a28.86 28.86 0 0 0 0-40.81"/></svg> </div> <div class=md-source__repository> juanfont/headscale </div> </a> </div> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../.. class=md-nav__link> <span class=md-ellipsis> Welcome </span> </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_2> <label class=md-nav__link for=__nav_2 id=__nav_2_label tabindex=0> <span class=md-ellipsis> About </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_2_label aria-expanded=false> <label class=md-nav__title for=__nav_2> <span class="md-nav__icon md-icon"></span> About </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../about/faq/ class=md-nav__link> <span class=md-ellipsis> FAQ </span> </a> </li> <li class=md-nav__item> <a href=../../about/features/ class=md-nav__link> <span class=md-ellipsis> Features </span> </a> </li> <li class=md-nav__item> <a href=../../about/clients/ class=md-nav__link> <span class=md-ellipsis> Clients </span> </a> </li> <li class=md-nav__item> <a href=../../about/help/ class=md-nav__link> <span class=md-ellipsis> Getting help </span> </a> </li> <li class=md-nav__item> <a href=../../about/releases/ class=md-nav__link> <span class=md-ellipsis> Releases </span> </a> </li> <li class=md-nav__item> <a href=../../about/contributing/ class=md-nav__link> <span class=md-ellipsis> Contributing </span> </a> </li> <li class=md-nav__item> <a href=../../about/sponsor/ class=md-nav__link> <span class=md-ellipsis> Sponsor </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_3> <label class=md-nav__link for=__nav_3 id=__nav_3_label tabindex=0> <span class=md-ellipsis> Setup </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_3_label aria-expanded=false> <label class=md-nav__title for=__nav_3> <span class="md-nav__icon md-icon"></span> Setup </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../setup/requirements/ class=md-nav__link> <span class=md-ellipsis> Requirements and Assumptions </span> </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_3_2> <label class=md-nav__link for=__nav_3_2 id=__nav_3_2_label tabindex=0> <span class=md-ellipsis> Installation </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_3_2_label aria-expanded=false> <label class=md-nav__title for=__nav_3_2> <span class="md-nav__icon md-icon"></span> Installation </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../setup/install/official/ class=md-nav__link> <span class=md-ellipsis> Official releases </span> </a> </li> <li class=md-nav__item> <a href=../../setup/install/community/ class=md-nav__link> <span class=md-ellipsis> Community packages </span> </a> </li> <li class=md-nav__item> <a href=../../setup/install/container/ class=md-nav__link> <span class=md-ellipsis> Container </span> </a> </li> <li class=md-nav__item> <a href=../../setup/install/source/ class=md-nav__link> <span class=md-ellipsis> Build from source </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=../../setup/upgrade/ class=md-nav__link> <span class=md-ellipsis> Upgrade </span> </a> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_4> <label class=md-nav__link for=__nav_4 id=__nav_4_label tabindex=0> <span class=md-ellipsis> Usage </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_4_label aria-expanded=false> <label class=md-nav__title for=__nav_4> <span class="md-nav__icon md-icon"></span> Usage </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../usage/getting-started/ class=md-nav__link> <span class=md-ellipsis> Getting started </span> </a> </li> <li class="md-nav__item md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_4_2> <label class=md-nav__link for=__nav_4_2 id=__nav_4_2_label tabindex=0> <span class=md-ellipsis> Connect a node </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_4_2_label aria-expanded=false> <label class=md-nav__title for=__nav_4_2> <span class="md-nav__icon md-icon"></span> Connect a node </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../../usage/connect/android/ class=md-nav__link> <span class=md-ellipsis> Android </span> </a> </li> <li class=md-nav__item> <a href=../../usage/connect/apple/ class=md-nav__link> <span class=md-ellipsis> Apple </span> </a> </li> <li class=md-nav__item> <a href=../../usage/connect/windows/ class=md-nav__link> <span class=md-ellipsis> Windows </span> </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class="md-nav__item md-nav__item--active md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_5 checked> <label class=md-nav__link for=__nav_5 id=__nav_5_label tabindex> <span class=md-ellipsis> Reference </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=1 aria-labelledby=__nav_5_label aria-expanded=true> <label class=md-nav__title for=__nav_5> <span class="md-nav__icon md-icon"></span> Reference </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../configuration/ class=md-nav__link> <span class=md-ellipsis> Configuration </span> </a> </li> <li class="md-nav__item md-nav__item--active"> <input class="md-nav__toggle md-toggle" type=checkbox id=__toc> <label class="md-nav__link md-nav__link--active" for=__toc> <span class=md-ellipsis> OpenID Connect </span> <span class="md-nav__icon md-icon"></span> </label> <a href=./ class="md-nav__link md-nav__link--active"> <span class=md-ellipsis> OpenID Connect </span> </a> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class=md-nav__title for=__toc> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class=md-nav__list data-md-component=toc data-md-scrollfix> <li class=md-nav__item> <a href=#configuration class=md-nav__link> <span class=md-ellipsis> Configuration </span> </a> <nav class=md-nav aria-label=Configuration> <ul class=md-nav__list> <li class=md-nav__item> <a href=#basic-configuration class=md-nav__link> <span class=md-ellipsis> Basic configuration </span> </a> </li> <li class=md-nav__item> <a href=#enable-pkce-recommended class=md-nav__link> <span class=md-ellipsis> Enable PKCE (recommended) </span> </a> </li> <li class=md-nav__item> <a href=#authorize-users-with-filters class=md-nav__link> <span class=md-ellipsis> Authorize users with filters </span> </a> </li> <li class=md-nav__item> <a href=#customize-node-expiration class=md-nav__link> <span class=md-ellipsis> Customize node expiration </span> </a> </li> <li class=md-nav__item> <a href=#reference-a-user-in-the-policy class=md-nav__link> <span class=md-ellipsis> Reference a user in the policy </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=#supported-oidc-claims class=md-nav__link> <span class=md-ellipsis> Supported OIDC claims </span> </a> </li> <li class=md-nav__item> <a href=#limitations class=md-nav__link> <span class=md-ellipsis> Limitations </span> </a> </li> <li class=md-nav__item> <a href=#identity-provider-specific-configuration class=md-nav__link> <span class=md-ellipsis> Identity provider specific configuration </span> </a> <nav class=md-nav aria-label="Identity provider specific configuration"> <ul class=md-nav__list> <li class=md-nav__item> <a href=#authelia class=md-nav__link> <span class=md-ellipsis> Authelia </span> </a> <nav class=md-nav aria-label=Authelia> <ul class=md-nav__list> <li class=md-nav__item> <a href=#additional-configuration-to-authorize-users-based-on-filters class=md-nav__link> <span class=md-ellipsis> Additional configuration to authorize users based on filters </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=#authentik class=md-nav__link> <span class=md-ellipsis> Authentik </span> </a> </li> <li class=md-nav__item> <a href=#google-oauth class=md-nav__link> <span class=md-ellipsis> Google OAuth </span> </a> <nav class=md-nav aria-label="Google OAuth"> <ul class=md-nav__list> <li class=md-nav__item> <a href=#steps class=md-nav__link> <span class=md-ellipsis> Steps </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=#kanidm class=md-nav__link> <span class=md-ellipsis> Kanidm </span> </a> </li> <li class=md-nav__item> <a href=#keycloak class=md-nav__link> <span class=md-ellipsis> Keycloak </span> </a> <nav class=md-nav aria-label=Keycloak> <ul class=md-nav__list> <li class=md-nav__item> <a href=#additional-configuration-to-use-the-allowed-groups-filter class=md-nav__link> <span class=md-ellipsis> Additional configuration to use the allowed groups filter </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=#microsoft-entra-id class=md-nav__link> <span class=md-ellipsis> Microsoft Entra ID </span> </a> </li> </ul> </nav> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=../routes/ class=md-nav__link> <span class=md-ellipsis> Routes </span> </a> </li> <li class=md-nav__item> <a href=../tls/ class=md-nav__link> <span class=md-ellipsis> TLS </span> </a> </li> <li class=md-nav__item> <a href=../acls/ class=md-nav__link> <span class=md-ellipsis> ACLs </span> </a> </li> <li class=md-nav__item> <a href=../dns/ class=md-nav__link> <span class=md-ellipsis> DNS </span> </a> </li> <li class=md-nav__item> <a href=../remote-cli/ class=md-nav__link> <span class=md-ellipsis> Remote CLI </span> </a> </li> <li class="md-nav__item md-nav__item--section md-nav__item--nested"> <input class="md-nav__toggle md-toggle " type=checkbox id=__nav_5_8> <label class=md-nav__link for=__nav_5_8 id=__nav_5_8_label tabindex> <span class=md-ellipsis> Integration </span> <span class="md-nav__icon md-icon"></span> </label> <nav class=md-nav data-md-level=2 aria-labelledby=__nav_5_8_label aria-expanded=false> <label class=md-nav__title for=__nav_5_8> <span class="md-nav__icon md-icon"></span> Integration </label> <ul class=md-nav__list data-md-scrollfix> <li class=md-nav__item> <a href=../integration/reverse-proxy/ class=md-nav__link> <span class=md-ellipsis> Reverse proxy </span> </a> </li> <li class=md-nav__item> <a href=../integration/web-ui/ class=md-nav__link> <span class=md-ellipsis> Web UI </span> </a> </li> <li class=md-nav__item> <a href=../integration/tools/ class=md-nav__link> <span class=md-ellipsis> Tools </span> </a> </li> </ul> </nav> </li> </ul> </nav> </li> </ul> </nav> </div> </div> </div> <div class="md-sidebar md-sidebar--secondary" data-md-component=sidebar data-md-type=toc> <div class=md-sidebar__scrollwrap> <div class=md-sidebar__inner> <nav class="md-nav md-nav--secondary" aria-label="Table of contents"> <label class=md-nav__title for=__toc> <span class="md-nav__icon md-icon"></span> Table of contents </label> <ul class=md-nav__list data-md-component=toc data-md-scrollfix> <li class=md-nav__item> <a href=#configuration class=md-nav__link> <span class=md-ellipsis> Configuration </span> </a> <nav class=md-nav aria-label=Configuration> <ul class=md-nav__list> <li class=md-nav__item> <a href=#basic-configuration class=md-nav__link> <span class=md-ellipsis> Basic configuration </span> </a> </li> <li class=md-nav__item> <a href=#enable-pkce-recommended class=md-nav__link> <span class=md-ellipsis> Enable PKCE (recommended) </span> </a> </li> <li class=md-nav__item> <a href=#authorize-users-with-filters class=md-nav__link> <span class=md-ellipsis> Authorize users with filters </span> </a> </li> <li class=md-nav__item> <a href=#customize-node-expiration class=md-nav__link> <span class=md-ellipsis> Customize node expiration </span> </a> </li> <li class=md-nav__item> <a href=#reference-a-user-in-the-policy class=md-nav__link> <span class=md-ellipsis> Reference a user in the policy </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=#supported-oidc-claims class=md-nav__link> <span class=md-ellipsis> Supported OIDC claims </span> </a> </li> <li class=md-nav__item> <a href=#limitations class=md-nav__link> <span class=md-ellipsis> Limitations </span> </a> </li> <li class=md-nav__item> <a href=#identity-provider-specific-configuration class=md-nav__link> <span class=md-ellipsis> Identity provider specific configuration </span> </a> <nav class=md-nav aria-label="Identity provider specific configuration"> <ul class=md-nav__list> <li class=md-nav__item> <a href=#authelia class=md-nav__link> <span class=md-ellipsis> Authelia </span> </a> <nav class=md-nav aria-label=Authelia> <ul class=md-nav__list> <li class=md-nav__item> <a href=#additional-configuration-to-authorize-users-based-on-filters class=md-nav__link> <span class=md-ellipsis> Additional configuration to authorize users based on filters </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=#authentik class=md-nav__link> <span class=md-ellipsis> Authentik </span> </a> </li> <li class=md-nav__item> <a href=#google-oauth class=md-nav__link> <span class=md-ellipsis> Google OAuth </span> </a> <nav class=md-nav aria-label="Google OAuth"> <ul class=md-nav__list> <li class=md-nav__item> <a href=#steps class=md-nav__link> <span class=md-ellipsis> Steps </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=#kanidm class=md-nav__link> <span class=md-ellipsis> Kanidm </span> </a> </li> <li class=md-nav__item> <a href=#keycloak class=md-nav__link> <span class=md-ellipsis> Keycloak </span> </a> <nav class=md-nav aria-label=Keycloak> <ul class=md-nav__list> <li class=md-nav__item> <a href=#additional-configuration-to-use-the-allowed-groups-filter class=md-nav__link> <span class=md-ellipsis> Additional configuration to use the allowed groups filter </span> </a> </li> </ul> </nav> </li> <li class=md-nav__item> <a href=#microsoft-entra-id class=md-nav__link> <span class=md-ellipsis> Microsoft Entra ID </span> </a> </li> </ul> </nav> </li> </ul> </nav> </div> </div> </div> <div class=md-content data-md-component=content> <article class="md-content__inner md-typeset"> <a href=https://github.com/juanfont/headscale/blob/main/docs/ref/oidc.md title="Edit this page" class="md-content__button md-icon" rel=edit> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M10 20H6V4h7v5h5v3.1l2-2V8l-6-6H6c-1.1 0-2 .9-2 2v16c0 1.1.9 2 2 2h4zm10.2-7c.1 0 .3.1.4.2l1.3 1.3c.2.2.2.6 0 .8l-1 1-2.1-2.1 1-1c.1-.1.2-.2.4-.2m0 3.9L14.1 23H12v-2.1l6.1-6.1z"/></svg> </a> <a href=https://github.com/juanfont/headscale/raw/main/docs/ref/oidc.md title="View source of this page" class="md-content__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M17 18c.56 0 1 .44 1 1s-.44 1-1 1-1-.44-1-1 .44-1 1-1m0-3c-2.73 0-5.06 1.66-6 4 .94 2.34 3.27 4 6 4s5.06-1.66 6-4c-.94-2.34-3.27-4-6-4m0 6.5a2.5 2.5 0 0 1-2.5-2.5 2.5 2.5 0 0 1 2.5-2.5 2.5 2.5 0 0 1 2.5 2.5 2.5 2.5 0 0 1-2.5 2.5M9.27 20H6V4h7v5h5v4.07c.7.08 1.36.25 2 .49V8l-6-6H6a2 2 0 0 0-2 2v16a2 2 0 0 0 2 2h4.5a8.2 8.2 0 0 1-1.23-2"/></svg> </a> <h1 id=openid-connect>OpenID Connect<a class=headerlink href=#openid-connect title="Permanent link">&para;</a></h1> <p>Headscale supports authentication via external identity providers using OpenID Connect (OIDC). It features:</p> <ul> <li>Autoconfiguration via OpenID Connect Discovery Protocol</li> <li><a href=#enable-pkce-recommended>Proof Key for Code Exchange (PKCE) code verification</a></li> <li><a href=#authorize-users-with-filters>Authorization based on a user's domain, email address or group membership</a></li> <li>Synchronization of <a href=#supported-oidc-claims>standard OIDC claims</a></li> </ul> <p>Please see <a href=#limitations>limitations</a> for known issues and limitations.</p> <h2 id=configuration>Configuration<a class=headerlink href=#configuration title="Permanent link">&para;</a></h2> <p>OpenID requires configuration in Headscale and your identity provider:</p> <ul> <li>Headscale: The <code>oidc</code> section of the Headscale <a href=../configuration/ >configuration</a> contains all available configuration options along with a description and their default values.</li> <li>Identity provider: Please refer to the official documentation of your identity provider for specific instructions. Additionally, there might be some useful hints in the <a href=#identity-provider-specific-configuration>Identity provider specific configuration</a> section below.</li> </ul> <h3 id=basic-configuration>Basic configuration<a class=headerlink href=#basic-configuration title="Permanent link">&para;</a></h3> <p>A basic configuration connects Headscale to an identity provider and typically requires:</p> <ul> <li>OpenID Connect Issuer URL from the identity provider. Headscale uses the OpenID Connect Discovery Protocol 1.0 to automatically obtain OpenID configuration parameters (example: <code>https://sso.example.com</code>).</li> <li>Client ID from the identity provider (example: <code>headscale</code>).</li> <li>Client secret generated by the identity provider (example: <code>generated-secret</code>).</li> <li>Redirect URI for your identity provider (example: <code>https://headscale.example.com/oidc/callback</code>).</li> </ul> <div class="tabbed-set tabbed-alternate" data-tabs=1:2><input checked=checked id=__tabbed_1_1 name=__tabbed_1 type=radio><input id=__tabbed_1_2 name=__tabbed_1 type=radio><div class=tabbed-labels><label for=__tabbed_1_1>Headscale</label><label for=__tabbed_1_2>Identity provider</label></div> <div class=tabbed-content> <div class=tabbed-block> <div class="language-yaml highlight"><pre><span></span><code><span id=__span-0-1><a id=__codelineno-0-1 name=__codelineno-0-1 href=#__codelineno-0-1></a><span class=nt>oidc</span><span class=p>:</span>
</span><span id=__span-0-2><a id=__codelineno-0-2 name=__codelineno-0-2 href=#__codelineno-0-2></a><span class=w> </span><span class=nt>issuer</span><span class=p>:</span><span class=w> </span><span class=s>&quot;https://sso.example.com&quot;</span>
</span><span id=__span-0-3><a id=__codelineno-0-3 name=__codelineno-0-3 href=#__codelineno-0-3></a><span class=w> </span><span class=nt>client_id</span><span class=p>:</span><span class=w> </span><span class=s>&quot;headscale&quot;</span>
</span><span id=__span-0-4><a id=__codelineno-0-4 name=__codelineno-0-4 href=#__codelineno-0-4></a><span class=w> </span><span class=nt>client_secret</span><span class=p>:</span><span class=w> </span><span class=s>&quot;generated-secret&quot;</span>
</span></code></pre></div> </div> <div class=tabbed-block> <ul> <li>Create a new confidential client (<code>Client ID</code>, <code>Client secret</code>)</li> <li>Add Headscale's OIDC callback URL as valid redirect URL: <code>https://headscale.example.com/oidc/callback</code></li> <li>Configure additional parameters to improve user experience such as: name, description, logo, …</li> </ul> </div> </div> </div> <h3 id=enable-pkce-recommended>Enable PKCE (recommended)<a class=headerlink href=#enable-pkce-recommended title="Permanent link">&para;</a></h3> <p>Proof Key for Code Exchange (PKCE) adds an additional layer of security to the OAuth 2.0 authorization code flow by preventing authorization code interception attacks, see: <a href=https://datatracker.ietf.org/doc/html/rfc7636>https://datatracker.ietf.org/doc/html/rfc7636</a>. PKCE is recommended and needs to be configured for Headscale and the identity provider alike:</p> <div class="tabbed-set tabbed-alternate" data-tabs=2:2><input checked=checked id=__tabbed_2_1 name=__tabbed_2 type=radio><input id=__tabbed_2_2 name=__tabbed_2 type=radio><div class=tabbed-labels><label for=__tabbed_2_1>Headscale</label><label for=__tabbed_2_2>Identity provider</label></div> <div class=tabbed-content> <div class=tabbed-block> <div class="language-yaml highlight"><pre><span></span><code><span id=__span-1-1><a id=__codelineno-1-1 name=__codelineno-1-1 href=#__codelineno-1-1></a><span class=nt>oidc</span><span class=p>:</span>
</span><span id=__span-1-2><a id=__codelineno-1-2 name=__codelineno-1-2 href=#__codelineno-1-2></a><span class=w> </span><span class=nt>issuer</span><span class=p>:</span><span class=w> </span><span class=s>&quot;https://sso.example.com&quot;</span>
</span><span id=__span-1-3><a id=__codelineno-1-3 name=__codelineno-1-3 href=#__codelineno-1-3></a><span class=w> </span><span class=nt>client_id</span><span class=p>:</span><span class=w> </span><span class=s>&quot;headscale&quot;</span>
</span><span id=__span-1-4><a id=__codelineno-1-4 name=__codelineno-1-4 href=#__codelineno-1-4></a><span class=w> </span><span class=nt>client_secret</span><span class=p>:</span><span class=w> </span><span class=s>&quot;generated-secret&quot;</span>
</span><span id=__span-1-5><a id=__codelineno-1-5 name=__codelineno-1-5 href=#__codelineno-1-5></a><span class=hll><span class=w> </span><span class=nt>pkce</span><span class=p>:</span>
</span></span><span id=__span-1-6><a id=__codelineno-1-6 name=__codelineno-1-6 href=#__codelineno-1-6></a><span class=hll><span class=w> </span><span class=nt>enabled</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
</span></span></code></pre></div> </div> <div class=tabbed-block> <ul> <li>Enable PKCE for the headscale client</li> <li>Set the PKCE challenge method to "S256"</li> </ul> </div> </div> </div> <h3 id=authorize-users-with-filters>Authorize users with filters<a class=headerlink href=#authorize-users-with-filters title="Permanent link">&para;</a></h3> <p>Headscale allows to filter for allowed users based on their domain, email address or group membership. These filters can be helpful to apply additional restrictions and control which users are allowed to join. Filters are disabled by default, users are allowed to join once the authentication with the identity provider succeeds. In case multiple filters are configured, a user needs to pass all of them.</p> <div class="tabbed-set tabbed-alternate" data-tabs=3:3><input checked=checked id=__tabbed_3_1 name=__tabbed_3 type=radio><input id=__tabbed_3_2 name=__tabbed_3 type=radio><input id=__tabbed_3_3 name=__tabbed_3 type=radio><div class=tabbed-labels><label for=__tabbed_3_1>Allowed domains</label><label for=__tabbed_3_2>Allowed users/emails</label><label for=__tabbed_3_3>Allowed groups</label></div> <div class=tabbed-content> <div class=tabbed-block> <ul> <li>Check the email domain of each authenticating user against the list of allowed domains and only authorize users whose email domain matches <code>example.com</code>.</li> <li>Access allowed: <code>alice@example.com</code></li> <li>Access denied: <code>bob@example.net</code></li> </ul> <div class="language-yaml highlight"><pre><span></span><code><span id=__span-2-1><a id=__codelineno-2-1 name=__codelineno-2-1 href=#__codelineno-2-1></a><span class=nt>oidc</span><span class=p>:</span>
</span><span id=__span-2-2><a id=__codelineno-2-2 name=__codelineno-2-2 href=#__codelineno-2-2></a><span class=w> </span><span class=nt>issuer</span><span class=p>:</span><span class=w> </span><span class=s>&quot;https://sso.example.com&quot;</span>
</span><span id=__span-2-3><a id=__codelineno-2-3 name=__codelineno-2-3 href=#__codelineno-2-3></a><span class=w> </span><span class=nt>client_id</span><span class=p>:</span><span class=w> </span><span class=s>&quot;headscale&quot;</span>
</span><span id=__span-2-4><a id=__codelineno-2-4 name=__codelineno-2-4 href=#__codelineno-2-4></a><span class=w> </span><span class=nt>client_secret</span><span class=p>:</span><span class=w> </span><span class=s>&quot;generated-secret&quot;</span>
</span><span id=__span-2-5><a id=__codelineno-2-5 name=__codelineno-2-5 href=#__codelineno-2-5></a><span class=hll><span class=w> </span><span class=nt>allowed_domains</span><span class=p>:</span>
</span></span><span id=__span-2-6><a id=__codelineno-2-6 name=__codelineno-2-6 href=#__codelineno-2-6></a><span class=hll><span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class=s>&quot;example.com&quot;</span>
</span></span></code></pre></div> </div> <div class=tabbed-block> <ul> <li>Check the email address of each authenticating user against the list of allowed email addresses and only authorize users whose email is part of the <code>allowed_users</code> list.</li> <li>Access allowed: <code>alice@example.com</code>, <code>bob@example.net</code></li> <li>Access denied: <code>mallory@example.net</code></li> </ul> <div class="language-yaml highlight"><pre><span></span><code><span id=__span-3-1><a id=__codelineno-3-1 name=__codelineno-3-1 href=#__codelineno-3-1></a><span class=nt>oidc</span><span class=p>:</span>
</span><span id=__span-3-2><a id=__codelineno-3-2 name=__codelineno-3-2 href=#__codelineno-3-2></a><span class=w> </span><span class=nt>issuer</span><span class=p>:</span><span class=w> </span><span class=s>&quot;https://sso.example.com&quot;</span>
</span><span id=__span-3-3><a id=__codelineno-3-3 name=__codelineno-3-3 href=#__codelineno-3-3></a><span class=w> </span><span class=nt>client_id</span><span class=p>:</span><span class=w> </span><span class=s>&quot;headscale&quot;</span>
</span><span id=__span-3-4><a id=__codelineno-3-4 name=__codelineno-3-4 href=#__codelineno-3-4></a><span class=w> </span><span class=nt>client_secret</span><span class=p>:</span><span class=w> </span><span class=s>&quot;generated-secret&quot;</span>
</span><span id=__span-3-5><a id=__codelineno-3-5 name=__codelineno-3-5 href=#__codelineno-3-5></a><span class=hll><span class=w> </span><span class=nt>allowed_users</span><span class=p>:</span>
</span></span><span id=__span-3-6><a id=__codelineno-3-6 name=__codelineno-3-6 href=#__codelineno-3-6></a><span class=hll><span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class=s>&quot;alice@example.com&quot;</span>
</span></span><span id=__span-3-7><a id=__codelineno-3-7 name=__codelineno-3-7 href=#__codelineno-3-7></a><span class=hll><span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class=s>&quot;bob@example.net&quot;</span>
</span></span></code></pre></div> </div> <div class=tabbed-block> <ul> <li>Use the OIDC <code>groups</code> claim of each authenticating user to get their group membership and only authorize users which are members in at least one of the referenced groups.</li> <li>Access allowed: users in the <code>headscale_users</code> group</li> <li>Access denied: users without groups, users with other groups</li> </ul> <div class="language-yaml highlight"><pre><span></span><code><span id=__span-4-1><a id=__codelineno-4-1 name=__codelineno-4-1 href=#__codelineno-4-1></a><span class=nt>oidc</span><span class=p>:</span>
</span><span id=__span-4-2><a id=__codelineno-4-2 name=__codelineno-4-2 href=#__codelineno-4-2></a><span class=w> </span><span class=nt>issuer</span><span class=p>:</span><span class=w> </span><span class=s>&quot;https://sso.example.com&quot;</span>
</span><span id=__span-4-3><a id=__codelineno-4-3 name=__codelineno-4-3 href=#__codelineno-4-3></a><span class=w> </span><span class=nt>client_id</span><span class=p>:</span><span class=w> </span><span class=s>&quot;headscale&quot;</span>
</span><span id=__span-4-4><a id=__codelineno-4-4 name=__codelineno-4-4 href=#__codelineno-4-4></a><span class=w> </span><span class=nt>client_secret</span><span class=p>:</span><span class=w> </span><span class=s>&quot;generated-secret&quot;</span>
</span><span id=__span-4-5><a id=__codelineno-4-5 name=__codelineno-4-5 href=#__codelineno-4-5></a><span class=hll><span class=w> </span><span class=nt>scope</span><span class=p>:</span><span class=w> </span><span class="p p-Indicator">[</span><span class=s>&quot;openid&quot;</span><span class="p p-Indicator">,</span><span class=w> </span><span class=s>&quot;profile&quot;</span><span class="p p-Indicator">,</span><span class=w> </span><span class=s>&quot;email&quot;</span><span class="p p-Indicator">,</span><span class=w> </span><span class=s>&quot;groups&quot;</span><span class="p p-Indicator">]</span>
</span></span><span id=__span-4-6><a id=__codelineno-4-6 name=__codelineno-4-6 href=#__codelineno-4-6></a><span class=hll><span class=w> </span><span class=nt>allowed_groups</span><span class=p>:</span>
</span></span><span id=__span-4-7><a id=__codelineno-4-7 name=__codelineno-4-7 href=#__codelineno-4-7></a><span class=hll><span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class=s>&quot;headscale_users&quot;</span>
</span></span></code></pre></div> </div> </div> </div> <h3 id=customize-node-expiration>Customize node expiration<a class=headerlink href=#customize-node-expiration title="Permanent link">&para;</a></h3> <p>The node expiration is the amount of time a node is authenticated with OpenID Connect until it expires and needs to reauthenticate. The default node expiration is 180 days. This can either be customized or set to the expiration from the Access Token.</p> <div class="tabbed-set tabbed-alternate" data-tabs=4:2><input checked=checked id=__tabbed_4_1 name=__tabbed_4 type=radio><input id=__tabbed_4_2 name=__tabbed_4 type=radio><div class=tabbed-labels><label for=__tabbed_4_1>Customize node expiration</label><label for=__tabbed_4_2>Use expiration from Access Token</label></div> <div class=tabbed-content> <div class=tabbed-block> <div class="language-yaml highlight"><pre><span></span><code><span id=__span-5-1><a id=__codelineno-5-1 name=__codelineno-5-1 href=#__codelineno-5-1></a><span class=nt>oidc</span><span class=p>:</span>
</span><span id=__span-5-2><a id=__codelineno-5-2 name=__codelineno-5-2 href=#__codelineno-5-2></a><span class=w> </span><span class=nt>issuer</span><span class=p>:</span><span class=w> </span><span class=s>&quot;https://sso.example.com&quot;</span>
</span><span id=__span-5-3><a id=__codelineno-5-3 name=__codelineno-5-3 href=#__codelineno-5-3></a><span class=w> </span><span class=nt>client_id</span><span class=p>:</span><span class=w> </span><span class=s>&quot;headscale&quot;</span>
</span><span id=__span-5-4><a id=__codelineno-5-4 name=__codelineno-5-4 href=#__codelineno-5-4></a><span class=w> </span><span class=nt>client_secret</span><span class=p>:</span><span class=w> </span><span class=s>&quot;generated-secret&quot;</span>
</span><span id=__span-5-5><a id=__codelineno-5-5 name=__codelineno-5-5 href=#__codelineno-5-5></a><span class=hll><span class=w> </span><span class=nt>expiry</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">30d</span><span class=w> </span><span class=c1># Use 0 to disable node expiration</span>
</span></span></code></pre></div> </div> <div class=tabbed-block> <p>Please keep in mind that the Access Token is typically a short-lived token that expires within a few minutes. You will have to configure token expiration in your identity provider to avoid frequent reauthentication.</p> <div class="language-yaml highlight"><pre><span></span><code><span id=__span-6-1><a id=__codelineno-6-1 name=__codelineno-6-1 href=#__codelineno-6-1></a><span class=nt>oidc</span><span class=p>:</span>
</span><span id=__span-6-2><a id=__codelineno-6-2 name=__codelineno-6-2 href=#__codelineno-6-2></a><span class=w> </span><span class=nt>issuer</span><span class=p>:</span><span class=w> </span><span class=s>&quot;https://sso.example.com&quot;</span>
</span><span id=__span-6-3><a id=__codelineno-6-3 name=__codelineno-6-3 href=#__codelineno-6-3></a><span class=w> </span><span class=nt>client_id</span><span class=p>:</span><span class=w> </span><span class=s>&quot;headscale&quot;</span>
</span><span id=__span-6-4><a id=__codelineno-6-4 name=__codelineno-6-4 href=#__codelineno-6-4></a><span class=w> </span><span class=nt>client_secret</span><span class=p>:</span><span class=w> </span><span class=s>&quot;generated-secret&quot;</span>
</span><span id=__span-6-5><a id=__codelineno-6-5 name=__codelineno-6-5 href=#__codelineno-6-5></a><span class=hll><span class=w> </span><span class=nt>use_expiry_from_token</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
</span></span></code></pre></div> </div> </div> </div> <div class="admonition tip"> <p class=admonition-title>Expire a node and force re-authentication</p> <p>A node can be expired immediately via: <div class="language-console highlight"><pre><span></span><code><span id=__span-7-1><a id=__codelineno-7-1 name=__codelineno-7-1 href=#__codelineno-7-1></a><span class=go>headscale node expire -i &lt;NODE_ID&gt;</span>
</span></code></pre></div></p> </div> <h3 id=reference-a-user-in-the-policy>Reference a user in the policy<a class=headerlink href=#reference-a-user-in-the-policy title="Permanent link">&para;</a></h3> <p>You may refer to users in the Headscale policy via:</p> <ul> <li>Email address</li> <li>Username</li> <li>Provider identifier (only available in the database or from your identity provider)</li> </ul> <div class="admonition note"> <p class=admonition-title>A user identifier in the policy must contain a single <code>@</code></p> <p>The Headscale policy requires a single <code>@</code> to reference a user. If the username or provider identifier doesn't already contain a single <code>@</code>, it needs to be appended at the end. For example: the username <code>ssmith</code> has to be written as <code>ssmith@</code> to be correctly identified as user within the policy.</p> </div> <div class="admonition warning"> <p class=admonition-title>Email address or username might be updated by users</p> <p>Many identity providers allow users to update their own profile. Depending on the identity provider and its configuration, the values for username or email address might change over time. This might have unexpected consequences for Headscale where a policy might no longer work or a user might obtain more access by hijacking an existing username or email address.</p> </div> <h2 id=supported-oidc-claims>Supported OIDC claims<a class=headerlink href=#supported-oidc-claims title="Permanent link">&para;</a></h2> <p>Headscale uses <a href=https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims>the standard OIDC claims</a> to populate and update its local user profile on each login. OIDC claims are read from the ID Token or from the UserInfo endpoint.</p> <table> <thead> <tr> <th>Headscale profile</th> <th>OIDC claim</th> <th>Notes / examples</th> </tr> </thead> <tbody> <tr> <td>email address</td> <td><code>email</code></td> <td>Only used when <code>email_verified: true</code></td> </tr> <tr> <td>display name</td> <td><code>name</code></td> <td>eg: <code>Sam Smith</code></td> </tr> <tr> <td>username</td> <td><code>preferred_username</code></td> <td>Depends on identity provider, eg: <code>ssmith</code>, <code>ssmith@idp.example.com</code>, <code>\\example.com\ssmith</code></td> </tr> <tr> <td>profile picture</td> <td><code>picture</code></td> <td>URL to a profile picture or avatar</td> </tr> <tr> <td>provider identifier</td> <td><code>iss</code>, <code>sub</code></td> <td>A stable and unique identifier for a user, typically a combination of <code>iss</code> and <code>sub</code> OIDC claims</td> </tr> <tr> <td></td> <td><code>groups</code></td> <td><a href=#authorize-users-with-filters>Only used to filter for allowed groups</a></td> </tr> </tbody> </table> <h2 id=limitations>Limitations<a class=headerlink href=#limitations title="Permanent link">&para;</a></h2> <ul> <li>Support for OpenID Connect aims to be generic and vendor independent. It offers only limited support for quirks of specific identity providers.</li> <li>OIDC groups cannot be used in ACLs.</li> <li>The username provided by the identity provider needs to adhere to this pattern:<ul> <li>The username must be at least two characters long.</li> <li>It must only contain letters, digits, hyphens, dots, underscores, and up to a single <code>@</code>.</li> <li>The username must start with a letter.</li> </ul> </li> <li>A user's email address is only synchronized to the local user profile when the identity provider marks the email address as verified (<code>email_verified: true</code>).</li> </ul> <p>Please see the <a href=https://github.com/juanfont/headscale/labels/OIDC>GitHub label "OIDC"</a> for OIDC related issues.</p> <h2 id=identity-provider-specific-configuration>Identity provider specific configuration<a class=headerlink href=#identity-provider-specific-configuration title="Permanent link">&para;</a></h2> <div class="admonition warning"> <p class=admonition-title>Third-party software and services</p> <p>This section of the documentation is specific for third-party software and services. We recommend users read the third-party documentation on how to configure and integrate an OIDC client. Please see the <a href=#configuration>Configuration section</a> for a description of Headscale's OIDC related configuration settings.</p> </div> <p>Any identity provider with OpenID Connect support should "just work" with Headscale. The following identity providers are known to work:</p> <ul> <li><a href=#authelia>Authelia</a></li> <li><a href=#authentik>Authentik</a></li> <li><a href=#kanidm>Kanidm</a></li> <li><a href=#keycloak>Keycloak</a></li> </ul> <h3 id=authelia>Authelia<a class=headerlink href=#authelia title="Permanent link">&para;</a></h3> <p>Authelia is fully supported by Headscale.</p> <h4 id=additional-configuration-to-authorize-users-based-on-filters>Additional configuration to authorize users based on filters<a class=headerlink href=#additional-configuration-to-authorize-users-based-on-filters title="Permanent link">&para;</a></h4> <p>Authelia (4.39.0 or newer) no longer provides standard OIDC claims such as <code>email</code> or <code>groups</code> via the ID Token. The OIDC <code>email</code> and <code>groups</code> claims are used to <a href=#authorize-users-with-filters>authorize users with filters</a>. This extra configuration step is <strong>only</strong> needed if you need to authorize access based on one of the following user properties:</p> <ul> <li>domain</li> <li>email address</li> <li>group membership</li> </ul> <p>Please follow the instructions from Authelia's documentation on how to <a href=https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter>Restore Functionality Prior to Claims Parameter</a>.</p> <h3 id=authentik>Authentik<a class=headerlink href=#authentik title="Permanent link">&para;</a></h3> <ul> <li>Authentik is fully supported by Headscale.</li> <li><a href=https://github.com/juanfont/headscale/issues/2446>Headscale does not JSON Web Encryption</a>. Leave the field <code>Encryption Key</code> in the providers section unset.</li> </ul> <h3 id=google-oauth>Google OAuth<a class=headerlink href=#google-oauth title="Permanent link">&para;</a></h3> <div class="admonition warning"> <p class=admonition-title>No username due to missing preferred_username</p> <p>Google OAuth does not send the <code>preferred_username</code> claim when the scope <code>profile</code> is requested. The username in Headscale will be blank/not set.</p> </div> <p>In order to integrate Headscale with Google, you'll need to have a <a href=https://console.cloud.google.com>Google Cloud Console</a> account.</p> <p>Google OAuth has a <a href="https://support.google.com/cloud/answer/9110914?hl=en">verification process</a> if you need to have users authenticate who are outside of your domain. If you only need to authenticate users from your domain name (ie <code>@example.com</code>), you don't need to go through the verification process.</p> <p>However if you don't have a domain, or need to add users outside of your domain, you can manually add emails via Google Console.</p> <h4 id=steps>Steps<a class=headerlink href=#steps title="Permanent link">&para;</a></h4> <ol> <li>Go to <a href=https://console.cloud.google.com>Google Console</a> and login or create an account if you don't have one.</li> <li>Create a project (if you don't already have one).</li> <li>On the left hand menu, go to <code>APIs and services</code> -&gt; <code>Credentials</code></li> <li>Click <code>Create Credentials</code> -&gt; <code>OAuth client ID</code></li> <li>Under <code>Application Type</code>, choose <code>Web Application</code></li> <li>For <code>Name</code>, enter whatever you like</li> <li>Under <code>Authorised redirect URIs</code>, add Headscale's OIDC callback URL: <code>https://headscale.example.com/oidc/callback</code></li> <li>Click <code>Save</code> at the bottom of the form</li> <li>Take note of the <code>Client ID</code> and <code>Client secret</code>, you can also download it for reference if you need it.</li> <li><a href=#basic-configuration>Configure Headscale following the "Basic configuration" steps</a>. The issuer URL for Google OAuth is: <code>https://accounts.google.com</code>.</li> </ol> <h3 id=kanidm>Kanidm<a class=headerlink href=#kanidm title="Permanent link">&para;</a></h3> <ul> <li>Kanidm is fully supported by Headscale.</li> <li>Groups for the <a href=#authorize-users-with-filters>allowed groups filter</a> need to be specified with their full SPN, for example: <code>headscale_users@sso.example.com</code>.</li> </ul> <h3 id=keycloak>Keycloak<a class=headerlink href=#keycloak title="Permanent link">&para;</a></h3> <p>Keycloak is fully supported by Headscale.</p> <h4 id=additional-configuration-to-use-the-allowed-groups-filter>Additional configuration to use the allowed groups filter<a class=headerlink href=#additional-configuration-to-use-the-allowed-groups-filter title="Permanent link">&para;</a></h4> <p>Keycloak has no built-in client scope for the OIDC <code>groups</code> claim. This extra configuration step is <strong>only</strong> needed if you need to <a href=#authorize-users-with-filters>authorize access based on group membership</a>.</p> <ul> <li>Create a new client scope <code>groups</code> for OpenID Connect:<ul> <li>Configure a <code>Group Membership</code> mapper with name <code>groups</code> and the token claim name <code>groups</code>.</li> <li>Enable the mapper for the ID Token, Access Token and UserInfo endpoint.</li> </ul> </li> <li>Configure the new client scope for your Headscale client:<ul> <li>Edit the Headscale client.</li> <li>Search for the client scope <code>group</code>.</li> <li>Add it with assigned type <code>Default</code>.</li> </ul> </li> <li><a href=#authorize-users-with-filters>Configure the allowed groups in Headscale</a>. Keep in mind that groups in Keycloak start with a leading <code>/</code>.</li> </ul> <h3 id=microsoft-entra-id>Microsoft Entra ID<a class=headerlink href=#microsoft-entra-id title="Permanent link">&para;</a></h3> <p>In order to integrate Headscale with Microsoft Entra ID, you'll need to provision an App Registration with the correct scopes and redirect URI.</p> <p><a href=#basic-configuration>Configure Headscale following the "Basic configuration" steps</a>. The issuer URL for Microsoft Entra ID is: <code>https://login.microsoftonline.com/&lt;tenant-UUID&gt;/v2.0</code>. The following <code>extra_params</code> might be useful:</p> <ul> <li><code>domain_hint: example.com</code> to use your own domain</li> <li><code>prompt: select_account</code> to force an account picker during login</li> </ul> </article> </div> <script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script> </div> <button type=button class="md-top md-icon" data-md-component=top hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8z"/></svg> Back to top </button> </main> <footer class=md-footer> <nav class="md-footer__inner md-grid" aria-label=Footer> <a href=../configuration/ class="md-footer__link md-footer__link--prev" aria-label="Previous: Configuration"> <div class="md-footer__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg> </div> <div class=md-footer__title> <span class=md-footer__direction> Previous </span> <div class=md-ellipsis> Configuration </div> </div> </a> <a href=../routes/ class="md-footer__link md-footer__link--next" aria-label="Next: Routes"> <div class=md-footer__title> <span class=md-footer__direction> Next </span> <div class=md-ellipsis> Routes </div> </div> <div class="md-footer__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11z"/></svg> </div> </a> </nav> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class=md-copyright> <div class=md-copyright__highlight> Copyright &copy; 2025 Headscale authors </div> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a> </div> <div class=md-social> <a href=https://github.com/juanfont/headscale target=_blank rel=noopener title=github.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 496 512"><!-- Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg> </a> <a href=https://ko-fi.com/headscale target=_blank rel=noopener title=ko-fi.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M2 21h18v-2H2M20 8h-2V5h2m0-2H4v10a4 4 0 0 0 4 4h6a4 4 0 0 0 4-4v-3h2a2 2 0 0 0 2-2V5a2 2 0 0 0-2-2"/></svg> </a> <a href=https://github.com/juanfont/headscale/pkgs/container/headscale target=_blank rel=noopener title=github.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 640 512"><!-- Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M349.9 236.3h-66.1v-59.4h66.1zm0-204.3h-66.1v60.7h66.1zm78.2 144.8H362v59.4h66.1zm-156.3-72.1h-66.1v60.1h66.1zm78.1 0h-66.1v60.1h66.1zm276.8 100c-14.4-9.7-47.6-13.2-73.1-8.4-3.3-24-16.7-44.9-41.1-63.7l-14-9.3-9.3 14c-18.4 27.8-23.4 73.6-3.7 103.8-8.7 4.7-25.8 11.1-48.4 10.7H2.4c-8.7 50.8 5.8 116.8 44 162.1 37.1 43.9 92.7 66.2 165.4 66.2 157.4 0 273.9-72.5 328.4-204.2 21.4.4 67.6.1 91.3-45.2 1.5-2.5 6.6-13.2 8.5-17.1zm-511.1-27.9h-66v59.4h66.1v-59.4zm78.1 0h-66.1v59.4h66.1zm78.1 0h-66.1v59.4h66.1zm-78.1-72.1h-66.1v60.1h66.1z"/></svg> </a> <a href=https://discord.gg/c84AZQhmpx target=_blank rel=noopener title=discord.gg class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 640 512"><!-- Font Awesome Free 6.7.2 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M524.531 69.836a1.5 1.5 0 0 0-.764-.7A485 485 0 0 0 404.081 32.03a1.82 1.82 0 0 0-1.923.91 338 338 0 0 0-14.9 30.6 447.9 447.9 0 0 0-134.426 0 310 310 0 0 0-15.135-30.6 1.89 1.89 0 0 0-1.924-.91 483.7 483.7 0 0 0-119.688 37.107 1.7 1.7 0 0 0-.788.676C39.068 183.651 18.186 294.69 28.43 404.354a2.02 2.02 0 0 0 .765 1.375 487.7 487.7 0 0 0 146.825 74.189 1.9 1.9 0 0 0 2.063-.676A348 348 0 0 0 208.12 430.4a1.86 1.86 0 0 0-1.019-2.588 321 321 0 0 1-45.868-21.853 1.885 1.885 0 0 1-.185-3.126 251 251 0 0 0 9.109-7.137 1.82 1.82 0 0 1 1.9-.256c96.229 43.917 200.41 43.917 295.5 0a1.81 1.81 0 0 1 1.924.233 235 235 0 0 0 9.132 7.16 1.884 1.884 0 0 1-.162 3.126 301.4 301.4 0 0 1-45.89 21.83 1.875 1.875 0 0 0-1 2.611 391 391 0 0 0 30.014 48.815 1.86 1.86 0 0 0 2.063.7A486 486 0 0 0 610.7 405.729a1.88 1.88 0 0 0 .765-1.352c12.264-126.783-20.532-236.912-86.934-334.541M222.491 337.58c-28.972 0-52.844-26.587-52.844-59.239s23.409-59.241 52.844-59.241c29.665 0 53.306 26.82 52.843 59.239 0 32.654-23.41 59.241-52.843 59.241m195.38 0c-28.971 0-52.843-26.587-52.843-59.239s23.409-59.241 52.843-59.241c29.667 0 53.307 26.82 52.844 59.239 0 32.654-23.177 59.241-52.844 59.241"/></svg> </a> </div> </div> </div> </footer> </div> <div class=md-dialog data-md-component=dialog> <div class="md-dialog__inner md-typeset"></div> </div> <script id=__config type=application/json>{"base": "../..", "features": ["announce.dismiss", "content.action.edit", "content.action.view", "content.code.annotate", "content.code.copy", "content.tooltips", "navigation.footer", "navigation.indexes", "navigation.sections", "navigation.tabs", "navigation.top", "navigation.tracking", "search.highlight", "search.share", "search.suggest", "toc.follow"], "search": "../../assets/javascripts/workers/search.d50fe291.min.js", "tags": null, "translations": {"clipboard.copied": "Copied to clipboard", "clipboard.copy": "Copy to clipboard", "search.result.more.one": "1 more on this page", "search.result.more.other": "# more on this page", "search.result.none": "No matching documents", "search.result.one": "1 matching document", "search.result.other": "# matching documents", "search.result.placeholder": "Type to start searching", "search.result.term.missing": "Missing", "select.version": "Select version"}, "version": {"alias": true, "provider": "mike"}}</script> <script src=../../assets/javascripts/bundle.56ea9cef.min.js></script> </body> </html>
Reference in New Issue View Git Blame Copy Permalink