Closed adipierro closed 4 days ago
Maybe not `sub`, we can design the username claim, e.g. `preferred_username`.
I believe this PR is attempting to add support for `preferred_username`: https://github.com/juanfont/headscale/pull/1997
I think `sub` should be used as an internal identifier for matching the user, useful in cases where the username has changed upstream at the OIDC provider. Of course, it should not be used as the end-user display name or in the CLI.
I do not think this is actually fixed by #2020, because the always-active fallback behaviour will still allow account take-overs, even if the target account has been "updated" to use the `sub` parameter.
Use case
Currently, if a user account in an external system has its email or username changed, OIDC authentication in Headscale won't match the existing user in the DB, and another user will be created instead.
Description
- Use the OIDC `sub` claim as a permanent identifier for a user
  If we use the `sub` claim as a permanent unique ID for a user, we can match an OIDC-authenticated user by it instead of by username, and update the username (email) in the DB if it differs. We should make updating optional, as ACLs might stop applying to affected users.
- Use and save the OIDC `email` claim regardless of email domain stripping
  A discussion is probably needed. `email`, if available, could be used to display as `LoginName` in Tailscale clients. Or it could be another way to identify users in ACLs if `strip_email_domain` is turned on, particularly to avoid username collisions if multiple domains are allowed to log in. But considering https://github.com/juanfont/headscale/pull/1987, we might not need to strip email domains anymore.
Contribution
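As an added example (not headscale's code and not from any of the linked PRs), this is the matching logic the comment about the always-active fallback and the Description above are arguing over: match on issuer plus `sub` first, let the username fallback bind a legacy row exactly once, and refuse a different subject that presents a name already bound to someone else. The `Claims`, `User` and `Store` types and the `ErrUsernameTaken` error are constructed for the example.

```go
package main

import "errors"

// Claims are the ID-token claims used for matching (constructed type, not headscale's):
// sub is stable per issuer and never reassigned; preferred_username is mutable and reusable.
type Claims struct{ Issuer, Subject, Username string }

// User is a local account; ProviderID is iss+"|"+sub and is "" on rows predating it.
type User struct {
	ID               int
	Name, ProviderID string
}

type Store struct{ users []*User }

var ErrUsernameTaken = errors.New("username already bound to a different OIDC subject")

// ResolveOIDCUser matches on iss+sub first. The username fallback applies only to a
// legacy row with no ProviderID and binds sub on first use, so a later login with the
// same name but another sub can never take the row over. renameOnMatch follows an
// upstream rename of a sub-matched user; optional, since ACLs on the old name stop applying.
func (s *Store) ResolveOIDCUser(c Claims, renameOnMatch bool) (*User, error) {
	pid := c.Issuer + "|" + c.Subject
	var bySub, byName *User
	for _, u := range s.users {
		if u.ProviderID == pid {
			bySub = u
		}
		if u.Name == c.Username {
			byName = u
		}
	}
	switch {
	case bySub != nil:
		if renameOnMatch {
			bySub.Name = c.Username // same person, renamed upstream
		}
		return bySub, nil
	case byName == nil:
		u := &User{ID: len(s.users) + 1, Name: c.Username, ProviderID: pid}
		s.users = append(s.users, u)
		return u, nil
	case byName.ProviderID == "":
		byName.ProviderID = pid // one-time migration of a legacy row
		return byName, nil
	default:
		return nil, ErrUsernameTaken // same name, different subject: refuse
	}
}
```

The refusal in the default branch is the difference from an always-active fallback, which would hand the existing row to whichever subject presents its name.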