Skip to content

OIDC: Fetch UserInfo to get EmailVerified if necessary #2493

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
kradalby merged 1 commit into from
Mar 27, 2025
Merged

OIDC: Fetch UserInfo to get EmailVerified if necessary #2493

kradalby merged 1 commit into from
Mar 27, 2025

Conversation

@benley
Copy link
Contributor

@benley benley commented Mar 20, 2025
edited
Loading

Some OIDC providers (including Okta) do not include an email_verified claim in ID tokens, so headscale will never trust their email addresses. The OIDC spec says that the set of "standard claims" can be returned in either the UserInfo response or the ID token, so we can try requesting UserInfo if necessary to find the email_verified claim that we're looking for. If this also fails, the behavior of headscale is unchanged from before.

Please let me know if this approach looks acceptable, and I can try to add test coverage and update docs as needed.

Related to #2333 and #2295

  • have read the CONTRIBUTING.md file
  • raised a GitHub issue or discussed it on the projects chat beforehand
  • added unit tests
  • added integration tests
  • updated documentation if needed
  • updated CHANGELOG.md

tfly-singlestore
tfly-singlestore reviewed Mar 20, 2025
View reviewed changes
dhyanio
dhyanio reviewed Mar 21, 2025
View reviewed changes
kradalby
kradalby approved these changes Mar 21, 2025
View reviewed changes
Copy link
Collaborator

@kradalby kradalby left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this looks reasonable, is it confirmed that some of the providers (like Okta), sets the email verified in the user info?

Question for further improvement, is there more info we potentially should "fall back" to getting from userinfo if we dont get it in the claim?

Could you please add a changelog entry?

@benley
Copy link
Contributor Author

benley commented Mar 21, 2025

I think this looks reasonable, is it confirmed that some of the providers (like Okta), sets the email verified in the user info?

Okta's knowledge base indicates that they do this (https://support.okta.com/help/s/article/how-to-return-the-email-verified-claim), and I have confirmed the behavior through live testing. The only other one I've tested is Keycloak, but keycloak also includes email_verified in the id token response.

Question for further improvement, is there more info we potentially should "fall back" to getting from userinfo if we dont get it in the claim?

Good question! In theory we could try UserInfo for any of the standard claims that headscale uses: name, email, picture, preferred_username.

Could you please add a changelog entry?

Yes, coming right up.

@benley benley force-pushed the userinfo-emailverified branch from eaec48d to 3643914 Compare March 21, 2025 17:24
@benley
Copy link
Contributor Author

benley commented Mar 24, 2025

No rush, but I think this is ready for another look.

@soymgomez soymgomez mentioned this pull request Mar 25, 2025
Closed
4 tasks
@alteriks
Copy link
Contributor

alteriks commented Mar 27, 2025
edited
Loading

Hi, I've created #2505 with docs regarding how to configure Authelia.

Since v4.39.0, by default Authelia removed 'default' claims from ID Token.
If headscale starts using UserInfo endpoint we won't have to send those claims to Headscale.

Ping me, if you'd like me to verify your code with Authelia.

@kradalby
Copy link
Collaborator

kradalby commented Mar 27, 2025

@benley looks good, will merge when the TestUpdateHostnameFromClient passes, mostly a formality.

Would you be up for a PR to use this info for the other fields too?

I imagine we prioritise the claims, and then fall back to userinfo.

@kradalby kradalby merged commit b5953d6 into juanfont:main Mar 27, 2025
403 of 411 checks passed
@benley
Copy link
Contributor Author

benley commented Mar 27, 2025

Would you be up for a PR to use this info for the other fields too?

I imagine we prioritise the claims, and then fall back to userinfo.

Sure, I can followup with a second PR to do the rest of the fields. Thank you for merging this one!

@benley benley deleted the userinfo-emailverified branch March 27, 2025 17:05
@nblock nblock mentioned this pull request Mar 28, 2025
Merged
6 tasks
@nblock nblock mentioned this pull request Apr 4, 2025
Closed
2 tasks
@kradalby kradalby mentioned this pull request Apr 23, 2025
Merged
benley added a commit to benley/headscale that referenced this pull request May 8, 2025
@benley
OIDC: Fetch UserInfo to get EmailVerified if necessary (juanfont#2493)
bdada79 
(cherry picked from commit b5953d6)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kradalby kradalby kradalby approved these changes

@juanfont juanfont Awaiting requested review from juanfont juanfont is a code owner

@ohdearaugustin ohdearaugustin Awaiting requested review from ohdearaugustin ohdearaugustin is a code owner

@nblock nblock Awaiting requested review from nblock nblock is a code owner

+2 more reviewers

@dhyanio dhyanio dhyanio left review comments

@tfly-singlestore tfly-singlestore tfly-singlestore approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@benley @alteriks @kradalby @dhyanio @tfly-singlestore