Conversation

@kradalby
Collaborator

This builds on #2493 to get more useful information from userinfo if it is not set in the claim.

@benley, I would be interested to have your review on this PR.

Fixes #2516

@kradalby kradalby requested a review from juanfont as a code owner April 23, 2025 13:21
@ghost

ghost commented Apr 23, 2025

Pull Request Revisions

r3 - Fixed OIDC claims assignment syntax: corrected variable assignment syntax in OIDC claims extraction, using short variable declaration.
r2 - Enhanced OIDC user information retrieval: improved OIDC authentication by extracting user details from the UserInfo endpoint when email verification or user attributes are missing.
r1 - Enhanced OIDC user info extraction: improved OIDC authentication by adding more robust user info extraction and merging from claims and userinfo endpoints.

✅ AI review completed for r3

Signed-off-by: Kristoffer Dalby <[email protected]>
@kradalby kradalby force-pushed the kradalby/2516-oidc-userinfo branch from 06f7e19 to c42eb70 April 23, 2025 13:24
Copy link
Contributor

@benley benley left a comment

I think this looks good. Thank you for following up on this since I forgot about it - I wrote up something similar a few weeks ago but failed to actually send it out for review.

@kradalby kradalby merged commit cfe9bbf into juanfont:main Apr 30, 2025
374 of 536 checks passed
fredrikekre added a commit to fredrikekre/headscale that referenced this pull request Jun 27, 2025
This patch includes some changes to the OIDC integration, in particular:
 - Make sure that userinfo claims are queried *before* comparing the
   user with the configured allowed groups, email and email domain.
 - Update user with group claim from the userinfo endpoint which is
   required for allowed groups to work correctly. This is essentially a
   continuation of juanfont#2545.
 - Let userinfo claims take precedence over id token claims.

With these changes I have verified that Headscale works as expected
together with Authelia without the documented escape hatch [0], i.e.
everything works even if the id token only contains the iss and sub
claims.

[0]: https://www.authelia.com/integration/openid-connect/headscale/#configuration-escape-hatch
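The ordering the commit message above describes (fetch userinfo first, merge it over the ID token claims with userinfo taking precedence, then evaluate the allowed groups / email domain checks against the combined set) as an added Go example written for this page. It is not headscale's code: the `Policy` field names, the `authorize`/`mergeClaims`/`checkPolicy` helpers and the sample ID token and userinfo documents are constructed for illustration. The one check that is not an assumption is pinning `sub`: OIDC Core 5.3.2 requires the userinfo `sub` to match the ID token `sub`, and the merge refuses userinfo that does not, so a provider response cannot re-point the login at a different identity.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// RawClaims is a decoded JSON claim set from an ID token payload or the
// userinfo endpoint. (Constructed type for this example.)
type RawClaims map[string]any

// Policy stands in for allowed-groups / allowed-users / allowed-domains style
// settings. Field names are assumptions, not headscale's configuration keys.
type Policy struct {
	AllowedGroups  []string
	AllowedUsers   []string
	AllowedDomains []string
}

// mergeClaims overlays userinfo claims on the ID token claims so userinfo wins
// on conflict. Identity stays anchored to the verified ID token: iss/sub are
// never overwritten, and a userinfo sub that differs is rejected (OIDC Core 5.3.2).
func mergeClaims(idToken, userinfo RawClaims) (RawClaims, error) {
	tokenSub, _ := idToken["sub"].(string)
	if tokenSub == "" {
		return nil, errors.New("id token has no sub claim")
	}
	if uiSub, ok := userinfo["sub"].(string); ok && uiSub != tokenSub {
		return nil, fmt.Errorf("userinfo sub %q does not match id token sub %q", uiSub, tokenSub)
	}
	merged := make(RawClaims, len(idToken)+len(userinfo))
	for k, v := range idToken {
		merged[k] = v
	}
	for k, v := range userinfo {
		if k == "iss" || k == "sub" {
			continue
		}
		merged[k] = v
	}
	return merged, nil
}

func str(c RawClaims, key string) string { s, _ := c[key].(string); return s }

// stringSlice reads a claim that JSON decodes as []any, such as "groups".
func stringSlice(c RawClaims, key string) []string {
	raw, _ := c[key].([]any)
	out := make([]string, 0, len(raw))
	for _, v := range raw {
		if s, ok := v.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// checkPolicy applies every configured allow-list to the merged claims; an
// unconfigured list is skipped. Run only after the merge, otherwise a token
// carrying just iss/sub is denied for lack of email and groups.
func checkPolicy(c RawClaims, p Policy) error {
	email := str(c, "email")
	if len(p.AllowedDomains) > 0 {
		at := strings.LastIndex(email, "@")
		if at < 0 {
			return errors.New("allowed domains configured but no email claim available")
		}
		if !contains(p.AllowedDomains, strings.ToLower(email[at+1:])) {
			return fmt.Errorf("email domain %q not allowed", email[at+1:])
		}
	}
	if len(p.AllowedUsers) > 0 && !contains(p.AllowedUsers, email) {
		return fmt.Errorf("user %q not allowed", email)
	}
	if len(p.AllowedGroups) > 0 {
		allowed := false
		for _, g := range stringSlice(c, "groups") {
			if contains(p.AllowedGroups, g) {
				allowed = true
				break
			}
		}
		if !allowed {
			return errors.New("user is not in any allowed group")
		}
	}
	return nil
}

// authorize decodes both documents, merges userinfo over the ID token first,
// and only then evaluates the policy against the combined claims.
func authorize(idTokenJSON, userinfoJSON string, p Policy) (RawClaims, error) {
	var idToken, userinfo RawClaims
	if err := json.Unmarshal([]byte(idTokenJSON), &idToken); err != nil {
		return nil, err
	}
	if err := json.Unmarshal([]byte(userinfoJSON), &userinfo); err != nil {
		return nil, err
	}
	merged, err := mergeClaims(idToken, userinfo)
	if err != nil {
		return nil, err
	}
	if err := checkPolicy(merged, p); err != nil {
		return nil, err
	}
	return merged, nil
}

// Constructed sample inputs: an ID token carrying only iss and sub, and a
// userinfo document supplying everything the policy needs.
const sampleIDToken = `{"iss":"https://auth.example.com","sub":"user-123"}`
const sampleUserinfo = `{"sub":"user-123","email":"alice@example.com","email_verified":true,` +
	`"preferred_username":"alice","groups":["headscale-users","dev"]}`

func main() {
	p := Policy{AllowedGroups: []string{"headscale-users"}, AllowedDomains: []string{"example.com"}}
	merged, err := authorize(sampleIDToken, sampleUserinfo, p)
	if err != nil {
		fmt.Println("denied:", err)
		return
	}
	fmt.Printf("allowed: %s <%s> groups=%v\n", str(merged, "preferred_username"), str(merged, "email"), stringSlice(merged, "groups"))
}
```

With the policy above, the token-only claim set fails `checkPolicy` (no email, no groups) while the merged set passes; swapping the order of the merge and the check is exactly the bug the commit message describes.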
fredrikekre added a commit to fredrikekre/headscale that referenced this pull request Jun 27, 2025
fredrikekre added a commit to fredrikekre/headscale that referenced this pull request Aug 11, 2025
nblock pushed a commit that referenced this pull request Aug 11, 2025
Linked issue: [Feature] Query claims from OIDC UserInfo if not available in ID token