
Conversation

@fredrikekre
Contributor

@fredrikekre fredrikekre commented Jun 27, 2025

This patch includes some changes to the OIDC integration in particular:

  • Make sure that userinfo claims are queried before comparing the user with the configured allowed groups, email and email domain.
  • Update user with group claim from the userinfo endpoint which is required for allowed groups to work correctly. This is essentially a continuation of oidc: try to get username from userinfo #2545.
  • Let userinfo claims take precedence over id token claims.

With these changes I have verified that Headscale works as expected together with Authelia without the documented escape hatch [0], i.e. everything works even if the id token only contains the iss and sub claims.

  • have read the CONTRIBUTING.md file
  • raised a GitHub issue or discussed it on the projects chat beforehand
  • added unit tests
  • added integration tests
  • updated documentation if needed
  • updated CHANGELOG.md
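The three bullets above describe an ordering and a precedence rule rather than code, so here is an added example of what they amount to. This is example code written for this page, not headscale's own implementation: the `Claims` and `AllowList` types, the field names and the sample identity provider data are all constructed for illustration. It merges the userinfo response over the ID token claims (userinfo wins where it says anything), runs the allowed-groups, allowed-emails and allowed-domains checks only after that merge, and adds one check the bullets do not mention but OIDC Core 1.0 section 5.3.2 requires: the `sub` in the userinfo response must match the `sub` in the ID token, or the userinfo response must not be used.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Claims holds the OIDC claims this example acts on. It is a hypothetical
// type written for this example, not headscale's own representation.
type Claims struct {
	Iss    string   `json:"iss"`
	Sub    string   `json:"sub"`
	Email  string   `json:"email"`
	Name   string   `json:"preferred_username"`
	Groups []string `json:"groups"`
}

// AllowList mirrors the three allow-list settings discussed in the PR:
// allowed groups, allowed emails and allowed email domains. Hypothetical type.
type AllowList struct {
	Groups  []string
	Emails  []string
	Domains []string
}

// ErrSubjectMismatch is returned when the userinfo response describes a
// different subject than the ID token it is supposed to enrich.
var ErrSubjectMismatch = errors.New("userinfo sub does not match id token sub")

// MergeClaims overlays the userinfo response on the ID token claims.
// Every claim the userinfo response carries takes precedence; claims it
// omits keep the ID token value. Before anything is taken from userinfo,
// its sub is compared with the ID token sub (OIDC Core 1.0, 5.3.2): on a
// mismatch the userinfo response is discarded entirely.
func MergeClaims(idToken, userinfo Claims) (Claims, error) {
	if userinfo.Sub != "" && userinfo.Sub != idToken.Sub {
		return Claims{}, ErrSubjectMismatch
	}
	merged := idToken
	if userinfo.Email != "" {
		merged.Email = userinfo.Email
	}
	if userinfo.Name != "" {
		merged.Name = userinfo.Name
	}
	if len(userinfo.Groups) > 0 {
		merged.Groups = userinfo.Groups
	}
	return merged, nil
}

// Authorize applies the allow lists to already-merged claims. Every list
// that is configured must be satisfied; an empty list imposes no constraint.
func Authorize(c Claims, allow AllowList) error {
	if len(allow.Groups) > 0 && !anyMatch(c.Groups, allow.Groups) {
		return fmt.Errorf("user %q: groups %v match none of the allowed groups %v", c.Sub, c.Groups, allow.Groups)
	}
	if len(allow.Emails) > 0 && !anyMatch([]string{c.Email}, allow.Emails) {
		return fmt.Errorf("user %q: email %q is not an allowed email", c.Sub, c.Email)
	}
	if len(allow.Domains) > 0 {
		_, domain, ok := strings.Cut(c.Email, "@")
		if !ok || !anyMatch([]string{domain}, allow.Domains) {
			return fmt.Errorf("user %q: email %q is not in an allowed domain %v", c.Sub, c.Email, allow.Domains)
		}
	}
	return nil
}

// anyMatch reports whether any element of have appears in want.
func anyMatch(have, want []string) bool {
	for _, h := range have {
		for _, w := range want {
			if h == w {
				return true
			}
		}
	}
	return false
}

func main() {
	// Constructed sample data: an ID token carrying only iss and sub, as the
	// PR description says a minimal Authelia setup issues, plus a userinfo
	// response holding the rest of the profile.
	idToken := Claims{Iss: "https://auth.example.com", Sub: "7c2f0d2e"}
	userinfo := Claims{Sub: "7c2f0d2e", Email: "alice@example.com", Name: "alice", Groups: []string{"headscale-users"}}
	allow := AllowList{Groups: []string{"headscale-users"}, Domains: []string{"example.com"}}

	// Checking the ID token before userinfo is fetched rejects a legitimate user.
	fmt.Println("id token only:", Authorize(idToken, allow))

	// Merging first, with userinfo taking precedence, lets the same user through.
	merged, err := MergeClaims(idToken, userinfo)
	if err != nil {
		fmt.Println("merge:", err)
		return
	}
	fmt.Println("merged:", Authorize(merged, allow), merged.Name, merged.Email, merged.Groups)
}
```

Run as is, the first line printed is a group-check failure for the bare ID token and the second is `<nil>` with the profile filled in from userinfo, which is the behaviour difference the PR is about. Any caller that authorizes on the ID token alone, or that merges without the `sub` comparison, is the configuration this example is meant to warn against.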

@nblock
Collaborator

nblock commented Aug 10, 2025

Could you please rebase and fix the conflict for the CHANGELOG?

This patch includes some changes to the OIDC integration in particular:
 - Make sure that userinfo claims are queried *before* comparing the
   user with the configured allowed groups, email and email domain.
 - Update user with group claim from the userinfo endpoint which is
   required for allowed groups to work correctly. This is essentially a
   continuation of juanfont#2545.
 - Let userinfo claims take precedence over id token claims.

With these changes I have verified that Headscale works as expected
together with Authelia without the documented escape hatch [0], i.e.
everything works even if the id token only contain the iss and sub
claims.

[0]: https://www.authelia.com/integration/openid-connect/headscale/#configuration-escape-hatch
@fredrikekre
Contributor Author

Done!

@nblock nblock enabled auto-merge (rebase) August 11, 2025 15:46
@nblock nblock merged commit 5d8a2c2 into juanfont:main Aug 11, 2025
81 of 84 checks passed
@fredrikekre fredrikekre deleted the fe/userinfo-groups branch August 11, 2025 15:54