juanfont/headscale v0.24.0-beta.1 on GitHub

Security fix: OIDC changes in Headscale 0.24.0

The following issue only affects Headscale installations which authenticate
with OIDC.

Headscale v0.23.0 and earlier identified OIDC users by the "username" part of
their email address (when strip_email_domain: true, the default) or whole
email address (when strip_email_domain: false).

Depending on how Headscale and your Identity Provider (IdP) were configured,
only using the email claim could allow a malicious user with an IdP account to
take over another Headscale user's account, even when
strip_email_domain: false.

This would also cause a user to lose access to their Headscale account if they
changed their email address.

Headscale v0.24.0 now identifies OIDC users by the iss and sub claims.
These are guaranteed by the OIDC specification to be stable and unique,
even if a user changes email address. A well-designed IdP will typically set
sub to an opaque identifier like a UUID or numeric ID, which has no relation
to the user's name or email address.

Headscale v0.24.0 and later will also automatically update profile fields with
OIDC data on login. This means that users can change those details in your IdP,
and have it populate to Headscale automatically the next time they log in.
However, this may affect the way you reference users in policies.

Headscale v0.23.0 and earlier never recorded the iss and sub fields, so all
legacy (existing) OIDC accounts need to be migrated to be properly
secured.

What do I need to do to migrate?

Headscale v0.24.0 has an automatic migration feature, which is enabled by
default (map_legacy_users: true). This will be disabled by default in a
future version of Headscale – any unmigrated users will get new accounts.

The migration will mostly be done automatically, with one exception. If your
OIDC does not provide an email_verified claim, Headscale will ignore the
email. This means that either the administrator will have to mark the user
emails as verified, or ensure the users verify their emails. Any unverified
emails will be ignored, meaning that the users will get new accounts instead
of being migrated.

After this exception is ensured, make all users log into Headscale with their
account, and Headscale will automatically update the account record. This will
be transparent to the users.

When all users have logged in, you can disable the automatic migration by
setting map_legacy_users: false in your configuration file.

Please note that map_legacy_users will be set to false by default in v0.25.0
and the migration mechanism will be removed in v0.26.0.

What does automatic migration do?

When automatic migration is enabled (map_legacy_users: true), Headscale will
first match an OIDC account to a Headscale account by iss and sub, and then
fall back to matching OIDC users similarly to how Headscale v0.23.0 did:

If strip_email_domain: true (the default): the Headscale username matches
the "username" part of their email address.
If strip_email_domain: false: the Headscale username matches the whole
email address.

On migration, Headscale will change the account's username to their
preferred_username. This could break any ACLs or policies which are
configured to match by username.

Like with Headscale v0.23.0 and earlier, this migration only works for users who
haven't changed their email address since their last Headscale login.

A successful automated migration should otherwise be transparent to users.

Once a Headscale account has been migrated, it will be unavailable to be
matched by the legacy process. An OIDC login with a matching username, but
non-matching iss and sub will instead get a new Headscale account.

Because of the way OIDC works, Headscale's automated migration process can
only work when a user tries to log in after the update.

Legacy account migration should have no effect on new installations where all
users have a recorded sub and iss.

What happens when automatic migration is disabled?

When automatic migration is disabled (map_legacy_users: false), Headscale will
only try to match an OIDC account to a Headscale account by iss and sub.

If there is no match, it will get a new Headscale account – even if there was
a legacy account which could have matched and migrated.

We recommend new Headscale users explicitly disable automatic migration – but it
should otherwise have no effect if every account has a recorded iss and sub.

When automatic migration is disabled, the strip_email_domain setting will have
no effect.

Special thanks to @micolous for reviewing, proposing and working with us on
these changes.

Other OIDC changes

Headscale now uses
the standard OIDC claims
to populate and update user information every time they log in:

Headscale profile field	OIDC claim	Notes / examples
email address	`email`	Only used when `"email_verified": true`
display name	`name`	eg: `Sam Smith`
username	`preferred_username`	Varies depending on IdP and configuration, eg: `ssmith`, `ssmith@idp.example.com`, `\\example.com\ssmith`
profile picture	`picture`	URL to a profile picture or avatar

These should show up nicely in the Tailscale client.

This will also affect the way you
reference users in policies.

BREAKING

Remove dns.use_username_in_magic_dns configuration option
#2020,
#2279
- Having usernames in magic DNS is no longer possible.
Remove versions older than 1.56
#2149
- Clean up old code required by old versions
User gRPC/API #2261:
- If you depend on a Headscale Web UI, you should wait with this update until
  the UI have been updated to match the new API.
- GET /api/v1/user/{name} and GetUser have been removed in favour of ListUsers with an ID parameter
- RenameUser and DeleteUser now require an ID instead of a name.

Changes

Improved compatibilty of built-in DERP server with clients connecting over
WebSocket #2132
Allow nodes to use SSH agent forwarding
#2145
Fixed processing of fields in post request in MoveNode rpc
#2179
Added conversion of 'Hostname' to 'givenName' in a node with FQDN rules
applied #2198
Fixed updating of hostname and givenName when it is updated in HostInfo
#2199
Fixed missing stable-debug container tag
#2232
Loosened up server_url and base_domain check. It was overly strict in some
cases. #2248
CLI for managing users now accepts --identifier in addition to --name,
usage of --identifier is recommended
#2261
Add dns.extra_records_path configuration option #2262

Changelog

b6dc6eb #2140 Fixed reflection of hostname change (#2199)
cc42fc3 #2177 Added conversion of 'Hostname' to 'givenName' in a node with FQDN rules applied (#2198)
b3cda08 #2178 Fixed processing of fields in post request in MoveNode rpc (#2179)
e367454 Add -it to docker exec (#2148)
75e7411 Add FAQ entry on which database to use
2345c38 Add a page for third-party tools (#2217)
1e61084 Add compatibility with only websocket-capable clients (#2132)
0602304 Add headplane
204a102 Add ouroboros to web ui list (#2154)
4445649 Add versioned documentation
380fcdb Add worker reading extra_records_path from file (#2271)
07b596d Allow nodes to use SSH agent forwarding (#2145)
7512e23 Bump deprecated github actions
24e7851 Changed all the html into go using go-elem (#2161)
dc17b4d Documentation dependencies (#2252)
0089cea Feature tvos documentation (#2226)
0d3cf74 Fix README links to point to the stable version
d2a86b1 Fix broken indent
52a3b54 Fixed loginUrl with "WithTLS()" used. Added "WithTLS()" to scenario integration tests (#2187)
9a46c57 Handle /derp/latency-check (#2227)
7821469 Harden OIDC migration and make optional
2c974dd MagicDNS no longer requires nameservers (#1681)
29119bb Misc doc fixes (#2240)
218138a Redo OIDC configuration (#2020)
e724585 Refresh remote CLI documentation (#2216)
89a648c Remove use_username_in_magic_dns option
fffd236 Resolve user to stable unique ID in policy (#2205)
8c7d8ee Restructure headscale documentation (#2163)
101ca7f Update flake.lock (#2173)
0c98d09 Update flake.lock (#2195)
63035cd Update headscale user creation settings in .deb (#2134)
6275399 Update tls.md to mention using the full cert chain (#2243)
a7874af Use discord server invite link (#2235)
5fbf3f8 Websocket derp test fixes (#2247)
dc07779 add @ to end of username if not present
35b669f add iss to identifier, only set email if verified
a71a933 add nblock to doc owners (#2207)
028d9aa add new user fields to grpc and list command (#2202)
697d80d chore: configure some actions to be skipped for forks (#2005)
e2d5ee0 cleanup linter warnings (#2206)
c6336ad config: loosen up BaseDomain and ServerURL checks (#2248)
5eda9c8 denormalise PreAuthKey tags (#2155)
45c9585 feat: derpmap field in config (#1823)
edf9e25 feat: support client verify for derp (add integration tests) (#2046)
7d9b430 fix constraints
281025b fix constraints
58d089c fix deletion of exit routes without nodes (#2286)
08bd4b9 fix docker network caps (#2273)
3780c9f fix nil in test
4dd12a2 fix oidc test, add tests for migration
f6276ab fix postgres constraints, add postgres testing
4e44d57 fix: missing stable-debug tag (#2232)
f3fca83 flake.lock: Update (#2143)
49ce573 flake.lock: Update (#2158)
8cfaa6b flake.lock: Update (#2222)
93ba21e flake.lock: Update (#2239)
2c1ad6d flake.lock: Update (#2254)
26d91ae flake.lock: Update (#2266)
64bb563 make configurable wal auto checkpoint (#2242)
4b58dc6 make preauthkey tags test stable
9515040 make reauth test compat with tailscale head (#2167)
a6b19e8 more linter fixups (#2212)
5e7c315 nits
d72663a remove log print
4f2fb65 remove versions older than 1.56 (#2149)
3a2589f rename dockerfile to integration to avoid confusion (#2225)
2fe6562 restore strip_email_domain for migration
64fd1f9 restructure command/api to use stable IDs (#2261)
757defa run cross compile of headscale as part of build (#2270)
e16ea2e set hostinfo,ipv* columns explicitly (#2165)
0a82d3f update changelog
76d26a7 update oidc part of changelog for 0.24.0 (#2285)
bc9e83b use gorm serialiser instead of custom hooks (#2156)
3964dec use tsaddr library and cleanups (#2150)
7ba0c3d use userID instead of username everywhere
f7b0cbb wrap policy in policy manager interface (#2255)