2023-05-10 16:24:05 +09:00
|
|
|
package hscontrol
|
2021-09-26 17:53:05 +09:00
|
|
|
|
|
|
|
|
import (
|
2021-12-23 11:43:53 +09:00
|
|
|
"bytes"
|
2021-10-06 18:19:15 +09:00
|
|
|
"context"
|
2023-06-06 05:21:31 +09:00
|
|
|
_ "embed"
|
2021-11-22 06:51:39 +09:00
|
|
|
"errors"
|
2021-09-26 17:53:05 +09:00
|
|
|
"fmt"
|
2021-12-23 11:43:53 +09:00
|
|
|
"html/template"
|
2021-10-19 04:27:52 +09:00
|
|
|
"net/http"
|
2024-07-19 16:04:04 +09:00
|
|
|
"slices"
|
2021-10-19 04:27:52 +09:00
|
|
|
"strings"
|
2022-03-18 17:32:07 +09:00
|
|
|
"time"
|
2021-10-19 04:27:52 +09:00
|
|
|
|
2021-10-06 18:19:15 +09:00
|
|
|
"github.com/coreos/go-oidc/v3/oidc"
|
2022-06-20 19:31:19 +09:00
|
|
|
"github.com/gorilla/mux"
|
2023-05-22 01:37:59 +09:00
|
|
|
"github.com/juanfont/headscale/hscontrol/db"
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
"github.com/juanfont/headscale/hscontrol/notifier"
|
2024-11-26 23:16:06 +09:00
|
|
|
"github.com/juanfont/headscale/hscontrol/policy"
|
2023-05-22 01:37:59 +09:00
|
|
|
"github.com/juanfont/headscale/hscontrol/types"
|
2023-05-11 16:09:18 +09:00
|
|
|
"github.com/juanfont/headscale/hscontrol/util"
|
2021-09-26 17:53:05 +09:00
|
|
|
"github.com/rs/zerolog/log"
|
2021-10-06 18:19:15 +09:00
|
|
|
"golang.org/x/oauth2"
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
"zgo.at/zcache/v2"
|
2021-09-26 17:53:05 +09:00
|
|
|
)
|
|
|
|
|
|
2021-11-15 02:31:51 +09:00
|
|
|
const (
|
2024-12-23 01:46:36 +09:00
|
|
|
randomByteSize = 16
|
|
|
|
|
defaultOAuthOptionsCount = 3
|
2023-05-11 16:09:18 +09:00
|
|
|
)
|
2022-08-07 20:57:07 +09:00
|
|
|
|
2023-05-11 16:09:18 +09:00
|
|
|
var (
|
|
|
|
|
errEmptyOIDCCallbackParams = errors.New("empty OIDC callback params")
|
|
|
|
|
errNoOIDCIDToken = errors.New("could not extract ID Token for OIDC callback")
|
2024-12-23 01:46:36 +09:00
|
|
|
errNoOIDCRegistrationInfo = errors.New("could not get registration info from cache")
|
2023-05-11 16:09:18 +09:00
|
|
|
errOIDCAllowedDomains = errors.New(
|
|
|
|
|
"authenticated principal does not match any allowed domain",
|
|
|
|
|
)
|
|
|
|
|
errOIDCAllowedGroups = errors.New("authenticated principal is not in any allowed group")
|
|
|
|
|
errOIDCAllowedUsers = errors.New(
|
|
|
|
|
"authenticated principal does not match any allowed user",
|
|
|
|
|
)
|
2023-09-24 20:42:05 +09:00
|
|
|
errOIDCInvalidNodeState = errors.New(
|
|
|
|
|
"requested node state key expired before authorisation completed",
|
2023-01-31 20:40:38 +09:00
|
|
|
)
|
2023-05-11 16:09:18 +09:00
|
|
|
errOIDCNodeKeyMissing = errors.New("could not get node key from cache")
|
2021-11-15 02:31:51 +09:00
|
|
|
)
|
|
|
|
|
|
2024-12-23 01:46:36 +09:00
|
|
|
// RegistrationInfo contains both machine key and verifier information for OIDC validation.
|
|
|
|
|
type RegistrationInfo struct {
|
2025-01-13 19:54:35 +09:00
|
|
|
RegistrationID types.RegistrationID
|
|
|
|
|
Verifier *string
|
2024-12-23 01:46:36 +09:00
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
type AuthProviderOIDC struct {
|
|
|
|
|
serverURL string
|
|
|
|
|
cfg *types.OIDCConfig
|
|
|
|
|
db *db.HSDatabase
|
2024-12-23 01:46:36 +09:00
|
|
|
registrationCache *zcache.Cache[string, RegistrationInfo]
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
notifier *notifier.Notifier
|
|
|
|
|
ipAlloc *db.IPAllocator
|
2024-11-26 23:16:06 +09:00
|
|
|
polMan policy.PolicyManager
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
|
|
|
|
|
oidcProvider *oidc.Provider
|
|
|
|
|
oauth2Config *oauth2.Config
|
2021-09-26 17:53:05 +09:00
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
func NewAuthProviderOIDC(
|
|
|
|
|
ctx context.Context,
|
|
|
|
|
serverURL string,
|
|
|
|
|
cfg *types.OIDCConfig,
|
|
|
|
|
db *db.HSDatabase,
|
|
|
|
|
notif *notifier.Notifier,
|
|
|
|
|
ipAlloc *db.IPAllocator,
|
2024-11-26 23:16:06 +09:00
|
|
|
polMan policy.PolicyManager,
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
) (*AuthProviderOIDC, error) {
|
2021-09-26 17:53:05 +09:00
|
|
|
var err error
|
|
|
|
|
// grab oidc config if it hasn't been already
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
oidcProvider, err := oidc.NewProvider(context.Background(), cfg.Issuer)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("creating OIDC provider from issuer config: %w", err)
|
|
|
|
|
}
|
2021-10-06 18:19:15 +09:00
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
oauth2Config := &oauth2.Config{
|
|
|
|
|
ClientID: cfg.ClientID,
|
|
|
|
|
ClientSecret: cfg.ClientSecret,
|
|
|
|
|
Endpoint: oidcProvider.Endpoint(),
|
|
|
|
|
RedirectURL: fmt.Sprintf(
|
|
|
|
|
"%s/oidc/callback",
|
|
|
|
|
strings.TrimSuffix(serverURL, "/"),
|
|
|
|
|
),
|
|
|
|
|
Scopes: cfg.Scope,
|
2021-10-08 18:43:52 +09:00
|
|
|
}
|
|
|
|
|
|
2024-12-23 01:46:36 +09:00
|
|
|
registrationCache := zcache.New[string, RegistrationInfo](
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
registerCacheExpiration,
|
|
|
|
|
registerCacheCleanup,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
return &AuthProviderOIDC{
|
|
|
|
|
serverURL: serverURL,
|
|
|
|
|
cfg: cfg,
|
|
|
|
|
db: db,
|
|
|
|
|
registrationCache: registrationCache,
|
|
|
|
|
notifier: notif,
|
|
|
|
|
ipAlloc: ipAlloc,
|
2024-11-26 23:16:06 +09:00
|
|
|
polMan: polMan,
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
|
|
|
|
|
oidcProvider: oidcProvider,
|
|
|
|
|
oauth2Config: oauth2Config,
|
|
|
|
|
}, nil
|
2021-10-08 18:43:52 +09:00
|
|
|
}
|
|
|
|
|
|
2025-01-13 19:54:35 +09:00
|
|
|
func (a *AuthProviderOIDC) AuthURL(registrationID types.RegistrationID) string {
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
return fmt.Sprintf(
|
|
|
|
|
"%s/register/%s",
|
|
|
|
|
strings.TrimSuffix(a.serverURL, "/"),
|
2025-01-13 19:54:35 +09:00
|
|
|
registrationID.String())
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (a *AuthProviderOIDC) determineNodeExpiry(idTokenExpiration time.Time) time.Time {
|
|
|
|
|
if a.cfg.UseExpiryFromToken {
|
2023-01-31 20:40:38 +09:00
|
|
|
return idTokenExpiration
|
|
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
return time.Now().Add(a.cfg.Expiry)
|
2023-01-31 20:40:38 +09:00
|
|
|
}
|
|
|
|
|
|
2021-10-08 18:43:52 +09:00
|
|
|
// RegisterOIDC redirects to the OIDC provider for authentication
|
2022-08-11 19:15:16 +09:00
|
|
|
// Puts NodeKey in cache so the callback can retrieve it using the oidc state param
|
2025-01-13 19:54:35 +09:00
|
|
|
// Listens in /register/:registration_id.
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
func (a *AuthProviderOIDC) RegisterHandler(
|
2022-06-26 18:55:37 +09:00
|
|
|
writer http.ResponseWriter,
|
|
|
|
|
req *http.Request,
|
2022-06-20 19:31:19 +09:00
|
|
|
) {
|
2022-06-26 18:55:37 +09:00
|
|
|
vars := mux.Vars(req)
|
2025-01-13 19:54:35 +09:00
|
|
|
registrationIdStr, ok := vars["registration_id"]
|
2021-11-23 04:32:11 +09:00
|
|
|
|
2022-11-14 23:05:47 +09:00
|
|
|
// We need to make sure we dont open for XSS style injections, if the parameter that
|
|
|
|
|
// is passed as a key is not parsable/validated as a NodePublic key, then fail to render
|
|
|
|
|
// the template and log an error.
|
2025-01-13 19:54:35 +09:00
|
|
|
registrationId, err := types.RegistrationIDFromString(registrationIdStr)
|
2023-11-20 06:37:04 +09:00
|
|
|
if err != nil {
|
2025-01-13 19:54:35 +09:00
|
|
|
http.Error(writer, "invalid registration ID", http.StatusBadRequest)
|
2022-11-14 23:05:47 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2025-01-13 19:54:35 +09:00
|
|
|
log.Debug().
|
|
|
|
|
Caller().
|
|
|
|
|
Str("registration_id", registrationId.String()).
|
|
|
|
|
Bool("ok", ok).
|
|
|
|
|
Msg("Received oidc register call")
|
|
|
|
|
|
2025-01-09 00:29:37 +09:00
|
|
|
// Set the state and nonce cookies to protect against CSRF attacks
|
|
|
|
|
state, err := setCSRFCookie(writer, req, "state")
|
|
|
|
|
if err != nil {
|
2022-06-26 18:55:37 +09:00
|
|
|
http.Error(writer, "Internal server error", http.StatusInternalServerError)
|
2021-09-26 22:12:36 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2025-01-09 00:29:37 +09:00
|
|
|
// Set the state and nonce cookies to protect against CSRF attacks
|
|
|
|
|
nonce, err := setCSRFCookie(writer, req, "nonce")
|
|
|
|
|
if err != nil {
|
|
|
|
|
http.Error(writer, "Internal server error", http.StatusInternalServerError)
|
|
|
|
|
return
|
|
|
|
|
}
|
2021-09-26 17:53:05 +09:00
|
|
|
|
2024-12-23 01:46:36 +09:00
|
|
|
// Initialize registration info with machine key
|
|
|
|
|
registrationInfo := RegistrationInfo{
|
2025-01-13 19:54:35 +09:00
|
|
|
RegistrationID: registrationId,
|
2024-12-23 01:46:36 +09:00
|
|
|
}
|
2021-09-26 17:53:05 +09:00
|
|
|
|
2024-12-23 01:46:36 +09:00
|
|
|
extras := make([]oauth2.AuthCodeOption, 0, len(a.cfg.ExtraParams)+defaultOAuthOptionsCount)
|
|
|
|
|
// Add PKCE verification if enabled
|
|
|
|
|
if a.cfg.PKCE.Enabled {
|
|
|
|
|
verifier := oauth2.GenerateVerifier()
|
|
|
|
|
registrationInfo.Verifier = &verifier
|
|
|
|
|
|
|
|
|
|
extras = append(extras, oauth2.AccessTypeOffline)
|
|
|
|
|
|
|
|
|
|
switch a.cfg.PKCE.Method {
|
|
|
|
|
case types.PKCEMethodS256:
|
|
|
|
|
extras = append(extras, oauth2.S256ChallengeOption(verifier))
|
|
|
|
|
case types.PKCEMethodPlain:
|
|
|
|
|
// oauth2 does not have a plain challenge option, so we add it manually
|
|
|
|
|
extras = append(extras, oauth2.SetAuthURLParam("code_challenge_method", "plain"), oauth2.SetAuthURLParam("code_challenge", verifier))
|
|
|
|
|
}
|
|
|
|
|
}
|
2022-04-26 04:05:37 +09:00
|
|
|
|
2024-12-23 01:46:36 +09:00
|
|
|
// Add any extra parameters from configuration
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
for k, v := range a.cfg.ExtraParams {
|
2022-04-26 04:05:37 +09:00
|
|
|
extras = append(extras, oauth2.SetAuthURLParam(k, v))
|
|
|
|
|
}
|
2025-01-09 00:29:37 +09:00
|
|
|
extras = append(extras, oidc.Nonce(nonce))
|
2022-04-26 04:05:37 +09:00
|
|
|
|
2024-12-23 01:46:36 +09:00
|
|
|
// Cache the registration info
|
2025-01-09 00:29:37 +09:00
|
|
|
a.registrationCache.Set(state, registrationInfo)
|
2024-12-23 01:46:36 +09:00
|
|
|
|
2025-01-09 00:29:37 +09:00
|
|
|
authURL := a.oauth2Config.AuthCodeURL(state, extras...)
|
2021-11-16 02:24:24 +09:00
|
|
|
log.Debug().Msgf("Redirecting to %s for authentication", authURL)
|
2021-09-26 17:53:05 +09:00
|
|
|
|
2022-06-26 18:55:37 +09:00
|
|
|
http.Redirect(writer, req, authURL, http.StatusFound)
|
2021-09-26 17:53:05 +09:00
|
|
|
}
|
|
|
|
|
|
2021-12-23 11:43:53 +09:00
|
|
|
type oidcCallbackTemplateConfig struct {
|
|
|
|
|
User string
|
|
|
|
|
Verb string
|
|
|
|
|
}
|
|
|
|
|
|
2023-06-06 05:21:31 +09:00
|
|
|
//go:embed assets/oidc_callback_template.html
|
|
|
|
|
var oidcCallbackTemplateContent string
|
|
|
|
|
|
2021-12-23 11:43:53 +09:00
|
|
|
var oidcCallbackTemplate = template.Must(
|
2023-06-06 05:21:31 +09:00
|
|
|
template.New("oidccallback").Parse(oidcCallbackTemplateContent),
|
2021-12-23 11:43:53 +09:00
|
|
|
)
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
// OIDCCallbackHandler handles the callback from the OIDC endpoint
|
2023-09-24 20:42:05 +09:00
|
|
|
// Retrieves the nkey from the state cache and adds the node to the users email user
|
|
|
|
|
// TODO: A confirmation page for new nodes should be added to avoid phishing vulnerabilities
|
|
|
|
|
// TODO: Add groups information from OIDC tokens into node HostInfo
|
2021-11-13 17:39:04 +09:00
|
|
|
// Listens in /oidc/callback.
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
func (a *AuthProviderOIDC) OIDCCallbackHandler(
|
2022-06-26 19:01:04 +09:00
|
|
|
writer http.ResponseWriter,
|
|
|
|
|
req *http.Request,
|
2022-06-18 00:42:17 +09:00
|
|
|
) {
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
code, state, err := extractCodeAndStateParamFromRequest(req)
|
2022-08-07 20:57:07 +09:00
|
|
|
if err != nil {
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
http.Error(writer, err.Error(), http.StatusBadRequest)
|
2022-07-12 06:25:13 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2025-01-09 00:29:37 +09:00
|
|
|
log.Debug().Interface("cookies", req.Cookies()).Msg("Received oidc callback")
|
|
|
|
|
cookieState, err := req.Cookie("state")
|
|
|
|
|
if err != nil {
|
|
|
|
|
http.Error(writer, "state not found", http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if state != cookieState.Value {
|
|
|
|
|
http.Error(writer, "state did not match", http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2024-12-23 01:46:36 +09:00
|
|
|
idToken, err := a.extractIDToken(req.Context(), code, state)
|
2022-08-07 20:57:07 +09:00
|
|
|
if err != nil {
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
http.Error(writer, err.Error(), http.StatusBadRequest)
|
2022-07-12 06:25:13 +09:00
|
|
|
return
|
|
|
|
|
}
|
2025-01-09 00:29:37 +09:00
|
|
|
|
|
|
|
|
nonce, err := req.Cookie("nonce")
|
|
|
|
|
if err != nil {
|
|
|
|
|
http.Error(writer, "nonce not found", http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if idToken.Nonce != nonce.Value {
|
|
|
|
|
http.Error(writer, "nonce did not match", http.StatusBadRequest)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
nodeExpiry := a.determineNodeExpiry(idToken.Expiry)
|
2022-07-12 06:25:13 +09:00
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
var claims types.OIDCClaims
|
|
|
|
|
if err := idToken.Claims(&claims); err != nil {
|
|
|
|
|
http.Error(writer, fmt.Errorf("failed to decode ID token claims: %w", err).Error(), http.StatusInternalServerError)
|
2022-07-12 06:25:13 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
if err := validateOIDCAllowedDomains(a.cfg.AllowedDomains, &claims); err != nil {
|
|
|
|
|
http.Error(writer, err.Error(), http.StatusUnauthorized)
|
2022-07-12 06:25:13 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
if err := validateOIDCAllowedGroups(a.cfg.AllowedGroups, &claims); err != nil {
|
|
|
|
|
http.Error(writer, err.Error(), http.StatusUnauthorized)
|
2022-07-12 06:25:13 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
if err := validateOIDCAllowedUsers(a.cfg.AllowedUsers, &claims); err != nil {
|
|
|
|
|
http.Error(writer, err.Error(), http.StatusUnauthorized)
|
2022-12-07 09:08:01 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
user, err := a.createOrUpdateUserFromClaim(&claims)
|
|
|
|
|
if err != nil {
|
|
|
|
|
http.Error(writer, err.Error(), http.StatusInternalServerError)
|
2022-07-12 06:25:13 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2025-01-17 20:46:40 +09:00
|
|
|
// TODO(kradalby): Is this comment right?
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
// If the node exists, then the node should be reauthenticated,
|
|
|
|
|
// if the node does not exist, and the machine key exists, then
|
|
|
|
|
// this is a new node that should be registered.
|
2025-01-17 20:46:40 +09:00
|
|
|
registrationId := a.getRegistrationIDFromState(state)
|
2022-07-12 06:25:13 +09:00
|
|
|
|
2025-01-17 20:46:40 +09:00
|
|
|
// Register the node if it does not exist.
|
|
|
|
|
if registrationId != nil {
|
|
|
|
|
verb := "Reauthenticated"
|
|
|
|
|
newNode, err := a.handleRegistrationID(user, *registrationId, nodeExpiry)
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
if err != nil {
|
|
|
|
|
http.Error(writer, err.Error(), http.StatusInternalServerError)
|
|
|
|
|
return
|
|
|
|
|
}
|
2022-07-12 06:25:13 +09:00
|
|
|
|
2025-01-17 20:46:40 +09:00
|
|
|
if newNode {
|
|
|
|
|
verb = "Authenticated"
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
}
|
|
|
|
|
|
2025-01-17 20:46:40 +09:00
|
|
|
// TODO(kradalby): replace with go-elem
|
|
|
|
|
content, err := renderOIDCCallbackTemplate(user, verb)
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
if err != nil {
|
|
|
|
|
http.Error(writer, err.Error(), http.StatusInternalServerError)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
writer.Header().Set("Content-Type", "text/html; charset=utf-8")
|
|
|
|
|
writer.WriteHeader(http.StatusOK)
|
|
|
|
|
if _, err := writer.Write(content.Bytes()); err != nil {
|
|
|
|
|
util.LogErr(err, "Failed to write response")
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-12 06:25:13 +09:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
// Neither node nor machine key was found in the state cache meaning
|
|
|
|
|
// that we could not reauth nor register the node.
|
2025-01-17 02:05:05 +09:00
|
|
|
http.Error(writer, "login session expired, try again", http.StatusInternalServerError)
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
return
|
2022-07-12 06:25:13 +09:00
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
func extractCodeAndStateParamFromRequest(
|
2022-07-12 06:25:13 +09:00
|
|
|
req *http.Request,
|
2022-08-07 20:57:07 +09:00
|
|
|
) (string, string, error) {
|
2022-06-26 19:01:04 +09:00
|
|
|
code := req.URL.Query().Get("code")
|
|
|
|
|
state := req.URL.Query().Get("state")
|
2021-09-26 17:53:05 +09:00
|
|
|
|
|
|
|
|
if code == "" || state == "" {
|
2022-08-07 20:57:07 +09:00
|
|
|
return "", "", errEmptyOIDCCallbackParams
|
2021-09-26 17:53:05 +09:00
|
|
|
}
|
|
|
|
|
|
2022-08-07 20:57:07 +09:00
|
|
|
return code, state, nil
|
2022-07-12 06:25:13 +09:00
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
// extractIDToken takes the code parameter from the callback
|
|
|
|
|
// and extracts the ID token from the oauth2 token.
|
|
|
|
|
func (a *AuthProviderOIDC) extractIDToken(
|
2022-09-04 22:02:18 +09:00
|
|
|
ctx context.Context,
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
code string,
|
2024-12-23 01:46:36 +09:00
|
|
|
state string,
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
) (*oidc.IDToken, error) {
|
2024-12-23 01:46:36 +09:00
|
|
|
var exchangeOpts []oauth2.AuthCodeOption
|
|
|
|
|
|
|
|
|
|
if a.cfg.PKCE.Enabled {
|
|
|
|
|
regInfo, ok := a.registrationCache.Get(state)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, errNoOIDCRegistrationInfo
|
|
|
|
|
}
|
|
|
|
|
if regInfo.Verifier != nil {
|
|
|
|
|
exchangeOpts = []oauth2.AuthCodeOption{oauth2.VerifierOption(*regInfo.Verifier)}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
oauth2Token, err := a.oauth2Config.Exchange(ctx, code, exchangeOpts...)
|
2021-09-26 17:53:05 +09:00
|
|
|
if err != nil {
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
return nil, fmt.Errorf("could not exchange code for token: %w", err)
|
2021-09-26 17:53:05 +09:00
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
rawIDToken, ok := oauth2Token.Extra("id_token").(string)
|
|
|
|
|
if !ok {
|
|
|
|
|
return nil, errNoOIDCIDToken
|
2021-10-06 18:19:15 +09:00
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
verifier := a.oidcProvider.Verifier(&oidc.Config{ClientID: a.cfg.ClientID})
|
2022-09-04 22:02:18 +09:00
|
|
|
idToken, err := verifier.Verify(ctx, rawIDToken)
|
2021-09-26 17:53:05 +09:00
|
|
|
if err != nil {
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
return nil, fmt.Errorf("failed to verify ID token: %w", err)
|
2021-10-06 18:19:15 +09:00
|
|
|
}
|
|
|
|
|
|
2022-08-07 20:57:07 +09:00
|
|
|
return idToken, nil
|
2022-07-12 06:25:13 +09:00
|
|
|
}
|
2021-10-06 18:19:15 +09:00
|
|
|
|
2022-07-12 06:25:13 +09:00
|
|
|
// validateOIDCAllowedDomains checks that if AllowedDomains is provided,
|
|
|
|
|
// that the authenticated principal ends with @<alloweddomain>.
|
|
|
|
|
func validateOIDCAllowedDomains(
|
|
|
|
|
allowedDomains []string,
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
claims *types.OIDCClaims,
|
2022-08-07 20:57:07 +09:00
|
|
|
) error {
|
2022-07-12 06:25:13 +09:00
|
|
|
if len(allowedDomains) > 0 {
|
2022-04-26 04:05:37 +09:00
|
|
|
if at := strings.LastIndex(claims.Email, "@"); at < 0 ||
|
2024-07-19 16:04:04 +09:00
|
|
|
!slices.Contains(allowedDomains, claims.Email[at+1:]) {
|
2022-08-07 20:57:07 +09:00
|
|
|
return errOIDCAllowedDomains
|
2022-04-26 04:05:37 +09:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2022-08-07 20:57:07 +09:00
|
|
|
return nil
|
2022-07-12 06:25:13 +09:00
|
|
|
}
|
|
|
|
|
|
2022-12-07 09:08:01 +09:00
|
|
|
// validateOIDCAllowedGroups checks if AllowedGroups is provided,
|
|
|
|
|
// and that the user has one group in the list.
|
|
|
|
|
// claims.Groups can be populated by adding a client scope named
|
|
|
|
|
// 'groups' that contains group membership.
|
|
|
|
|
func validateOIDCAllowedGroups(
|
|
|
|
|
allowedGroups []string,
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
claims *types.OIDCClaims,
|
2022-12-07 09:08:01 +09:00
|
|
|
) error {
|
|
|
|
|
if len(allowedGroups) > 0 {
|
|
|
|
|
for _, group := range allowedGroups {
|
2024-07-19 16:04:04 +09:00
|
|
|
if slices.Contains(claims.Groups, group) {
|
2022-12-07 09:08:01 +09:00
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return errOIDCAllowedGroups
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
2022-07-12 06:25:13 +09:00
|
|
|
// validateOIDCAllowedUsers checks that if AllowedUsers is provided,
|
|
|
|
|
// that the authenticated principal is part of that list.
|
|
|
|
|
func validateOIDCAllowedUsers(
|
|
|
|
|
allowedUsers []string,
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
claims *types.OIDCClaims,
|
2022-08-07 20:57:07 +09:00
|
|
|
) error {
|
2022-07-12 06:25:13 +09:00
|
|
|
if len(allowedUsers) > 0 &&
|
2024-07-19 16:04:04 +09:00
|
|
|
!slices.Contains(allowedUsers, claims.Email) {
|
2023-06-22 23:38:57 +09:00
|
|
|
log.Trace().Msg("authenticated principal does not match any allowed user")
|
2022-08-07 20:57:07 +09:00
|
|
|
return errOIDCAllowedUsers
|
2022-04-26 04:05:37 +09:00
|
|
|
}
|
|
|
|
|
|
2022-08-07 20:57:07 +09:00
|
|
|
return nil
|
2022-07-12 06:25:13 +09:00
|
|
|
}
|
|
|
|
|
|
2025-01-13 19:54:35 +09:00
|
|
|
// getRegistrationIDFromState retrieves the registration ID from the state.
|
|
|
|
|
func (a *AuthProviderOIDC) getRegistrationIDFromState(state string) *types.RegistrationID {
|
2024-12-23 01:46:36 +09:00
|
|
|
regInfo, ok := a.registrationCache.Get(state)
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
if !ok {
|
2025-01-13 19:54:35 +09:00
|
|
|
return nil
|
2021-11-27 08:30:42 +09:00
|
|
|
}
|
2021-09-26 17:53:05 +09:00
|
|
|
|
2025-01-13 19:54:35 +09:00
|
|
|
return ®Info.RegistrationID
|
2022-07-12 06:25:13 +09:00
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
func (a *AuthProviderOIDC) createOrUpdateUserFromClaim(
|
|
|
|
|
claims *types.OIDCClaims,
|
2023-05-22 01:37:59 +09:00
|
|
|
) (*types.User, error) {
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
var user *types.User
|
|
|
|
|
var err error
|
2024-10-18 21:59:27 +09:00
|
|
|
user, err = a.db.GetUserByOIDCIdentifier(claims.Identifier())
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
if err != nil && !errors.Is(err, db.ErrUserNotFound) {
|
|
|
|
|
return nil, fmt.Errorf("creating or updating user: %w", err)
|
|
|
|
|
}
|
2021-12-23 11:43:53 +09:00
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
// This check is for legacy, if the user cannot be found by the OIDC identifier
|
|
|
|
|
// look it up by username. This should only be needed once.
|
2024-12-13 16:52:40 +09:00
|
|
|
// This branch will persist for a number of versions after the OIDC migration and
|
2024-10-04 19:24:35 +09:00
|
|
|
// then be removed following a deprecation.
|
2024-10-17 21:22:44 +09:00
|
|
|
// TODO(kradalby): Remove when strip_email_domain and migration is removed
|
|
|
|
|
// after #2170 is cleaned up.
|
2024-10-04 19:24:35 +09:00
|
|
|
if a.cfg.MapLegacyUsers && user == nil {
|
2024-10-18 21:59:27 +09:00
|
|
|
log.Trace().Str("username", claims.Username).Str("sub", claims.Sub).Msg("user not found by OIDC identifier, looking up by username")
|
2024-10-17 21:22:44 +09:00
|
|
|
if oldUsername, err := getUserName(claims, a.cfg.StripEmaildomain); err == nil {
|
2024-10-18 21:59:27 +09:00
|
|
|
log.Trace().Str("old_username", oldUsername).Str("sub", claims.Sub).Msg("found username")
|
2024-10-17 21:22:44 +09:00
|
|
|
user, err = a.db.GetUserByName(oldUsername)
|
|
|
|
|
if err != nil && !errors.Is(err, db.ErrUserNotFound) {
|
2024-10-18 21:59:27 +09:00
|
|
|
return nil, fmt.Errorf("getting user: %w", err)
|
2024-10-17 21:22:44 +09:00
|
|
|
}
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
|
2024-10-17 21:22:44 +09:00
|
|
|
// If the user exists, but it already has a provider identifier (OIDC sub), create a new user.
|
|
|
|
|
// This is to prevent users that have already been migrated to the new OIDC format
|
|
|
|
|
// to be updated with the new OIDC identifier inexplicitly which might be the cause of an
|
|
|
|
|
// account takeover.
|
2024-11-19 01:33:46 +09:00
|
|
|
if user != nil && user.ProviderIdentifier.Valid {
|
2024-10-17 21:22:44 +09:00
|
|
|
log.Info().Str("username", claims.Username).Str("sub", claims.Sub).Msg("user found by username, but has provider identifier, creating new user.")
|
|
|
|
|
user = &types.User{}
|
|
|
|
|
}
|
2022-06-26 19:21:35 +09:00
|
|
|
}
|
2024-10-17 21:22:44 +09:00
|
|
|
}
|
2024-10-04 19:24:35 +09:00
|
|
|
|
2024-10-17 21:22:44 +09:00
|
|
|
// if the user is still not found, create a new empty user.
|
|
|
|
|
if user == nil {
|
|
|
|
|
user = &types.User{}
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
}
|
2022-03-01 01:55:57 +09:00
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
user.FromClaim(claims)
|
|
|
|
|
err = a.db.DB.Save(user).Error
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("creating or updating user: %w", err)
|
2022-03-01 01:55:57 +09:00
|
|
|
}
|
|
|
|
|
|
2024-11-26 23:16:06 +09:00
|
|
|
err = usersChangedHook(a.db, a.polMan, a.notifier)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, fmt.Errorf("updating resources using user: %w", err)
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-18 01:43:44 +09:00
|
|
|
return user, nil
|
2022-07-12 06:25:13 +09:00
|
|
|
}
|
2022-03-02 15:55:21 +09:00
|
|
|
|
2025-01-17 20:46:40 +09:00
|
|
|
func (a *AuthProviderOIDC) handleRegistrationID(
|
2023-05-22 01:37:59 +09:00
|
|
|
user *types.User,
|
2025-01-13 19:54:35 +09:00
|
|
|
registrationID types.RegistrationID,
|
2022-12-15 09:10:26 +09:00
|
|
|
expiry time.Time,
|
2025-01-17 20:46:40 +09:00
|
|
|
) (bool, error) {
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
ipv4, ipv6, err := a.ipAlloc.Next()
|
2024-02-19 03:31:29 +09:00
|
|
|
if err != nil {
|
2025-01-17 20:46:40 +09:00
|
|
|
return false, err
|
2024-02-19 03:31:29 +09:00
|
|
|
}
|
|
|
|
|
|
2025-01-17 20:46:40 +09:00
|
|
|
node, newNode, err := a.db.HandleNodeFromAuthPath(
|
2025-01-13 19:54:35 +09:00
|
|
|
registrationID,
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
types.UserID(user.ID),
|
|
|
|
|
&expiry,
|
|
|
|
|
util.RegisterMethodOIDC,
|
|
|
|
|
ipv4, ipv6,
|
2025-01-17 20:46:40 +09:00
|
|
|
)
|
2024-11-26 23:16:06 +09:00
|
|
|
if err != nil {
|
2025-01-17 20:46:40 +09:00
|
|
|
return false, fmt.Errorf("could not register node: %w", err)
|
2024-11-26 23:16:06 +09:00
|
|
|
}
|
|
|
|
|
|
2025-01-17 20:46:40 +09:00
|
|
|
// Send an update to all nodes if this is a new node that they need to know
|
|
|
|
|
// about.
|
|
|
|
|
// If this is a refresh, just send new expiry updates.
|
|
|
|
|
if newNode {
|
|
|
|
|
err = nodesChangedHook(a.db, a.polMan, a.notifier)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, fmt.Errorf("updating resources using node: %w", err)
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
ctx := types.NotifyCtx(context.Background(), "oidc-expiry-self", node.Hostname)
|
|
|
|
|
a.notifier.NotifyByNodeID(
|
|
|
|
|
ctx,
|
|
|
|
|
types.StateUpdate{
|
|
|
|
|
Type: types.StateSelfUpdate,
|
|
|
|
|
ChangeNodes: []types.NodeID{node.ID},
|
|
|
|
|
},
|
|
|
|
|
node.ID,
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
ctx = types.NotifyCtx(context.Background(), "oidc-expiry-peers", node.Hostname)
|
|
|
|
|
a.notifier.NotifyWithIgnore(ctx, types.StateUpdateExpire(node.ID, expiry), node.ID)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return newNode, nil
|
2022-07-12 06:25:13 +09:00
|
|
|
}
|
|
|
|
|
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
// TODO(kradalby):
|
2024-11-23 00:54:58 +09:00
|
|
|
// Rewrite in elem-go.
|
2022-07-12 06:25:13 +09:00
|
|
|
func renderOIDCCallbackTemplate(
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
user *types.User,
|
2025-01-17 20:46:40 +09:00
|
|
|
verb string,
|
2022-08-07 20:57:07 +09:00
|
|
|
) (*bytes.Buffer, error) {
|
2022-02-22 20:46:45 +09:00
|
|
|
var content bytes.Buffer
|
|
|
|
|
if err := oidcCallbackTemplate.Execute(&content, oidcCallbackTemplateConfig{
|
Redo OIDC configuration (#2020)
expand user, add claims to user
This commit expands the user table with additional fields that
can be retrieved from OIDC providers (and other places) and
uses this data in various tailscale response objects if it is
available.
This is the beginning of implementing
https://docs.google.com/document/d/1X85PMxIaVWDF6T_UPji3OeeUqVBcGj_uHRM5CI-AwlY/edit
trying to make OIDC more coherant and maintainable in addition
to giving the user a better experience and integration with a
provider.
remove usernames in magic dns, normalisation of emails
this commit removes the option to have usernames as part of MagicDNS
domains and headscale will now align with Tailscale, where there is a
root domain, and the machine name.
In addition, the various normalisation functions for dns names has been
made lighter not caring about username and special character that wont
occur.
Email are no longer normalised as part of the policy processing.
untagle oidc and regcache, use typed cache
This commits stops reusing the registration cache for oidc
purposes and switches the cache to be types and not use any
allowing the removal of a bunch of casting.
try to make reauth/register branches clearer in oidc
Currently there was a function that did a bunch of stuff,
finding the machine key, trying to find the node, reauthing
the node, returning some status, and it was called validate
which was very confusing.
This commit tries to split this into what to do if the node
exists, if it needs to register etc.
Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
2024-10-02 21:50:17 +09:00
|
|
|
User: user.DisplayNameOrUsername(),
|
2025-01-17 20:46:40 +09:00
|
|
|
Verb: verb,
|
2022-02-22 20:46:45 +09:00
|
|
|
}); err != nil {
|
2024-04-12 22:57:43 +09:00
|
|
|
return nil, fmt.Errorf("rendering OIDC callback template: %w", err)
|
2021-10-19 04:27:52 +09:00
|
|
|
}
|
|
|
|
|
|
2022-08-07 20:57:07 +09:00
|
|
|
return &content, nil
|
2021-09-26 17:53:05 +09:00
|
|
|
}
|
2024-10-17 21:22:44 +09:00
|
|
|
|
|
|
|
|
// TODO(kradalby): Reintroduce when strip_email_domain is removed
|
|
|
|
|
// after #2170 is cleaned up
|
2024-12-13 16:52:40 +09:00
|
|
|
// DEPRECATED: DO NOT USE.
|
2024-10-17 21:22:44 +09:00
|
|
|
func getUserName(
|
|
|
|
|
claims *types.OIDCClaims,
|
|
|
|
|
stripEmaildomain bool,
|
|
|
|
|
) (string, error) {
|
2024-10-18 21:59:27 +09:00
|
|
|
if !claims.EmailVerified {
|
|
|
|
|
return "", fmt.Errorf("email not verified")
|
|
|
|
|
}
|
2024-10-17 21:22:44 +09:00
|
|
|
userName, err := util.NormalizeToFQDNRules(
|
|
|
|
|
claims.Email,
|
|
|
|
|
stripEmaildomain,
|
|
|
|
|
)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return "", err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return userName, nil
|
|
|
|
|
}
|
2025-01-09 00:29:37 +09:00
|
|
|
|
|
|
|
|
func setCSRFCookie(w http.ResponseWriter, r *http.Request, name string) (string, error) {
|
|
|
|
|
val, err := util.GenerateRandomStringURLSafe(64)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return val, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c := &http.Cookie{
|
|
|
|
|
Path: "/oidc/callback",
|
|
|
|
|
Name: name,
|
|
|
|
|
Value: val,
|
|
|
|
|
MaxAge: int(time.Hour.Seconds()),
|
|
|
|
|
Secure: r.TLS != nil,
|
|
|
|
|
HttpOnly: true,
|
|
|
|
|
}
|
|
|
|
|
http.SetCookie(w, c)
|
|
|
|
|
|
|
|
|
|
return val, nil
|
|
|
|
|
}
|
