devproje/headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2025-01-31 23:01:23 +09:00
Code Issues Projects Releases Packages Wiki Activity Actions 5
headscale/development/ref/oidc/index.html

122 lines
58 KiB
HTML
Raw Normal View History

Deployed 7d937c6b to development with MkDocs 1.6.1 and mike 2.1.3
2024-12-17 22:03:54 +09:00
<!doctype html><html lang=en class=no-js> <head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><meta name=description content="An open source, self-hosted implementation of the Tailscale control server."><meta name=author content="Headscale authors"><link href=https://juanfont.github.io/headscale/development/ref/oidc/ rel=canonical><link href=../configuration/ rel=prev><link href=../exit-node/ rel=next><link rel=icon href=../../assets/favicon.png><meta name=generator content="mkdocs-1.6.1, mkdocs-material-9.5.49"><title>OIDC authentication - Headscale</title><link rel=stylesheet href=../../assets/stylesheets/main.6f8fc17f.min.css><link rel=stylesheet href=../../assets/stylesheets/palette.06af60db.min.css><link rel=preconnect href=https://fonts.gstatic.com crossorigin><link rel=stylesheet href="https://fonts.googleapis.com/css?family=Roboto:300,300i,400,400i,700,700i%7CRoboto+Mono:400,400i,700,700i&display=fallback"><style>:root{--md-text-font:"Roboto";--md-code-font:"Roboto Mono"}</style><script>__md_scope=new URL("../..",location),__md_hash=e=>[...e].reduce(((e,_)=>(e<<5)-e+_.charCodeAt(0)),0),__md_get=(e,_=localStorage,t=__md_scope)=>JSON.parse(_.getItem(t.pathname+"."+e)),__md_set=(e,_,t=localStorage,a=__md_scope)=>{try{t.setItem(a.pathname+"."+e,JSON.stringify(_))}catch(e){}}</script><meta property=og:type content=website><meta property=og:title content="OIDC authentication - Headscale"><meta property=og:description content="An open source, self-hosted implementation of the Tailscale control server."><meta property=og:image content=https://juanfont.github.io/headscale/development/assets/images/social/ref/oidc.png><meta property=og:image:type content=image/png><meta property=og:image:width content=1200><meta property=og:image:height content=630><meta content=https://juanfont.github.io/headscale/development/ref/oidc/ property=og:url><meta name=twitter:card content=summary_large_image><meta name=twitter:title content="OIDC authentication - Headscale"><meta name=twitter:description content="An open source, self-hosted implementation of the Tailscale control server."><meta name=twitter:image content=https://juanfont.github.io/headscale/development/assets/images/social/ref/oidc.png></head> <body dir=ltr data-md-color-scheme=default data-md-color-primary=white data-md-color-accent=indigo> <input class=md-toggle data-md-toggle=drawer type=checkbox id=__drawer autocomplete=off> <input class=md-toggle data-md-toggle=search type=checkbox id=__search autocomplete=off> <label class=md-overlay for=__drawer></label> <div data-md-component=skip> <a href=#configuring-headscale-to-use-oidc-authentication class=md-skip> Skip to content </a> </div> <div data-md-component=announce> </div> <div data-md-color-scheme=default data-md-component=outdated hidden> </div> <header class=md-header data-md-component=header> <nav class="md-header__inner md-grid" aria-label=Header> <a href=../.. title=Headscale class="md-header__button md-logo" aria-label=Headscale data-md-component=logo> <img src=../../logo/headscale3-dots.svg alt=logo> </a> <label class="md-header__button md-icon" for=__drawer> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M3 6h18v2H3zm0 5h18v2H3zm0 5h18v2H3z"/></svg> </label> <div class=md-header__title data-md-component=header-title> <div class=md-header__ellipsis> <div class=md-header__topic> <span class=md-ellipsis> Headscale </span> </div> <div class=md-header__topic data-md-component=header-topic> <span class=md-ellipsis> OIDC authentication </span> </div> </div> </div> <form class=md-header__option data-md-component=palette> <input class=md-option data-md-color-media data-md-color-scheme=default data-md-color-primary=white data-md-color-accent=indigo aria-label="Switch to dark mode" type=radio name=__palette id=__palette_0> <label class="md-header__button md-icon" title="Switch to dark mode" for=__palette_1 hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M12 8a4 4 0 0 0-4 4 4 4 0 0 0 4 4 4 4 0 0 0 4-4 4 4 0 0 0-4-4m0 10a6 6 0 0 1-6-6 6 6 0
Deployed 145bf30b to development with MkDocs 1.6.1 and mike 2.1.3
2024-12-03 00:50:02 +09:00
</span><span id=__span-0-2><a id=__codelineno-0-2 name=__codelineno-0-2 href=#__codelineno-0-2></a><span class=w> </span><span class=c1># Block further startup until the OIDC provider is healthy and available</span>
</span><span id=__span-0-3><a id=__codelineno-0-3 name=__codelineno-0-3 href=#__codelineno-0-3></a><span class=w> </span><span class=nt>only_start_if_oidc_is_available</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
</span><span id=__span-0-4><a id=__codelineno-0-4 name=__codelineno-0-4 href=#__codelineno-0-4></a><span class=w> </span><span class=c1># Specified by your OIDC provider</span>
</span><span id=__span-0-5><a id=__codelineno-0-5 name=__codelineno-0-5 href=#__codelineno-0-5></a><span class=w> </span><span class=nt>issuer</span><span class=p>:</span><span class=w> </span><span class=s>&quot;https://your-oidc.issuer.com/path&quot;</span>
</span><span id=__span-0-6><a id=__codelineno-0-6 name=__codelineno-0-6 href=#__codelineno-0-6></a><span class=w> </span><span class=c1># Specified/generated by your OIDC provider</span>
</span><span id=__span-0-7><a id=__codelineno-0-7 name=__codelineno-0-7 href=#__codelineno-0-7></a><span class=w> </span><span class=nt>client_id</span><span class=p>:</span><span class=w> </span><span class=s>&quot;your-oidc-client-id&quot;</span>
</span><span id=__span-0-8><a id=__codelineno-0-8 name=__codelineno-0-8 href=#__codelineno-0-8></a><span class=w> </span><span class=nt>client_secret</span><span class=p>:</span><span class=w> </span><span class=s>&quot;your-oidc-client-secret&quot;</span>
</span><span id=__span-0-9><a id=__codelineno-0-9 name=__codelineno-0-9 href=#__codelineno-0-9></a><span class=w> </span><span class=c1># alternatively, set `client_secret_path` to read the secret from the file.</span>
</span><span id=__span-0-10><a id=__codelineno-0-10 name=__codelineno-0-10 href=#__codelineno-0-10></a><span class=w> </span><span class=c1># It resolves environment variables, making integration to systemd&#39;s</span>
</span><span id=__span-0-11><a id=__codelineno-0-11 name=__codelineno-0-11 href=#__codelineno-0-11></a><span class=w> </span><span class=c1># `LoadCredential` straightforward:</span>
</span><span id=__span-0-12><a id=__codelineno-0-12 name=__codelineno-0-12 href=#__codelineno-0-12></a><span class=w> </span><span class=c1>#client_secret_path: &quot;${CREDENTIALS_DIRECTORY}/oidc_client_secret&quot;</span>
</span><span id=__span-0-13><a id=__codelineno-0-13 name=__codelineno-0-13 href=#__codelineno-0-13></a><span class=w> </span><span class=c1># as third option, it&#39;s also possible to load the oidc secret from environment variables</span>
</span><span id=__span-0-14><a id=__codelineno-0-14 name=__codelineno-0-14 href=#__codelineno-0-14></a><span class=w> </span><span class=c1># set HEADSCALE_OIDC_CLIENT_SECRET to the required value</span>
</span><span id=__span-0-15><a id=__codelineno-0-15 name=__codelineno-0-15 href=#__codelineno-0-15></a>
</span><span id=__span-0-16><a id=__codelineno-0-16 name=__codelineno-0-16 href=#__codelineno-0-16></a><span class=w> </span><span class=c1># Customize the scopes used in the OIDC flow, defaults to &quot;openid&quot;, &quot;profile&quot; and &quot;email&quot; and add custom query</span>
</span><span id=__span-0-17><a id=__codelineno-0-17 name=__codelineno-0-17 href=#__codelineno-0-17></a><span class=w> </span><span class=c1># parameters to the Authorize Endpoint request. Scopes default to &quot;openid&quot;, &quot;profile&quot; and &quot;email&quot;.</span>
</span><span id=__span-0-18><a id=__codelineno-0-18 name=__codelineno-0-18 href=#__codelineno-0-18></a><span class=w> </span><span class=nt>scope</span><span class=p>:</span><span class=w> </span><span class="p p-Indicator">[</span><span class=s>&quot;openid&quot;</span><span class="p p-Indicator">,</span><span class=w> </span><span class=s>&quot;profile&quot;</span><span class="p p-Indicator">,</span><span class=w> </span><span class=s>&quot;email&quot;</span><span class="p p-Indicator">,</span><span class=w> </span><span class=s>&quot;custom&quot;</span><span class="p p-Indicator">]</span>
</span><span id=__span-0-19><a id=__codelineno-0-19 name=__codelineno-0-19 href=#__codelineno-0-19></a><span class=w> </span><span class=c1># Optional: Passed on to the browser login request used to tweak behaviour for the OIDC provider</span>
</span><span id=__span-0-20><a id=__codelineno-0-20 name=__codelineno-0-20 href=#__codelineno-0-20></a><span class=w> </span><span class=nt>extra_params</span><span class=p>:</span>
</span><span id=__span-0-21><a id=__codelineno-0-21 name=__codelineno-0-21 href=#__codelineno-0-21></a><span class=w> </span><span class=nt>domain_hint</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">example.com</span>
</span><span id=__span-0-22><a id=__codelineno-0-22 name=__codelineno-0-22 href=#__codelineno-0-22></a>
</span><span id=__span-0-23><a id=__codelineno-0-23 name=__codelineno-0-23 href=#__codelineno-0-23></a><span class=w> </span><span class=c1># Optional: List allowed principal domains and/or users. If an authenticated user&#39;s domain is not in this list,</span>
</span><span id=__span-0-24><a id=__codelineno-0-24 name=__codelineno-0-24 href=#__codelineno-0-24></a><span class=w> </span><span class=c1># the authentication request will be rejected.</span>
</span><span id=__span-0-25><a id=__codelineno-0-25 name=__codelineno-0-25 href=#__codelineno-0-25></a><span class=w> </span><span class=nt>allowed_domains</span><span class=p>:</span>
</span><span id=__span-0-26><a id=__codelineno-0-26 name=__codelineno-0-26 href=#__codelineno-0-26></a><span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">example.com</span>
</span><span id=__span-0-27><a id=__codelineno-0-27 name=__codelineno-0-27 href=#__codelineno-0-27></a><span class=w> </span><span class=c1># Optional. Note that groups from Keycloak have a leading &#39;/&#39;.</span>
</span><span id=__span-0-28><a id=__codelineno-0-28 name=__codelineno-0-28 href=#__codelineno-0-28></a><span class=w> </span><span class=nt>allowed_groups</span><span class=p>:</span>
</span><span id=__span-0-29><a id=__codelineno-0-29 name=__codelineno-0-29 href=#__codelineno-0-29></a><span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">/headscale</span>
</span><span id=__span-0-30><a id=__codelineno-0-30 name=__codelineno-0-30 href=#__codelineno-0-30></a><span class=w> </span><span class=c1># Optional.</span>
</span><span id=__span-0-31><a id=__codelineno-0-31 name=__codelineno-0-31 href=#__codelineno-0-31></a><span class=w> </span><span class=nt>allowed_users</span><span class=p>:</span>
</span><span id=__span-0-32><a id=__codelineno-0-32 name=__codelineno-0-32 href=#__codelineno-0-32></a><span class=w> </span><span class="p p-Indicator">-</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">alice@example.com</span>
</span><span id=__span-0-33><a id=__codelineno-0-33 name=__codelineno-0-33 href=#__codelineno-0-33></a>
</span><span id=__span-0-34><a id=__codelineno-0-34 name=__codelineno-0-34 href=#__codelineno-0-34></a><span class=w> </span><span class=c1># If `strip_email_domain` is set to `true`, the domain part of the username email address will be removed.</span>
</span><span id=__span-0-35><a id=__codelineno-0-35 name=__codelineno-0-35 href=#__codelineno-0-35></a><span class=w> </span><span class=c1># This will transform `first-name.last-name@example.com` to the user `first-name.last-name`</span>
</span><span id=__span-0-36><a id=__codelineno-0-36 name=__codelineno-0-36 href=#__codelineno-0-36></a><span class=w> </span><span class=c1># If `strip_email_domain` is set to `false` the domain part will NOT be removed resulting to the following</span>
</span><span id=__span-0-37><a id=__codelineno-0-37 name=__codelineno-0-37 href=#__codelineno-0-37></a><span class=w> </span><span class=c1># user: `first-name.last-name.example.com`</span>
</span><span id=__span-0-38><a id=__codelineno-0-38 name=__codelineno-0-38 href=#__codelineno-0-38></a><span class=w> </span><span class=nt>strip_email_domain</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">true</span>
</span></code></pre></div> <h2 id=azure-ad-example>Azure AD example<a class=headerlink href=#azure-ad-example title="Permanent link">&para;</a></h2> <p>In order to integrate headscale with Azure Active Directory, we'll need to provision an App Registration with the correct scopes and redirect URI. Here with Terraform:</p> <div class="language-hcl highlight"><pre><span></span><code><span id=__span-1-1><a id=__codelineno-1-1 name=__codelineno-1-1 href=#__codelineno-1-1></a><span class=kr>resource</span><span class=w> </span><span class=nc>&quot;azuread_application&quot;</span><span class=w> </span><span class=nv>&quot;headscale&quot;</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-2><a id=__codelineno-1-2 name=__codelineno-1-2 href=#__codelineno-1-2></a><span class=w> </span><span class=na>display_name</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=s2>&quot;Headscale&quot;</span>
</span><span id=__span-1-3><a id=__codelineno-1-3 name=__codelineno-1-3 href=#__codelineno-1-3></a>
</span><span id=__span-1-4><a id=__codelineno-1-4 name=__codelineno-1-4 href=#__codelineno-1-4></a><span class=w> </span><span class=na>sign_in_audience</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=s2>&quot;AzureADMyOrg&quot;</span>
</span><span id=__span-1-5><a id=__codelineno-1-5 name=__codelineno-1-5 href=#__codelineno-1-5></a><span class=w> </span><span class=na>fallback_public_client_enabled</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=no>false</span>
</span><span id=__span-1-6><a id=__codelineno-1-6 name=__codelineno-1-6 href=#__codelineno-1-6></a>
</span><span id=__span-1-7><a id=__codelineno-1-7 name=__codelineno-1-7 href=#__codelineno-1-7></a><span class=w> </span><span class=nb>required_resource_access</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-8><a id=__codelineno-1-8 name=__codelineno-1-8 href=#__codelineno-1-8></a><span class=c1> // Microsoft Graph</span>
</span><span id=__span-1-9><a id=__codelineno-1-9 name=__codelineno-1-9 href=#__codelineno-1-9></a><span class=w> </span><span class=na>resource_app_id</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=s2>&quot;00000003-0000-0000-c000-000000000000&quot;</span>
</span><span id=__span-1-10><a id=__codelineno-1-10 name=__codelineno-1-10 href=#__codelineno-1-10></a>
</span><span id=__span-1-11><a id=__codelineno-1-11 name=__codelineno-1-11 href=#__codelineno-1-11></a><span class=w> </span><span class=nb>resource_access</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-12><a id=__codelineno-1-12 name=__codelineno-1-12 href=#__codelineno-1-12></a><span class=c1> // scope: profile</span>
</span><span id=__span-1-13><a id=__codelineno-1-13 name=__codelineno-1-13 href=#__codelineno-1-13></a><span class=w> </span><span class=na>id</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=s2>&quot;14dad69e-099b-42c9-810b-d002981feec1&quot;</span>
</span><span id=__span-1-14><a id=__codelineno-1-14 name=__codelineno-1-14 href=#__codelineno-1-14></a><span class=w> </span><span class=na>type</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=s2>&quot;Scope&quot;</span>
</span><span id=__span-1-15><a id=__codelineno-1-15 name=__codelineno-1-15 href=#__codelineno-1-15></a><span class=w> </span><span class=p>}</span>
</span><span id=__span-1-16><a id=__codelineno-1-16 name=__codelineno-1-16 href=#__codelineno-1-16></a><span class=w> </span><span class=nb>resource_access</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-17><a id=__codelineno-1-17 name=__codelineno-1-17 href=#__codelineno-1-17></a><span class=c1> // scope: openid</span>
</span><span id=__span-1-18><a id=__codelineno-1-18 name=__codelineno-1-18 href=#__codelineno-1-18></a><span class=w> </span><span class=na>id</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=s2>&quot;37f7f235-527c-4136-accd-4a02d197296e&quot;</span>
</span><span id=__span-1-19><a id=__codelineno-1-19 name=__codelineno-1-19 href=#__codelineno-1-19></a><span class=w> </span><span class=na>type</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=s2>&quot;Scope&quot;</span>
</span><span id=__span-1-20><a id=__codelineno-1-20 name=__codelineno-1-20 href=#__codelineno-1-20></a><span class=w> </span><span class=p>}</span>
</span><span id=__span-1-21><a id=__codelineno-1-21 name=__codelineno-1-21 href=#__codelineno-1-21></a><span class=w> </span><span class=nb>resource_access</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-22><a id=__codelineno-1-22 name=__codelineno-1-22 href=#__codelineno-1-22></a><span class=c1> // scope: email</span>
</span><span id=__span-1-23><a id=__codelineno-1-23 name=__codelineno-1-23 href=#__codelineno-1-23></a><span class=w> </span><span class=na>id</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=s2>&quot;64a6cdd6-aab1-4aaf-94b8-3cc8405e90d0&quot;</span>
</span><span id=__span-1-24><a id=__codelineno-1-24 name=__codelineno-1-24 href=#__codelineno-1-24></a><span class=w> </span><span class=na>type</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=s2>&quot;Scope&quot;</span>
</span><span id=__span-1-25><a id=__codelineno-1-25 name=__codelineno-1-25 href=#__codelineno-1-25></a><span class=w> </span><span class=p>}</span>
</span><span id=__span-1-26><a id=__codelineno-1-26 name=__codelineno-1-26 href=#__codelineno-1-26></a><span class=w> </span><span class=p>}</span>
</span><span id=__span-1-27><a id=__codelineno-1-27 name=__codelineno-1-27 href=#__codelineno-1-27></a><span class=w> </span><span class=nb>web</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-28><a id=__codelineno-1-28 name=__codelineno-1-28 href=#__codelineno-1-28></a><span class=c1> # Points at your running headscale instance</span>
</span><span id=__span-1-29><a id=__codelineno-1-29 name=__codelineno-1-29 href=#__codelineno-1-29></a><span class=w> </span><span class=na>redirect_uris</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;https://headscale.example.com/oidc/callback&quot;</span><span class=p>]</span>
</span><span id=__span-1-30><a id=__codelineno-1-30 name=__codelineno-1-30 href=#__codelineno-1-30></a>
</span><span id=__span-1-31><a id=__codelineno-1-31 name=__codelineno-1-31 href=#__codelineno-1-31></a><span class=w> </span><span class=nb>implicit_grant</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-32><a id=__codelineno-1-32 name=__codelineno-1-32 href=#__codelineno-1-32></a><span class=w> </span><span class=na>access_token_issuance_enabled</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=no>false</span>
</span><span id=__span-1-33><a id=__codelineno-1-33 name=__codelineno-1-33 href=#__codelineno-1-33></a><span class=w> </span><span class=na>id_token_issuance_enabled</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=no>true</span>
</span><span id=__span-1-34><a id=__codelineno-1-34 name=__codelineno-1-34 href=#__codelineno-1-34></a><span class=w> </span><span class=p>}</span>
</span><span id=__span-1-35><a id=__codelineno-1-35 name=__codelineno-1-35 href=#__codelineno-1-35></a><span class=w> </span><span class=p>}</span>
</span><span id=__span-1-36><a id=__codelineno-1-36 name=__codelineno-1-36 href=#__codelineno-1-36></a>
</span><span id=__span-1-37><a id=__codelineno-1-37 name=__codelineno-1-37 href=#__codelineno-1-37></a><span class=w> </span><span class=na>group_membership_claims</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=p>[</span><span class=s2>&quot;SecurityGroup&quot;</span><span class=p>]</span>
</span><span id=__span-1-38><a id=__codelineno-1-38 name=__codelineno-1-38 href=#__codelineno-1-38></a><span class=w> </span><span class=nb>optional_claims</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-39><a id=__codelineno-1-39 name=__codelineno-1-39 href=#__codelineno-1-39></a><span class=c1> # Expose group memberships</span>
</span><span id=__span-1-40><a id=__codelineno-1-40 name=__codelineno-1-40 href=#__codelineno-1-40></a><span class=w> </span><span class=nb>id_token</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-41><a id=__codelineno-1-41 name=__codelineno-1-41 href=#__codelineno-1-41></a><span class=w> </span><span class=na>name</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=s2>&quot;groups&quot;</span>
</span><span id=__span-1-42><a id=__codelineno-1-42 name=__codelineno-1-42 href=#__codelineno-1-42></a><span class=w> </span><span class=p>}</span>
</span><span id=__span-1-43><a id=__codelineno-1-43 name=__codelineno-1-43 href=#__codelineno-1-43></a><span class=w> </span><span class=p>}</span>
</span><span id=__span-1-44><a id=__codelineno-1-44 name=__codelineno-1-44 href=#__codelineno-1-44></a><span class=p>}</span>
</span><span id=__span-1-45><a id=__codelineno-1-45 name=__codelineno-1-45 href=#__codelineno-1-45></a>
</span><span id=__span-1-46><a id=__codelineno-1-46 name=__codelineno-1-46 href=#__codelineno-1-46></a><span class=kr>resource</span><span class=w> </span><span class=nc>&quot;azuread_application_password&quot;</span><span class=w> </span><span class=nv>&quot;headscale-application-secret&quot;</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-47><a id=__codelineno-1-47 name=__codelineno-1-47 href=#__codelineno-1-47></a><span class=w> </span><span class=na>display_name</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=s2>&quot;Headscale Server&quot;</span>
</span><span id=__span-1-48><a id=__codelineno-1-48 name=__codelineno-1-48 href=#__codelineno-1-48></a><span class=w> </span><span class=na>application_object_id</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=nv>azuread_application.headscale.object_id</span>
</span><span id=__span-1-49><a id=__codelineno-1-49 name=__codelineno-1-49 href=#__codelineno-1-49></a><span class=p>}</span>
</span><span id=__span-1-50><a id=__codelineno-1-50 name=__codelineno-1-50 href=#__codelineno-1-50></a>
</span><span id=__span-1-51><a id=__codelineno-1-51 name=__codelineno-1-51 href=#__codelineno-1-51></a><span class=kr>resource</span><span class=w> </span><span class=nc>&quot;azuread_service_principal&quot;</span><span class=w> </span><span class=nv>&quot;headscale&quot;</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-52><a id=__codelineno-1-52 name=__codelineno-1-52 href=#__codelineno-1-52></a><span class=w> </span><span class=na>application_id</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=nv>azuread_application.headscale.application_id</span>
</span><span id=__span-1-53><a id=__codelineno-1-53 name=__codelineno-1-53 href=#__codelineno-1-53></a><span class=p>}</span>
</span><span id=__span-1-54><a id=__codelineno-1-54 name=__codelineno-1-54 href=#__codelineno-1-54></a>
</span><span id=__span-1-55><a id=__codelineno-1-55 name=__codelineno-1-55 href=#__codelineno-1-55></a><span class=kr>resource</span><span class=w> </span><span class=nc>&quot;azuread_service_principal_password&quot;</span><span class=w> </span><span class=nv>&quot;headscale&quot;</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-56><a id=__codelineno-1-56 name=__codelineno-1-56 href=#__codelineno-1-56></a><span class=w> </span><span class=na>service_principal_id</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=nv>azuread_service_principal.headscale.id</span>
</span><span id=__span-1-57><a id=__codelineno-1-57 name=__codelineno-1-57 href=#__codelineno-1-57></a><span class=w> </span><span class=na>end_date_relative</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=s2>&quot;44640h&quot;</span>
</span><span id=__span-1-58><a id=__codelineno-1-58 name=__codelineno-1-58 href=#__codelineno-1-58></a><span class=p>}</span>
</span><span id=__span-1-59><a id=__codelineno-1-59 name=__codelineno-1-59 href=#__codelineno-1-59></a>
</span><span id=__span-1-60><a id=__codelineno-1-60 name=__codelineno-1-60 href=#__codelineno-1-60></a><span class=kr>output</span><span class=w> </span><span class=nv>&quot;headscale_client_id&quot;</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-61><a id=__codelineno-1-61 name=__codelineno-1-61 href=#__codelineno-1-61></a><span class=w> </span><span class=na>value</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=nv>azuread_application.headscale.application_id</span>
</span><span id=__span-1-62><a id=__codelineno-1-62 name=__codelineno-1-62 href=#__codelineno-1-62></a><span class=p>}</span>
</span><span id=__span-1-63><a id=__codelineno-1-63 name=__codelineno-1-63 href=#__codelineno-1-63></a>
</span><span id=__span-1-64><a id=__codelineno-1-64 name=__codelineno-1-64 href=#__codelineno-1-64></a><span class=kr>output</span><span class=w> </span><span class=nv>&quot;headscale_client_secret&quot;</span><span class=w> </span><span class=p>{</span>
</span><span id=__span-1-65><a id=__codelineno-1-65 name=__codelineno-1-65 href=#__codelineno-1-65></a><span class=w> </span><span class=na>value</span><span class=w> </span><span class=o>=</span><span class=w> </span><span class=nv>azuread_application_password.headscale-application-secret.value</span>
</span><span id=__span-1-66><a id=__codelineno-1-66 name=__codelineno-1-66 href=#__codelineno-1-66></a><span class=p>}</span>
</span></code></pre></div> <p>And in your headscale <code>config.yaml</code>:</p> <div class="language-yaml highlight"><pre><span></span><code><span id=__span-2-1><a id=__codelineno-2-1 name=__codelineno-2-1 href=#__codelineno-2-1></a><span class=nt>oidc</span><span class=p>:</span>
</span><span id=__span-2-2><a id=__codelineno-2-2 name=__codelineno-2-2 href=#__codelineno-2-2></a><span class=w> </span><span class=nt>issuer</span><span class=p>:</span><span class=w> </span><span class=s>&quot;https://login.microsoftonline.com/&lt;tenant-UUID&gt;/v2.0&quot;</span>
</span><span id=__span-2-3><a id=__codelineno-2-3 name=__codelineno-2-3 href=#__codelineno-2-3></a><span class=w> </span><span class=nt>client_id</span><span class=p>:</span><span class=w> </span><span class=s>&quot;&lt;client-id-from-terraform&gt;&quot;</span>
</span><span id=__span-2-4><a id=__codelineno-2-4 name=__codelineno-2-4 href=#__codelineno-2-4></a><span class=w> </span><span class=nt>client_secret</span><span class=p>:</span><span class=w> </span><span class=s>&quot;&lt;client-secret-from-terraform&gt;&quot;</span>
</span><span id=__span-2-5><a id=__codelineno-2-5 name=__codelineno-2-5 href=#__codelineno-2-5></a>
</span><span id=__span-2-6><a id=__codelineno-2-6 name=__codelineno-2-6 href=#__codelineno-2-6></a><span class=w> </span><span class=c1># Optional: add &quot;groups&quot;</span>
</span><span id=__span-2-7><a id=__codelineno-2-7 name=__codelineno-2-7 href=#__codelineno-2-7></a><span class=w> </span><span class=nt>scope</span><span class=p>:</span><span class=w> </span><span class="p p-Indicator">[</span><span class=s>&quot;openid&quot;</span><span class="p p-Indicator">,</span><span class=w> </span><span class=s>&quot;profile&quot;</span><span class="p p-Indicator">,</span><span class=w> </span><span class=s>&quot;email&quot;</span><span class="p p-Indicator">]</span>
</span><span id=__span-2-8><a id=__codelineno-2-8 name=__codelineno-2-8 href=#__codelineno-2-8></a><span class=w> </span><span class=nt>extra_params</span><span class=p>:</span>
</span><span id=__span-2-9><a id=__codelineno-2-9 name=__codelineno-2-9 href=#__codelineno-2-9></a><span class=w> </span><span class=c1># Use your own domain, associated with Azure AD</span>
</span><span id=__span-2-10><a id=__codelineno-2-10 name=__codelineno-2-10 href=#__codelineno-2-10></a><span class=w> </span><span class=nt>domain_hint</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">example.com</span>
</span><span id=__span-2-11><a id=__codelineno-2-11 name=__codelineno-2-11 href=#__codelineno-2-11></a><span class=w> </span><span class=c1># Optional: Force the Azure AD account picker</span>
</span><span id=__span-2-12><a id=__codelineno-2-12 name=__codelineno-2-12 href=#__codelineno-2-12></a><span class=w> </span><span class=nt>prompt</span><span class=p>:</span><span class=w> </span><span class="l l-Scalar l-Scalar-Plain">select_account</span>
</span></code></pre></div> <h2 id=google-oauth-example>Google OAuth Example<a class=headerlink href=#google-oauth-example title="Permanent link">&para;</a></h2> <p>In order to integrate headscale with Google, you'll need to have a <a href=https://console.cloud.google.com>Google Cloud Console</a> account.</p> <p>Google OAuth has a <a href="https://support.google.com/cloud/answer/9110914?hl=en">verification process</a> if you need to have users authenticate who are outside of your domain. If you only need to authenticate users from your domain name (ie <code>@example.com</code>), you don't need to go through the verification process.</p> <p>However if you don't have a domain, or need to add users outside of your domain, you can manually add emails via Google Console.</p> <h3 id=steps>Steps<a class=headerlink href=#steps title="Permanent link">&para;</a></h3> <ol> <li>Go to <a href=https://console.cloud.google.com>Google Console</a> and login or create an account if you don't have one.</li> <li>Create a project (if you don't already have one).</li> <li>On the left hand menu, go to <code>APIs and services</code> -&gt; <code>Credentials</code></li> <li>Click <code>Create Credentials</code> -&gt; <code>OAuth client ID</code></li> <li>Under <code>Application Type</code>, choose <code>Web Application</code></li> <li>For <code>Name</code>, enter whatever you like</li> <li>Under <code>Authorised redirect URIs</code>, use <code>https://example.com/oidc/callback</code>, replacing example.com with your headscale URL.</li> <li>Click <code>Save</code> at the bottom of the form</li> <li>Take note of the <code>Client ID</code> and <code>Client secret</code>, you can also download it for reference if you need it.</li> <li>Edit your headscale config, under <code>oidc</code>, filling in your <code>client_id</code> and <code>client_secret</code>: <div class="language-yaml highlight"><pre><span></span><code><span id=__span-3-1><a id=__codelineno-3-1 name=__codelineno-3-1 href=#__codelineno-3-1></a><span class=nt>oidc</span><span class=p>:</span>
</span><span id=__span-3-2><a id=__codelineno-3-2 name=__codelineno-3-2 href=#__codelineno-3-2></a><span class=w> </span><span class=nt>issuer</span><span class=p>:</span><span class=w> </span><span class=s>&quot;https://accounts.google.com&quot;</span>
</span><span id=__span-3-3><a id=__codelineno-3-3 name=__codelineno-3-3 href=#__codelineno-3-3></a><span class=w> </span><span class=nt>client_id</span><span class=p>:</span><span class=w> </span><span class=s>&quot;&quot;</span>
</span><span id=__span-3-4><a id=__codelineno-3-4 name=__codelineno-3-4 href=#__codelineno-3-4></a><span class=w> </span><span class=nt>client_secret</span><span class=p>:</span><span class=w> </span><span class=s>&quot;&quot;</span>
</span><span id=__span-3-5><a id=__codelineno-3-5 name=__codelineno-3-5 href=#__codelineno-3-5></a><span class=w> </span><span class=nt>scope</span><span class=p>:</span><span class=w> </span><span class="p p-Indicator">[</span><span class=s>&quot;openid&quot;</span><span class="p p-Indicator">,</span><span class=w> </span><span class=s>&quot;profile&quot;</span><span class="p p-Indicator">,</span><span class=w> </span><span class=s>&quot;email&quot;</span><span class="p p-Indicator">]</span>
Deployed 7d937c6b to development with MkDocs 1.6.1 and mike 2.1.3
2024-12-17 22:03:54 +09:00
</span></code></pre></div></li> </ol> <p>You can also use <code>allowed_domains</code> and <code>allowed_users</code> to restrict the users who can authenticate.</p> </article> </div> <script>var target=document.getElementById(location.hash.slice(1));target&&target.name&&(target.checked=target.name.startsWith("__tabbed_"))</script> </div> <button type=button class="md-top md-icon" data-md-component=top hidden> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M13 20h-2V8l-5.5 5.5-1.42-1.42L12 4.16l7.92 7.92-1.42 1.42L13 8z"/></svg> Back to top </button> </main> <footer class=md-footer> <nav class="md-footer__inner md-grid" aria-label=Footer> <a href=../configuration/ class="md-footer__link md-footer__link--prev" aria-label="Previous: Configuration"> <div class="md-footer__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M20 11v2H8l5.5 5.5-1.42 1.42L4.16 12l7.92-7.92L13.5 5.5 8 11z"/></svg> </div> <div class=md-footer__title> <span class=md-footer__direction> Previous </span> <div class=md-ellipsis> Configuration </div> </div> </a> <a href=../exit-node/ class="md-footer__link md-footer__link--next" aria-label="Next: Exit node"> <div class=md-footer__title> <span class=md-footer__direction> Next </span> <div class=md-ellipsis> Exit node </div> </div> <div class="md-footer__button md-icon"> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M4 11v2h12l-5.5 5.5 1.42 1.42L19.84 12l-7.92-7.92L10.5 5.5 16 11z"/></svg> </div> </a> </nav> <div class="md-footer-meta md-typeset"> <div class="md-footer-meta__inner md-grid"> <div class=md-copyright> <div class=md-copyright__highlight> Copyright &copy; 2024 Headscale authors </div> Made with <a href=https://squidfunk.github.io/mkdocs-material/ target=_blank rel=noopener> Material for MkDocs </a> </div> <div class=md-social> <a href=https://github.com/juanfont/headscale target=_blank rel=noopener title=github.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 496 512"><!-- Font Awesome Free 6.7.1 by @fontawesome - https://fontawesome.com License - https://fontawesome.com/license/free (Icons: CC BY 4.0, Fonts: SIL OFL 1.1, Code: MIT License) Copyright 2024 Fonticons, Inc.--><path d="M165.9 397.4c0 2-2.3 3.6-5.2 3.6-3.3.3-5.6-1.3-5.6-3.6 0-2 2.3-3.6 5.2-3.6 3-.3 5.6 1.3 5.6 3.6m-31.1-4.5c-.7 2 1.3 4.3 4.3 4.9 2.6 1 5.6 0 6.2-2s-1.3-4.3-4.3-5.2c-2.6-.7-5.5.3-6.2 2.3m44.2-1.7c-2.9.7-4.9 2.6-4.6 4.9.3 2 2.9 3.3 5.9 2.6 2.9-.7 4.9-2.6 4.6-4.6-.3-1.9-3-3.2-5.9-2.9M244.8 8C106.1 8 0 113.3 0 252c0 110.9 69.8 205.8 169.5 239.2 12.8 2.3 17.3-5.6 17.3-12.1 0-6.2-.3-40.4-.3-61.4 0 0-70 15-84.7-29.8 0 0-11.4-29.1-27.8-36.6 0 0-22.9-15.7 1.6-15.4 0 0 24.9 2 38.6 25.8 21.9 38.6 58.6 27.5 72.9 20.9 2.3-16 8.8-27.1 16-33.7-55.9-6.2-112.3-14.3-112.3-110.5 0-27.5 7.6-41.3 23.6-58.9-2.6-6.5-11.1-33.3 2.6-67.9 20.9-6.5 69 27 69 27 20-5.6 41.5-8.5 62.8-8.5s42.8 2.9 62.8 8.5c0 0 48.1-33.6 69-27 13.7 34.7 5.2 61.4 2.6 67.9 16 17.7 25.8 31.5 25.8 58.9 0 96.5-58.9 104.2-114.8 110.5 9.2 7.9 17 22.9 17 46.4 0 33.7-.3 75.4-.3 83.6 0 6.5 4.6 14.4 17.3 12.1C428.2 457.8 496 362.9 496 252 496 113.3 383.5 8 244.8 8M97.2 352.9c-1.3 1-1 3.3.7 5.2 1.6 1.6 3.9 2.3 5.2 1 1.3-1 1-3.3-.7-5.2-1.6-1.6-3.9-2.3-5.2-1m-10.8-8.1c-.7 1.3.3 2.9 2.3 3.9 1.6 1 3.6.7 4.3-.7.7-1.3-.3-2.9-2.3-3.9-2-.6-3.6-.3-4.3.7m32.4 35.6c-1.6 1.3-1 4.3 1.3 6.2 2.3 2.3 5.2 2.6 6.5 1 1.3-1.3.7-4.3-1.3-6.2-2.2-2.3-5.2-2.6-6.5-1m-11.4-14.7c-1.6 1-1.6 3.6 0 5.9s4.3 3.3 5.6 2.3c1.6-1.3 1.6-3.9 0-6.2-1.4-2.3-4-3.3-5.6-2"/></svg> </a> <a href=https://ko-fi.com/headscale target=_blank rel=noopener title=ko-fi.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 24 24"><path d="M2 21h18v-2H2M20 8h-2V5h2m0-2H4v10a4 4 0 0 0 4 4h6a4 4 0 0 0 4-4v-3h2a2 2 0 0 0 2-2V5a2 2 0 0 0-2-2"/></svg> </a> <a href=https://github.com/juanfont/headscale/pkgs/container/headscale target=_blank rel=noopener title=github.com class=md-social__link> <svg xmlns=http://www.w3.org/2000/svg viewbox="0 0 640 512"><!-- Font Awesome Free 6.7.1 by @fontawesome - https://fontaw
Reference in a new issue Copy permalink