[Bug] EntraID OIDC - ACLs not being applied to OIDC registered users #2377
Comments
SysAdminSmith
changed the title
|
I am also experiencing this. In headscale version 0.24.0, ACL worked by the user's email address (the username has no effect). If no email was defined, it worked on Provider ID (which was horrendously ugly having an entire URL in the ACL entries, but it did work). Now in 0.24.1, the |
|
Could you give me some example output of your users? Something like the output som
Are you saying there is different behaviour in 0.24.0 and 0.24.1 ? from entra, which didnt seem to send emails based on another issue, it would not expect that. @GoodiesHQ Could you give me the same output but from 0.24.0 and 0.24.1? |
|
I just posted this in Discord in response to a suggestion I downgrade to 0.24.0 and manually change usernames - which auto populate with email names ([email protected]) - to just user.name.
(Name, Display Name, and Tenant ID and sub claim are randomized) This is in 0.24.0 |
|
Curious your OIDC user is missing an "email" property, perhaps your IDP isn't including |
This would match my experience. In 0.24.0 with ODIC users that have plain usernames (fred, mike, etc) and email addresses ([email protected], [email protected], etc) populated, I have working user ACLs based on email address. In 0.24.1, usernames get migrated to email addresses (as users login again), but I can't seem to get user ACLs to work based on email address. |
Do you mind expanding a bit on this? |
|
In 0.24.0 at least, user ACLs seem to key off email address, but your user with username My OIDC users do have the email property set like: ...
{
"id": 2,
"name": "testuser",
"created_at": {
"seconds": 1737933527,
"nanos": 133145801
},
"display_name": "Test User",
=> "email": "[email protected]",
"provider_id": "https://auth.domain.com/304400930772615424",
"provider": "oidc"
}And the email address can be used for user based ACLs in 0.24.0. But not in 0.24.1 it seems. |
Thank you :) I did some further research an apparently Entra ID does not provide |
I downgraded to 0.24.0 and went the UPN route since EntraID provides it by default (i.e. in the headscale config I set When I logged in, just the Display Name was populated; neither the username nor the email address was captured. I manually modified the user to create a username (user.name) which is referenced in the ACL. No difference, sadly. What is so damn odd is that when I set the endpoint to For whatever reason, it is forwarding dns requests to the exitnode (100.64.0.3). The dns is configured at 100.64.0.2. Further: I'm not sure what its trying to do by sending to port 53 on a private ip. That is a DNS server but I am not sure how tailscale even knows about it. |
|
Well AFAIK email address has to be used for user ACLs in 0.24.0, so without that set you may be out of luck there. And 0.24.1 doesn't seem work with email or username as far as I can tell. Not sure about the dns issue, but without a working ACL maybe it's trying whatever it can to get some dns back through your exit node. Pure guess, seems odd. I know Tailscale does try to transparently upgrade you to DNS over HTTPS (DoH). |
|
I have been fighting this ACL issue about a week now. And I finally found a repro case on my end If a User's user.name field is updated ACL no longer works for any user. On 0.24.0 I had manually assigned each user a username and it broke my ACL, Once I upgraded to 0.24.1 ACL started working soon as server was up and it broke again once a user logged out and logged-in, which caused the user.name to be updated to include email. It looks like update of the user.name field for any user breaks the ACL and it cannot be fixed until a minor version upgrade is done? Is there any database migration that occurs during version upgrade/downgrade? Because it only seems to get fixed after that |
|
@SlackingVeteran this is useful, can you show me your ACL? Do you use your "old" usernames in the ACL or have you migrated to the what ends up being populated in the ACL (likely emails)? |
|
@kradalby I was using usernames in ACL on v0.24.0 which was not working, upgrading to 0.24.1 fixed it to a point where username started working until username was updated by OIDC to be email. I swapped to use email in ACL after it stopped working, and it still did not apply appropriate ACL, i then changed username from email to custom username and used username on ACL and that did not work either, downgraded to 0.24.0 and username started working again. |
|
@SlackingVeteran, you have to use the exact value present in the user object, it will check the When using OIDC, rename should not be used as it will be overwritten every time the user logs in, I filed #2387 to block the usage of it when OIDC is used to avoid confusion. |
|
Thanks @kradalby |
|
@kradalby I started fresh again thinking I may have made some mistake, but I'm afraid I can't get OIDC user based ACLs to work as you describe in 0.24.1. Starting in a working state in 0.24.0 (note not .1) where I have 1 user (which is stable between login/logout as usernames can't be email addresses yet in 0.24.0): root@cloud:~ # headscale users list
ID | Name | Username | Email | Created
1 | Fred Wilson | fred | [email protected] | 2025-01-21 22:31:18And a very simple ACL: {
"groups": {},
"tagOwners": {},
"hosts": {},
"acls": [
{
"action": "accept",
"src": [
"[email protected]"
],
"dst": [
"*:*"
]
}
],
"ssh": []
}It works as expected, the user fred ([email protected]) sees and can reach everything. Then I update the system to 0.24.1 -- initially the ACL still works fine. But the second fred ([email protected]) does a logout/login, his Headscale username is updated to email as expected: root@cloud:~ # headscale users list
ID | Name | Username | Email | Created
1 | Fred Wilson | [email protected] | [email protected] | 2025-01-21 22:31:18But the ACL no longer works, with the following logged to the Headscale console:
Which according to If I try editing the ACL using his email [email protected], Headscale will log The only thing that seems to work for me to identify his user in the ACL is using his Is there some specific output that would help investigate this? |
|
I think the problem may be here. Once the user does a logout/login in 0.24.1 both Edit: I just ran with trace logging and that is what is hitting for me:
|
|
Great find @Codelica, I didn't update to 0.24.1 yet because of this issue and looks like you found the cause, might be worth creating a PR. A |
|
Unfortunately I'm not a Go dev :(, although it would be the one language I'd love to pick up if there's ever time. (seems doubtful) I have a feeling he'll want to preserve a check for legitimate multiple matches though -- just checking based on multiple unique users ids instead. |
I think this is it!, good catch! I have actually redone that function here #2388, a bit by accident but it should fix that problem. |
|
I would test it but my Kubernetes deployment relies on pre-built docker images. If there is an image for it I can test it out right away |
|
I built the docker container myself to test this and can verify email for OIDC logged in user is working as expected in ACL now |
|
I updated to 0.24.2 and unforuntately I still am having issues. Am I right to believe that all users must have an email address, now? Because, as mentioned previously, EntraID does not provide email by default in a way that the email field is filled. The username will be filled by the email EntraID provides, but the email field will remain empty (user.name is retrieved via EntraID; node.mgr was a user created locally): |
|
user.name will have email once user logs out and logs back in with OIDC. Account stays unchanged until user re-logins |
|
As for email field, it will stay empty unless OIDC claim contains email_verified claim with |
|
@SysAdminSmith Code in 0.24.2 checks the So you should be able to reference those 2 users as "node.mgr" and "[email protected]" even with their |
|
I use Entra as well and I have added additional claim on entra that has true value. You should be able to follow this instruction on Headscale discord to do so https://discord.com/channels/896711691637780480/1105842846386356294/1331037795900461106 |
Thank you for this! What "scopes" did you use in your config.yaml? Also, did you declare a separate "email_claim" in your config.yaml? |
|
My scope is |
ooof. Thank you! |
|
I am not entirely sure why this bug was closed because I still cannot use ACL's with my headscale setup. I have upgraded to 0.24.2 and followed @suyashFSG suggestions but I am still unable to use acls. Funny thing is, if the default is "deny all to all", then the directive of "accept all from all to all" is technically an acl that "works". But, outside of that, any acl rule will break a user's ability to: use dns and access anything outside of the tailnet. Perhaps it has something to do with EntraID? I don't know. I am happy to provide whatever information is needed. |
|
I'm seeing very similar issues with a custom OIDC server. Email is populating correctly but ACLs are just seemingly not working. Haven't really been able to get to the root of what exactly is happening. Edit: Never mind, I believe my issue is actually #1475 |
Is this a support request?
Is there an existing issue for this?
Current Behavior
Users register via Entra ID OIDC. They are granted access by virtue of Security Group membership. When they login for the first time they are assigned a User ID, and their Name and Username are registered. The username is their EntraID email address (i.e. [email protected]). I have also created a local user (node.mgr) to manager subnet nodes and exit nodes. This user has an ID and username only (node.mgr).
When the default Allow All from All policy is in place all users can receive subnet routes, exit node routes, and have access to the DNS server.
However, when implementing the following ACL, only the node.mgr user has the proper policies applied. Any other user - which register via OIDC - can see (tailscale status) every node to which they should have access and can "tailscale ping" those devices, but none can resolve FQDN's. reach the outside world, or navigate the subnets provided by the subnet routers.
Expected Behavior
Expected behavior is that every user defined in a group has the policies applied based on the group to which they are party.
I am new to Headscale/Tailscale so I am fully cognizant that I may be misconstruing the ACL or misunderstanding how it works so I apologize in advance if this is not a bug but, rather, user error. If the latter, I would sincerely appreciate being pointed in the right direction.
Steps To Reproduce
Create ACL
Apply ACL
Login
Environment
Runtime environment
Anything else?
The text was updated successfully, but these errors were encountered: