set oidc.map_legacy_users false (#2350)

2025-01-18 00:06:09 +01:00 · 2025-01-17 15:44:04 +01:00 · 2025-01-17 15:44:04 +01:00 · 5b986ed0a7
commit 5b986ed0a7
parent 8076c94444
3 changed files with 8 additions and 3 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,11 @@

 ## Next

+### Changes
+
+- `oidc.map_legacy_users` is now `false` by default
+  [#2350](https://github.com/juanfont/headscale/pull/2350)
+
 ## 0.24.0 (2025-01-17)

 ### Security fix: OIDC changes in Headscale 0.24.0
--- a/config-example.yaml
+++ b/config-example.yaml
@ -384,10 +384,10 @@ unix_socket_permission: "0770"
 #   # Note that this will only work if the username from the legacy user is the same
 #   # and there is a possibility for account takeover should a username have changed
 #   # with the provider.
-#   # Disabling this feature will cause all new logins to be created as new users.
+#   # When this feature is disabled, it will cause all new logins to be created as new users.
 #   # Note this option will be removed in the future and should be set to false
 #   # on all new installations, or when all users have logged in with OIDC once.
-#   map_legacy_users: true
+#   map_legacy_users: false

 # Logtail configuration
 # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel
--- a/hscontrol/types/config.go
+++ b/hscontrol/types/config.go
@ -319,7 +319,7 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("oidc.only_start_if_oidc_is_available", true)
 	viper.SetDefault("oidc.expiry", "180d")
 	viper.SetDefault("oidc.use_expiry_from_token", false)
-	viper.SetDefault("oidc.map_legacy_users", true)
+	viper.SetDefault("oidc.map_legacy_users", false)
 	viper.SetDefault("oidc.pkce.enabled", false)
 	viper.SetDefault("oidc.pkce.method", "S256")