Mirrors/juanfont.headscale
1
0
Fork 0
mirror of https://github.com/juanfont/headscale.git synced 2025-09-16 17:50:44 +02:00
Code Issues Projects Releases Wiki Activity

Refresh OIDC docs

Browse Source 
The UserInfo endpoint is always queried since 5d8a2c2.

This allows to use all OIDC related features without any extra
configuration on Authelia.

For Keycloak, its sufficient to add the groups mapper to the userinfo
endpoint.
This commit is contained in:
Florian Preinstorfer 2025-08-22 14:14:26 +02:00 committed by nblock
parent 2f3c365b68
commit 8ff5baadbe
1 changed files with 2 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
docs/ref/oidc.md
View File

@ -184,7 +184,7 @@ You may refer to users in the Headscale policy via:
## Supported OIDC claims ## Supported OIDC claims
Headscale uses [the standard OIDC claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) to Headscale uses [the standard OIDC claims](https://openid.net/specs/openid-connect-core-1_0.html#StandardClaims) to
populate and update its local user profile on each login. OIDC claims are read from the ID Token or from the UserInfo populate and update its local user profile on each login. OIDC claims are read from the ID Token and from the UserInfo
endpoint. endpoint.
| Headscale profile | OIDC claim | Notes / examples | | Headscale profile | OIDC claim | Notes / examples |
@ -230,19 +230,6 @@ are known to work:
Authelia is fully supported by Headscale. Authelia is fully supported by Headscale.
#### Additional configuration to authorize users based on filters
Authelia (4.39.0 or newer) no longer provides standard OIDC claims such as `email` or `groups` via the ID Token. The
OIDC `email` and `groups` claims are used to [authorize users with filters](#authorize-users-with-filters). This extra
configuration step is **only** needed if you need to authorize access based on one of the following user properties:
- domain
- email address
- group membership
Please follow the instructions from Authelia's documentation on how to [Restore Functionality Prior to Claims
Parameter](https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter).
### Authentik ### Authentik
- Authentik is fully supported by Headscale. - Authentik is fully supported by Headscale.
@ -297,7 +284,7 @@ you need to [authorize access based on group membership](#authorize-users-with-f
- Create a new client scope `groups` for OpenID Connect: - Create a new client scope `groups` for OpenID Connect:
- Configure a `Group Membership` mapper with name `groups` and the token claim name `groups`. - Configure a `Group Membership` mapper with name `groups` and the token claim name `groups`.
- Enable the mapper for the ID Token, Access Token and UserInfo endpoint. - Add the mapper to at least the UserInfo endpoint.
- Configure the new client scope for your Headscale client: - Configure the new client scope for your Headscale client:
- Edit the Headscale client. - Edit the Headscale client.
- Search for the client scope `group`. - Search for the client scope `group`.