Merge 32da525b8d into 2024219bd1

2025-11-10 01:20:58 +01:00 · 2025-11-05 18:10:30 +00:00 · 2025-11-05 18:10:30 +00:00 · c89c6f8c3b
commit c89c6f8c3b
parent 2024219bd1 32da525b8d
5 changed files with 113 additions and 33 deletions
--- a/config-example.yaml
+++ b/config-example.yaml
@ -361,6 +361,17 @@ unix_socket_permission: "0770"
 #   # required "openid" scope.
 #   scope: ["openid", "profile", "email"]
 #
+#   # Enable this setting to accept the user's email address regardless
+#   # if "email_verified: true" is sent by identity provider.
+#   #
+#   # By default, "email_verified: true" must appear in claims or user info
+#   # before Headscale will accept the principal's email address as the user
+#   # account is created after successful authentication.
+#   #
+#   # This setting is useful when claims and their mapping can't be controlled,
+#   # such as when using Cloudflare One-time pin for authentication.
+#   use_unverified_email: false
+#
 #   # Provide custom key/value pairs which get sent to the identity provider's
 #   # authorization endpoint.
 #   extra_params:
--- a/hscontrol/oidc.go
+++ b/hscontrol/oidc.go
@ -167,7 +167,11 @@ func (a *AuthProviderOIDC) RegisterHandler(
 			extras = append(extras, oauth2.S256ChallengeOption(verifier))
 		case types.PKCEMethodPlain:
 			// oauth2 does not have a plain challenge option, so we add it manually
-			extras = append(extras, oauth2.SetAuthURLParam("code_challenge_method", "plain"), oauth2.SetAuthURLParam("code_challenge", verifier))
+			extras = append(
+				extras,
+				oauth2.SetAuthURLParam("code_challenge_method", "plain"),
+				oauth2.SetAuthURLParam("code_challenge", verifier),
+			)
 		}
 	}

@ -281,11 +285,13 @@ func (a *AuthProviderOIDC) OIDCCallbackHandler(
 		util.LogErr(err, "could not get userinfo; only using claims from id token")
 	}

-	// The user claims are now updated from the userinfo endpoint so we can verify the user
-	// against allowed emails, email domains, and groups.
-	if err := validateOIDCAllowedDomains(a.cfg.AllowedDomains, &claims); err != nil {
-		httpError(writer, err)
-		return
+	if bool(claims.EmailVerified) || a.cfg.UseUnverifiedEmail {
+		// The user claims are now updated from the userinfo endpoint so we can verify the user
+		// against allowed emails, email domains, and groups.
+		if err := validateOIDCAllowedDomains(a.cfg.AllowedDomains, &claims); err != nil {
+			httpError(writer, err)
+			return
+		}
 	}

 	if err := validateOIDCAllowedGroups(a.cfg.AllowedGroups, &claims); err != nil {
@ -332,8 +338,14 @@ func (a *AuthProviderOIDC) OIDCCallbackHandler(
 		newNode, err := a.handleRegistration(user, *registrationId, nodeExpiry)
 		if err != nil {
 			if errors.Is(err, db.ErrNodeNotFoundRegistrationCache) {
-				log.Debug().Caller().Str("registration_id", registrationId.String()).Msg("registration session expired before authorization completed")
-				httpError(writer, NewHTTPError(http.StatusGone, "login session expired, try again", err))
+				log.Debug().
+					Caller().
+					Str("registration_id", registrationId.String()).
+					Msg("registration session expired before authorization completed")
+				httpError(
+					writer,
+					NewHTTPError(http.StatusGone, "login session expired, try again", err),
+				)

 				return
 			}
@ -373,7 +385,11 @@ func extractCodeAndStateParamFromRequest(
 	state := req.URL.Query().Get("state")

 	if code == "" || state == "" {
-		return "", "", NewHTTPError(http.StatusBadRequest, "missing code or state parameter", errEmptyOIDCCallbackParams)
+		return "", "", NewHTTPError(
+			http.StatusBadRequest,
+			"missing code or state parameter",
+			errEmptyOIDCCallbackParams,
+		)
 	}

 	return code, state, nil
@ -390,7 +406,11 @@ func (a *AuthProviderOIDC) getOauth2Token(
 	if a.cfg.PKCE.Enabled {
 		regInfo, ok := a.registrationCache.Get(state)
 		if !ok {
-			return nil, NewHTTPError(http.StatusNotFound, "registration not found", errNoOIDCRegistrationInfo)
+			return nil, NewHTTPError(
+				http.StatusNotFound,
+				"registration not found",
+				errNoOIDCRegistrationInfo,
+			)
 		}
 		if regInfo.Verifier != nil {
 			exchangeOpts = []oauth2.AuthCodeOption{oauth2.VerifierOption(*regInfo.Verifier)}
@ -399,7 +419,11 @@ func (a *AuthProviderOIDC) getOauth2Token(

 	oauth2Token, err := a.oauth2Config.Exchange(ctx, code, exchangeOpts...)
 	if err != nil {
-		return nil, NewHTTPError(http.StatusForbidden, "invalid code", fmt.Errorf("could not exchange code for token: %w", err))
+		return nil, NewHTTPError(
+			http.StatusForbidden,
+			"invalid code",
+			fmt.Errorf("could not exchange code for token: %w", err),
+		)
 	}

 	return oauth2Token, err
@ -418,7 +442,11 @@ func (a *AuthProviderOIDC) extractIDToken(
 	verifier := a.oidcProvider.Verifier(&oidc.Config{ClientID: a.cfg.ClientID})
 	idToken, err := verifier.Verify(ctx, rawIDToken)
 	if err != nil {
-		return nil, NewHTTPError(http.StatusForbidden, "failed to verify id_token", fmt.Errorf("failed to verify ID token: %w", err))
+		return nil, NewHTTPError(
+			http.StatusForbidden,
+			"failed to verify id_token",
+			fmt.Errorf("failed to verify ID token: %w", err),
+		)
 	}

 	return idToken, nil
@ -433,7 +461,11 @@ func validateOIDCAllowedDomains(
 	if len(allowedDomains) > 0 {
 		if at := strings.LastIndex(claims.Email, "@"); at < 0 ||
 			!slices.Contains(allowedDomains, claims.Email[at+1:]) {
-			return NewHTTPError(http.StatusUnauthorized, "unauthorised domain", errOIDCAllowedDomains)
+			return NewHTTPError(
+				http.StatusUnauthorized,
+				"unauthorised domain",
+				errOIDCAllowedDomains,
+			)
 		}
 	}

@ -505,7 +537,7 @@ func (a *AuthProviderOIDC) createOrUpdateUserFromClaim(
 		user = &types.User{}
 	}

-	user.FromClaim(claims)
+	user.FromClaim(claims, a.cfg.UseUnverifiedEmail)

 	if newUser {
 		user, c, err = a.h.state.CreateUser(*user)
--- a/hscontrol/types/config.go
+++ b/hscontrol/types/config.go
@ -31,10 +31,16 @@ const (
 )

 var (
-	errOidcMutuallyExclusive = errors.New("oidc_client_secret and oidc_client_secret_path are mutually exclusive")
-	errServerURLSuffix       = errors.New("server_url cannot be part of base_domain in a way that could make the DERP and headscale server unreachable")
-	errServerURLSame         = errors.New("server_url cannot use the same domain as base_domain in a way that could make the DERP and headscale server unreachable")
-	errInvalidPKCEMethod     = errors.New("pkce.method must be either 'plain' or 'S256'")
+	errOidcMutuallyExclusive = errors.New(
+		"oidc_client_secret and oidc_client_secret_path are mutually exclusive",
+	)
+	errServerURLSuffix = errors.New(
+		"server_url cannot be part of base_domain in a way that could make the DERP and headscale server unreachable",
+	)
+	errServerURLSame = errors.New(
+		"server_url cannot use the same domain as base_domain in a way that could make the DERP and headscale server unreachable",
+	)
+	errInvalidPKCEMethod = errors.New("pkce.method must be either 'plain' or 'S256'")
 )

 type IPAllocationStrategy string
@ -179,6 +185,7 @@ type OIDCConfig struct {
 	ClientSecret               string
 	Scope                      []string
 	ExtraParams                map[string]string
+	UseUnverifiedEmail         bool
 	AllowedDomains             []string
 	AllowedUsers               []string
 	AllowedGroups              []string
@ -327,6 +334,7 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("oidc.use_expiry_from_token", false)
 	viper.SetDefault("oidc.pkce.enabled", false)
 	viper.SetDefault("oidc.pkce.method", "S256")
+	viper.SetDefault("oidc.use_unverified_email", false)

 	viper.SetDefault("logtail.enabled", false)
 	viper.SetDefault("randomize_client_port", false)
@ -385,10 +393,18 @@ func validateServerConfig() error {
 		}
 	}

+	if viper.IsSet("oidc.use_unverified_email") {
+		log.Warn().
+			Msg("unverified emails will be accepted during oidc authentication (oidc.use_unverified_email=true)")
+	} else {
+		log.Warn().Msg("only verified emails will be accepted during oidc authentication (oidc.use_unverified_email=false)")
+	}
+
 	depr.Log()

 	if viper.IsSet("dns.extra_records") && viper.IsSet("dns.extra_records_path") {
-		log.Fatal().Msg("Fatal config error: dns.extra_records and dns.extra_records_path are mutually exclusive. Please remove one of them from your config file")
+		log.Fatal().
+			Msg("Fatal config error: dns.extra_records and dns.extra_records_path are mutually exclusive. Please remove one of them from your config file")
 	}

 	// Collect any validation errors and return them all at once
@ -947,14 +963,15 @@ func LoadServerConfig() (*Config, error) {
 			OnlyStartIfOIDCIsAvailable: viper.GetBool(
 				"oidc.only_start_if_oidc_is_available",
 			),
-			Issuer:         viper.GetString("oidc.issuer"),
-			ClientID:       viper.GetString("oidc.client_id"),
-			ClientSecret:   oidcClientSecret,
-			Scope:          viper.GetStringSlice("oidc.scope"),
-			ExtraParams:    viper.GetStringMapString("oidc.extra_params"),
-			AllowedDomains: viper.GetStringSlice("oidc.allowed_domains"),
-			AllowedUsers:   viper.GetStringSlice("oidc.allowed_users"),
-			AllowedGroups:  viper.GetStringSlice("oidc.allowed_groups"),
+			Issuer:             viper.GetString("oidc.issuer"),
+			ClientID:           viper.GetString("oidc.client_id"),
+			ClientSecret:       oidcClientSecret,
+			Scope:              viper.GetStringSlice("oidc.scope"),
+			ExtraParams:        viper.GetStringMapString("oidc.extra_params"),
+			UseUnverifiedEmail: viper.GetBool("oidc.use_unverified_email"),
+			AllowedDomains:     viper.GetStringSlice("oidc.allowed_domains"),
+			AllowedUsers:       viper.GetStringSlice("oidc.allowed_users"),
+			AllowedGroups:      viper.GetStringSlice("oidc.allowed_groups"),
 			Expiry: func() time.Duration {
 				// if set to 0, we assume no expiry
 				if value := viper.GetString("oidc.expiry"); value == "0" {
--- a/hscontrol/types/users.go
+++ b/hscontrol/types/users.go
@ -324,7 +324,7 @@ type OIDCUserInfo struct {

 // FromClaim overrides a User from OIDC claims.
 // All fields will be updated, except for the ID.
-func (u *User) FromClaim(claims *OIDCClaims) {
+func (u *User) FromClaim(claims *OIDCClaims, useUnverifiedEmail bool) {
 	err := util.ValidateUsername(claims.Username)
 	if err == nil {
 		u.Name = claims.Username
@ -332,7 +332,7 @@ func (u *User) FromClaim(claims *OIDCClaims) {
 		log.Debug().Caller().Err(err).Msgf("Username %s is not valid", claims.Username)
 	}

-	if claims.EmailVerified {
+	if claims.EmailVerified || FlexibleBoolean(useUnverifiedEmail) {
 		_, err = mail.ParseAddress(claims.Email)
 		if err == nil {
 			u.Email = claims.Email
--- a/hscontrol/types/users_test.go
+++ b/hscontrol/types/users_test.go
@ -291,9 +291,10 @@ func TestCleanIdentifier(t *testing.T) {

 func TestOIDCClaimsJSONToUser(t *testing.T) {
 	tests := []struct {
-		name    string
-		jsonstr string
-		want    User
+		name               string
+		jsonstr            string
+		useUnverifiedEmail bool
+		want               User
 	}{
 		{
 			name: "normal-bool",
@ -348,6 +349,25 @@ func TestOIDCClaimsJSONToUser(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "use-unverified-email",
+			jsonstr: `
+{
+  "sub": "test-unverified-email",
+  "email": "test-unverified-email@test.no",
+  "email_verified": "false"
+}
+			`,
+			useUnverifiedEmail: true,
+			want: User{
+				Provider: util.RegisterMethodOIDC,
+				Email:    "test-unverified-email@test.no",
+				ProviderIdentifier: sql.NullString{
+					String: "/test-unverified-email",
+					Valid:  true,
+				},
+			},
+		},
 		{
 			// From https://github.com/juanfont/headscale/issues/2333
 			name: "okta-oidc-claim-20250121",
@ -458,7 +478,7 @@ func TestOIDCClaimsJSONToUser(t *testing.T) {

 			var user User

-			user.FromClaim(&got)
+			user.FromClaim(&got, tt.useUnverifiedEmail)
 			if diff := cmp.Diff(user, tt.want); diff != "" {
 				t.Errorf("TestOIDCClaimsJSONToUser() mismatch (-want +got):\n%s", diff)
 			}