@kradalby
Collaborator

Remove premature policy change notification after user creation in OIDC callback handler. This was causing a race condition where asynchronous policy updates interfered with node registration, resulting in new OIDC nodes receiving incomplete network maps.

The policy manager is still updated synchronously during user creation, and handleRegistration now sends a single consolidated change notification after node registration completes.

Add integration test to validate OIDC nodes immediately receive correct ACL policies and can see advertised routes without requiring a client restart.

Fixes #2888

Claude was used in this PR.

@kradalby force-pushed the kradalby/2888-oidc-pol branch 3 times, most recently from 950d7ac to 13546dc (November 14, 2025 16:23)
@kradalby force-pushed the kradalby/2888-oidc-pol branch 3 times, most recently from 2b66ec6 to 984121e (November 24, 2025 10:00)
@kradalby changed the base branch from main to kradalby/release-v0.27.2 (November 26, 2025 08:28)
@kradalby force-pushed the kradalby/2888-oidc-pol branch from 984121e to e227dc2 (November 26, 2025 08:49)
@kradalby marked this pull request as ready for review (November 26, 2025 09:01)
@kradalby added this to the v0.27.0 milestone (Nov 26, 2025)
@kradalby force-pushed the kradalby/2888-oidc-pol branch 2 times, most recently from 3480f84 to 06f496b (November 28, 2025 11:57)
Remove premature policy change notification after user creation
in OIDC callback handler. This was causing a race condition where
asynchronous policy updates interfered with node registration,
resulting in new OIDC nodes receiving incomplete network maps.

The policy manager is still updated synchronously during user
creation, and handleRegistration now sends a single consolidated
change notification after node registration completes.

Add integration test to validate OIDC nodes immediately receive
correct ACL policies and can see advertised routes without
requiring a client restart.

Regression introduced in 1553f0a (state: introduce state).

Fixes juanfont#2888
Fixes juanfont#2896

Signed-off-by: Kristoffer Dalby <kristoffer@tailscale.com>
@kradalby force-pushed the kradalby/2888-oidc-pol branch from 06f496b to ed1fdc3 (November 30, 2025 14:58)
@kradalby merged commit 4fe5cbe into juanfont:kradalby/release-v0.27.2 (Nov 30, 2025)
186 of 189 checks passed
kradalby added a commit to kradalby/headscale that referenced this pull request Dec 1, 2025
kradalby added a commit to kradalby/headscale that referenced this pull request Dec 2, 2025
kradalby added a commit to kradalby/headscale that referenced this pull request Dec 2, 2025
Development

Successfully merging this pull request may close these issues.

[Bug] ACLs not applied on newly added nodes using OIDC