Feat OIDC login as namespace #350
Conversation
kradalby
left a comment
There was a problem hiding this comment.
Some comments, did you update the changelog? 🤔
namespaces.go
Outdated
| name = normalizeNamespaceRegex.ReplaceAllString(name, "-") | ||
|
|
||
| for _, elt := range strings.Split(name, ".") { | ||
| if len(elt) > 63 { |
There was a problem hiding this comment.
This is good, I think I would have forgotten this.
It makes me thing tho, do we need an option to only use the username or the name before @? I suspect that with emails, we can easily get too long names here?
reallylongfirstname.middlename.longlastname@reallylongdomainname.com
This will throw an error, but not sure if we will display it to users, and users might not have a clue whats going on.
There was a problem hiding this comment.
Yes this is also something that I thought about without reaching a result. I could add a check at some place where we return the hostname if it's too long. In the RFC 1123 we can read the following:
Host software MUST handle host names of up to 63 characters and
SHOULD handle host names of up to 255 characters.
If we throw an error like this we should add some comments on resolution or keep the domain_map config around to solve this kind of issues.
There was a problem hiding this comment.
hmm, the combinations of options here is a bit of a can of worms:
- Add too long ones into domain-only namespace
- strip domain and use just username
- what if username is still too long
I suggest keeping it a bit simple to begin with, and actually, I wonder if people dont really need to have the domain from the email in the namespace (as they are all likely the same).
Maybe we should have a oidc.strip_email_domain which is true by default, so by default, username is used, and if people intend to have different email addresses, you turn that off and get the whole thing.
So by default:
alice@enterprise.com -> alice
bob@enterprise.com -> bob
But you can turn that off:
alice@enterprise.com -> alice.enterprice-com (or what it will become)
bob@collaboratingcompany.com -> bob.collaboratingcompany-com
Host software MUST handle host names of up to 63 characters and
SHOULD handle host names of up to 255 characters.
As for 63 vs 255, I suggest we saw that 255 is an error and 63 is a warning.
There was a problem hiding this comment.
The potential issue that I can see with the strip_email_domain as default is that if some users want to login with different email provider it's possible to have an issue. It can even become a security issue (impersonating admin account). I don't know OIDC well enough to see if it can be an issue. But I guess with a tool like dex (login aggregator), it seems possible.
There was a problem hiding this comment.
My reference to RFC 1123 seems incomplete. RFC 2181 says the following:
The DNS itself places only one restriction on the particular labels
that can be used to identify resource records. That one restriction
relates to the length of the label and the full name. The length of
any one label is limited to between 1 and 63 octets. A full domain
name is limited to 255 octets (including the separators).
It seems to be the last RFC describing host names. The wikipedia page have the same information: https://en.wikipedia.org/wiki/Domain_Name_System
I keep the check server side because it's better from a security point of view.
|
With this came to my mind that |
CHANGELOG.md
Outdated
| - Add API Key support | ||
| - Enable remote control of `headscale` via CLI [docs](docs/remote-cli.md) | ||
| - Enable HTTP API (beta, subject to change) | ||
| - OIDC login will map user to an associated namespace. |
There was a problem hiding this comment.
When we have landed on how this work, we should elaborate here, and in the example config
There was a problem hiding this comment.
Should I remove changelog modifications ?
kradalby
left a comment
There was a problem hiding this comment.
I'll have a suggestion for the Changelog when I get to the airport, but all looks good now :)
| ) | ||
|
|
||
| const ( | ||
| maxHostnameLength = 255 |
There was a problem hiding this comment.
Actually, I just thought, is it the entire url that has the max? Or the segments between . ?
I just had a memory about some kubernetes namespace stuff.
This is mostly to raise this, I'm happy about it as is for now.
There was a problem hiding this comment.
The Fully Qualified Domain Name has a maximum length of 255 and the labels (segments in between) have a maximum length of 63
kradalby
left a comment
There was a problem hiding this comment.
Lets do this and I'll approve :)
Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>
Co-authored-by: Kristoffer Dalby <kradalby@kradalby.no>
|
Integrations tests seems to have a random component. One update on changelog was ok, the other was not… |
Sadly it's not random, but race conditions/sync issues in headscale. I am continuously working on them, and have an draft with a couple of improvements. But for now, just rerunning it is the way 😖 |
|
When #357 is in, can you resolve the conflicts? I think there will be some more, so you can wait for that one. |
Merged now. |
should close #327