Skip to content

OIDC: Add configurable username mapping via oidc.username_claim_order #3003

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
angelbarrera92 wants to merge 1 commit into
base: main
Choose a base branch
from
Open

OIDC: Add configurable username mapping via oidc.username_claim_order #3003

angelbarrera92 wants to merge 1 commit into from

Conversation

@angelbarrera92
Copy link

@angelbarrera92 angelbarrera92 commented Jan 11, 2026
edited
Loading

Add support for deriving Headscale usernames from configurable OIDC claims, addressing IdPs (like Google) that omit the standard preferred_username claim.

  • have read the CONTRIBUTING.md file
  • raised a GitHub issue or discussed it on the projects chat beforehand
  • added unit tests
  • added integration tests
  • updated documentation if needed
  • updated CHANGELOG.md

Fixes #3002

Summary

This PR adds a configurable way to derive the Headscale username from OIDC claims. It addresses IdPs (like Google) that do not emit preferred_username, enabling predictable, valid usernames without manual remediation.

Changes

  • Config: Introduce oidc.username_claim_order (array) that defines a priority list of claims to try.
    • Supported values: preferred_username, email_localpart, email, name, sub.
    • Default (when unset): [preferred_username, email_localpart, email, name, sub].
  • Username derivation helper: picks the first non-empty, syntactically valid candidate using existing ValidateUsername rules.
  • OIDC flow: applies the mapping before creating/updating the user record so Username() resolves reliably.
  • Documentation: added configuration reference and OIDC guide notes (including Google example).
  • Tests: unit tests covering the derivation and common fallback cases.

Example Configuration

oidc:
  issuer: "https://accounts.google.com"
  client_id: "..."
  client_secret: "..."
  # Prefer preferred_username, otherwise use email local-part, then email
  username_claim_order:
    - preferred_username
    - email_localpart
    - email

Notes

  • Candidates are tried in order and must pass ValidateUsername.
  • If the list is omitted, the default order is used.
  • Default behavior preserves existing installs where preferred_username is present.
  • No database migrations required.
  • Username syntax is validated; all email verification and authorization constraints remain unchanged.

@angelbarrera92
feat(oidc): add configurable username mapping via `oidc.username_clai…
a8077c1 
…m_order`

Add support for deriving Headscale usernames from configurable OIDC claims,
addressing IdPs (like Google) that omit the standard `preferred_username` claim.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ohdearaugustin ohdearaugustin Awaiting requested review from ohdearaugustin ohdearaugustin is a code owner

@nblock nblock Awaiting requested review from nblock nblock is a code owner

@juanfont juanfont Awaiting requested review from juanfont juanfont is a code owner

@kradalby kradalby Awaiting requested review from kradalby kradalby is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Feature] Configurable OIDC username mapping (fallback when preferred_username is missing)

1 participant

@angelbarrera92