Why
In some setups, there is a cyclic dependency between headscale and its OIDC backend. This could be because e.g. the OIDC provider is located through the tailnet (e.g. the OIDC provider is configured via magicDNS). In those cases, if the system boots cold, the machine running headscale can't join the tailnet without headscale being up, and headscale can't come up without its OIDC provider, unless only_start_if_oidc_is_available is false. But setting this to false means that headscale will simply not use OIDC unless it is restarted later for some reason.
Description
When starting headscale, if only_start_if_oidc_is_available is false and the OIDC provider is not available, headscale gives up on OIDC until it is restarted. This shouldn't be the case: headscale should keep trying to connect to the OIDC backend so it is used once it becomes available.
This should probably extend to failures of the OIDC provider while serving: if the OIDC provider becomes unavailable and only_start_if_oidc_is_available is false, headscale should degrade gracefully to use non-OIDC authentication until it detects that the OIDC provider is back up.
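An added example, not part of the original issue and not headscale's code: a background watcher that keeps probing the provider's standard OIDC discovery document, so availability is tracked continuously rather than decided once at startup. The names `OIDCWatcher`, `Check`, `Run` and `Up`, the 5-second timeout and the loopback issuer in `main` are assumptions made for illustration.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"net/http"
	"sync/atomic"
	"time"
)

// OIDCWatcher (hypothetical, not headscale's API) tracks issuer reachability.
type OIDCWatcher struct {
	Issuer string
	Up     atomic.Bool // outcome of the most recent Check
}

// Check fetches the discovery document once, verifies its issuer, records the result in Up.
func (w *OIDCWatcher) Check() (err error) {
	defer func() { w.Up.Store(err == nil) }()
	resp, err := (&http.Client{Timeout: 5 * time.Second}).Get(w.Issuer + "/.well-known/openid-configuration")
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	var doc struct{ Issuer string `json:"issuer"` }
	if err = json.NewDecoder(resp.Body).Decode(&doc); err != nil {
		return err
	}
	if resp.StatusCode != http.StatusOK || doc.Issuer != w.Issuer {
		return fmt.Errorf("bad discovery: HTTP %d, issuer %q", resp.StatusCode, doc.Issuer)
	}
	return nil
}

// Run re-checks every interval until ctx is cancelled, so Up follows the provider both ways.
func (w *OIDCWatcher) Run(ctx context.Context, interval time.Duration) {
	for {
		w.Check()
		select {
		case <-ctx.Done():
			return
		case <-time.After(interval):
		}
	}
}

func main() {
	fmt.Println("check:", (&OIDCWatcher{Issuer: "http://127.0.0.1:9"}).Check()) // constructed issuer
}
```

A login handler would read `Up` on each request instead of deciding once at startup. The issuer comparison keeps a misrouted or captive-portal response from being counted as the provider being back.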