[Feature] OIDC with permanent ID

[adipierro]

Use case

Currently, if user account in external system might have an email or username changed, OIDC authentication in Headscale won't match an existing user in DB, and another user will be created instead.

Description

Use OIDC sub claim as a permanent identifier for a user

If we use sub claim as a permanent unique ID for a user, we can match OIDC authenticated user with it instead of a username, and update a username (email) in DB if it differs. We should make updating optional as ACLs might stop applying to affected users.

Use and save OIDC email claim regardless of email domain stripping

A discussion is probably needed.

email, if available, could be used to display as LoginName in Tailscale clients. Or, it could be another way to identify users in ACLs if strip_email_domain is turned on, particularly, to avoid username collisions if multiple domains are allowed to login.

But considering #1987, we might not need to strip email domains anymore.

Contribution

• I can write the design doc for this feature
• I can contribute this feature

[IamTaoChen]

Maybe not sub, we can design the username claim, e.g. preferred_username

[SirBomble]

I believe this PR is attempting to add support for preferred_username #1997

[adipierro]

I think sub should be used as an internal identifier for matching the user, useful in cases username has changed upstream at OIDC. Of course, it should not be used as end-user display name or in CLI.

[micolous]

I do not think this is actually fixed by #2020, because the always-active fallback behaviour will still allow account take-overs, even if the target account has been "updated" to use the sub parameter.