
[Bug] OIDC Register/Login Page Opens Twice #2441

Closed
4 tasks done
GoodiesHQ opened this issue Feb 23, 2025 · 8 comments · Fixed by #2445
Labels
bug Something isn't working

Comments

@GoodiesHQ

GoodiesHQ commented Feb 23, 2025

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I noticed that, since upgrading to version 0.25, when I authenticate to my OIDC provider, it will open the login page with the /register/... URL twice. The first time, it redirects me to my OIDC provider as expected, and then successfully authenticating results in a page which shows:

Image

And then immediately afterwards, a new /register/... URL opens again (different identifier than the previous one) which redirects me to my OIDC provider for a second time. Another successful authentication is required, which then shows the message:

Image

Only the first page is required. If I simply close the second page, it will work just fine. The second page seems to be fully redundant.

Expected Behavior

It's expected that only one register URL should be opened during the first authentication, and then one URL should open for re-authentication. Instead, I'm getting both "authenticated" and "re-authenticated" messages for both the first and subsequent authentications.

I opened this bug report because it is:

  1. Confusing to my users, and
  2. If the public domain is part of split-brain DNS with the internal domain, it can cause a "network changed" error message.

Steps To Reproduce

  1. Use HeadScale version 0.25
  2. Set up an OIDC provider

Environment

- OS: Linux (Docker image)
- Headscale version: 0.25.0
- Tailscale version: 1.80.0/1.80.2

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response

@GoodiesHQ GoodiesHQ added the bug Something isn't working label Feb 23, 2025
@kradalby
Collaborator

Does it seem like the second register url is opened by the Client in the cli/UI or by a redirect from "Signed in via your OIDC provider" page?

I am trying to figure out how I can replicate this in a test.

@kradalby
Collaborator

Is this happening in both GUI and CLI clients?

@GoodiesHQ
Author

@kradalby good question. Until now, I only tested it using the GUI. Upon first registration and then manually expiring the node through the API and getting the popup:

Image

Using the CLI I can confirm that this command brought the same behavior, and it does in fact show both URLs in the terminal:

C:\>tailscale up --login-server=https://headscale.example.com --reset --unattended --accept-dns --accept-routes

To authenticate, visit:

        https://headscale.example.com/register/3oYCOZYA2zZmGB4PQ7aHBaMi


To authenticate, visit:

        https://headscale.example.com/register/dv1l2k5FackOYl-7-V3mSd_E

Success.

@GoodiesHQ
Author

In fact, I can even confirm that the second URL and the "Success." message gets printed even before the second URL has even loaded in my browser. I can freely close the second URL and it will still successfully log me in and print Success.

For what it's worth, I'm using Microsoft 365/Entra as my IdP.

@oneingan

Same behavior for me with Entra IdP

@kradalby
Collaborator

I wondered if this was happening in the tests and they passed because we just took the first URL and ignored the second, so I hardened that over in #2445, but it doesn't seem like it is the case.

I am unable to reproduce it locally with our test infra, I wonder if it applies to other IdPs or if it is an Entra thing.
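Added example (not headscale's own test code or part of #2445): a small Go check in the spirit of the hardening described above, which collects every register URL printed by the `tailscale up` CLI instead of taking only the first one, so a second URL for a single login fails the check rather than being silently ignored. The sample output below is constructed from the terminal session posted in this issue.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample of the `tailscale up` output reported in this issue:
// two register URLs were printed for a single OIDC login.
const sampleOutput = `To authenticate, visit:

        https://headscale.example.com/register/3oYCOZYA2zZmGB4PQ7aHBaMi


To authenticate, visit:

        https://headscale.example.com/register/dv1l2k5FackOYl-7-V3mSd_E

Success.
`

// Matches a headscale register URL; the registration key is the last path segment.
var registerURL = regexp.MustCompile(`https?://[^\s]+/register/[A-Za-z0-9_-]+`)

// RegisterURLs returns every distinct register URL found in CLI output, in order
// of appearance, so a duplicate prompt is visible instead of being dropped.
func RegisterURLs(output string) []string {
	seen := map[string]bool{}
	var urls []string
	for _, u := range registerURL.FindAllString(output, -1) {
		if !seen[u] {
			seen[u] = true
			urls = append(urls, u)
		}
	}
	return urls
}

// CheckSingleRegisterURL fails unless exactly one register URL was printed:
// zero means the client never prompted, two or more is the bug in this issue.
func CheckSingleRegisterURL(output string) error {
	urls := RegisterURLs(output)
	if len(urls) != 1 {
		return fmt.Errorf("expected exactly 1 register URL, got %d: %s", len(urls), strings.Join(urls, ", "))
	}
	return nil
}

func main() {
	if err := CheckSingleRegisterURL(sampleOutput); err != nil {
		fmt.Println("regression detected:", err)
	}
}
```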

@nblock
Collaborator

nblock commented Feb 24, 2025

I am unable to reproduce it locally with our test infra, I wonder if it applies to other IdPs or if it is a Entra thing.

I've seen this with Keycloak, too. At first, there is only one URL visible. As soon as the login with Keycloak is successful, the second link is printed.

@GoodiesHQ
Author

I can confirm that this is fixed! Thank you @kradalby :D
