Description
Use case
With OIDC enabled, the headscale /register/<code> link goes directly to the OIDC provider's stateful URL. This URL cannot be copied and continued on another device (e.g. a high-trust device, or a non-default browser with an authenticated session).
The current situation hinders headscale-enabled login on e.g. Android TV.
The command-line tailscale client has --qr to pause at the register link with a QR code to scan:
To authenticate, visit:
https://headscale.example/register/<code>
[QR code rendered in the terminal]
Description
tailscale's https://login.tailscale.com/a/<code> redirects to https://login.tailscale.com/login?next_url=%2Fa%2F<code>&refresh=true, which can be continued elsewhere. Optionally, a &qr parameter allows transporting the page to a high-trust device easily.
Versions:
- headscale 0.26 (thanks for the great beta tests)
- tailscale 1.82.x (android, linux)
- KB 1336 https://tailscale.com/kb/1336/device-add-qr-code
Contribution
- I can write the design doc for this feature
- I can contribute this feature
How can it be implemented?
A new interstitial template in /assets/, with a QR code for itself, and a single "Continue with 'OIDC Provider Name'" button or clickable URL.
Replace the redirect with that template, while still waiting for the returned authcode, around the hscontrol/oidc.go debug message "Redirecting to %s for authentication".
We may need a field in config for the pretty name, or pick out the domain from the issuer path.
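A sketch of the interstitial described above, as an added example that is not headscale's own code: providerDisplayName and renderInterstitial are hypothetical helpers, the pretty-name/issuer fallback follows the config idea in the post, and QR image generation (which needs a non-stdlib library) is left out, since the QR would simply encode the stable register URL shown on the page.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"net/url"
)

// providerDisplayName (hypothetical helper) picks the label for the
// "Continue with ..." link: a configured pretty name if present, else the
// host of the issuer URL.
func providerDisplayName(prettyName, issuer string) (string, error) {
	if prettyName != "" {
		return prettyName, nil
	}
	u, err := url.Parse(issuer)
	if err != nil || u.Host == "" {
		return "", fmt.Errorf("cannot derive provider name from issuer %q", issuer)
	}
	return u.Host, nil
}

// The page served at /register/<code> instead of an immediate redirect.
// Only the self-link (the one a QR code would encode) is stable and safe to
// hand to another device; the provider's stateful authorize URL sits behind
// the "Continue" link and is never the page's own address.
var interstitialTmpl = template.Must(template.New("interstitial").Parse(`<!DOCTYPE html>
<html><body>
<p>To authenticate, open this link (or scan its QR code) on any trusted device:</p>
<p><a href="{{.RegisterURL}}">{{.RegisterURL}}</a></p>
<p><a href="{{.AuthURL}}">Continue with {{.Provider}}</a></p>
</body></html>
`))

type interstitialData struct{ RegisterURL, AuthURL, Provider string }

// renderInterstitial returns the page HTML. html/template contextually
// escapes each field, so a hostile provider name or URL cannot inject markup.
func renderInterstitial(registerURL, authURL, provider string) (string, error) {
	var buf bytes.Buffer
	err := interstitialTmpl.Execute(&buf, interstitialData{registerURL, authURL, provider})
	return buf.String(), err
}

func main() {
	name, _ := providerDisplayName("", "https://accounts.example.com/realms/main")
	page, _ := renderInterstitial("https://headscale.example/register/abc123",
		"https://accounts.example.com/authorize?state=xyz", name)
	fmt.Print(page)
}
```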