Headscale “users” can be authenticated using Google Workspace logins. This only applies to nodes that do not have tags; tagged nodes are not logged in or out via OIDC.
Google Config
- You need to log in to the Google Cloud Console for your Google Workspace account at https://console.cloud.google.com/
- Search for “Credentials” and pick the result listed under “APIs & Services”.
- On the left select “OAuth consent screen” and create one of type “Internal”; that limits sign-in to your Google Workspace users.
- On the left select “Credentials”.
- Click “Create Credentials” and choose “OAuth 2.0 Client IDs”.
- Name it something like “Headscale”.
- Under “Authorized redirect URIs” add the “server_url” from your headscale “config.yaml” followed by “/oidc/callback”. So if your “server_url” is “https://headscale.example.com”, the redirect URI must be “https://headscale.example.com/oidc/callback”.
- Note the “Client ID” and “Client secret”; you will need them for the Headscale config below.
- Click “Save”. Google says the change may take up to a few hours to take effect, so be patient.
Headscale Config
In your config.yaml, include these settings:
```yaml
oidc:
  # Refuse to start headscale if Google's OIDC endpoint is unreachable at startup
  only_start_if_oidc_is_available: true
  issuer: "https://accounts.google.com"
  client_id: "<Client ID from Google>"
  client_secret: "<Client secret from Google>"
  # How long a node's login stays valid before the user must re-authenticate
  expiry: 10d
  scope: ["openid", "profile", "email"]
  extra_params:
    # Only pre-selects the Workspace account on Google's login screen; it is not enforced
    domain_hint: "<your Google Workspace domain>"
  # Enforced by headscale: logins whose email is outside these domains are rejected
  allowed_domains:
    - "<your Google Workspace domain>"
  # Use the part of the email before the "@" as the headscale user name
  strip_email_domain: true
```
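To make the relationship between `server_url`, `domain_hint` and `allowed_domains` concrete, here is an added Python example (not headscale's own code) that derives the Google redirect URI from `server_url` and models the server-side domain check headscale applies to the ID-token claims; the claim dicts are constructed sample input and the check is a simplified model.

```python
from typing import Optional
from urllib.parse import urlparse

CALLBACK_PATH = "/oidc/callback"


def redirect_uri(server_url: str) -> str:
    """Derive the 'Authorized redirect URI' to register in Google from headscale's server_url.
    A trailing slash on server_url is tolerated so the path never contains '//'."""
    u = urlparse(server_url)
    if u.scheme != "https" or not u.netloc:
        raise ValueError(f"server_url must be an absolute https URL: {server_url!r}")
    return f"{u.scheme}://{u.netloc}{u.path.rstrip('/')}{CALLBACK_PATH}"


def authorize_login(claims: dict, allowed_domains: list, strip_email_domain: bool) -> Optional[str]:
    """Simplified model (assumption: not headscale's code) of the checks applied to the
    ID-token claims after Google redirects back. Returns the resulting headscale user
    name, or None when the login must be rejected."""
    email = claims.get("email", "")
    # Only trust an address Google has verified, and require a well-formed one.
    if not claims.get("email_verified") or "@" not in email:
        return None
    local_part, _, domain = email.rpartition("@")
    # domain_hint only pre-selects an account in Google's UI; allowed_domains is the
    # check that actually keeps accounts from other domains out.
    if domain.lower() not in {d.lower() for d in allowed_domains}:
        return None
    return local_part if strip_email_domain else email


# Constructed sample claims: one Workspace user, one consumer Gmail account.
WORKSPACE_USER = {"email": "alice@example.com", "email_verified": True, "hd": "example.com"}
OUTSIDE_USER = {"email": "mallory@gmail.com", "email_verified": True}

if __name__ == "__main__":
    print(redirect_uri("https://headscale.example.com/"))
    print(authorize_login(WORKSPACE_USER, ["example.com"], True))
    print(authorize_login(OUTSIDE_USER, ["example.com"], True))
```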