juanfont/headscale

[Bug] Unable to register ephemeral nodes using OIDC

Open

#2719 opened on Aug 6, 2025

View on GitHub
 (5 comments) (2 reactions) (0 assignees)Go (38,374 stars) (2,104 forks)batch import
OIDCbuggood first issuehelp wantedno-stale-bottailscale-feature-gap

Description

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I am trying to create ephemeral node (Windows 10) by using OIDC. As per Tailscale documentation that should be possible in 2 ways:

  1. using preauth ephemeral keys
  2. starting tailscaled with option "--state=mem:"

I would like to avoid preshared key in order to use 2FA provided by OIDC (Keycloak), the other problem with 1. is that I already have to have user registered to create preauth key (on first login Keycloak is set up to enable and configure 2FA). I tried option 2. by starting tailscaled on windows with option "--state=mem:" but when I log in to headscale newly registered node is not ephemeral.

Expected Behavior

After starting tailscaled with option "--state=mem:" on a node and registering a node with headscale, node should be registered as ephemeral.

Steps To Reproduce

  • start headscale server
  • start tailscaled on client machine: tailscaled --state=mem:
  • run on client machine: tailscale login --login-server https://ts.example.org --accept-routes
  • go to URL returned by previous command and authenticate
  • headscale nodes list shows:
  • 26 | NODE-030 | node-030 | [5UOSB] | [fVQNN] | test-user | 100.64.0.9, fd7a:115c:a1e0::9 | false | 2025-08-06 06:49:56 | 2026-02-02 06:44:34 | online | no

Environment

- OS: Debian 12
- Headscale version: 0.26.1
- Tailscale version: 1.86.2

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Debug information

I know that there is disparity between headscale and Tailscale features, so my question is if this possibility is missing from headscale, is there some configuration needed, or is it a bug ?

Contributor guide

Tech stack
go
Domain
backend
Issue type
bug
DifficultyEstimated implementation difficulty for a new contributor, from 1 for very small changes to 5 for expert-level work.
3
Estimated timeA rough time range for an experienced contributor to investigate, implement, test, and prepare a pull request.
3-5 days
Activity statusHow available the issue appears right now: fresh, active, stale, blocked, or waiting on maintainer input.
fresh
ClarityHow clearly the issue explains the expected change, acceptance criteria, and next step.
mostly clear
Prerequisites
Go programmingTailscale/headscale architectureOIDC authenticationEphemeral node concept
Newbie friendlinessA 1-100 score estimating how approachable this issue is for first-time contributors.
25
Research direction
Investigate how headscale registers nodes and handles ephemeral state when using OIDC. Check the headscale codebase for node registration logic, particularly the handling of the ephemeral flag from tailscale clients. Look at the tailscale client's ' state=mem:' option and how it communicates with the control server. Compare with Tailscale's own behavior to identify missing functionality.