Custom OIDC shouldn't use the logged in OIDC user's `email` claim as the identity of the user

[michaelbeaumont]

What is the issue?

When signing up with a custom OIDC provider, we're asked to provide an "email", from which the host to send the webfinger query to is derived. If we provide mike@my-oidc-domain.com, we lookup the webfinger at my-oidc-domain.com for the resource acct:mike@my-oidc-domain.com. Note however, that there's no part of WebFinger RFC or the acct scheme RFC that requires the semantics of the acct resource be "email address". Editing this here to point out there's even a discussion in the acct RFC about the interaction with email.

Yet when we proceed with the signup, Tailscale forces the OIDC identity token it receives for the logged in user to have an email that's equal to this acct resource. If I have instead the email mike@email-domain.com I see:

The user returned from the authentication process (mike@email-domain.com) does not match the user provided at login (mike@my-oidc-domain.com). You may need to log out from your identity provider in order to switch users. Try again or contact support.

Why? Where does an email address come into play here?

Users on my OIDC provider can have arbitrary email addresses, after all an email address is just a place to send communications, not an identity. The identity is defined by the OIDC subject.

Hence, according to the OIDC spec, the relying party also MUST NOT depend on email being unique. Granted I suppose this depends on how exactly Tailscale is using this identifier, but doesn't Tailscale indeed want a unique identifier for the user at this issuer? Is this not a problem?

In particular, this means I can never change my email address on my OIDC! Otherwise I can no longer log into my account again, I get the same error.

I suppose the idea of WebFinger is to get a "nice" name for your tailnet? Where if I can show that I own domain.com, Tailscale will let me call my tailnet domain.com, even if my IdP is some-other-domain.com. For this purpose, perhaps instead of email preferred_username should have been used. So given the initial fake "email" mike@domain.com, Tailscale verifies preferred_username == mike in the ID token. preferred_username is just as invalid as email for an identity because it also might not be unique, but at least it doesn't require such a drastic constraint on how the IdP handles email addresses. The correct way to do this is of course to use sub but a lot of the time this is just a meaningless number.

Steps to reproduce

Try to sign up with custom OIDC with a user whose email is not under control of the OIDC issuer.

Are there any recent changes that introduced the issue?

No response

OS

No response

OS version

No response

Tailscale version

No response

Other software

No response

Bug report

No response

[bradfitz]

Mike, thanks for filing.

Coincidentally, I was pretty involved in WebFinger back in the day, before it even had an RFC, and I was the one who'd proposed the acct: scheme to distinguish it from mailto: and make it clear it's not an email address.

I've shared this around with the Tailscale folk who work on our identity/auth model. We may not get to it super quickly because we're in the middle of some big overhauls of related stuff, but we'll keep this in mind.

[willnorris]

Yeah, I just glanced through the accounts that use custom OIDC, and at least for the few hundred I looked at, the vast majority of providers sent an opaque value for the sub, so that's not going to be usable.

One of the things we're working on is better self-serve management of identity providers for your tailnet, and maybe we can allow custom mapping of which attribute to use for the login name, or something like that. Like Brad said, we probably won't get to it super quickly, but it's something I'll look at when we get to it.

[alexmoras]

This is an issue I've been struggling with, so I thought I'd weigh in.

I guess half the battle is that even though many IDPs return the preferred_username claim, this is not going to be unique against the whole of Tailscale. What if, on the login page, users input their organisation's domain instead of email address. This would then find the relevant OIDC client details and immediately redirect to the IDP. It removes the need for users specifying their actual username, since this is handled by the IDPs login process, and would mean that the email address could be completely different to the organisation domain; i.e. example.com vs email.example.com.

Between the preferred_username claim and aud claim in a token, it would be easy enough for the backend logic to work out who is trying to login to which account.

I may have missed something glaring, which is the reason Tailscale uses its current method, so please correct me if I'm mistaken!

[michaelbeaumont]

I guess half the battle is that even though many IDPs return the preferred_username claim, this is not going to be unique against the whole of Tailscale

Yeah of course this would still require entering the name of the org. It's <preferred_username>@<tailnet> but it's no longer necessarily an email address, it's an acct URI and the administrator gets to pick which claim from the token to use.

What if, on the login page, users input their organisation's domain instead of email address
It removes the need for users specifying their actual username

This can be useful though. What if I don't want to use the currently logged in user? Then the user has to go to the IdP and switch accounts.

I suppose it's a nice shortcut, but also the fact that I have to enter the org name anyway makes it kinda 🤷. Now if every tailnet had a unique URL to log in to so we wouldn't need to enter anything, that'd be another story.

EDIT: Now that I think about it, it could be that the email the user entered isn't even communicated to the IdP. In which case yes, the org name should definitely be the only thing required, because otherwise the whole email is both unnecessary and misleading.