breaking: change default value of `HEADSCALE_OIDC_USE_EXPIRY_FROM_TOKEN` to `false` to align with Headscale's own default
NiklasRosenstein committed Oct 11, 2024
1 parent 9a80b53 commit 3f42db3
Showing 2 changed files with 2 additions and 2 deletions.
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -171,7 +171,7 @@ __Headscale configuration variables__
| `HEADSCALE_OIDC_ALLOWED_USERS` | n/a | A comma-separated list of users to permit. (The comma-separated list must be valid YAML if placed inside `[ ... ]`.) |
| `HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN` | `true` | Whether to strip the email domain for the Headscale user names. |
| `HEADSCALE_OIDC_EXPIRY` | `180d` | The amount of time from a node is authenticated with OpenID until it expires and needs to reauthenticate. Setting the value to "0" will mean no expiry. |
| `HEADSCALE_OIDC_USE_EXPIRY_FROM_TOKEN` | `true` | Use the expiry from the token received from OpenID when the user logged in, this will typically lead to frequent need to reauthenticate and should only been enabled if you know what you are doing. If enabled, `HEADSCALE_OIDC_EXPIRY` is ignored. |
| `HEADSCALE_OIDC_USE_EXPIRY_FROM_TOKEN` | `false` | Use the expiry from the token received from OpenID when the user logged in, this will typically lead to frequent need to reauthenticate and should only been enabled if you know what you are doing. If enabled, `HEADSCALE_OIDC_EXPIRY` is ignored. |
| `HEADSCALE_OIDC_ONLY_START_IF_OIDC_IS_AVAILABLE` | `true` | Fail startup if the OIDC server cannot be reached. |
__Litestream configuration variables__
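Review bot: The `HEADSCALE_OIDC_USE_EXPIRY_FROM_TOKEN` row changes only the default cell, so the README gives no sign that this is a breaking change for deployments that never set the variable. With the new default, those nodes stop expiring with the OIDC token and instead follow `HEADSCALE_OIDC_EXPIRY` (default `180d`), which by the row's own description is typically a much longer re-authentication interval. Suggest adding a sentence to the row, or an upgrade note, telling operators to set the variable to `true` explicitly if they want to keep token-bound expiry. While the line is being touched, "should only been enabled" can be corrected to "should only be enabled".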
2 changes: 1 addition & 1 deletion headscale-fly-io/entrypoint.sh
Expand Up @@ -123,7 +123,7 @@ if [ -n "${HEADSCALE_OIDC_ISSUER:-}" ]; then
export HEADSCALE_OIDC_SCOPES="${HEADSCALE_OIDC_SCOPES:-openid, profile, email}"
export HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN="${HEADSCALE_OIDC_STRIP_EMAIL_DOMAIN:-true}"
export HEADSCALE_OIDC_EXPIRY="${HEADSCALE_OIDC_EXPIRY:-180d}"
export HEADSCALE_OIDC_USE_EXPIRY_FROM_TOKEN="${HEADSCALE_OIDC_USE_EXPIRY_FROM_TOKEN:-true}"
export HEADSCALE_OIDC_USE_EXPIRY_FROM_TOKEN="${HEADSCALE_OIDC_USE_EXPIRY_FROM_TOKEN:-false}"
export HEADSCALE_OIDC_ONLY_START_IF_OIDC_IS_AVAILABLE="${HEADSCALE_OIDC_ONLY_START_IF_OIDC_IS_AVAILABLE:-true}"
info "generating OIDC appendix for $HEADSCALE_CONFIG_PATH"
# shellcheck disable=SC3060
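Review bot: On the `HEADSCALE_OIDC_USE_EXPIRY_FROM_TOKEN` export, the new `:-false` fallback takes effect silently for any deployment that left the variable unset, and nothing at startup shows that node expiry is now governed by `HEADSCALE_OIDC_EXPIRY` rather than by the token. Suggest emitting a line with the existing `info` helper that prints the effective values of both variables, next to the "generating OIDC appendix" message, so the change is visible in the logs after an upgrade. The value is also exported without checking that it is `true` or `false`; a check here would catch a mistyped setting before the OIDC appendix is generated.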