diff --git a/app.go b/app.go
index 3a4e9a258e..a40d889472 100644
--- a/app.go
+++ b/app.go
@@ -192,7 +192,9 @@ func NewHeadscale(cfg *Config) (*Headscale, error) {
 if cfg.OIDC.Issuer != "" {
 err = app.initOIDC()
- if err != nil {
+ if err != nil && cfg.OIDC.OnlyStartIfOIDCIsAvailable {
+ return nil, err
+ } else {
 log.Warn().Err(err).Msg("failed to set up OIDC provider, falling back to CLI based authentication")
 }
 }
diff --git a/config.go b/config.go
index b000c5664d..494356d863 100644
--- a/config.go
+++ b/config.go
@@ -90,14 +90,15 @@ type LetsEncryptConfig struct {
 }
 type OIDCConfig struct {
- Issuer string
- ClientID string
- ClientSecret string
- Scope []string
- ExtraParams map[string]string
- AllowedDomains []string
- AllowedUsers []string
- StripEmaildomain bool
+ OnlyStartIfOIDCIsAvailable bool
+ Issuer string
+ ClientID string
+ ClientSecret string
+ Scope []string
+ ExtraParams map[string]string
+ AllowedDomains []string
+ AllowedUsers []string
+ StripEmaildomain bool
 }
 type DERPConfig struct {
@@ -174,6 +175,7 @@ func LoadConfig(path string, isFile bool) error {
 viper.SetDefault("oidc.scope", []string{oidc.ScopeOpenID, "profile", "email"})
 viper.SetDefault("oidc.strip_email_domain", true)
+ viper.SetDefault("oidc.only_start_if_oidc_is_available", true)
 viper.SetDefault("logtail.enabled", false)
 viper.SetDefault("randomize_client_port", false)
@@ -559,6 +561,9 @@ func GetHeadscaleConfig() (*Config, error) {
 UnixSocketPermission: GetFileMode("unix_socket_permission"),
 OIDC: OIDCConfig{
+ OnlyStartIfOIDCIsAvailable: viper.GetBool(
+ "oidc.only_start_if_oidc_is_available",
+ ),
 Issuer: viper.GetString("oidc.issuer"),
 ClientID: viper.GetString("oidc.client_id"),
 ClientSecret: viper.GetString("oidc.client_secret"),
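Review bot: The new `else` branch in NewHeadscale runs whenever the combined condition is false, so a successful initOIDC() (err == nil) now logs "failed to set up OIDC provider, falling back to CLI based authentication" with a nil error, which makes a healthy OIDC setup look broken in the logs. The flag check should be nested inside the error check instead of joined with `&&`, which also drops the `else` after a terminating `return`. With the default of true the fail-closed path is what deployments get unless they opt into the fallback, so the warning should only ever describe a real fallback. NewHeadscale's body continues outside the hunk.
```go
		err = app.initOIDC()
		if err != nil {
			if cfg.OIDC.OnlyStartIfOIDCIsAvailable {
				return nil, err
			}
			log.Warn().Err(err).Msg("failed to set up OIDC provider, falling back to CLI based authentication")
		}
```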
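Review bot: OnlyStartIfOIDCIsAvailable is an exported field added to OIDCConfig without a doc comment, and the name alone does not say what "only start" means for the process. Suggest `// OnlyStartIfOIDCIsAvailable makes NewHeadscale return an error when the OIDC provider cannot be initialised, instead of logging a warning and falling back to CLI-based authentication.` above the field. It is worth noting in that comment that the viper default set in LoadConfig for `oidc.only_start_if_oidc_is_available` is true, so readers see that fail-closed is the default and the fallback is an explicit opt-in.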