[Bug] Change Account #2327

Open
4 tasks done
IamTaoChen opened this issue Jan 6, 2025 · 2 comments · May be fixed by #2337
Labels: bug (Something isn't working), OIDC (OpenID Connect related issues)
Milestone

Comments

@IamTaoChen

IamTaoChen commented Jan 6, 2025

Is this a support request?

  • This is not a support request

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Tailscale won't change the user relationship if you log in to another account via OIDC.

Expected Behavior

The user in Tailscale should follow the user who is logged in via OIDC.

Steps To Reproduce

  • Computer A logs in as user-A via OIDC
  • Then user-A logs out
  • Log in as user-B via OIDC
  • The user shown in Tailscale is still user-A

Environment

- OS: Docker
- Headscale version: 0.24.0-beta2
- Tailscale version: 1.78.1

Runtime environment

  • Headscale is behind a (reverse) proxy
  • Headscale runs in a container

Anything else?

No response

@IamTaoChen IamTaoChen added the bug Something isn't working label Jan 6, 2025
@kradalby kradalby added this to the v0.24.0 milestone Jan 6, 2025
@kradalby kradalby added the OIDC OpenID Connect related issues label Jan 6, 2025
@nblock
Collaborator

nblock commented Jan 6, 2025

I can confirm the described behavior. Headscale logs when logging out user1 and reauthenticating as user2:

2025-01-06T13:50:57+01:00 INF Client requested logout node=n1
2025-01-06T13:50:57+01:00 INF ../runner/work/headscale/headscale/hscontrol/auth.go:553 > Successfully logged out node=n1
2025-01-06T13:52:10+01:00 INF ../runner/work/headscale/headscale/hscontrol/auth.go:610 > We have the OldNodeKey in the database. This is a key refresh node=n1
2025-01-06T13:52:10+01:00 INF ../runner/work/headscale/headscale/hscontrol/auth.go:651 > Node key successfully refreshed node=n1 node_key=[YXHpW] old_node_key=
2025-01-06T13:52:10+01:00 INF ../runner/work/headscale/headscale/hscontrol/poll.go:634 > node has connected, mapSession: 0xc000448300, chan: 0xc00027c1c0 node=n1 node.id=2 omitPeers=false readOnly=false stream=true
$ headscale users list
ID | Name     | Username | Email             | Created            
1  | User One | user1    |                   | 2025-01-06 13:02:52
2  | User Two | user2    | [email protected] | 2025-01-06 13:04:41
$ headscale nodes list
ID | Hostname | Name | MachineKey | NodeKey | User  | IP addresses                  | Ephemeral | Last seen           | Expiration          | Connected | Expired
1  | n1       | n1   | [qgksE]    | [1BW5h] | user1 | 100.64.0.1, fd7a:115c:a1e0::1 | false     | 2025-01-06 13:07:01 | 2025-07-05 13:04:41 | online    | no   

OIDC result page:

  • user1: Authenticated as User One, you can now close this window.
  • user2: Reauthenticated as User Two, you can now close this window.

Tailscale status after logging in as user2:

$ tailscale status
100.64.0.1      n1                   user1        linux   -

The Tailscale client sends the same mkey.

@kradalby
Collaborator

kradalby commented Jan 6, 2025

I've tested this with Tailscale SaaS and the correct behaviour is that a new node/machine should be created.

This is because when a user logs in, a new node key is generated and the old will remain logged out.

We use the machinekey for registration, which likely has to go away since the machine key is the same for the node, while the node key changes.

I will first write up a test for this, then work on fixing it.

I think this is not a new bug, but it should be fixed before 0.24.
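
The comment above contrasts two ways of deciding, at registration time, whether an incoming request belongs to an existing node: keying on the machine key (stable across logouts) or on the node key (regenerated on every login). The Go program below is an added example that models both lookups side by side and replays the reproduction steps from the issue; it is not headscale's code or data model, and the `Node`, `RegisterRequest`, `Registry` types and the key strings are constructed for the illustration. The OldNodeKey handling in the node-key path is an assumption about how a legitimate in-session rotation is distinguished from a fresh login after logout.

```go
package main

import "fmt"

// Node is a simplified control-plane record, constructed for this example.
type Node struct {
	ID         int
	Hostname   string
	MachineKey string // stable for the machine; survives logout
	NodeKey    string // regenerated by the client on every login
	User       string // identity bound at registration
	LoggedOut  bool
}

// RegisterRequest carries only the fields that matter for the lookup decision.
type RegisterRequest struct {
	Hostname   string
	MachineKey string
	NodeKey    string
	OldNodeKey string // assumed: set only for an in-session key rotation
	User       string // identity asserted by the OIDC login
}

// Registry is an in-memory stand-in for the node table.
type Registry struct {
	nodes []*Node
}

func (r *Registry) create(req RegisterRequest) *Node {
	n := &Node{ID: len(r.nodes) + 1, Hostname: req.Hostname,
		MachineKey: req.MachineKey, NodeKey: req.NodeKey, User: req.User}
	r.nodes = append(r.nodes, n)
	return n
}

// Logout marks the node holding nodeKey as logged out; the record stays.
func (r *Registry) Logout(nodeKey string) {
	for _, n := range r.nodes {
		if n.NodeKey == nodeKey {
			n.LoggedOut = true
		}
	}
}

// RegisterByMachineKey models the behaviour reported in the issue: the lookup
// matches on the machine key, so a re-login from the same machine is treated
// as a key refresh and the node keeps whatever user it was bound to before.
func (r *Registry) RegisterByMachineKey(req RegisterRequest) *Node {
	for _, n := range r.nodes {
		if n.MachineKey == req.MachineKey {
			n.NodeKey = req.NodeKey // key rotated, user binding untouched
			n.LoggedOut = false
			return n
		}
	}
	return r.create(req)
}

// RegisterByNodeKey models the behaviour described for Tailscale SaaS: only a
// request presenting a known node key, or rotating a known key for the same
// still-logged-in user, maps to an existing node. A fresh login after logout
// presents a new node key and no usable OldNodeKey, so a new node is created.
func (r *Registry) RegisterByNodeKey(req RegisterRequest) *Node {
	for _, n := range r.nodes {
		if n.NodeKey == req.NodeKey {
			return n
		}
		rotation := req.OldNodeKey != "" && n.NodeKey == req.OldNodeKey &&
			!n.LoggedOut && n.User == req.User
		if rotation {
			n.NodeKey = req.NodeKey
			return n
		}
	}
	return r.create(req)
}

// Reproduce replays the issue's steps with the given lookup and returns the
// user recorded on the node that user2's client ends up on, plus node count.
func Reproduce(register func(*Registry, RegisterRequest) *Node) (string, int) {
	r := &Registry{}
	const mkey = "mkey-A" // constructed; one machine for the whole scenario
	first := register(r, RegisterRequest{Hostname: "n1", MachineKey: mkey, NodeKey: "nkey-1", User: "user1"})
	r.Logout(first.NodeKey)
	second := register(r, RegisterRequest{Hostname: "n1", MachineKey: mkey, NodeKey: "nkey-2", User: "user2"})
	return second.User, len(r.nodes)
}

// KeyRefresh checks that the node-key lookup still accepts a legitimate
// in-session rotation (same user, OldNodeKey set, no logout in between).
func KeyRefresh() (string, int) {
	r := &Registry{}
	r.RegisterByNodeKey(RegisterRequest{Hostname: "n1", MachineKey: "mkey-A", NodeKey: "nkey-1", User: "user1"})
	n := r.RegisterByNodeKey(RegisterRequest{Hostname: "n1", MachineKey: "mkey-A", NodeKey: "nkey-1b", OldNodeKey: "nkey-1", User: "user1"})
	return n.NodeKey, len(r.nodes)
}

func main() {
	u, c := Reproduce((*Registry).RegisterByMachineKey)
	fmt.Printf("machine-key lookup: user2 lands on node owned by %s, %d node(s)\n", u, c)
	u, c = Reproduce((*Registry).RegisterByNodeKey)
	fmt.Printf("node-key lookup:    user2 lands on node owned by %s, %d node(s)\n", u, c)
}
```

With the machine-key lookup, user2's login silently lands on the node still owned by user1, which is exactly what the `tailscale status` output in the previous comment shows; with the node-key lookup, user1's node stays logged out and user2 gets a second node on the same machine.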

@kradalby kradalby linked a pull request Jan 10, 2025 that will close this issue
3 participants