set oidc.map_legacy_users false (#2350)

Author: kradalby

CHANGELOG.md

@@ -2,6 +2,11 @@
 
 ## Next
 
+### Changes
+
+- `oidc.map_legacy_users` is now `false` by default
+  [#2350](https://github.com/juanfont/headscale/pull/2350)
+
 ## 0.24.0 (2025-01-17)
 
 ### Security fix: OIDC changes in Headscale 0.24.0

config-example.yaml

@@ -384,10 +384,10 @@ unix_socket_permission: "0770"
 #   # Note that this will only work if the username from the legacy user is the same
 #   # and there is a possibility for account takeover should a username have changed
 #   # with the provider.
-#   # Disabling this feature will cause all new logins to be created as new users.
+#   # When this feature is disabled, it will cause all new logins to be created as new users.
 #   # Note this option will be removed in the future and should be set to false
 #   # on all new installations, or when all users have logged in with OIDC once.
-#   map_legacy_users: true
+#   map_legacy_users: false
 
 # Logtail configuration
 # Logtail is Tailscales logging and auditing infrastructure, it allows the control panel

hscontrol/types/config.go

@@ -319,7 +319,7 @@ func LoadConfig(path string, isFile bool) error {
 	viper.SetDefault("oidc.only_start_if_oidc_is_available", true)
 	viper.SetDefault("oidc.expiry", "180d")
 	viper.SetDefault("oidc.use_expiry_from_token", false)
-	viper.SetDefault("oidc.map_legacy_users", true)
+	viper.SetDefault("oidc.map_legacy_users", false)
 	viper.SetDefault("oidc.pkce.enabled", false)
 	viper.SetDefault("oidc.pkce.method", "S256")