ipn/localapi: add endpoint to request id token

Updates tailscale/corp#4347

Signed-off-by: Maisem Ali <maisem@tailscale.com>

ipn/localapi/localapi.go

@@ -6,6 +6,7 @@
 package localapi
 
 import (
+	"bytes"
 	"crypto/rand"
 	"encoding/hex"
 	"encoding/json"
@@ -24,6 +25,7 @@
 
 	"inet.af/netaddr"
 	"tailscale.com/client/tailscale/apitype"
+	"tailscale.com/envknob"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnlocal"
 	"tailscale.com/ipn/ipnstate"
@@ -128,6 +130,8 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		h.serveSetExpirySooner(w, r)
 	case "/localapi/v0/dial":
 		h.serveDial(w, r)
+	case "/localapi/v0/id-token":
+		h.serveIDToken(w, r)
 	case "/":
 		io.WriteString(w, "tailscaled\n")
 	default:
@@ -135,6 +139,54 @@ func (h *Handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 	}
 }
 
+// serveIDToken handles requests to get an OIDC ID token.
+func (h *Handler) serveIDToken(w http.ResponseWriter, r *http.Request) {
+	if !h.PermitWrite {
+		http.Error(w, "id-token access denied", http.StatusForbidden)
+		return
+	}
+	if !envknob.UseWIPCode() {
+		http.Error(w, "id-token access denied", http.StatusServiceUnavailable)
+		return
+	}
+	nm := h.b.NetMap()
+	if nm == nil {
+		http.Error(w, "no netmap", http.StatusServiceUnavailable)
+		return
+	}
+	aud := strings.TrimSpace(r.FormValue("aud"))
+	if len(aud) == 0 {
+		http.Error(w, "no audience requested", http.StatusBadRequest)
+		return
+	}
+	req := &tailcfg.TokenRequest{
+		CapVersion: tailcfg.CurrentCapabilityVersion,
+		Audience:   aud,
+		NodeKey:    nm.NodeKey,
+	}
+	b, err := json.Marshal(req)
+	if err != nil {
+		http.Error(w, err.Error(), 500)
+		return
+	}
+	httpReq, err := http.NewRequest("POST", "https://unused/machine/id-token", bytes.NewReader(b))
+	if err != nil {
+		http.Error(w, err.Error(), 500)
+		return
+	}
+	resp, err := h.b.DoNoiseRequest(httpReq)
+	if err != nil {
+		http.Error(w, err.Error(), 500)
+		return
+	}
+	defer resp.Body.Close()
+	w.WriteHeader(resp.StatusCode)
+	if _, err := io.Copy(w, resp.Body); err != nil {
+		http.Error(w, err.Error(), 500)
+		return
+	}
+}
+
 func (h *Handler) serveBugReport(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitRead {
 		http.Error(w, "bugreport access denied", http.StatusForbidden)

tailcfg/tailcfg.go

@@ -65,8 +65,9 @@
 //    26: 2022-01-12: (nothing, just bumping for 1.20.0)
 //    27: 2022-02-18: start of SSHPolicy being respected
 //    28: 2022-03-09: client can communicate over Noise.
-//    29: 2022-03-09: MapResponse.PopBrowserURL
+//    29: 2022-03-21: MapResponse.PopBrowserURL
-const CurrentCapabilityVersion CapabilityVersion = 29
+//    30: 2022-03-22: client can request id tokens.
+const CurrentCapabilityVersion CapabilityVersion = 30
 
 type StableID string