cmd/tsidp: add allow-insecure-no-client-registration and JSON file migration (#16881)

Add a ternary flag that, unless set explicitly to false, keeps the
insecure behavior of TSIDP.

If the flag is false, add functionality on startup to migrate
oidc-funnel-clients.json to oauth-clients.json if it doesn’t exist.
If the flag is false, modify endpoints to behave similarly regardless
of funnel, tailnet, or localhost. They will all verify client ID & secret
when appropriate per RFC 6749. The authorize endpoint will no longer change
based on funnel status or nodeID.

Add extra tests verifying TSIDP endpoints behave as expected
with the new flag.

Safely create the redirect URL from what's passed into the
authorize endpoint.

Fixes #16880

Signed-off-by: Remy Guercio <remy@tailscale.com>
Remy Guercio
2025-08-29 15:16:39 -05:00
committed by GitHub
parent 76fc02be09
commit 89fe2e1f12
2 changed files with 1441 additions and 74 deletions

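The flag semantics and the startup migration of oidc-funnel-clients.json to oauth-clients.json that the message describes, as an added Go example that is not the commit's own code. The type triState and the helpers registerFlag, insecureAllowed and migrateClientsFile are assumed names, and the JSON files are assumed to live in the directory passed in.

```go
package main

import (
	"errors"
	"flag"
	"os"
	"path/filepath"
	"strconv"
)

// triState is a hypothetical flag.Value that remembers whether the flag was
// set at all, so only an explicit "false" can turn the old behaviour off.
type triState struct{ set, value bool }

func (t *triState) String() string  { return strconv.FormatBool(t.value) }
func (t *triState) IsBoolFlag() bool { return true } // a bare flag means true
func (t *triState) Set(s string) error {
	v, err := strconv.ParseBool(s)
	t.set, t.value = err == nil, v
	return err
}

func registerFlag(fs *flag.FlagSet) *triState {
	t := &triState{}
	fs.Var(t, "allow-insecure-no-client-registration", "unset or true keeps the insecure behaviour")
	return t
}

// insecureAllowed: unset or true keeps accepting unregistered clients; only
// an explicit false switches to RFC 6749 client ID and secret verification.
func insecureAllowed(t *triState) bool { return !t.set || t.value }

// migrateClientsFile copies oidc-funnel-clients.json to oauth-clients.json in
// dir only when the target is missing (O_EXCL never overwrites an existing
// file, so reruns are no-ops). It reports whether a copy was made.
func migrateClientsFile(dir string) (bool, error) {
	data, err := os.ReadFile(filepath.Join(dir, "oidc-funnel-clients.json"))
	if errors.Is(err, os.ErrNotExist) {
		return false, nil // nothing to migrate
	} else if err != nil {
		return false, err
	}
	dst, err := os.OpenFile(filepath.Join(dir, "oauth-clients.json"), os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0o600)
	if errors.Is(err, os.ErrExist) {
		return false, nil // already migrated
	} else if err != nil {
		return false, err
	}
	if _, err := dst.Write(data); err != nil {
		dst.Close()
		return false, err
	}
	return true, dst.Close()
}
```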