TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-08-22 11:01:54 +00:00
Code Issues Packages Projects Releases Wiki Activity
9,378 Commits 881 Branches 184 Tags
jwhited/disable-peer-relay-if-cryptorouting-disabled
Commit Graph

17 Commits

Author SHA1 Message Date
Mike O'Driscoll
47b5f10165 cmd/tsidp,tsnet: update tsidp oidc-key store path (#16735) 
The tsidp oidc-key.json ended up in the root directory
or home dir of the user process running it.

Update this to store it in a known location respecting
the TS_STATE_DIR and flagDir options.

Fixes #16734

Signed-off-by: Mike O'Driscoll <mikeo@tailscale.com>
 2025-07-31 12:13:36 -04:00
KevinLiang10
19faaff95c cmd/tailscale/cli: revert key for web config for services to FQDN (#16627) 
This commit reverts the key of Web field in ipn.ServiceConfig to use FQDN instead of service
name for the host part of HostPort. This change is because k8s operator already build base on
the assumption of the part being FQDN. We don't want to break the code with dependency.

Fixes tailscale/corp#30695

Signed-off-by: KevinLiang10 <37811973+KevinLiang10@users.noreply.github.com>
 2025-07-22 16:23:51 -04:00
Andrew Lytvynov
39bf84d1c7 cmd/tsidp: set hostinfo.App in tsnet mode (#16544) 
This makes it easier to track how widely tsidp is used in practice.

Updates #cleanup

Signed-off-by: Andrew Lytvynov <awly@tailscale.com>
 2025-07-11 16:01:15 -07:00
Raj Singh
45a4b69ce0 cmd/tsidp: fix OIDC client persistence across restarts 
Fixes #16088
Signed-off-by: Raj Singh <raj@tailscale.com>
 2025-06-18 10:43:19 -05:00
Raj Singh
09582bdc00 cmd/tsidp: add web UI for managing OIDC clients (#16068) 
Add comprehensive web interface at ui for managing OIDC clients, similar to tsrecorder's design. Features include list view, create/edit forms with validation, client secret management, delete functionality with confirmation dialogs, responsive design, and restricted tailnet access only.

Fixes #16067

Signed-off-by: Raj Singh <raj@tailscale.com>
 2025-05-24 18:16:29 -04:00
Tim Klocke
4980869977 cmd/tsidp: Fix sending string for refresh_token 
In accordance with the OIDC/OAuth 2.0 protocol, do not send an empty
refresh_token and instead omit the field when empty.

Fixes https://github.com/tailscale/tailscale/issues/16073

Signed-off-by: Tim Klocke <taaem@mailbox.org>
 2025-05-24 11:30:00 -07:00
Patrick O'Doherty
e649227ef2 cmd/tsidp: fix interface{} linter warnings (#15729) 
Replace all instances of interface{} with any to resolve the
golangci-lint errors that appeared in the previous tsidp PR.

Updates #cleanup

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
 2025-04-17 18:05:07 -07:00
Cedric Kienzler
b34a2bdb22 cmd/tsidp: add groups claim to tsidp (#15127) 
* cmd/tsidp: add groups claim to tsidp

This feature adds support for a `groups` claim in tsidp using the grants
syntax:

```json
{
  "grants": [
    {
      "src": ["group:admins"],
      "dst": ["*"],
      "ip":  ["*"],
      "app": {
        "tailscale.com/cap/tsidp": [
          {
            "groups": ["admin"]
          }
        ]
      }
    },
    {
      "src": ["group:reader"],
      "dst": ["*"],
      "ip":  ["*"],
      "app": {
        "tailscale.com/cap/tsidp": [
          {
            "groups": ["reader"]
          }
        ]
      }
    }
  ]
}
```

For #10263

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>

* cmd/tsidp: refactor cap/tsidp to allow extraClaims

This commit refactors the `capRule` struct to allow specifying arbitrary
extra claims:

```json
{
  "src": ["group:reader"],
  "dst": ["*"],
  "ip":  ["*"],
  "app": {
    "tailscale.com/cap/tsidp": [
      {
        "extraClaims": {
          "groups": ["reader"],
          "entitlements": ["read-stuff"],
        },
      }
    ]
  }
}
```

Overwriting pre-existing claims cannot be modified/overwritten.

Also adding more unit-testing

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>

* Update cmd/tsidp/tsidp.go

Signed-off-by: cedi <cedi@users.noreply.github.com>

* Update cmd/tsidp/tsidp_test.go

Co-authored-by: Patrick O'Doherty <hello@patrickod.com>
Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com>

* Update cmd/tsidp/tsidp_test.go

Co-authored-by: Patrick O'Doherty <hello@patrickod.com>
Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com>

* Fix logical error in test case

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>

* fix error printing for failed to unmarshal capability in tsidp

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>

* clarify doc string for withExtraClaims

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>

---------

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
Signed-off-by: cedi <cedi@users.noreply.github.com>
Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com>
Co-authored-by: Patrick O'Doherty <hello@patrickod.com>
 2025-04-17 17:31:40 -07:00
Kot
c86afacf26 Move env var flag passing to Dockerfile 
Updates #15465

Signed-off-by: Kot <kot@kot.pink>
 2025-04-02 10:11:17 -07:00
Kot
85bcc2e3bd cmd/tsidp: use advertised env vars for config 
Fixes #14491

Signed-off-by: Kot <kot@kot.pink>
 2025-04-02 10:11:17 -07:00
Patrick O'Doherty
8f0080c7a4 cmd/tsidp: allow CORS requests to openid-configuration (#15229) 
Add support for Cross-Origin XHR requests to the openid-configuration
endpoint to enable clients like Grafana's auto-population of OIDC setup
data from its contents.

Updates https://github.com/tailscale/tailscale/issues/10263

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
 2025-03-11 13:10:22 -07:00
Patrick O'Doherty
9d7f2719bb cmd/tsidp: use constant time comparison for client_id/secret (#15222) 
Use secure constant time comparisons for the client ID and secret values
during the allowRelyingParty authorization check.

Updates #cleanup

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
 2025-03-06 08:52:35 -08:00
Brad Fitzpatrick
05ac21ebe4 all: use new LocalAPI client package location 
It was moved in f57fa3cbc3.

Updates tailscale/corp#22748

Change-Id: I19f965e6bded1d4c919310aa5b864f2de0cd6220
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2025-02-05 14:41:42 -08:00
Maisem Ali
fb0f8fc0ae cmd/tsidp: add --dir flag 
To better control where the tsnet state is being stored.

Updates #10263

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2024-09-29 16:15:22 -07:00
Naman Sood
f79183dac7 cmd/tsidp: add funnel support (#12591) 
* cmd/tsidp: add funnel support

Updates #10263.

Signed-off-by: Naman Sood <mail@nsood.in>

* look past funnel-ingress-node to see who we're authenticating

Signed-off-by: Naman Sood <mail@nsood.in>

* fix comment typo

Signed-off-by: Naman Sood <mail@nsood.in>

* address review feedback, support Basic auth for /token

Turns out you need to support Basic auth if you do client ID/secret
according to OAuth.

Signed-off-by: Naman Sood <mail@nsood.in>

* fix typos

Signed-off-by: Naman Sood <mail@nsood.in>

* review fixes

Signed-off-by: Naman Sood <mail@nsood.in>

* remove debugging log

Signed-off-by: Naman Sood <mail@nsood.in>

* add comments, fix header

Signed-off-by: Naman Sood <mail@nsood.in>

---------

Signed-off-by: Naman Sood <mail@nsood.in>
 2024-08-08 10:46:45 -04:00
Maisem Ali
486a423716 tsnet: split user facing and backend logging 
This adds a new `UserLogf` field to the `Server` struct.
When set this any logs generated by Server are logged using
`UserLogf` and all spammy backend logs are logged to `Logf`.

If it `UserLogf` is unset, we default to `log.Printf` and
if `Logf` is unset we discard all the spammy logs.

Fixes #12094

Signed-off-by: Maisem Ali <maisem@tailscale.com>
 2024-05-10 15:29:13 -07:00
Maisem Ali
7d4221c295 cmd/tsidp: add start of OIDC Tailscale IdP 
Updates #10263

Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Change-Id: I240bc9b5ecf2df6f92c45929d105fde66c06a860
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
 2023-11-15 14:27:39 -08:00