Patrick O'Doherty 8f0080c7a4
cmd/tsidp: allow CORS requests to openid-configuration (#15229)
Add support for Cross-Origin XHR requests to the openid-configuration
endpoint to enable clients like Grafana's auto-population of OIDC setup
data from its contents.

Updates https://github.com/tailscale/tailscale/issues/10263

Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
2025-03-11 13:10:22 -07:00
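The cross-origin discovery fetch the commit message describes, as an added Go example that is not tsidp's own code: a handler that adds CORS headers only to the public openid-configuration document, plus a probe that exercises a GET, a preflight OPTIONS and a rejected method. The document field set, the /token path and the MagicDNS host name are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type discoveryDoc struct { // assumed subset of the OIDC discovery fields
	Issuer        string   `json:"issuer"`
	TokenEndpoint string   `json:"token_endpoint"`
	ResponseTypes []string `json:"response_types_supported"`
}

// serveOpenIDConfiguration answers /.well-known/openid-configuration with CORS
// headers so a browser client on another origin can fetch it via XHR. The document
// is public and read-only, so "*" is acceptable here; token/userinfo must not be.
func serveOpenIDConfiguration(w http.ResponseWriter, r *http.Request) {
	w.Header().Set("Access-Control-Allow-Origin", "*")
	w.Header().Set("Access-Control-Allow-Methods", "GET, OPTIONS")
	if r.Method == http.MethodOptions { // preflight: headers only, no body
		w.WriteHeader(http.StatusNoContent)
		return
	}
	if r.Method != http.MethodGet {
		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
		return
	}
	issuer := "https://" + r.Host // assumed: HTTPS on the node's MagicDNS name
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(discoveryDoc{
		Issuer:        issuer,
		TokenEndpoint: issuer + "/token", // assumed path
		ResponseTypes: []string{"code"},
	})
}

// probe simulates a cross-origin request and returns the parsed document,
// the Allow-Origin header the browser would check, and the status code.
func probe(method, host string) (discoveryDoc, string, int) {
	req := httptest.NewRequest(method, "https://"+host+"/.well-known/openid-configuration", nil)
	rec := httptest.NewRecorder()
	serveOpenIDConfiguration(rec, req)
	var doc discoveryDoc
	json.NewDecoder(rec.Body).Decode(&doc) // no JSON body on OPTIONS/405: zero value
	return doc, rec.Header().Get("Access-Control-Allow-Origin"), rec.Code
}

func main() { fmt.Println(probe(http.MethodGet, "idp.example.ts.net")) }
```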

tsidp - Tailscale OpenID Connect (OIDC) Identity Provider

status: experimental

tsidp is an OIDC Identity Provider (IdP) server that integrates with your Tailscale network. It allows you to use Tailscale identities for authentication in applications that support OpenID Connect, enabling single sign-on (SSO) capabilities within your tailnet.

Prerequisites

  • A Tailscale network (tailnet) with magicDNS and HTTPS enabled
  • A Tailscale authentication key from your tailnet
  • Docker installed on your system

Installation using Docker

  1. Build the Docker Image

    The Dockerfile uses a multi-stage build process to:

    • Build the tsidp binary from source
    • Create a minimal Alpine-based image with just the necessary components

    # Clone the Tailscale repository
    git clone https://github.com/tailscale/tailscale.git
    cd tailscale

    # Build the Docker image
    docker build -t tsidp:latest -f cmd/tsidp/Dockerfile .

  2. Run the Container

    Replace YOUR_TAILSCALE_AUTHKEY with your Tailscale authentication key.

    docker run -d \
      --name tsidp \
      -p 443:443 \
      -e TS_AUTHKEY=YOUR_TAILSCALE_AUTHKEY \
      -e TS_HOSTNAME=tsidp \
      -v tsidp-data:/var/lib/tsidp \
      tsidp:latest
    
  3. Verify Installation

    docker logs tsidp

    Visit https://tsidp.tailnet.ts.net to confirm the service is running.

Usage Example: Proxmox Integration

Here's how to configure Proxmox to use tsidp for authentication:

  1. In Proxmox, navigate to Datacenter > Realms > Add OpenID Connect Server

  2. Configure the following settings:

    • Issuer URL: https://idp.velociraptor.ts.net
    • Realm: tailscale (or your preferred name)
    • Client ID: unused
    • Client Key: unused
    • Default: true
    • Autocreate users: true
    • Username claim: email

  3. Set up user permissions:

    • Go to Datacenter > Permissions > Groups
    • Create a new group (e.g., "tsadmins")
    • Click Permissions in the sidebar
    • Add Group Permission
    • Set Path to / for full admin access or scope as needed
    • Set the group and role
    • Add Tailscale-authenticated users to the group

Configuration Options

The tsidp server supports several command-line flags:

  • --verbose: Enable verbose logging
  • --port: Port to listen on (default: 443)
  • --local-port: Allow requests from localhost
  • --use-local-tailscaled: Use local tailscaled instead of tsnet
  • --dir: tsnet state directory

Environment Variables

  • TS_AUTHKEY: Your Tailscale authentication key (required)
  • TS_HOSTNAME: Hostname for the tsidp server (default: "idp")
  • TS_STATE_DIR: State directory (default: "/var/lib/tsidp")
  • TAILSCALE_USE_WIP_CODE: Enable work-in-progress code (default: "1")

Support

This is an experimental, work-in-progress feature. For issues or questions, file an issue on the GitHub repository.

License

BSD-3-Clause License. See LICENSE for details.