TheArchive/tailscale
1
0
Fork 0
mirror of https://github.com/tailscale/tailscale.git synced 2025-05-31 19:58:31 +00:00
Code Issues Packages Projects Releases Wiki Activity
tailscale/cmd/tsidp
History
Cedric Kienzler b34a2bdb22
cmd/tsidp: add groups claim to tsidp (#15127) 
* cmd/tsidp: add groups claim to tsidp

This feature adds support for a `groups` claim in tsidp using the grants
syntax:

```json
{
  "grants": [
    {
      "src": ["group:admins"],
      "dst": ["*"],
      "ip":  ["*"],
      "app": {
        "tailscale.com/cap/tsidp": [
          {
            "groups": ["admin"]
          }
        ]
      }
    },
    {
      "src": ["group:reader"],
      "dst": ["*"],
      "ip":  ["*"],
      "app": {
        "tailscale.com/cap/tsidp": [
          {
            "groups": ["reader"]
          }
        ]
      }
    }
  ]
}
```

For #10263

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>

* cmd/tsidp: refactor cap/tsidp to allow extraClaims

This commit refactors the `capRule` struct to allow specifying arbitrary
extra claims:

```json
{
  "src": ["group:reader"],
  "dst": ["*"],
  "ip":  ["*"],
  "app": {
    "tailscale.com/cap/tsidp": [
      {
        "extraClaims": {
          "groups": ["reader"],
          "entitlements": ["read-stuff"],
        },
      }
    ]
  }
}
```

Overwriting pre-existing claims cannot be modified/overwritten.

Also adding more unit-testing

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>

* Update cmd/tsidp/tsidp.go

Signed-off-by: cedi <cedi@users.noreply.github.com>

* Update cmd/tsidp/tsidp_test.go

Co-authored-by: Patrick O'Doherty <hello@patrickod.com>
Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com>

* Update cmd/tsidp/tsidp_test.go

Co-authored-by: Patrick O'Doherty <hello@patrickod.com>
Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com>

* Fix logical error in test case

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>

* fix error printing for failed to unmarshal capability in tsidp

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>

* clarify doc string for withExtraClaims

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>

---------

Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
Signed-off-by: cedi <cedi@users.noreply.github.com>
Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com>
Co-authored-by: Patrick O'Doherty <hello@patrickod.com>
2025-04-17 17:31:40 -07:00
..
Dockerfile
Move env var flag passing to Dockerfile
2025-04-02 10:11:17 -07:00
README.md
Change README to reflect configuration
2025-04-02 10:11:17 -07:00
tsidp_test.go
cmd/tsidp: add groups claim to tsidp (#15127)
2025-04-17 17:31:40 -07:00
tsidp.go
cmd/tsidp: add groups claim to tsidp (#15127)
2025-04-17 17:31:40 -07:00

README.md

tsidp - Tailscale OpenID Connect (OIDC) Identity Provider

status: experimental

tsidp is an OIDC Identity Provider (IdP) server that integrates with your Tailscale network. It allows you to use Tailscale identities for authentication in applications that support OpenID Connect, enabling single sign-on (SSO) capabilities within your tailnet.

Prerequisites

  • A Tailscale network (tailnet) with magicDNS and HTTPS enabled
  • A Tailscale authentication key from your tailnet
  • Docker installed on your system

Installation using Docker

  1. Build the Docker Image

    The Dockerfile uses a multi-stage build process to:

    • Build the tsidp binary from source
    • Create a minimal Alpine-based image with just the necessary components
    # Clone the Tailscale repository
git clone https://github.com/tailscale/tailscale.git
cd tailscale

    # Build the Docker image
docker build -t tsidp:latest -f cmd/tsidp/Dockerfile .

  2. Run the Container

    Replace YOUR_TAILSCALE_AUTHKEY with your Tailscale authentication key.

    docker run -d \
  --name `tsidp` \
  -p 443:443 \
  -e TS_AUTHKEY=YOUR_TAILSCALE_AUTHKEY \
  -e TS_HOSTNAME=idp \
  -v tsidp-data:/var/lib/tsidp \
  tsidp:latest

  3. Verify Installation

    docker logs tsidp

    Visit https://idp.tailnet.ts.net to confirm the service is running.

Usage Example: Proxmox Integration

Here's how to configure Proxmox to use tsidp for authentication:

  1. In Proxmox, navigate to Datacenter > Realms > Add OpenID Connect Server

  2. Configure the following settings:

    • Issuer URL: https://idp.velociraptor.ts.net
    • Realm: tailscale (or your preferred name)
    • Client ID: unused
    • Client Key: unused
    • Default: true
    • Autocreate users: true
    • Username claim: email

  3. Set up user permissions:

    • Go to Datacenter > Permissions > Groups
    • Create a new group (e.g., "tsadmins")
    • Click Permissions in the sidebar
    • Add Group Permission
    • Set Path to / for full admin access or scope as needed
    • Set the group and role
    • Add Tailscale-authenticated users to the group

Configuration Options

The tsidp server supports several command-line flags:

  • --verbose: Enable verbose logging
  • --port: Port to listen on (default: 443)
  • --local-port: Allow requests from localhost
  • --use-local-tailscaled: Use local tailscaled instead of tsnet
  • --hostname: tsnet hostname
  • --dir: tsnet state directory

Environment Variables

  • TS_AUTHKEY: Your Tailscale authentication key (required)
  • TS_HOSTNAME: Hostname for the tsidp server (default: "idp", Docker only)
  • TS_STATE_DIR: State directory (default: "/var/lib/tsidp", Docker only)
  • TAILSCALE_USE_WIP_CODE: Enable work-in-progress code (default: "1")

Support

This is an experimental, work in progress feature. For issues or questions, file issues on the GitHub repository

License

BSD-3-Clause License. See LICENSE for details.