101 lines
4.7 KiB
Markdown
101 lines
4.7 KiB
Markdown
---
|
|
title: "Tailscale"
|
|
description: "Using Authelia as the Tailscale OpenID Connect Provider."
|
|
lead: ""
|
|
date: 2023-04-20T08:53:36.993Z
|
|
draft: false
|
|
images: []
|
|
menu:
|
|
integration:
|
|
parent: "openid-connect"
|
|
weight: 620
|
|
toc: true
|
|
community: true
|
|
---
|
|
|
|
## Tested Versions
|
|
|
|
* [Authelia]
|
|
* [v4.37.5](https://github.com/authelia/authelia/releases/tag/v4.37.5)
|
|
* [Tailscale] - Note: Version not important, since configuration is via the web UI
|
|
* [1.38.4](https://github.com/tailscale/tailscale/releases/tag/v1.38.4)
|
|
|
|
## Before You Begin
|
|
|
|
{{% oidc-common %}}
|
|
|
|
### Assumptions
|
|
|
|
This example makes the following assumptions:
|
|
|
|
* __Domain Root URL:__ `https://example.com`
|
|
* __Authelia Root URL:__ `https://auth.example.com`
|
|
* __Authelia Account:__ `user@example.com`
|
|
* __Client ID:__ `tailscale`
|
|
* __Client Secret:__ `insecure_secret`
|
|
|
|
|
|
## Configuration
|
|
The configuration in Authelia is straightforwarded: Tailscale is just another `identity_provider/oidc` entry. Complicating things is the necessary WebFinger reply for your domain - see the following [Application](#application) section.
|
|
|
|
|
|
### Application
|
|
|
|
To configure [Tailscale] to utilize Authelia as an [OpenID Connect 1.0] Provider, you will need a public WebFinger reply for your domain (see [RFC 7033](https://www.rfc-editor.org/rfc/rfc7033#section-3.1)) and point it to Authelia. The steps necessary are outlined in the Tailscale documentation on [Custom OIDC providers](https://tailscale.com/kb/1240/sso-custom-oidc/). This WebFinger reply is not generated by Authelia, so your external webserver hosted at the root of your domain will need to generate the reponse (Check [See also](#see-also) for example implementations). The following steps are necessary to get Tailscale working with Authelia:
|
|
|
|
1. Your domain will need to reply to a WebFinger request for your Authelia account
|
|
2. Your domain root is `example.com` and the Authelia account in question is `user@example.com`, the WebFinger request will be: `https://example.com/.well-known/webfinger/?resource=acct:user@example.com`
|
|
3. The WebFinger request will need to be answered with the following example reply:
|
|
```
|
|
{
|
|
"subject" : "acct:user@example.com",
|
|
"links" :
|
|
[
|
|
{
|
|
"rel" : "http://openid.net/specs/connect/1.0/issuer",
|
|
"href" : "https://auth.example.com"
|
|
}
|
|
]
|
|
}
|
|
```
|
|
4. For any other users that you want to add to Tailscale, you will need to to provide similar WebFinger replies (e.g. for `user2@example.com` or `user3@example.com`)
|
|
5. Once you have the WebFinger reply set up and your [Authelia OpenID Connect Discovery endpoint](https://www.authelia.com/integration/openid-connect/introduction/#well-known-discovery-endpoints) is working (e.g. `https://auth.example.com/.well-known/openid-configuration`), you can sign up for a **new Tailnet** (currently migration isn't supported) via the link: [Sign up with OIDC](https://login.tailscale.com/start/oidc) where you will see the following screen:
|
|
{{< figure src="tailscale_signup_1.png" alt="Tailscale Signup Screen 1" width="300" >}}
|
|
6. After clicking on **Get OIDC Issuer**, Tailscale will fetch the WebFinger reply via `https://example.com/.well-known/webfinger/?resource=acct:user@example.com` and follow the set `href` to `https://auth.example.com/.well-known/openid-configuration`.
|
|
**Note:** make sure that the `href` URL matches the `issuer` URL returned from the Authelia OIDC dicsovery endpoint
|
|
7. On the next screen you will need to add your client ID & secret configured in Authelia to finish the OIDC provider registration in [Tailscale].
|
|
|
|
|
|
### Authelia
|
|
|
|
The following YAML configuration is an example __Authelia__
|
|
[client configuration](../../../configuration/identity-providers/open-id-connect.md#clients) for use with [Tailscale] which
|
|
will operate with the above example:
|
|
|
|
```yaml
|
|
identity_providers:
|
|
oidc:
|
|
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
|
|
## See: https://www.authelia.com/c/oidc
|
|
clients:
|
|
- id: tailscale
|
|
description: Tailscale SSO
|
|
secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
|
|
redirect_uris:
|
|
- https://login.tailscale.com/a/oauth_response
|
|
scopes:
|
|
- openid
|
|
- email
|
|
- profile
|
|
```
|
|
|
|
## See Also
|
|
|
|
- [Tailscale] [Custom OIDC Provider Knowledge Base entry](https://tailscale.com/kb/1240/sso-custom-oidc/):
|
|
- [RFC 7033, Identity Provider Discovery for OpenID Connect](https://www.rfc-editor.org/rfc/rfc7033#section-3.1)
|
|
- [WebFinger example implementations](https://webfinger.net/code/)
|
|
|
|
[Authelia]: https://www.authelia.com
|
|
[Tailscale]: https://tailscale.com
|
|
[OpenID Connect 1.0]: ../../openid-connect/introduction.md
|