docs/content/integration/openid-connect/clients/tailscale/index.md
{{% oidc-common %}}
This example makes the following assumptions:

- __Domain Root URL:__ `https://{{< sitevar name="domain" nojs="example.com" >}}`
- __Authelia Root URL:__ `https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/`
- __Authelia Account:__ `user@{{< sitevar name="domain" nojs="example.com" >}}`
- __Client ID:__ `tailscale`
- __Client Secret:__ `insecure_secret`

Some of the values presented in this guide can automatically be replaced with documentation variables.
{{< sitevar-preferences >}}
The following YAML configuration is an example Authelia client configuration for use with Tailscale which will operate with the above example:

```yaml
identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    clients:
      - client_id: 'tailscale'
        client_name: 'Tailscale'
        client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'two_factor'
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://login.tailscale.com/a/oauth_response'
        scopes:
          - 'openid'
          - 'email'
          - 'profile'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'
```
To configure Tailscale to utilize Authelia as an OpenID Connect 1.0 Provider, you will need a public WebFinger reply for your domain (see [RFC7033 Section 3.1](https://datatracker.ietf.org/doc/html/rfc7033#section-3.1)) and point it to Authelia. The steps necessary are outlined in the [Tailscale documentation on Custom OIDC providers KB article](https://tailscale.com/kb/1240/sso-custom-oidc). This WebFinger reply is not generated by Authelia, so your external web server hosted at the root of your domain will need to generate the response (check See also for example implementations). The following steps are necessary to get Tailscale working with Authelia:

1. If your domain is `{{< sitevar name="domain" nojs="example.com" >}}` and the Authelia account in question is `user@{{< sitevar name="domain" nojs="example.com" >}}`, the WebFinger request will be `https://{{< sitevar name="domain" nojs="example.com" >}}/.well-known/webfinger/?resource=acct:user@{{< sitevar name="domain" nojs="example.com" >}}`; the complete request, including the `rel` parameter, is `https://{{< sitevar name="domain" nojs="example.com" >}}/.well-known/webfinger?rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer&resource=acct%3Auser%40{{< sitevar name="domain" nojs="example.com" >}}`. The reply must be:

   ```json
   {
     "subject": "acct:user@{{< sitevar name="domain" nojs="example.com" >}}",
     "links": [{
       "rel": "http://openid.net/specs/connect/1.0/issuer",
       "href": "https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}"
     }]
   }
   ```

2. The same WebFinger reply must be served for every account that should be able to use Tailscale (e.g. `user2@{{< sitevar name="domain" nojs="example.com" >}}` or `user3@{{< sitevar name="domain" nojs="example.com" >}}`).
3. Once the WebFinger reply is in place and its `href` URL matches the issuer URL returned from the Authelia OIDC discovery endpoint (`https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/.well-known/openid-configuration`), you can sign up for a new Tailnet (migration can only be done if the Tailnet is associated with a custom domain) via the link: [Sign up with OIDC](https://login.tailscale.com/start/oidc) where you will see the following screen:
4. Tailscale will make a GET request to `https://{{< sitevar name="domain" nojs="example.com" >}}/.well-known/webfinger`; the actual GET request will include request parameters, most importantly `resource`.
5. Tailscale will request `https://{{< sitevar name="domain" nojs="example.com" >}}/.well-known/webfinger/?resource=acct:user@{{< sitevar name="domain" nojs="example.com" >}}` and follow the set `href` to `https://{{< sitevar name="subdomain-authelia" nojs="auth" >}}.{{< sitevar name="domain" nojs="example.com" >}}/.well-known/openid-configuration`.
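As an added illustration of the WebFinger lookup in the steps above (example code written for this page, not Authelia's or Tailscale's own), the responder below answers the `resource`/`rel` query only for accounts of the configured domain, and a helper performs the step 3 check that the advertised `href` equals the `issuer` from the discovery document. `DOMAIN` and `ISSUER` are assumptions matching the example values.

```python
from urllib.parse import parse_qs, urlsplit

DOMAIN = "example.com"               # assumption: the Tailnet's custom domain
ISSUER = "https://auth.example.com"  # assumption: Authelia root URL (no trailing slash)
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def webfinger(path_and_query: str) -> tuple[int, dict]:
    """Answer GET /.well-known/webfinger (RFC 7033) for acct: resources of DOMAIN.

    Returns (http_status, json_body). Unknown domains get 404 and only the
    OIDC issuer link is advertised, so the endpoint confirms nothing about
    accounts elsewhere and leaks no unrelated links.
    """
    parts = urlsplit(path_and_query)
    if parts.path.rstrip("/") != "/.well-known/webfinger":
        return 404, {}
    params = parse_qs(parts.query)
    resources = params.get("resource", [])
    if len(resources) != 1 or not resources[0].startswith("acct:"):
        return 400, {"error": "missing or malformed resource parameter"}
    subject = resources[0]
    local, _, domain = subject[len("acct:"):].rpartition("@")
    if not local or domain.lower() != DOMAIN:
        return 404, {}  # not one of our accounts
    # rel is optional; when present it filters the returned links (RFC 7033 s4.3)
    rels = params.get("rel")
    links = [{"rel": OIDC_ISSUER_REL, "href": ISSUER}]
    if rels is not None:
        links = [link for link in links if link["rel"] in rels]
    return 200, {"subject": subject, "links": links}


def issuer_matches_discovery(jrd: dict, discovery_doc: dict) -> bool:
    """Step 3 check: the single OIDC issuer href in the WebFinger reply must be
    byte-for-byte equal to the issuer in /.well-known/openid-configuration; a
    trailing-slash difference is enough to make the comparison fail."""
    hrefs = [link["href"] for link in jrd.get("links", []) if link.get("rel") == OIDC_ISSUER_REL]
    return len(hrefs) == 1 and hrefs[0] == discovery_doc.get("issuer")
```

Serve `webfinger()` behind `https://example.com/.well-known/webfinger` with `Content-Type: application/jrd+json`, and run `issuer_matches_discovery()` against the live discovery document before attempting the Tailscale sign-up.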