cmd/tailscale/cli,feature: add support for identity federation (#17529)

Add new arguments to `tailscale up` so authkeys can be generated dynamically via identity federation.

Updates #9192

Signed-off-by: mcoulombe <max@tailscale.com>

internal/client/tailscale/identityfederation.go

@@ -0,0 +1,19 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package tailscale
+
+import (
+	"context"
+
+	"tailscale.com/feature"
+)
+
+// HookResolveAuthKeyViaWIF resolves to [identityfederation.ResolveAuthKey] when the
+// corresponding feature tag is enabled in the build process.
+//
+// baseURL is the URL of the control server used for token exchange and authkey generation.
+// clientID is the federated client ID used for token exchange, the format is <tailnet ID>/<oauth client ID>
+// idToken is the Identity token from the identity provider
+// tags is the list of tags to be associated with the auth key
+var HookResolveAuthKeyViaWIF feature.Hook[func(ctx context.Context, baseURL, clientID, idToken string, tags []string) (string, error)]

internal/client/tailscale/tailscale.go

@@ -25,6 +25,9 @@ func init() {
 // AuthMethod is an alias to tailscale.com/client/tailscale.
 type AuthMethod = tsclient.AuthMethod
 
+// APIKey is an alias to tailscale.com/client/tailscale.
+type APIKey = tsclient.APIKey
+
 // Device is an alias to tailscale.com/client/tailscale.
 type Device = tsclient.Device