Tim Klocke
4980869977
cmd/tsidp: Fix sending string for refresh_token
In accordance with the OIDC/OAuth 2.0 protocol, do not send an empty
refresh_token and instead omit the field when empty.
Fixes https://github.com/tailscale/tailscale/issues/16073
Signed-off-by: Tim Klocke <taaem@mailbox.org>
2025-05-24 11:30:00 -07:00
Brad Fitzpatrick
383664b2f7
cmd/tsidp: remove backticks in README in shell example
Fixes #15818
Change-Id: I7a6f4c7368fed74b865a63acdea4559c3d0a0d09
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-05-01 12:18:50 -07:00
Patrick O'Doherty
e649227ef2
cmd/tsidp: fix interface{} linter warnings (#15729)
Replace all instances of interface{} with any to resolve the
golangci-lint errors that appeared in the previous tsidp PR.
Updates #cleanup
Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
2025-04-17 18:05:07 -07:00
Cedric Kienzler
b34a2bdb22
cmd/tsidp: add groups claim to tsidp (#15127)
* cmd/tsidp: add groups claim to tsidp
This feature adds support for a `groups` claim in tsidp using the grants
syntax:
```json
{
  "grants": [
    {
      "src": ["group:admins"],
      "dst": ["*"],
      "ip": ["*"],
      "app": {
        "tailscale.com/cap/tsidp": [
          {
            "groups": ["admin"]
          }
        ]
      }
    },
    {
      "src": ["group:reader"],
      "dst": ["*"],
      "ip": ["*"],
      "app": {
        "tailscale.com/cap/tsidp": [
          {
            "groups": ["reader"]
          }
        ]
      }
    }
  ]
}
```
For #10263
Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
* cmd/tsidp: refactor cap/tsidp to allow extraClaims
This commit refactors the `capRule` struct to allow specifying arbitrary
extra claims:
```json
{
  "src": ["group:reader"],
  "dst": ["*"],
  "ip": ["*"],
  "app": {
    "tailscale.com/cap/tsidp": [
      {
        "extraClaims": {
          "groups": ["reader"],
          "entitlements": ["read-stuff"]
        }
      }
    ]
  }
}
```
Pre-existing claims cannot be modified or overwritten.
Also adds more unit tests.
Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
* Update cmd/tsidp/tsidp.go
Signed-off-by: cedi <cedi@users.noreply.github.com>
* Update cmd/tsidp/tsidp_test.go
Co-authored-by: Patrick O'Doherty <hello@patrickod.com>
Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com>
* Update cmd/tsidp/tsidp_test.go
Co-authored-by: Patrick O'Doherty <hello@patrickod.com>
Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com>
* Fix logical error in test case
Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
* fix error printing for failed to unmarshal capability in tsidp
Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
* clarify doc string for withExtraClaims
Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
---------
Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de>
Signed-off-by: cedi <cedi@users.noreply.github.com>
Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com>
Co-authored-by: Patrick O'Doherty <hello@patrickod.com>
2025-04-17 17:31:40 -07:00
Kot
1284482790
Change README to reflect configuration
Updates #15465
Signed-off-by: Kot <kot@kot.pink>
2025-04-02 10:11:17 -07:00
Kot
c86afacf26
Move env var flag passing to Dockerfile
Updates #15465
Signed-off-by: Kot <kot@kot.pink>
2025-04-02 10:11:17 -07:00
Kot
85bcc2e3bd
cmd/tsidp: use advertised env vars for config
Fixes #14491
Signed-off-by: Kot <kot@kot.pink>
2025-04-02 10:11:17 -07:00
Patrick O'Doherty
8f0080c7a4
cmd/tsidp: allow CORS requests to openid-configuration (#15229)
Add support for Cross-Origin XHR requests to the openid-configuration
endpoint to enable clients like Grafana's auto-population of OIDC setup
data from its contents.
Updates https://github.com/tailscale/tailscale/issues/10263
Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
2025-03-11 13:10:22 -07:00
Patrick O'Doherty
9d7f2719bb
cmd/tsidp: use constant time comparison for client_id/secret (#15222)
Use secure constant time comparisons for the client ID and secret values
during the allowRelyingParty authorization check.
Updates #cleanup
Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>
2025-03-06 08:52:35 -08:00
Sam Linville
27e0575f76
cmd/tsidp: add README and Dockerfile (#15205)
2025-03-05 10:55:37 -06:00
Brad Fitzpatrick
05ac21ebe4
all: use new LocalAPI client package location
It was moved in f57fa3cbc3.
Updates tailscale/corp#22748
Change-Id: I19f965e6bded1d4c919310aa5b864f2de0cd6220
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2025-02-05 14:41:42 -08:00
Maisem Ali
fb0f8fc0ae
cmd/tsidp: add --dir flag
To better control where the tsnet state is being stored.
Updates #10263
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2024-09-29 16:15:22 -07:00
Naman Sood
f79183dac7
cmd/tsidp: add funnel support (#12591)
* cmd/tsidp: add funnel support
Updates #10263.
Signed-off-by: Naman Sood <mail@nsood.in>
* look past funnel-ingress-node to see who we're authenticating
Signed-off-by: Naman Sood <mail@nsood.in>
* fix comment typo
Signed-off-by: Naman Sood <mail@nsood.in>
* address review feedback, support Basic auth for /token
Turns out you need to support Basic auth if you do client ID/secret
according to OAuth.
Signed-off-by: Naman Sood <mail@nsood.in>
* fix typos
Signed-off-by: Naman Sood <mail@nsood.in>
* review fixes
Signed-off-by: Naman Sood <mail@nsood.in>
* remove debugging log
Signed-off-by: Naman Sood <mail@nsood.in>
* add comments, fix header
Signed-off-by: Naman Sood <mail@nsood.in>
---------
Signed-off-by: Naman Sood <mail@nsood.in>
2024-08-08 10:46:45 -04:00
Maisem Ali
486a423716
tsnet: split user facing and backend logging
This adds a new `UserLogf` field to the `Server` struct.
When set, any logs generated by Server are logged using
`UserLogf` and all spammy backend logs are logged to `Logf`.
If `UserLogf` is unset, we default to `log.Printf`, and
if `Logf` is unset we discard all the spammy logs.
Fixes #12094
Signed-off-by: Maisem Ali <maisem@tailscale.com>
2024-05-10 15:29:13 -07:00
Maisem Ali
7d4221c295
cmd/tsidp: add start of OIDC Tailscale IdP
Updates #10263
Co-authored-by: Brad Fitzpatrick <bradfitz@tailscale.com>
Change-Id: I240bc9b5ecf2df6f92c45929d105fde66c06a860
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>
2023-11-15 14:27:39 -08:00