hyperreal.coffee

Using Codeberg, Gitea, or Forgejo as OIDC provider for Tailscale

Requirements

Webfinger

In the web root of your web server, create the .well-known/webfinger file. For example, on mine, I have the following:

{
  "subject": "acct:hyperreal@moonshadow.dev",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://codeberg.org"
    }
  ]
}

You can use the Webfinger lookup tool to make sure it is set up correctly.

The value of the “subject” field must be acct: followed by your email address at the domain you own, as in the example above. The value of the “href” field must be the URL of Codeberg or of your Gitea or Forgejo instance; this is the issuer Tailscale will trust for logins at your domain.
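As an added example (not part of the original post), a small Python check that validates a WebFinger response against these two rules before you point Tailscale at it. The email address, expected issuer and both sample documents are constructed here; the second sample deliberately gets the subject prefix and the issuer scheme wrong.

```python
import json
from urllib.parse import urlsplit

# rel value Tailscale looks for in the WebFinger JRD (from the OpenID Connect Discovery spec)
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def check_webfinger(body: str, email: str, expected_issuer: str) -> list[str]:
    """Return a list of problems found in a WebFinger JRD body; an empty list means it passes."""
    problems: list[str] = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"body is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["body must be a JSON object"]

    # The lookup is for acct:<email>, so the subject must echo exactly that string.
    if doc.get("subject") != f"acct:{email}":
        problems.append(f"subject {doc.get('subject')!r} != 'acct:{email}'")

    # Exactly one link may name the OIDC issuer; that href decides which IdP is trusted.
    issuers = [link.get("href") for link in doc.get("links", [])
               if isinstance(link, dict) and link.get("rel") == OIDC_ISSUER_REL]
    if len(issuers) != 1:
        problems.append(f"expected exactly one OIDC issuer link, found {len(issuers)}")
        return problems

    href = issuers[0] or ""
    parts = urlsplit(href)
    if parts.scheme != "https" or not parts.netloc:
        problems.append(f"issuer href {href!r} must be an absolute https URL")
    if href.rstrip("/") != expected_issuer.rstrip("/"):
        problems.append(f"issuer href {href!r} != expected issuer {expected_issuer!r}")
    return problems


# Constructed sample documents: GOOD mirrors the post's file, BAD breaks both rules.
GOOD = json.dumps({"subject": "acct:hyperreal@moonshadow.dev",
                   "links": [{"rel": OIDC_ISSUER_REL, "href": "https://codeberg.org"}]})
BAD = json.dumps({"subject": "hyperreal@moonshadow.dev",
                  "links": [{"rel": OIDC_ISSUER_REL, "href": "http://codeberg.org"}]})

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_webfinger(body, "hyperreal@moonshadow.dev", "https://codeberg.org"))
```

Run it against the actual response from https://yourdomain/.well-known/webfinger once the file is deployed.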

Create an OAuth2 application on Codeberg, Gitea, or Forgejo

On Codeberg, Gitea, or Forgejo, go to your User Settings -> Applications -> Manage OAuth2 applications.

Click on Create. Now copy and save the Client ID and Client secret that were generated.

Sign up with Tailscale

  1. Go to the Tailscale login page, and select “Sign up with OIDC”.
  2. Enter your email at your custom domain. E.g., hyperreal@moonshadow.dev.
  3. Choose Codeberg or Gitea as the identity provider. This step is optional and doesn’t really matter. Forgejo instances can choose Gitea.
  4. Select “Get OIDC Issuer”.
  5. Enter the Client ID and Client secret you saved from your OAuth2 application. Leave everything else as default, and make sure that “consent” is checked under Prompts.
  6. Click “Sign up with OIDC”, and you should be able to log in to Tailscale and be redirected to your Tailscale admin console.

Resources

#oidc #codeberg #gitea #forgejo #tailscale
