tailscale

mirror of https://github.com/tailscale/tailscale.git synced 2025-09-21 13:41:46 +02:00

Author	SHA1	Message	Date
Remy Guercio	89fe2e1f12	cmd/tsidp: add allow-insecure-no-client-registration and JSON file migration (#16881 ) Add a ternary flag that unless set explicitly to false keeps the insecure behavior of TSIDP. If the flag is false, add functionality on startup to migrate oidc-funnel-clients.json to oauth-clients.json if it doesn’t exist. If the flag is false, modify endpoints to behave similarly regardless of funnel, tailnet, or localhost. They will all verify client ID & secret when appropriate per RFC 6749. The authorize endpoint will no longer change based on funnel status or nodeID. Add extra tests verifying TSIDP endpoints behave as expected with the new flag. Safely create the redirect URL from what's passed into the authorize endpoint. Fixes #16880 Signed-off-by: Remy Guercio <remy@tailscale.com>	2025-08-29 15:16:39 -05:00
Raj Singh	45a4b69ce0	cmd/tsidp: fix OIDC client persistence across restarts Fixes #16088 Signed-off-by: Raj Singh <raj@tailscale.com>	2025-06-18 10:43:19 -05:00
Brad Fitzpatrick	259bab9bff	scripts/check_license_headers.sh: delete, rewrite as a Go test Updates tailscale/corp#29650 Change-Id: Iad4e4ccd9d68ebb1d1a12f335cc5295d0bd05b60 Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>	2025-06-16 13:35:38 -07:00
Patrick O'Doherty	e649227ef2	cmd/tsidp: fix interface{} linter warnings (#15729 ) Replace all instances of interface{} with any to resolve the golangci-lint errors that appeared in the previous tsidp PR. Updates #cleanup Signed-off-by: Patrick O'Doherty <patrick@tailscale.com>	2025-04-17 18:05:07 -07:00
Cedric Kienzler	b34a2bdb22	cmd/tsidp: add groups claim to tsidp (#15127 ) * cmd/tsidp: add groups claim to tsidp This feature adds support for a `groups` claim in tsidp using the grants syntax: ```json { "grants": [ { "src": ["group:admins"], "dst": [""], "ip": [""], "app": { "tailscale.com/cap/tsidp": [ { "groups": ["admin"] } ] } }, { "src": ["group:reader"], "dst": [""], "ip": [""], "app": { "tailscale.com/cap/tsidp": [ { "groups": ["reader"] } ] } } ] } ``` For #10263 Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * cmd/tsidp: refactor cap/tsidp to allow extraClaims This commit refactors the `capRule` struct to allow specifying arbitrary extra claims: ```json { "src": ["group:reader"], "dst": [""], "ip": [""], "app": { "tailscale.com/cap/tsidp": [ { "extraClaims": { "groups": ["reader"], "entitlements": ["read-stuff"], }, } ] } } ``` Overwriting pre-existing claims cannot be modified/overwritten. Also adding more unit-testing Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * Update cmd/tsidp/tsidp.go Signed-off-by: cedi <cedi@users.noreply.github.com> * Update cmd/tsidp/tsidp_test.go Co-authored-by: Patrick O'Doherty <hello@patrickod.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> * Update cmd/tsidp/tsidp_test.go Co-authored-by: Patrick O'Doherty <hello@patrickod.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> * Fix logical error in test case Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * fix error printing for failed to unmarshal capability in tsidp Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> * clarify doc string for withExtraClaims Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> --------- Signed-off-by: Cedric Kienzler <github@cedric-kienzler.de> Signed-off-by: cedi <cedi@users.noreply.github.com> Signed-off-by: Cedric Kienzler <cedi@users.noreply.github.com> Co-authored-by: Patrick O'Doherty <hello@patrickod.com>	2025-04-17 17:31:40 -07:00

5 Commits