-
Notifications
You must be signed in to change notification settings - Fork 22
docs: changes for v5.1.0 #109
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
steveiliop56
wants to merge
22
commits into
main
Choose a base branch
from
feat/v5.1.0
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
22 commits
Select commit
Hold shift + click to select a range
d8ee13a
docs: add OIDC server setup guide and configuration reference
dosubot[bot] bd9f835
docs: add OIDC server guide and configuration reference
dosubot[bot] 2a810b2
chore: merge user attributes update
steveiliop56 28c03bf
chore: remove dosu comments
steveiliop56 a13e958
feat: add new options to config reference
steveiliop56 7c4e636
feat: add oidc certification status to oidc guide
steveiliop56 f1edfa3
refactor: update tool styles
steveiliop56 7f2c90d
chore: update about section
steveiliop56 f047415
feat: add tailscale integration
steveiliop56 0522c4b
feat: add docs for deny-by-default acls
steveiliop56 9702036
chore: update changelog
steveiliop56 2f7375f
feat: add note for subdomains enabled
steveiliop56 1c6aa25
feat: tailscale auth guide
steveiliop56 2d603f4
chore: update main screenshot
steveiliop56 d32c97c
chore: update screenshots
steveiliop56 e14593d
feat: add yaml config options
steveiliop56 724bb6d
feat: update index
steveiliop56 f092b9e
feat: add note on tinyauth api
steveiliop56 2759165
fix: review comments
steveiliop56 5259b59
Merge branch 'main' into feat/v5.1.0
steveiliop56 9a87beb
chore: remove public prefix in screenshots
steveiliop56 205b777
chore: add tailscale integration back to sidebar
steveiliop56 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -19,3 +19,6 @@ pnpm-debug.log* | |
|
|
||
| # macOS-specific files | ||
| .DS_Store | ||
|
|
||
| # idea | ||
| /.idea/ | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,108 @@ | ||
| --- | ||
| title: Tailscale Authentication | ||
| description: Use your Tailscale connection to automatically log in to Tinyauth. | ||
| --- | ||
|
|
||
| Tinyauth has support for detecting your Tailscale connection and automatically logging you in with | ||
| your Tailscale identity. This is made possible using the Tailscale API. | ||
|
|
||
| ## Requirements | ||
|
|
||
| - A Tailscale account | ||
| - A Tinyauth instance | ||
|
|
||
| :::warning | ||
| You will need your proxy to correctly forward the client IP to Tinyauth for the Tailscale detection | ||
| to work. This differs from proxy to proxy, but usually you will need your proxy container to run | ||
| with `network_mode: host` in Docker. | ||
| ::: | ||
|
|
||
| ### K3S | ||
|
|
||
| In case you are using K3S (and possibly other Kubernetes deployments that use Traefik+MetalLB) you can use | ||
| the following Helm chart config for Traefik to forward the correct client IP to your applications (including | ||
| Tinyauth): | ||
|
|
||
| ```yaml | ||
| apiVersion: helm.cattle.io/v1 | ||
| kind: HelmChartConfig | ||
| metadata: | ||
| name: traefik-config | ||
| namespace: kube-system | ||
| spec: | ||
| valuesContent: |- | ||
| service: | ||
| spec: | ||
| externalTrafficPolicy: Local | ||
|
|
||
| entryPoints: | ||
| web: | ||
| address: ':80' | ||
| forwardedHeaders: | ||
| trustedIPs: | ||
| - 10.42.0.0/24 | ||
| websecure: | ||
| address: ':443' | ||
| forwardedHeaders: | ||
| trustedIPs: | ||
| - 10.42.0.0/24 | ||
| ``` | ||
|
|
||
| You can check if Tinyauth is receiving the correct client IP by visiting it and checking the | ||
| `client_ip` section in the info logs. | ||
|
|
||
| ## Get the Tailscale API token | ||
|
|
||
| Before configuring Tinyauth, you need to obtain your Tailnet ID and an API token from Tailscale. This can be | ||
| done by visiting the Tailscale [admin console](https://login.tailscale.com/admin/settings/general). The Tailnet | ||
| ID is the first thing you see in the page. | ||
|
|
||
|  | ||
|
|
||
| :::note | ||
| While you can use the Legacy Tailnet ID, it is recommended to use the new random one. | ||
| ::: | ||
|
|
||
| Then, you can generate an API token in the [keys](https://login.tailscale.com/admin/settings/keys) page. | ||
|
|
||
|  | ||
|
|
||
| There click the **Generate access token** button, give it a name and click **Generate access token** again. | ||
| You should then be greeted by the following page. | ||
|
|
||
|  | ||
|
|
||
| Make sure to note down your Tailnet ID and the new API token as we will need them in the next part. | ||
|
|
||
| ## Configure Tinyauth | ||
|
|
||
| With your Tailnet ID and API token you can configure Tinyauth in the following way: | ||
|
|
||
| ```yaml | ||
| services: | ||
| tinyauth: | ||
| environment: | ||
| - TINYAUTH_TAILSCALE_ENABLED=true | ||
| - TINYAUTH_TAILSCALE_APITOKEN=your-api-token # TINYAUTH_TAILSCALE_APITOKENFILE also supported | ||
| - TINYAUTH_TAILSCALE_TAILNET=your-tailnet-id | ||
| ``` | ||
|
|
||
| Tinyauth by default caches the user and device list for 5 minutes, you can reduce the cache duration with | ||
| `TINYAUTH_TAILSCALE_CACHEDURATION` (in seconds). | ||
|
|
||
| :::note | ||
| Tinyauth does ***not*** support serving on a Tailscale domain (like `tinyauth.funny-name.ts.net`). This is | ||
| because we would need the `tsnet` library to serve on Tailscale which adds a lot of unnecessary weight to the | ||
| binary (+20MB). Features requiring the `tsnet` library will ***not*** be added. | ||
| ::: | ||
|
|
||
| Make sure to restart Tinyauth after updating the configuration. | ||
|
|
||
| ## Usage | ||
|
|
||
| After restarting and assuming Tinyauth can get your client IP, you should see the following screen | ||
| when visiting Tinyauth to login: | ||
|
|
||
|  | ||
|
|
||
| After clicking **Continue with Tailscale**, authentication should proceed as normal. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,95 @@ | ||
| --- | ||
| title: Tailscale | ||
| description: Use the Tinyauth OpenID Connect provider to authenticate in Tailscale. | ||
| --- | ||
|
|
||
| import { Steps } from '@astrojs/starlight/components'; | ||
| import { Tabs, TabItem } from '@astrojs/starlight/components'; | ||
| import CreateOIDCClientTool from "../../../../components/create-oidc-client-tool.astro"; | ||
|
|
||
| Tinyauth meets all of the criteria to be used as an OpenID Connect provider for Tailscale. This includes | ||
| support for all of the required OpenID Connect scopes, claims and endpoints. Tinyauth also includes support | ||
| for WebFinger which is required for Tailscale to discover the OpenID Connect provider. | ||
|
|
||
| ## Requirements | ||
|
|
||
| - A Tailscale account | ||
| - A Tinyauth instance | ||
| - A domain name | ||
|
|
||
| :::caution | ||
| You will need to run Tinyauth with HTTPS to use it as an OpenID Connect provider. | ||
| ::: | ||
|
|
||
| :::caution | ||
| Tinyauth will need to be accessible from the internet for Tailscale to be able to reach it. | ||
| This means that you will need to have a public domain name and a valid SSL certificate for | ||
| your Tinyauth instance. | ||
| ::: | ||
|
|
||
|
|
||
| ## Tinyauth Configuration | ||
|
|
||
| To begin with, we need to generate a client ID and secret in Tinyauth for Tailscale. This can be done by running the following command: | ||
|
|
||
| <Tabs> | ||
| <TabItem label="Docker"> | ||
| ```sh | ||
| docker run -i -t --rm ghcr.io/steveiliop56/tinyauth:v5 oidc create tailscale | ||
| ``` | ||
| </TabItem> | ||
| <TabItem label="Binary"> | ||
| ```sh | ||
| ./tinyauth oidc create tailscale | ||
| ``` | ||
| </TabItem> | ||
| <TabItem label="Browser"> | ||
| <CreateOIDCClientTool /> | ||
| </TabItem> | ||
| </Tabs> | ||
|
|
||
| From the output, make sure to note down the client ID and secret as we will need them later for the Tinyauth configuration. | ||
|
|
||
| Now, we can pass our configuration to Tinyauth using environment variables: | ||
|
|
||
| ```sh | ||
| TINYAUTH_OIDC_PRIVATEKEYPATH=/path/to/private/key.pem | ||
| TINYAUTH_OIDC_PUBLICKEYPATH=/path/to/public/key.pem | ||
| TINYAUTH_OIDC_CLIENTS_TAILSCALE_CLIENTID=client-id | ||
| TINYAUTH_OIDC_CLIENTS_TAILSCALE_CLIENTSECRET=ta-client-secret | ||
| TINYAUTH_OIDC_CLIENTS_TAILSCALE_TRUSTEDREDIRECTURIS=https://login.tailscale.com/a/oauth_response | ||
| TINYAUTH_OIDC_CLIENTS_TAILSCALE_NAME=Tailscale | ||
| ``` | ||
|
|
||
| ## Sign-up in Tailscale | ||
|
|
||
| :::note | ||
| These steps are quoted from the [Tailscale documentation](https://tailscale.com/docs/integrations/identity/custom-oidc#tailscale-setup). | ||
| ::: | ||
|
|
||
| <Steps> | ||
|
|
||
| 1. Go to the [Sign up with OIDC](https://login.tailscale.com/start/oidc) page of the admin console or | ||
| when signing-up for a new account, select the **Sign up with OIDC** option. | ||
|
|
||
| <img alt="Tailscale Sign-up with OIDC" width="256" | ||
| src="https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fsign-up-oidc.b699a417.png&w=1080&q=75" /> | ||
|
|
||
| 2. In the Email address field, enter the administrator's full email address. | ||
| The domain in the email address must match the domain where the WebFinger endpoint is served, and the domain you will use for Tailscale. | ||
|
|
||
| 3. Select **Get OIDC** Issuer. If Tailscale is able to retrieve the issuer from Tinyauth, it will be displayed in the Issuer field. | ||
|
|
||
| 4. In the Client ID field, enter the client ID we generated previously. | ||
|
|
||
| 5. Likewise, in the Client Secret, enter the Client Secret. | ||
|
|
||
| 6. If you like, you can skip the consent screen of Tinyauth by selecting the `none` prompt. | ||
|
|
||
| 7. Select **Sign up with OIDC**. You will be redirected to Tinyauth for authentication. | ||
|
|
||
| 8. Log in to your provider using the email you entered in step 2. Upon authentication, you will be redirected to the Tailscale admin console. | ||
|
|
||
| </Steps> | ||
|
|
||
| The user that configures OIDC for Tailscale becomes the first user in the tailnet and Owner of the tailnet. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.