Caution
This is an experimental update of tsidp. It is under active development and may experience breaking changes.
tsidp is an OIDC / OAuth Identity Provider (IdP) server that integrates with your Tailscale network. It allows you to use Tailscale identities for authentication into applications that support OpenID Connect, as well as for authenticated MCP client / server connections.
- A Tailscale network (tailnet) with magicDNS and HTTPS enabled
- A Tailscale authentication key from your tailnet
- (Recommended) Docker installed on your system
To be updated.
Building your own container
Replace YOUR_TAILSCALE_AUTHKEY with your Tailscale authentication key in the following commands:
- Use an existing auth key or create a new auth key in the Tailscale dashboard. Ensure you select an existing tag or create a new one.
# Build the container using the included Dockerfile
docker build -t tsidp .
# Run tsidp with a persistent volume to store state
docker run -d \
--name tsidp \
-p 443:443 \
-e TS_AUTHKEY=YOUR_TAILSCALE_AUTHKEY \
-e TSNET_FORCE_LOGIN=1 \
-e TAILSCALE_USE_WIP_CODE=1 \
-v tsidp-data:/var/lib/tsidp \
tsidp --hostname=idp --dir=/var/lib/tsidp
Visit https://idp.yourtailnet.ts.net to confirm the service is running.
If you're running tsidp for the first time, you may not be able to access it initially even though it is running. It takes a few minutes for the TLS certificate to generate.
Using Go directly
If you'd like to build tsidp and / or run it directly, you can do the following:
# Clone the Tailscale repository
git clone https://github.com/tailscale/tsidp.git
cd tsidp
Replace YOUR_TAILSCALE_AUTHKEY with your Tailscale authentication key in the following commands:
- Use an existing auth key or create a new auth key in the Tailscale dashboard. Ensure you select an existing tag or create a new one.
- Run: TS_AUTHKEY=YOUR_TAILSCALE_AUTHKEY TAILSCALE_USE_WIP_CODE=1 TSNET_FORCE_LOGIN=1 go run .
Visit https://idp.yourtailnet.ts.net to confirm the service is running.
If you're running tsidp for the first time, you may not be able to access it initially even though it is running. It takes a few minutes for the TLS certificate to generate.
tsidp can be used as an IdP server for any application that supports custom OIDC providers.
Important
Note: If you'd like to use tsidp to log in to a SaaS application outside of your tailnet rather than a self-hosted app inside of your tailnet, you'll need to run tsidp with --funnel enabled.
- (TODO) Proxmox
- (TODO) Grafana
- (TODO) open-webui
- (TODO) Jellyfin
- (TODO) Salesforce
- (TODO) ...
tsidp supports all of the endpoints required & suggested by the MCP Authorization specification, including Dynamic Client Registration (DCR). More information can be found in the following examples:
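The two "visit the hostname to confirm the service is running" steps above and the Dynamic Client Registration support described here can be checked together from a client on the tailnet. The script below is an added example, not part of the tsidp project; it assumes tsidp publishes the standard OpenID Connect discovery document at `<issuer>/.well-known/openid-configuration` (the OIDC Discovery convention, which the page does not state explicitly), and the endpoint paths in the constructed sample are illustrative placeholders rather than tsidp's real routes.

```python
"""Reachability and capability check for an OIDC provider such as tsidp.

Added example, not part of the tsidp project. It assumes the server serves the
standard OIDC discovery document at <issuer>/.well-known/openid-configuration
and that the issuer is the tsnet hostname, e.g. https://idp.yourtailnet.ts.net.
"""
import json
import sys
import urllib.request

# Fields an OIDC / OAuth authorization server must publish for a code-flow client.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
# Field an MCP client looks for to self-register (Dynamic Client Registration, RFC 7591).
DCR_FIELD = "registration_endpoint"
# Every URL field that should be served over TLS from the issuer's own origin.
URL_FIELDS = ("authorization_endpoint", "token_endpoint", "jwks_uri", DCR_FIELD)


def check_discovery(doc: dict, expected_issuer: str) -> list[str]:
    """Return a list of problems found in a discovery document; empty means OK."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field {field}")
    issuer = doc.get("issuer")
    want = expected_issuer.rstrip("/")
    if issuer is not None and issuer.rstrip("/") != want:
        # Relying parties bind ID tokens to the issuer string; a mismatch means
        # the service answering here is not the IdP that was configured.
        problems.append(f"issuer {issuer!r} does not match expected {want!r}")
    for field in URL_FIELDS:
        url = doc.get(field)
        if url is None:
            continue
        if not url.startswith("https://"):
            problems.append(f"{field} is not served over https: {url}")
        elif not url.startswith(want + "/"):
            # Endpoints hosted on another origin would hand authorization
            # codes or tokens to a different host; flag them for review.
            problems.append(f"{field} is outside the issuer origin: {url}")
    if DCR_FIELD not in doc:
        problems.append(
            f"no {DCR_FIELD}: Dynamic Client Registration unavailable, "
            "MCP clients cannot self-register"
        )
    return problems


def fetch_discovery(issuer: str, timeout: float = 10.0) -> dict:
    """Download the discovery document from a live issuer (needs tailnet access)."""
    url = issuer.rstrip("/") + "/.well-known/openid-configuration"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return json.load(resp)


# Constructed sample of a healthy discovery document. The hostname is the
# placeholder from the README and the endpoint paths are illustrative only;
# nothing here was captured from a real tsidp server.
SAMPLE_ISSUER = "https://idp.yourtailnet.ts.net"
SAMPLE_DISCOVERY = {
    "issuer": SAMPLE_ISSUER,
    "authorization_endpoint": SAMPLE_ISSUER + "/authorize",
    "token_endpoint": SAMPLE_ISSUER + "/token",
    "jwks_uri": SAMPLE_ISSUER + "/.well-known/jwks.json",
    "registration_endpoint": SAMPLE_ISSUER + "/register",
}


def main(argv: list[str]) -> int:
    issuer = argv[1] if len(argv) > 1 else SAMPLE_ISSUER
    try:
        doc = fetch_discovery(issuer)
    except Exception as exc:  # DNS, certificate not yet issued, or not on the tailnet
        print(f"could not fetch discovery document from {issuer}: {exc}")
        return 2
    problems = check_discovery(doc, issuer)
    for problem in problems:
        print("PROBLEM:", problem)
    print("OK" if not problems else f"{len(problems)} problem(s)")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_idp.py https://idp.yourtailnet.ts.net` from a device on the tailnet. A fetch failure in the first minutes after startup is the certificate delay mentioned above rather than a misconfiguration; a missing `registration_endpoint` on a server that is otherwise healthy is what an MCP client would hit when it tries to register itself.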
The tsidp server supports several command-line flags:
- --verbose: Enable verbose logging
- --port: Port to listen on (default: 443)
- --local-port: Allow requests from localhost
- --use-local-tailscaled: Use local tailscaled instead of tsnet
- --funnel: Use Tailscale Funnel to make tsidp available on the public internet so it works with SaaS products
- --hostname: tsnet hostname
- --dir: tsnet state directory
- --enable-sts: Enable OAuth token exchange using RFC 8693
- --enable-debug: Enable debug printing of requests to the server
- TS_AUTHKEY: Your Tailscale authentication key (required)
- TS_HOSTNAME: Hostname for the tsidp server (default: "idp", Docker only)
- TS_STATE_DIR: State directory (default: "/var/lib/tsidp", Docker only)
- TAILSCALE_USE_WIP_CODE: Enable work-in-progress code (default: "1")
This is an experimental, work-in-progress, community project. For issues or questions, file issues on the GitHub repository.
BSD-3-Clause License. See LICENSE for details.