undefined | Better HN

0 pointshashworks2y ago0 comments

For companies this is the way. But I guess for personal use a private Keycloak instance is a bit overkill?

0 comments

You certainly don't need a full on Keycloak installation here, if you don't want to go that far. There's various OIDC providers, some more complex than others!

stryan2y ago

If you already have LDAP or some other backing auth, setting up Dex for OIDC is pretty easy. Took me less than an hour or so.

If you want something fancier Authelia isn't too bad, I got that running in an evening and hooking it up to Tailscale took another hour or two. Most of that spent figuring out how I want to do webfinger.

phantomathkg2y ago

Curious, do you any blog/post that you used to guide your set up that you can share?

stryan2y ago

I haven't written one yet, but the provided docs are pretty easy to follow:

1. Tailscale has their custom OIDC docs that tell you everything you need, plus the Webfinger setup: https://tailscale.com/kb/1240/sso-custom-oidc/

2. I set up Webfinger first, so assuming you're setting it up from scratch you can either run a Webfinger server yourself, or just configure the paths in whatever web server you have for your base domain. I didn't feel like running Yet Another Server and since the Tailnet's only for me I just plugged the following section into Caddy:

  @webfinger {
    path /.well-known/webfinger
    method GET HEAD
    query resource=acct:MY@EMAIL
  }
  rewrite @webfinger /webfinger.json
  header @webfinger {
    Content-Type "application/jrd+json"
    Access-Control-Allow-Origin "\*"
    X-Robots-Tag "noindex"
  }

Where webfinger.json is file containing the response tailscale is looking for from their doc. You can verify it works right at https://webfinger.net/lookup/ .

3. For Dex you can just set it up like any OIDC connection; Authelia was about the same but they have their own page: https://www.authelia.com/integration/openid-connect/tailscal...

Took me about an hour or two, most of that being wishy-washy on how I wanted to serve Webfinger.

agarsev2y ago

I setup authelia specifically for this and it was barely a morning's work, and works beautifully.

nulbyte2y ago

I guess I'm doing overkill then. I actually use Keycloak for Tailscale. It also serves as authentication for my Nextcloud and Mastodon instances, so maybe slightly less overkill.

j / k navigate · click thread line to collapse

0 comments

Operyl2y ago

You certainly don't need a full on Keycloak installation here, if you don't want to go that far. There's various OIDC providers, some more complex than others!

stryan2y ago

If you already have LDAP or some other backing auth, setting up Dex for OIDC is pretty easy. Took me less than an hour or so.

phantomathkg2y ago

Curious, do you any blog/post that you used to guide your set up that you can share?

stryan2y ago

I haven't written one yet, but the provided docs are pretty easy to follow:

1. Tailscale has their custom OIDC docs that tell you everything you need, plus the Webfinger setup: https://tailscale.com/kb/1240/sso-custom-oidc/

  @webfinger {
    path /.well-known/webfinger
    method GET HEAD
    query resource=acct:MY@EMAIL
  }
  rewrite @webfinger /webfinger.json
  header @webfinger {
    Content-Type "application/jrd+json"
    Access-Control-Allow-Origin "\*"
    X-Robots-Tag "noindex"
  }

Where webfinger.json is file containing the response tailscale is looking for from their doc. You can verify it works right at https://webfinger.net/lookup/ .

3. For Dex you can just set it up like any OIDC connection; Authelia was about the same but they have their own page: https://www.authelia.com/integration/openid-connect/tailscal...

Took me about an hour or two, most of that being wishy-washy on how I wanted to serve Webfinger.

agarsev2y ago

I setup authelia specifically for this and it was barely a morning's work, and works beautifully.

nulbyte2y ago

I guess I'm doing overkill then. I actually use Keycloak for Tailscale. It also serves as authentication for my Nextcloud and Mastodon instances, so maybe slightly less overkill.

j / k navigate · click thread line to collapse