top | item 35376950

Vexs | 2 years ago

Every time I see tailscale do something really neat I'm always a little disappointed to find out they still offer only the three auth schemes, and I really don't want to tie my networking to google/github/ms. On top of the various tinfoil hat reasons, I know a variety of people who have had these accounts terminated out of the blue, and it throwing out my networking stack would be insanely aggravating.

If you're reading tailscale, I will pay you actual real dollars per month to offer a different not-tied-to-a-megacorp authentication scheme. Till then, guess I've got headscale.

xena | 2 years ago

You're in luck: https://tailscale.com/blog/custom-oidc/

You also don't need to pay Tailscale to use it.

Vexs | 2 years ago

Well god damn there it is! Three days fresh, even! Thanks!

Looks like a fair lot of work to get it configured, but few good things come entirely free. Wonder if there's enough people that could get together for a communal one...?

xrd | 2 years ago

Got to the end of that post and thought: definitely don't want to self host that!

Are there good options for an IdP that has good data policies that are easy to wire in with tailscale? I'm not opposed to paying for it. I wonder if Zoho can do this for me, I'm very happy paying them $12/yr for email.

evntdrvn | 2 years ago

yayyy! Thanks Xe and friends!

Question about the docs, it mentions that "The WebFinger endpoint must be hosted at the domain of the email address provided during setup". Would it be possible to support a subdomain?

Also, a small ask: could the WebFinger request that's sent include the `rel` and well-known user `resource` params, for the situations where there's already a WebFinger implementation there that isn't 100% under dev control and requires these params, like:

    GET /.well-known/webfinger?
        resource=tailscale-webfinger%3A%40mydomain.com&
        rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer
        HTTP/1.1
    Host: mydomain.com

Lastly, is this request resent at every auth event?

Thanks!
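To make the `resource` / `rel` discussion above concrete, here is an added example (not code from the thread, from Tailscale, or from any real WebFinger server) of the server side of that request: a minimal RFC 7033 responder that percent-decodes the query, refuses subjects outside the domain it serves, and, when `rel` parameters are present, returns only the matching links (RFC 7033 section 4.3). The `SERVED_DOMAIN`, the issuer URL `https://idp.example.com` and the second link are constructed values; the `tailscale-webfinger:@mydomain.com` resource shape is taken from the commenter's sample request and is treated here as just another `scheme:@domain` identifier, not as a documented Tailscale format. The domain check also illustrates why the endpoint has to live at the e-mail address's own domain: a WebFinger client derives the host it queries from the resource identifier (RFC 7033 section 3.1), so the server has no say in the matter.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed configuration for this example (assumed values, not Tailscale's):
# the domain whose /.well-known/webfinger this code serves, and the links it
# advertises. The issuer rel is the one the commenter's request asks for.
SERVED_DOMAIN = "mydomain.com"
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
LINKS = [
    {"rel": OIDC_ISSUER_REL, "href": "https://idp.example.com"},
    {"rel": "http://webfinger.net/rel/profile-page", "href": "https://mydomain.com/about"},
]


def resource_domain(resource):
    """Return the domain a WebFinger resource identifier belongs to, or None.

    Handles acct:user@domain, http(s) URLs, and the scheme:@domain shape used
    in the commenter's request (tailscale-webfinger:@mydomain.com).
    """
    scheme, sep, rest = resource.partition(":")
    if not sep or not rest:
        return None
    if scheme.lower() in ("http", "https"):
        host = urlsplit(resource).hostname
        return host.lower() if host else None
    # acct:user@domain or scheme:@domain -> the text after the last '@'
    _, at, domain = rest.rpartition("@")
    return domain.lower() if at and domain else None


def webfinger_jrd(query_string):
    """Core logic for GET /.well-known/webfinger.

    Returns (status, jrd): jrd is the JSON Resource Descriptor dict on 200
    and None for error statuses.
    """
    params = parse_qs(query_string)           # percent-decodes the values
    resources = params.get("resource", [])
    if len(resources) != 1:                   # RFC 7033 4.1: exactly one resource
        return 400, None
    resource = resources[0]
    # Only answer for subjects on the domain we serve; anything else is 404
    # (RFC 7033 4.2). Never echo links for a domain we do not control.
    if resource_domain(resource) != SERVED_DOMAIN:
        return 404, None
    # RFC 7033 4.3: when rel params are present, return only matching links;
    # with no rel, return them all.
    wanted = set(params.get("rel", []))
    links = [link for link in LINKS if not wanted or link["rel"] in wanted]
    return 200, {"subject": resource, "links": links}


def handle(query_string):
    """HTTP-shaped wrapper: (status, headers, body) with the JRD media type."""
    status, jrd = webfinger_jrd(query_string)
    headers = {
        "Content-Type": "application/jrd+json",   # RFC 7033 4.4
        "Access-Control-Allow-Origin": "*",       # RFC 7033 5 recommends CORS
    }
    return status, headers, (json.dumps(jrd) if jrd is not None else "")


if __name__ == "__main__":
    # The commenter's request, as it would arrive in the query string.
    q = ("resource=tailscale-webfinger%3A%40mydomain.com"
         "&rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer")
    print(handle(q))
```

Wire `handle()` to whatever framework fronts `/.well-known/webfinger`; the only inputs it needs are the raw query string and, on the framework side, routing of the `mydomain.com` host. The `rel` filter is what lets a shared or third-party WebFinger deployment serve the OIDC issuer link to one client without also exposing every other link it knows about.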

dx034 | 2 years ago

Are there really Microsoft accounts that were terminated out of the blue? I always had the feeling they acted a bit more responsibly around that than Google.

mr337 | 2 years ago

Yup, in the same boat. Don't need google to decide on a whim that my account is odd and lock me out and thus all the access to my devices.