How to configure tailscale with keycloak OIDC auth

1_tailscale_with_keycloak_auth.md

Tailscale is OIDC compliant now!!!

We self-hosted headscale, but wanted to move to their cloud product for higher reliablity.

The way that tailscale authenticates for an email like denzell.f@trieve.ai is:

1. Makes a call to https://trieve.ai/.well-known/webfinger?resource=acct:denzell.f@trieve.ai. The response should look like this

{
  "links": [
    {
      "href": "https://auth.trieve.ai/realms/trieve-organization",
      "rel": "http://openid.net/specs/connect/1.0/issuer"
    }
  ],
  "subject": "acct:denzell.f@trieve.ai"
}

2. Makes calls to your oidc provider based on the href value.

this is gist a blog and Tailscale has pretty good documentation on everything after webfinger in their docs and in this blog.

Settting up webfinger is an excersize left to the reader.

The blog reccomends to have .well-known/web-finger just return a static response.

tailscale/tailscale#379

This doesn't work for multiple users, this is how we setup a simple webfinger server to support multiple users.

Quickstart

git clone https://gist.github.com/cdxker/160f5cd730fcd6818dbf32c954b5577c web-finger
cd web-finger
echo "OAUTH_SERVER_URL=auth.trieve.ai" > .env # Replace this with your auth-server url
docker compose -f 4_docker-compose.yml up -d --build

We use Caddy to host our static files, so all we have to do is setup a rule to redirect traffic to trieve.ai/.well-known/webfinger

App Breakdown

2_App.py

I made a simple flask server to make this more dynamic.

3_Dockerfile

Made a basic Dockerfile, python is annoying on bare metal.

4_docker-compose.yml

Setup for docker-compose so you can easily deploy

5_Caddyfile

Caddyfile for directing traffic to different servers and assigning the SSL

2_app.py

from flask import Flask, request, jsonify
import os

app = Flask(__name__)

OAUTH_SERVER_URL = os.environ.get('OAUTH_SERVER_URL', 'https://auth.trieve.ai')

@app.route("/.well-known/webfinger")
def webfinger():
    resource = request.args.get('resource')
    if not resource:
        return jsonify({"error": "Resource parameter is required"}), 400

    # Here you would typically look up the user or resource
    # and return the appropriate information
    # This is a simplified example
    response = {
        "subject": resource,
        "links": [
            {
                "rel": "http://openid.net/specs/connect/1.0/issuer",
                "href": f"{OAUTH_SERVER_URL}"
            }
        ]
    }

    return jsonify(response)

@app.route('/health', methods=['GET'])
def health():

    return "i am here"


if __name__ == "__main__":
    app.run(host="0.0.0.0", port=5000)

3_Dockerfile

# Use an official Python runtime as the base image
FROM python:3.9-slim

# Set the working directory in the container
WORKDIR /app

# Install the required packages
RUN pip install --no-cache-dir flask

# Copy the current directory contents into the container at /app
COPY . /app

# Make port 5000 available to the world outside this container
EXPOSE 5000

# Run app.py when the container launches
CMD ["python", "app.py"]

4_docker-compose.yml

version: '3.8'

services:
  webfinger-server:
    image: trieve/webfinger-oauth-accept
    build: .
    ports:
      - "5000:5000"
    environment:
      - OAUTH_SERVER_URL=${OAUTH_SERVER_URL}
    restart: unless-stopped

networks:
  app-network:
    driver: bridge

5_Caddyfile

{
    email developer@trieve.ai
}

trieve.ai {
    reverse_proxy /.well-known/webfinger localhost:5000 # Routing this to webfinger

    reverse_proxy localhost:6000 # Route this our website url or anything else you want
}