{"id":27362553,"url":"https://github.com/tailscale/tsidp","last_synced_at":"2026-02-07T02:02:46.581Z","repository":{"id":314830629,"uuid":"1051235507","full_name":"tailscale/tsidp","owner":"tailscale","description":"A simple OIDC / OAuth Identity Provider (IdP) server for your tailnet.","archived":false,"fork":false,"pushed_at":"2026-01-29T20:46:44.000Z","size":2616,"stargazers_count":446,"open_issues_count":39,"forks_count":32,"subscribers_count":11,"default_branch":"main","last_synced_at":"2026-02-02T03:37:23.084Z","etag":null,"topics":["idp","mcp","oauth","oauth2","oidc","tailscale"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/tailscale.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-09-05T16:49:35.000Z","updated_at":"2026-02-01T18:08:53.000Z","dependencies_parsed_at":"2025-09-15T04:29:44.248Z","dependency_job_id":"141315d9-add8-45f0-8ad2-1003943240bb","html_url":"https://github.com/tailscale/tsidp","commit_stats":null,"previous_names":["tailscale/tsidp"],"tags_count":9,"template":false,"template_full_name":null,"purl":"pkg:github/tailscale/tsidp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tailscale%2Ftsidp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tailscale%2Ftsidp/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tailscale%2Ftsidp/releases","manifests_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tailscale%2Ftsidp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/tailscale","download_url":"https://codeload.github.com/tailscale/tsidp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/tailscale%2Ftsidp/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29184977,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-07T00:44:15.062Z","status":"online","status_checked_at":"2026-02-07T02:00:07.217Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["idp","mcp","oauth","oauth2","oidc","tailscale"],"created_at":"2025-04-13T03:21:27.639Z","updated_at":"2026-02-07T02:02:46.576Z","avatar_url":"https://github.com/tailscale.png","language":"Go","readme":"# `tsidp` - Tailscale OpenID Connect (OIDC) Identity Provider\n\n\u003e [!CAUTION]\n\u003e This is an experimental update of tsidp. It is under active development and may experience breaking changes.\n\n[![status: community project](https://img.shields.io/badge/status-community_project-blue)](https://tailscale.com/kb/1531/community-projects)\n\n`tsidp` is an OIDC / OAuth Identity Provider (IdP) server that integrates with your Tailscale network. 
It allows you to use Tailscale identities for authentication into applications that support OpenID Connect as well as authenticated MCP client / server connections.\n\n## Prerequisites\n\n- A Tailscale network (tailnet) with MagicDNS and HTTPS enabled\n- A Tailscale authentication key from your tailnet\n- (Recommended) Docker installed on your system\n- Ability to set an Application capability grant\n\n## Running tsidp\n\n### (Recommended) Using the pre-built image\n\nDocker images are automatically published at \u003chttps://ghcr.io/tailscale/tsidp\u003e when releases are tagged.\n\n\u003e [!TIP]\n\u003e Replace `YOUR_TAILSCALE_AUTHKEY` with your Tailscale authentication key in the following commands:\n\u003e\n\u003e Use an existing auth key or create a new auth key in the [**Keys**](https://login.tailscale.com/admin/settings/keys) page of the Tailscale admin console. Ensure you select an existing [tag](https://tailscale.com/kb/1068/tags) or create a new one.\n\nHere is an example [docker compose](https://docs.docker.com/compose/) YAML file for tsidp:\n\n```yaml\nservices:\n  tsidp:\n    container_name: tsidp\n    image: ghcr.io/tailscale/tsidp:latest\n    volumes:\n      - tsidp-data:/data\n    environment:\n      - TAILSCALE_USE_WIP_CODE=1 # tsidp is experimental - needed while version \u003c1.0.0\n      - TS_STATE_DIR=/data # store persistent tsnet and tsidp state\n      - TS_HOSTNAME=idp # Hostname on tailnet (becomes idp.your-tailnet.ts.net)\n      - TSIDP_ENABLE_STS=1 # Enable OAuth token exchange\n      # Optional: Tailscale auth key for automatic node registration\n      # - TS_AUTHKEY=tskey-auth-xxxxx\nvolumes:\n  tsidp-data:\n```\n\nPaste the YAML snippet above into a file named `compose.yaml`. Once the compose file has been edited to your satisfaction, start tsidp by issuing `docker compose up -d`. 
Monitor the result with `docker compose logs -f`.\n\nOnce tsidp has started, visit `https://idp.your-tailnet.ts.net` in a browser to confirm the service is running.\n\n\u003e [!NOTE]\n\u003e If you're running tsidp for the first time it may take a few minutes for the TLS certificate to be issued. You may not be able to access the service until the certificate is ready.\n\n### Other Ways to Build and Run\n\n\u003cdetails\u003e\n\u003csummary\u003eBuilding your own container\u003c/summary\u003e\n\n```bash\n$ make docker-image\n```\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n\u003csummary\u003eUsing Go directly\u003c/summary\u003e\n\nIf you'd like to build tsidp and / or run it directly you can do the following:\n\n```bash\n# Clone the tsidp repository\n$ git clone https://github.com/tailscale/tsidp.git\n$ cd tsidp\n\n# run with default values for flags\n$ TAILSCALE_USE_WIP_CODE=1 TS_AUTHKEY={YOUR_TAILSCALE_AUTHKEY} TSNET_FORCE_LOGIN=1 go run .\n```\n\n\u003c/details\u003e\n\n## Setting an Application Capability Grant\n\n\u003e [!IMPORTANT]\n\u003e Access to the admin UI and the dynamic client registration endpoints is **denied** by default.\n\n\u003e [!WARNING]\n\u003e tsidp's application capability schema is still in development and may change at any time.\n\n- Set an [Application capability](https://tailscale.com/kb/1537/grants-app-capabilities) to grant access to the admin UI and DCR endpoints.\n- Configure grants in the [**Access controls**](https://login.tailscale.com/admin/acls/) page of the Tailscale admin console.\n- App capability grants are evaluated per request and take effect immediately. 
No need to restart tsidp.\n\n### Example\n\n```hujson\n\"grants\": [\n  {\n    // Very permissive and suitable only for testing.\n    \"src\": [\"*\"],\n    \"dst\": [\"*\"],\n\n    // Example of a grant for tsidp:\n    \"app\": {\n      \"tailscale.com/cap/tsidp\": [\n        {\n          // allow access to the admin UI\n          \"allow_admin_ui\": true,\n\n          // allow dynamic client registration\n          \"allow_dcr\": true,\n\n          // Security Token Service (STS) controls: which users' tokens\n          // may be exchanged, and for which resources\n          \"users\":     [\"*\"],\n          \"resources\": [\"*\"],\n\n          // extraClaims are included in the id_token\n          // recommend: keep this small and simple\n          \"extraClaims\": {\n            \"bools\": true,\n            \"strings\": \"Mon Jan 2 15:04:05 MST 2006\",\n            \"numbers\": 180,\n            \"array1\": [1,2,3],\n            \"array2\": [\"one\", \"two\", \"three\"]\n          },\n\n          // include extraClaims data in /userinfo response\n          \"includeInUserInfo\": true,\n        },\n      ],\n    },\n  },\n],\n```\n\n## tsidp Configuration Options\n\nThe `tsidp-server` is configured by several command-line flags:\n\n| Flag                    | Description                                                                                        | Default  |\n| ----------------------- | -------------------------------------------------------------------------------------------------- | -------- |\n| `-dir \u003cpath\u003e`           | Directory path to save tsnet and tsidp state. Setting it is recommended.                           | `\"\"`     |\n| `-hostname \u003chostname\u003e`  | Hostname on tailnet. Will become `\u003chostname\u003e.your-tailnet.ts.net`                                  | `idp`    |\n| `-port \u003cport\u003e`          | Port to listen on                                                                                  | `443`    |\n| `-local-port \u003cport\u003e`    | Listen on `localhost:\u003cport\u003e`. 
Useful for testing                                                   | disabled |\n| `-use-local-tailscaled` | Use the local tailscaled instead of an embedded tsnet node                                         | `false`  |\n| `-funnel`               | Use Tailscale Funnel to make tsidp available on the public internet so it works with SaaS products | disabled |\n| `-enable-sts`           | Enable OAuth 2.0 token exchange (RFC 8693)                                                         | disabled |\n| `-log \u003clevel\u003e`          | Set logging level: `debug`, `info`, `warn`, `error`                                                | `info`   |\n| `-debug-all-requests`   | For development only. Prints all requests and responses; the output includes tokens and credentials, so never enable it in production | disabled |\n| `-debug-tsnet`          | For development. Enables debug level logging for the tsnet connection                              | disabled |\n\n### CLI Environment Variables\n\nThe `tsidp-server` binary is configured through the CLI flags above. However, there are several environment variables that configure the libraries `tsidp-server` uses to connect to the tailnet.\n\n#### Required\n\n- `TAILSCALE_USE_WIP_CODE=1`: required while tsidp is in development (\u003cv1.0.0).\n\n#### Optional\n\nThese environment variables are used when tsidp does not have any state information set in `-dir \u003cpath\u003e`.\n\n- `TS_AUTHKEY=\u003ckey\u003e`: Key for registering tsidp as a new node on your tailnet. If omitted, a login link is printed so you can register the node manually.\n- `TSNET_FORCE_LOGIN=1`: Force re-login of the node. Useful during development.\n\n### Docker Environment Variables\n\nThe Docker image exposes the CLI flags through environment variables. If omitted, the default values for the CLI flags will be used.\n\n\u003e [!NOTE]\n\u003e `TS_STATE_DIR` and `TS_HOSTNAME` are legacy names. 
These will be replaced by `TSIDP_STATE_DIR` and `TSIDP_HOSTNAME` in the future.\n\n| Environment Variable                     | CLI flag                   |\n| ---------------------------------------- | -------------------------- |\n| `TS_STATE_DIR=\u003cpath\u003e` _\\*note prefix_    | `-dir \u003cpath\u003e`              |\n| `TS_HOSTNAME=\u003chostname\u003e` _\\*note prefix_ | `-hostname \u003chostname\u003e`     |\n| `TSIDP_PORT=\u003cport\u003e`                      | `-port \u003cport\u003e`             |\n| `TSIDP_LOCAL_PORT=\u003clocal-port\u003e`          | `-local-port \u003clocal-port\u003e` |\n| `TSIDP_USE_FUNNEL=1`                     | `-funnel`                  |\n| `TSIDP_ENABLE_STS=1`                     | `-enable-sts`              |\n| `TSIDP_LOG=\u003clevel\u003e`                      | `-log \u003clevel\u003e`             |\n| `TSIDP_DEBUG_TSNET=1`                    | `-debug-tsnet`             |\n| `TSIDP_DEBUG_ALL_REQUESTS=1`             | `-debug-all-requests`      |\n\n## Application Configuration Guides (WIP)\n\ntsidp can be used as an IdP server for any application that supports custom OIDC providers.\n\n\u003e [!IMPORTANT]\n\u003e If you'd like to use tsidp to log in to a SaaS application outside of your tailnet rather than a self-hosted app inside of your tailnet, you'll need to run tsidp with `-funnel` enabled. Funnel exposes the IdP to the public internet, so enable it only when a SaaS integration actually requires it.\n\n- [Proxmox](docs/proxmox/README.md)\n\n### TODOs\n\n- (TODO) Grafana\n- (TODO) open-webui\n- (TODO) Jellyfin\n- (TODO) Salesforce\n- (TODO) ...\n\n## MCP Configuration Guides\n\ntsidp supports all of the endpoints required and recommended by the [MCP Authorization specification](https://modelcontextprotocol.io/specification/draft/basic/authorization), including Dynamic Client Registration (DCR). 
More information can be found in the following examples:\n\n- [MCP Client / Server](./examples/mcp-server/README.md)\n- [MCP Client / Gateway Server](./examples/mcp-gateway/README.md)\n\n## Support\n\nThis is an experimental, work in progress, [community project](https://tailscale.com/kb/1531/community-projects). For issues or questions, file issues on the [GitHub repository](https://github.com/tailscale/tsidp).\n\n## License\n\nBSD-3-Clause License. See [LICENSE](./LICENSE) for details.\n","funding_links":[],"categories":["📚 Projects (1974 total)"],"sub_categories":["MCP Servers"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftailscale%2Ftsidp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftailscale%2Ftsidp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftailscale%2Ftsidp/lists"}
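The following Go program is an added example and is not code from the tsidp project. It models how a reviewer (or a relying service) could evaluate the `tailscale.com/cap/tsidp` rules from the README's grant example, including the STS `users` / `resources` controls that matter once `-enable-sts` is on. Only the JSON field names are taken from the README; the combination rules (AND across a rule's `users` and `resources`, OR across multiple rules a peer holds, first-defined extraClaim wins) and the rejection of `extraClaims` that collide with standard ID-token claims are this example's own assumptions, not documented tsidp behaviour. The sample grant is constructed, and its hostnames and addresses are placeholders.

```go
package main

import (
	"encoding/json"
	"fmt"
	"log"
)

// capRule is this example's own struct for one entry under the
// "tailscale.com/cap/tsidp" app capability. The JSON field names are the
// ones used in the README's grant example; the semantics below are assumed.
type capRule struct {
	AllowAdminUI      bool           `json:"allow_admin_ui"`
	AllowDCR          bool           `json:"allow_dcr"`
	Users             []string       `json:"users"`
	Resources         []string       `json:"resources"`
	ExtraClaims       map[string]any `json:"extraClaims"`
	IncludeInUserInfo bool           `json:"includeInUserInfo"`
}

// standardClaims are ID-token claims an extraClaims block must not redefine.
// This guard is the example's own, not a documented tsidp check.
var standardClaims = map[string]bool{
	"iss": true, "sub": true, "aud": true, "exp": true, "iat": true, "nonce": true,
}

// parseRules decodes the rule list a peer carries for the capability and
// rejects extraClaims that collide with standard claims. Grants in the admin
// console are HuJSON (comments, trailing commas); the constructed sample
// below is plain JSON so encoding/json can read it.
func parseRules(data []byte) ([]capRule, error) {
	var rules []capRule
	if err := json.Unmarshal(data, &rules); err != nil {
		return nil, fmt.Errorf("decode grant: %w", err)
	}
	for i, r := range rules {
		for k := range r.ExtraClaims {
			if standardClaims[k] {
				return nil, fmt.Errorf("rule %d: extraClaims may not set standard claim %q", i, k)
			}
		}
	}
	return rules, nil
}

// matches reports whether value is covered by a list that may contain "*".
// Comparison is exact: no prefix or glob matching beyond the bare wildcard.
func matches(list []string, value string) bool {
	for _, v := range list {
		if v == "*" || v == value {
			return true
		}
	}
	return false
}

// anyRule reports whether at least one of a peer's rules satisfies pred. A
// peer may hold several rules (one per matching grant); any one suffices.
func anyRule(rules []capRule, pred func(capRule) bool) bool {
	for _, r := range rules {
		if pred(r) {
			return true
		}
	}
	return false
}

func allowAdminUI(rules []capRule) bool { return anyRule(rules, func(r capRule) bool { return r.AllowAdminUI }) }
func allowDCR(rules []capRule) bool     { return anyRule(rules, func(r capRule) bool { return r.AllowDCR }) }

// stsAllowed decides whether a token issued to user may be exchanged
// (RFC 8693) for one scoped to resource. Assumed semantics: a rule permits
// the exchange only when its users AND resources lists both cover the
// request, so users ["*"] with a narrow resources list still pins the audience.
func stsAllowed(rules []capRule, user, resource string) bool {
	return anyRule(rules, func(r capRule) bool {
		return matches(r.Users, user) && matches(r.Resources, resource)
	})
}

// userinfoClaims collects the extraClaims that should also appear in the
// /userinfo response: only rules with includeInUserInfo contribute, and the
// first rule to define a claim wins.
func userinfoClaims(rules []capRule) map[string]any {
	out := map[string]any{}
	for _, r := range rules {
		if !r.IncludeInUserInfo {
			continue
		}
		for k, v := range r.ExtraClaims {
			if _, dup := out[k]; !dup {
				out[k] = v
			}
		}
	}
	return out
}

// sampleGrant is a constructed, least-privilege counterpart to the README's
// wildcard example: no admin UI, DCR allowed, token exchange only for one
// user and one MCP resource. Hostnames and addresses are placeholders.
const sampleGrant = `[
  {
    "allow_admin_ui": false,
    "allow_dcr": true,
    "users": ["alice@example.com"],
    "resources": ["https://mcp.your-tailnet.ts.net/"],
    "extraClaims": {"team": "platform"},
    "includeInUserInfo": true
  }
]`

func main() {
	rules, err := parseRules([]byte(sampleGrant))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("admin UI:", allowAdminUI(rules), "DCR:", allowDCR(rules))
	fmt.Println("alice -> mcp:", stsAllowed(rules, "alice@example.com", "https://mcp.your-tailnet.ts.net/"))
	fmt.Println("bob -> mcp:", stsAllowed(rules, "bob@example.com", "https://mcp.your-tailnet.ts.net/"))
	fmt.Println("userinfo:", userinfoClaims(rules))
}
```

The point of the narrow `sampleGrant` is the contrast with the README's `"users": ["*"], "resources": ["*"]` block: with wildcards, any tailnet identity's token can be exchanged for any audience, which is fine for testing but is the first thing to tighten before pointing real MCP servers at the IdP.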