by zrail 1506 days ago
It's transparent. The user is already authenticated to the tailnet by dint of having a tailscale IP. This implementation asks the local tailscale daemon for who the request's IP belongs to and just passes that back up to nginx. It does some filtering to make sure it's an actual user instead of a service machine (i.e. does the IP have tags or not, basically) but otherwise leans entirely on Tailscale's ACLs.
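As an added example (not code from the thread and not Tailscale's own nginx-auth), here is a minimal `auth_request` backend in Python that implements the flow zrail describes: nginx forwards the client address in a subrequest, the backend asks a whois function who that tailnet IP belongs to, refuses tagged (service) nodes, and answers 204 with identity headers or 403. The `fake_whois` lookup and its tailnet data are a constructed stand-in for the local tailscaled API; the `Remote-Addr` header nginx is assumed to forward and the `Tailscale-*` response header names are choices made here.

```python
"""Tiny nginx auth_request backend modelled on the Tailscale whois flow.

Assumed nginx configuration (not from the thread):

    location /auth {
        internal;
        proxy_pass http://127.0.0.1:8000/;
        proxy_set_header Remote-Addr $remote_addr;
    }
    location / {
        auth_request /auth;
        auth_request_set $user $upstream_http_tailscale_user;
        proxy_set_header X-Tailscale-User $user;
        ...
    }
"""
import ipaddress
from dataclasses import dataclass, field
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class WhoIs:
    """Subset of what a tailnet whois answer carries: the owning user and node tags."""
    login_name: str
    display_name: str
    node_name: str
    tags: List[str] = field(default_factory=list)


# Constructed sample tailnet: one human-owned laptop and one tagged service node.
FAKE_TAILNET: Dict[str, WhoIs] = {
    "100.101.102.103": WhoIs("alice@example.com", "Alice Example", "alice-laptop"),
    "100.64.0.7": WhoIs("tagged-devices", "tagged-devices", "ci-runner", ["tag:ci"]),
}


def fake_whois(ip: str) -> Optional[WhoIs]:
    """Stand-in for asking the local tailscaled daemon who an IP belongs to."""
    return FAKE_TAILNET.get(ip)


# Address ranges tailscaled hands out; anything else never came over the tailnet.
TAILSCALE_RANGES = (
    ipaddress.ip_network("100.64.0.0/10"),
    ipaddress.ip_network("fd7a:115c:a1e0::/48"),
)


def authorize(remote_addr: str,
              whois: Callable[[str], Optional[WhoIs]] = fake_whois) -> Tuple[int, Dict[str, str]]:
    """Decide the auth_request outcome: (HTTP status, headers to pass back to nginx)."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return 403, {}
    if not any(addr in net for net in TAILSCALE_RANGES):
        return 403, {}  # not a tailnet address at all
    info = whois(remote_addr)
    if info is None:
        return 403, {}  # tailnet range, but tailscaled does not know this peer
    if info.tags:
        return 403, {}  # tagged node = service machine, not a person
    return 204, {
        "Tailscale-User": info.login_name,
        "Tailscale-Name": info.display_name,
        "Tailscale-Node": info.node_name,
    }


class AuthHandler(BaseHTTPRequestHandler):
    """Serves the nginx subrequest; identity comes only from the forwarded address."""

    def do_GET(self) -> None:
        status, headers = authorize(self.headers.get("Remote-Addr", ""))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()

    def log_message(self, *args) -> None:  # keep the example quiet
        pass


if __name__ == "__main__":
    # Run with an nginx auth_request pointed at http://127.0.0.1:8000/
    HTTPServer(("127.0.0.1", 8000), AuthHandler).serve_forever()
```

The point worth noticing is that the backend never authenticates anyone itself: the only input is the source address, which tailscaled already bound to a user, and the only policy the backend adds is "tagged nodes are not users".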

Got it. So, it’s a legit SSO process. Being able to control IP addresses has its advantages!
Yep! As the author alluded to elsewhere in the comments, if you want to make _really sure_ that the user is a person in a browser instead of a rogue malware process on their machine, you can combine this with a YubiKey tap or WebAuthn attestation step.