by Vexs 1171 days ago
Every time I see tailscale do something really neat I'm always a little disappointed to find out they still offer only the three auth schemes- and I really don't want to tie my networking to google/github/ms. On top of the various tinfoil hat reasons, I know a variety of people who have had these accounts terminated out of the blue, and it throwing out my networking stack would be insanely aggravating.

If you're reading tailscale, I will pay you actual real dollars per month to offer a different not-tied-to-a-megacorp authentication scheme. Till then, guess I've got headscale.

You're in luck: https://tailscale.com/blog/custom-oidc/

You also don't need to pay Tailscale to use it.

Well god damn there it is! Three days fresh, even! Thanks!

Looks like a fair lot of work to get it configured, but few good things come entirely free. Wonder if there's enough people that could get together for a communal one...?

Got to the end of that post and thought: definitely don't want to self host that!

Are there good options for an IdP that has good data policies that are easy to wire in with tailscale? I'm not opposed to paying for it. I wonder if Zoho can do this for me, I'm very happy paying them $12/yr for email.

yayyy! Thanks Xe and friends!

Question about the docs, it mentions that "The WebFinger endpoint must be hosted at the domain of the email address provided during setup". Would it be possible to support a subdomain?

Also, a small ask: could the webfinger request that's sent include the `rel` and a well-known user resource params, for the situations where there's already a webfinger implementation there that isn't 100% under dev control which requires these params like

     GET /.well-known/webfinger?
            resource=tailscale-webfinger%3A%40mydomain.com&
            rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer
            HTTP/1.1
     Host: mydomain.com
Lastly, is this request resent at every auth event?

Thanks!
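For anyone who ends up self-hosting the WebFinger side of this, here is an added example (not code from the thread, the Tailscale post or the Tailscale project) of the minimum a `/.well-known/webfinger` endpoint has to do when it receives a request shaped like the one quoted above: accept only resources for the domain it is authoritative for (the docs' "must be hosted at the domain of the email address" rule), answer with a JRD whose link carries the `http://openid.net/specs/connect/1.0/issuer` rel, and honour `rel` filtering the way RFC 7033 section 4.3 describes. `HOSTED_DOMAIN`, `ISSUER` and the `tailscale-webfinger:` resource scheme handling are assumptions taken from the quoted request; the issuer URL is a placeholder.

```python
"""Minimal RFC 7033 WebFinger responder for OIDC issuer discovery (added example).

Assumptions: the JRD shape follows RFC 7033; ISSUER and HOSTED_DOMAIN are
placeholders for your own IdP and login-e-mail domain.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit, parse_qs

HOSTED_DOMAIN = "mydomain.com"            # domain part of the login e-mail addresses (from the quoted request)
ISSUER = "https://idp.example.invalid"    # placeholder: your OIDC issuer URL
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Every link published for the domain. A real deployment may also carry
# profile or avatar rels; a client asks for what it needs via `rel`.
ALL_LINKS = [
    {"rel": OIDC_ISSUER_REL, "href": ISSUER},
]


def resource_domain(resource):
    """Return the host named by an account-style resource (acct:user@host or the
    tailscale-webfinger:@host form from the thread), or None if it is not one."""
    _scheme, sep, rest = resource.partition(":")
    if not sep or "@" not in rest:
        return None
    return rest.rsplit("@", 1)[1].lower()


def webfinger(query):
    """Handle the query string of GET /.well-known/webfinger.

    `query` is the raw, still percent-encoded query string; parse_qs decodes it.
    Returns (http_status, jrd_dict). Per RFC 7033: no `resource` -> 400,
    resource we are not authoritative for -> 404, `rel` may repeat and filters
    the links array (an empty array is still a 200).
    """
    params = parse_qs(query, keep_blank_values=True)
    resources = params.get("resource", [])
    if len(resources) != 1 or not resources[0]:
        return 400, {"error": "exactly one resource parameter is required"}
    resource = resources[0]

    # Only vouch for identities in the domain this endpoint owns; answering for
    # arbitrary hosts would let the endpoint assert issuers for other people's
    # e-mail domains.
    if resource_domain(resource) != HOSTED_DOMAIN:
        return 404, {"error": "unknown resource"}

    wanted = params.get("rel")  # None when the client sent no rel filter
    links = ALL_LINKS if wanted is None else [l for l in ALL_LINKS if l["rel"] in wanted]
    return 200, {"subject": resource, "links": links}


class WebFingerHandler(BaseHTTPRequestHandler):
    """Tiny HTTP front-end around webfinger() so the file runs stand-alone."""

    def do_GET(self):
        parts = urlsplit(self.path)
        if parts.path != "/.well-known/webfinger":
            self.send_error(404)
            return
        status, body = webfinger(parts.query)
        payload = json.dumps(body).encode()
        self.send_response(status)
        # RFC 7033 section 10.2: the JRD media type; section 5: allow cross-origin reads.
        self.send_header("Content-Type", "application/jrd+json")
        self.send_header("Access-Control-Allow-Origin", "*")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Serve on localhost only; put a TLS-terminating reverse proxy in front for real use.
    HTTPServer(("127.0.0.1", 8080), WebFingerHandler).serve_forever()
```

Run it and fetch `http://127.0.0.1:8080/.well-known/webfinger?resource=tailscale-webfinger%3A%40mydomain.com&rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer` to see the JRD; the same request with an unrelated `rel` returns a 200 with an empty `links` array, and a resource in another domain returns 404 rather than a fabricated issuer.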

Are there really Microsoft accounts that were terminated out of the blue? I always had the feeling they acted a bit more responsibly around that than Google.

Not necessarily terminated but there are other ways you can lose control over your account: https://news.ycombinator.com/item?id=34934280

(Also see the various comments in the discussion.)

Yup, in the same boat. Don't need google to decide on a whim that my account is odd and lock me out and thus all the access to my devices.