Introduction

If you look at Tailscale's Custom OIDC providers documentation you'll see it lists specific configuration steps for most identity providers, but not Kanidm. As such I decided to document my steps to get Kanidm working with Tailscale.

These steps require a static WebFinger document to be served from your domain. Tailscale thinks this is a good idea; Kanidm disagrees. Most importantly, it is only temporary: the endpoint is needed only during setup.

Step 1: Create the Kanidm Application

This should follow your normal application-creation steps. For me it was something like the following, done as idm_admin:

# Create the group that will be allowed to log in to Tailscale
kanidm group create app_tailscale_users
kanidm group add-members app_tailscale_users me

# Create the OAuth2 client and grant the group the scopes Tailscale needs
kanidm system oauth2 create tailscale "Tailscale" https://login.tailscale.com
kanidm system oauth2 add-redirect-url tailscale 'https://login.tailscale.com/a/oauth_response'
kanidm system oauth2 update-scope-map tailscale app_tailscale_users openid email profile

# Tailscale does not use PKCE, so Kanidm's PKCE requirement has to be
# disabled for this client (Kanidm flags this as less secure)
kanidm system oauth2 warning-insecure-client-disable-pkce tailscale

Step 2: Create the Webfinger Endpoint

How you do this depends on how your domain is hosted. In short, the domain needs to return the following JSON (with the email and URLs replaced by your own) when something requests /.well-known/webfinger:

{
  "subject": "acct:me@example.com",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://auth.example.com/oauth2/openid/tailscale"
    }
  ]
}
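
If you would rather serve the document from a tiny process than hand-place a static file, the following is an added example of a minimal WebFinger responder for this step (it is not from the original post, Kanidm or Tailscale). It assumes the placeholder account me@example.com and the placeholder issuer https://auth.example.com/oauth2/openid/tailscale, answers only that one account so the endpoint cannot be used to confirm other addresses, and is meant to sit behind a TLS-terminating proxy for the domain.

```python
"""Minimal WebFinger responder for the Tailscale OIDC setup.

Constructed example: the account and issuer below are placeholders and
must be replaced with your own email and Kanidm OIDC issuer URL.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

ACCOUNT = "acct:me@example.com"                              # placeholder
ISSUER = "https://auth.example.com/oauth2/openid/tailscale"   # placeholder
ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


def webfinger_response(query):
    """Return (http_status, body_dict) for a WebFinger query string.

    Only the configured account is answered; every other resource gets a
    404 so the endpoint does not reveal which addresses exist.
    """
    resource = parse_qs(query).get("resource", [None])[0]
    if resource is None:
        return 400, {"error": "missing resource parameter"}
    if resource != ACCOUNT:
        return 404, {"error": "unknown resource"}
    return 200, {"subject": ACCOUNT,
                 "links": [{"rel": ISSUER_REL, "href": ISSUER}]}


class WebFingerHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/.well-known/webfinger":
            self.send_error(404)
            return
        status, body = webfinger_response(url.query)
        data = json.dumps(body).encode()
        self.send_response(status)
        # RFC 7033: responses use the JRD media type and allow any origin
        self.send_header("Content-Type", "application/jrd+json")
        self.send_header("Access-Control-Allow-Origin", "*")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


if __name__ == "__main__":
    # Bind locally; a reverse proxy on the domain terminates TLS in front.
    HTTPServer(("127.0.0.1", 8080), WebFingerHandler).serve_forever()
```

Once Tailscale has completed its lookup you can stop this process again, exactly as with a static file.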

Step 3: Configure Tailscale

Now you can follow Tailscale's Custom OIDC provider steps to configure Tailscale. Use the email you configured in the WebFinger JSON (e.g. me@example.com) to log in. Afterwards you can take down the WebFinger endpoint.