Well god damn there it is! Three days fresh, even! Thanks!
Looks like a fair lot of work to get it configured, but few good things come entirely free. Wonder if there's enough people that could get together for a communal one...?
Got to the end of that post and thought: definitely don't want to self host that!
Are there good options for an IdP that has good data policies that are easy to wire in with tailscale? I'm not opposed to paying for it. I wonder if Zoho can do this for me, I'm very happy paying them $12/yr for email.
Question about the docs, it mentions that "The WebFinger endpoint must be hosted at the domain of the email address provided during setup". Would it be possible to support a subdomain?
Also, a small ask: could the WebFinger request that's sent include the `rel` and a well-known user resource params, for the situations where there's already a WebFinger implementation there that isn't 100% under dev control which requires these params? Like:

    GET /.well-known/webfinger?resource=tailscale-webfinger%3A%40mydomain.com&rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer HTTP/1.1
    Host: mydomain.com
Lastly, is this request re-sent at every auth event?
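As an added illustration (not code from the thread or from Tailscale), here is a minimal RFC 7033 WebFinger responder that honours both the `resource` and `rel` query parameters of the request quoted above; the domain, issuer URL and link set are assumed placeholders.

```python
import json
from urllib.parse import parse_qs, urlsplit

DOMAIN = "mydomain.com"              # assumed: the email domain given at setup
ISSUER = "https://idp.example.com"   # assumed: the OIDC issuer to advertise
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# One JRD per resource we own. Only these resources are answered; any other
# identifier gets 404, so the endpoint does not confirm arbitrary subjects.
RESOURCES = {
    f"tailscale-webfinger:@{DOMAIN}": {
        "subject": f"tailscale-webfinger:@{DOMAIN}",
        "links": [
            {"rel": OIDC_ISSUER_REL, "href": ISSUER},
            {"rel": "http://webfinger.net/rel/profile-page",
             "href": f"https://{DOMAIN}/"},
        ],
    },
}

def resolve(request_target: str):
    """Map '/.well-known/webfinger?resource=...&rel=...' to (status, jrd|None).
    parse_qs percent-decodes, so %3A%40 becomes ':@' before the lookup."""
    parts = urlsplit(request_target)
    if parts.path != "/.well-known/webfinger":
        return 404, None
    query = parse_qs(parts.query)
    resources = query.get("resource", [])
    if len(resources) != 1:          # RFC 7033 4.1: exactly one resource is required
        return 400, None
    jrd = RESOURCES.get(resources[0])
    if jrd is None:
        return 404, None
    rels = query.get("rel", [])      # rel may repeat; absent means "all links"
    links = jrd["links"]
    if rels:                         # RFC 7033 4.3: filter the link array by rel
        links = [link for link in links if link["rel"] in rels]
    return 200, {"subject": jrd["subject"], "links": links}

def respond(request_target: str):
    """Serialise for the wire: JRD media type plus the CORS header RFC 7033 expects."""
    status, jrd = resolve(request_target)
    if jrd is None:
        return status, {}, b""
    headers = {"Content-Type": "application/jrd+json",
               "Access-Control-Allow-Origin": "*"}
    return status, headers, json.dumps(jrd).encode()
```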
You also don't need to pay Tailscale to use it.