tailscale

Using Codeberg as an OIDC provider

Using Codeberg as an OIDC provider

These steps also apply to Gitea and Forgejo instances.

Requirements

Use moonshadow.dev for the domain.
Use hyperreal@moonshadow.dev for the email. This must be the primary email on your Codeberg, Gitea, or Forgejo account.
Setup a web server to host the webfinger file at moonshadow.dev.

Webfinger

In the web root of the web server, create .well-known/webfinger.

{
  "subject": "acct:hyperreal@moonshadow.dev",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://codeberg.org"
    }
  ]
}

Use the Webfinger lookup tool to make sure it is setup correctly.

Create an OAuth2 application on Codeberg

Go to User Settings → Applications → Manage OAuth2 applications.

Application name	tailscale
Redirect URI	https://login.tailscale.com/a/oauth_response
Confidential client	Checked

Click on Create. Copy and save the Client ID and Client secret that were generated.

Sign up with Tailscale

Go to the Tailscale login page, and select “Sign up with OIDC”.
Enter hyperreal@moonshadow.dev for the email.
Choose Codeberg as the identity provider. (optional)
Select “Get OIDC Issuer”.
Enter the Client ID and Client secret saved from the OAuth2 application. Leave everything else as default, and make sure that “consent” is checked under Prompts.
Click “Sign up with OIDC”, and you should be able to login to Tailscale and be redirected to your Tailscale admin console.

Resources

Custom OIDC providers - Tailscale Docs