oidc
recently i decided to set up an oidc server using void auth. part of the reason i wanted to do this is because some services let you bring your own oidc provider, so you don't have to sign in through an existing service like github or gmail etc. as part of a long process of degoogling, i figured it's a good time to learn how to authenticate using just my own domain and a static web server.

while i'm not sure how often i'll use it, i am jotting down some notes here in case someone else comes across the same need, and as notes for myself.
tailscale
in this case, i was setting up void auth to work with tailscale. tailscale also has decent documentation on how to do this but i still found it somewhat difficult to figure out, thus, the note here. the main downside is that i cannot migrate my existing tailnet, but, since it was tied to my github account, i didn’t really want to keep that one anyway.
- webfinger endpoint (caddy)
  - serve `/.well-known/webfinger` from `https://metasyn.pw` (caddy snippet i got from will norris)
```caddy
metasyn.pw {
    file_server

    # headers for webfinger only
    @webfinger {
        path /.well-known/webfinger
        method GET HEAD
        query resource=acct:xander@metasyn.pw
        query resource=mailto:xander@metasyn.pw
        query resource=https://metasyn.pw
        query resource=https://metasyn.pw/
    }
    rewrite @webfinger /webfinger.json
    header @webfinger {
        Content-Type "application/jrd+json"
        Access-Control-Allow-Origin "*"
        X-Robots-Tag "noindex"
    }
}
```
returns:

```json
{
  "subject": "acct:xander@metasyn.pw",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://auth.metasyn.pw/oidc"
    }
  ]
}
```
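to see what a relying party like tailscale actually does with that document, here is a small offline model of the lookup (webfinger resource, then the issuer link, then the location of the issuer's discovery document). this is an added example, not code from the post, from voidauth or from tailscale; the `fetch` callable is a hypothetical stand-in for an http get so it runs without the network, and the jrd below is constructed to mirror the one the caddy config above serves. the subject check is deliberately stricter than rfc 7033 (which also allows aliases) so a server cannot answer for a different account.

```python
"""Offline model of the WebFinger -> OIDC issuer lookup a relying party
performs against an acct: identifier (added example, not the post's own code)."""
from __future__ import annotations

import json
from urllib.parse import urlencode, urlsplit

OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
WEBFINGER_TYPE = "application/jrd+json"

# constructed sample: what /.well-known/webfinger returns for the account
SAMPLE_JRD = json.dumps({
    "subject": "acct:xander@metasyn.pw",
    "links": [
        {"rel": OIDC_ISSUER_REL, "href": "https://auth.metasyn.pw/oidc"},
    ],
})


def webfinger_url(resource: str) -> str:
    """Build the WebFinger URL for an acct: resource; the host to ask is the
    part after the @ (RFC 7033 section 3.1)."""
    if not resource.startswith("acct:") or "@" not in resource:
        raise ValueError("expected an acct:user@host resource")
    host = resource.rsplit("@", 1)[1]
    return f"https://{host}/.well-known/webfinger?" + urlencode({"resource": resource})


def issuer_from_jrd(jrd_text: str, resource: str, content_type: str = WEBFINGER_TYPE) -> str:
    """Parse a JRD response and return the OIDC issuer URL, rejecting
    responses a relying party should not act on."""
    if content_type.split(";")[0].strip() != WEBFINGER_TYPE:
        raise ValueError(f"unexpected content-type {content_type!r}")
    jrd = json.loads(jrd_text)
    # conservative choice: the subject must be exactly the resource we asked
    # about, so a server cannot hand back an issuer for a different account
    if jrd.get("subject") != resource:
        raise ValueError("subject does not match requested resource")
    issuers = [link.get("href") for link in jrd.get("links", [])
               if link.get("rel") == OIDC_ISSUER_REL]
    if len(issuers) != 1:
        raise ValueError(f"expected exactly one issuer link, got {len(issuers)}")
    issuer = issuers[0]
    parts = urlsplit(issuer)
    # the issuer identifier must be https and carry no query or fragment,
    # otherwise discovery cannot be derived from it safely
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"issuer must be a clean https URL: {issuer!r}")
    return issuer


def discovery_url(issuer: str) -> str:
    """OIDC Discovery: provider metadata lives at
    issuer + /.well-known/openid-configuration. The issuer's path is kept,
    which matters for a path-scoped issuer like voidauth's /oidc."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def resolve_issuer(resource: str, fetch) -> tuple[str, str]:
    """The lookup a relying party does: webfinger -> issuer -> discovery URL.
    `fetch(url)` is a hypothetical callable returning (content_type, body)."""
    content_type, body = fetch(webfinger_url(resource))
    issuer = issuer_from_jrd(body, resource, content_type)
    return issuer, discovery_url(issuer)


def fake_fetch(url: str) -> tuple[str, str]:
    """Constructed stand-in for an HTTP GET against metasyn.pw."""
    if not url.startswith("https://metasyn.pw/.well-known/webfinger?"):
        raise ValueError(f"unexpected url {url!r}")
    return WEBFINGER_TYPE, SAMPLE_JRD


if __name__ == "__main__":
    print(resolve_issuer("acct:xander@metasyn.pw", fake_fetch))
```

swapping `fake_fetch` for a real http get against your own domain gives you the same check that webfinger.net performs, and the error paths (wrong content-type, mismatched subject, non-https issuer) are the things that most often make a provider "not found" even though the file is being served.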
- voidauth oidc app
  - in the voidauth application, you create a new oidc app
  - homepage: my domain
  - redirect url: https://login.tailscale.com/a/oauth_response
  - response type: code
  - grant types: authorization_code, refresh_token
  - generate client id + client secret and save those
- tailscale custom oidc provider
  - confirm webfinger works at webfinger.net
  - create a new account here: https://login.tailscale.com/start/oidc
  - client id / secret: from the voidauth oidc app
```text
+-------------------+
|   tailscale ui    |
+-------------------+
          |
          | webfinger lookup
          v
+-------------------+
|    metasyn.pw     |
|   /.well-known/   |
|     webfinger     |
+-------------------+
          |
          | fetch issuer URL
          v
+-------------------+
|  auth.metasyn.pw  |
|     voidauth      |
|  OIDC endpoints   |
+-------------------+
          |
          | user login / sso
          v
+-------------------+
| authorization code|
+-------------------+
          |
          | token exchange
          v
+-------------------+
| tailscale grants  |
|  access to user   |
+-------------------+
```