summaryrefslogtreecommitdiffhomepage
path: root/control/controlhttp/controlhttpserver
diff options
context:
space:
mode:
authorRemy Guercio <remy@tailscale.com>2025-08-29 15:16:39 -0500
committerGitHub <noreply@github.com>2025-08-29 15:16:39 -0500
commit89fe2e1f126d9de3567500fa0b240cc0ac489c09 (patch)
treefd4bc7923044f37f6c8bf6c3742aa736e7b670cf /control/controlhttp/controlhttpserver
parent76fc02be09a069bcc4e440f07ba2640a56cfb5d8 (diff)
downloadtailscale-89fe2e1f126d9de3567500fa0b240cc0ac489c09.tar.xz
tailscale-89fe2e1f126d9de3567500fa0b240cc0ac489c09.zip
cmd/tsidp: add allow-insecure-no-client-registration and JSON file migration (#16881)
Add a ternary flag that unless set explicitly to false keeps the insecure behavior of TSIDP. If the flag is false, add functionality on startup to migrate oidc-funnel-clients.json to oauth-clients.json if it doesn’t exist. If the flag is false, modify endpoints to behave similarly regardless of funnel, tailnet, or localhost. They will all verify client ID & secret when appropriate per RFC 6749. The authorize endpoint will no longer change based on funnel status or nodeID. Add extra tests verifying TSIDP endpoints behave as expected with the new flag. Safely create the redirect URL from what's passed into the authorize endpoint. Fixes #16880 Signed-off-by: Remy Guercio <remy@tailscale.com>
Diffstat (limited to 'control/controlhttp/controlhttpserver')
0 files changed, 0 insertions, 0 deletions