summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
Diffstat
-rw-r--r--tsnet/tsnet.go31
1 files changed, 26 insertions, 5 deletions
diff --git a/tsnet/tsnet.go b/tsnet/tsnet.go
index 595b052ab..aec6ae9ea 100644
--- a/tsnet/tsnet.go
+++ b/tsnet/tsnet.go
@@ -139,6 +139,14 @@ type Server struct {
// field is not used.
IDToken string
+ // Audience, if non-empty, is the audience to use when requesting
+ // an ID token from a well-known identity provider to exchange
+ // with the control server for workload identity federation. It
+ // will be preferred over the TS_AUDIENCE environment variable. If
+ // the node is already created (from state previously stored in Store),
+ // then this field is not used.
+ Audience string
+
// ControlURL optionally specifies the coordination server URL.
// If empty, the Tailscale default is used.
ControlURL string
@@ -567,6 +575,13 @@ func (s *Server) getIDToken() string {
return os.Getenv("TS_ID_TOKEN")
}
+func (s *Server) getAudience() string {
+ if v := s.Audience; v != "" {
+ return v
+ }
+ return os.Getenv("TS_AUDIENCE")
+}
+
func (s *Server) start() (reterr error) {
var closePool closeOnErrorPool
defer closePool.closeAllIfError(&reterr)
@@ -805,13 +820,19 @@ func (s *Server) resolveAuthKey() (string, error) {
if wifOk && authKey == "" {
clientID := s.getClientID()
idToken := s.getIDToken()
- if clientID != "" && idToken == "" {
- return "", fmt.Errorf("client ID for workload identity federation found, but ID token is empty")
+ audience := s.getAudience()
+ if clientID != "" && idToken == "" && audience == "" {
+ return "", fmt.Errorf("client ID for workload identity federation found, but ID token and audience are empty")
}
- if clientID == "" && idToken != "" {
- return "", fmt.Errorf("ID token for workload identity federation found, but client ID is empty")
+ if clientID == "" {
+ if idToken != "" {
+ return "", fmt.Errorf("ID token for workload identity federation found, but client ID is empty")
+ }
+ if audience != "" {
+ return "", fmt.Errorf("audience for workload identity federation found, but client ID is empty")
+ }
}
- authKey, err = resolveViaWIF(s.shutdownCtx, s.ControlURL, clientID, idToken, "", s.AdvertiseTags)
+ authKey, err = resolveViaWIF(s.shutdownCtx, s.ControlURL, clientID, idToken, audience, s.AdvertiseTags)
if err != nil {
return "", err
}
Copyright © 2025 - 2026 Wayne Cole. WTFPL. Attribution appreciated. No warranty. Not liable for bodily damages.