+++
title = 'Using Codeberg, Gitea, or Forgejo as OIDC provider for Tailscale'
date = 2025-10-02 22:37:00
tags = ["oidc", "codeberg", "gitea", "forgejo", "tailscale"]
+++

## Requirements

* An account on Codeberg or on a Gitea or Forgejo instance.
* A domain name. E.g., I use moonshadow.dev.
* The primary email address on your Codeberg, Gitea, or Forgejo account must be at the above domain name. E.g., mine is <hyperreal@moonshadow.dev>.
* A publicly accessible web server to host your webfinger file. You could also use [Codeberg pages](https://docs.codeberg.org/codeberg-pages/) for this with your [custom domain](https://docs.codeberg.org/codeberg-pages/using-custom-domain/). The web server must serve content at your domain. E.g., <https://moonshadow.dev>.

## Webfinger

In the web root of your web server, create the `.well-known/webfinger` file. For example, on mine, I have the following:

```json
{
  "subject": "acct:hyperreal@moonshadow.dev",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://codeberg.org"
    }
  ]
}
```

You can use the [Webfinger lookup tool](https://webfinger.net/lookup/) to make sure it is set up correctly.

The value of the "subject" field must contain the email address at the domain you own, in the `acct:` form shown above. The value of the "href" field must be the URL of Codeberg or of your Gitea or Forgejo instance.
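As an added example (not code from the original post), the following Python checks a webfinger document and the provider's discovery document the way the OIDC lookup will: the subject must match your address, there must be exactly one issuer link with an https `href`, and the `issuer` returned by the provider's `/.well-known/openid-configuration` must equal that `href` character for character (a stray trailing slash is a mismatch). The two sample documents are constructed; the Codeberg endpoint paths in them are illustrative only.

```python
import json
from urllib.parse import urlparse

# rel value that OIDC issuer discovery looks for in the WebFinger response
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

def check_webfinger(jrd_text: str, email: str) -> list:
    """Return the problems found in a WebFinger JRD for `email`; an empty
    list means it carries exactly what OIDC issuer discovery needs."""
    problems = []
    try:
        jrd = json.loads(jrd_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if jrd.get("subject") != f"acct:{email}":
        problems.append(f'subject must be "acct:{email}", got {jrd.get("subject")!r}')
    hrefs = [link.get("href") for link in jrd.get("links", [])
             if link.get("rel") == OIDC_ISSUER_REL]
    if len(hrefs) != 1:
        problems.append(f"expected exactly one {OIDC_ISSUER_REL} link, found {len(hrefs)}")
    elif urlparse(hrefs[0] or "").scheme != "https":
        problems.append(f"issuer href must be an https URL, got {hrefs[0]!r}")
    return problems

def check_discovery(expected_issuer: str, config_text: str) -> list:
    """Cross-check the issuer's /.well-known/openid-configuration: the
    'issuer' claim must equal the WebFinger href exactly (a trailing slash
    is a mismatch), and the endpoints a code flow needs must be present."""
    try:
        cfg = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    problems = ([f"issuer mismatch: {cfg.get('issuer')!r} != {expected_issuer!r}"]
                if cfg.get("issuer") != expected_issuer else [])
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not cfg.get(key):
            problems.append(f"missing {key}")
    return problems

# Constructed samples: the post's WebFinger file and a minimal provider config
# (endpoint paths are illustrative, not fetched from Codeberg).
SAMPLE_JRD = json.dumps({"subject": "acct:hyperreal@moonshadow.dev", "links": [
    {"rel": OIDC_ISSUER_REL, "href": "https://codeberg.org"}]})
SAMPLE_CONFIG = json.dumps({"issuer": "https://codeberg.org",
    "authorization_endpoint": "https://codeberg.org/login/oauth/authorize",
    "token_endpoint": "https://codeberg.org/login/oauth/access_token",
    "jwks_uri": "https://codeberg.org/login/oauth/keys"})
```

Feed the live documents (fetched over HTTPS from your domain and from the issuer) to these two functions; any non-empty result is a reason the Tailscale sign-up would fail.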

## Create an OAuth2 application on Codeberg, Gitea, or Forgejo

On Codeberg, Gitea, or Forgejo, go to your User Settings -> Applications -> Manage OAuth2 applications.

* Application name: tailscale
* Redirect URI: `https://login.tailscale.com/a/oauth_response`
* Confidential client: checked

Click on Create. Now copy and save the Client ID and Client secret that were generated.

## Sign up with Tailscale

1. Go to the Tailscale login page, and select "Sign up with OIDC".
2. Enter your email at your custom domain. E.g., <hyperreal@moonshadow.dev>.
3. Choose Codeberg or Gitea as the identity provider. This choice is optional and does not affect the setup. Forgejo instances can choose Gitea.
4. Select "Get OIDC Issuer".
5. Enter the Client ID and Client secret you saved from your OAuth2 application. Leave everything else as default, and make sure that "consent" is checked under Prompts.
6. Click "Sign up with OIDC", and you should be able to log in to Tailscale and be redirected to your Tailscale admin console.

## Resources

* [Custom OIDC providers - Tailscale Docs](https://tailscale.com/kb/1240/sso-custom-oidc)