
Building on Tailscale: How we made a tiny identity provider

Blog post from Tailscale

Post Details
Company:
Date Published:
Author: Remy Guercio
Word Count: 838
Language: -
Hacker News Points: -
Summary

Tailscale, widely recognized for its VPN capabilities, can also serve as a platform for building applications, as demonstrated by tsidp, a lightweight identity provider. Three Tailscale features made this possible: tsnet, application capability grants, and Funnel. tsnet embeds Tailscale connectivity in a Go program, so the program can join the tailnet and communicate securely given only a hostname and an auth key. It also exposes user identity information through its WhoIs call, which tsidp uses in its authorization process. Application capability grants provide customizable access controls through JSON configuration, making user and group permissions more flexible. Funnel lets an application inside a tailnet be exposed globally while access to specific endpoints stays private, which supports seamless login experiences for public SaaS apps. The article also encourages developers to explore what else tsnet can be used to build, pointing them to its documentation and to community projects.