Supporting OAuth in the Tailscale API
Blog post from Tailscale
Tailscale has enhanced its API authentication by introducing OAuth support, allowing for the creation of scoped access tokens tailored to specific operations and the ability to continuously generate or refresh tokens using OAuth clients. Previously, API requests were authenticated using simple API keys tied to the user who created them, with a maximum lifespan of 90 days, which was suitable for basic automation but not for more complex scenarios. The new OAuth implementation enables tailnet administrators to create OAuth clients that are not owned by individual users and do not expire, allowing for more granular and secure access control. These clients can generate short-lived access tokens for specific operations, such as managing devices or integrating third-party services, and are compatible with any standard OAuth 2.0 library supporting client credentials grants. The creation and use of OAuth client credentials are logged, can be revoked at any time, and are subject to the permissions allowed by the administrator's role. The feature is currently available in beta for all tailnets, with setup possible through the admin console's OAuth clients page.
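The post says the OAuth clients work with any standard OAuth 2.0 library that supports the client credentials grant. The Python below is an added example (not Tailscale's code) of what such a client does: it sends an RFC 6749 §4.4 `client_credentials` request with the client ID and secret in an HTTP Basic header, caches the short-lived access token it gets back, and fetches a fresh one shortly before expiry so long-running automation never holds a stale or long-lived credential. The token endpoint URL, the `devices:read` scope name and the JSON shape of the response are assumptions for illustration, not values taken from the post; the `TokenSource` class, `build_token_request`, `parse_token_response` and the fake transport are hypothetical helpers.

```python
"""Client-credentials token helper (added example, not Tailscale's own code).

Assumptions, labelled:
- TOKEN_URL is the OAuth 2.0 token endpoint; the value is assumed here.
- The response is JSON with access_token, token_type and expires_in
  (RFC 6749 section 5.1).
- Scope names such as "devices:read" are placeholders, not documented values.
"""
import base64
import json
import time
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.tailscale.com/api/v2/oauth/token"  # assumed endpoint
REFRESH_MARGIN = 60  # seconds before expiry at which a new token is fetched


def build_token_request(client_id, client_secret, scopes=()):
    """Return (url, headers, body) for an RFC 6749 client_credentials grant.

    The secret goes in an HTTP Basic Authorization header rather than the
    query string, so it does not end up in proxy or server access logs.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    form = {"grant_type": "client_credentials"}
    if scopes:
        form["scope"] = " ".join(scopes)  # request only the scopes the job needs
    return TOKEN_URL, headers, urllib.parse.urlencode(form).encode()


def parse_token_response(raw, now=None):
    """Turn a JSON token response into (access_token, absolute_expiry_time)."""
    doc = json.loads(raw)
    if doc.get("token_type", "Bearer").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % doc.get("token_type"))
    base = now if now is not None else time.time()
    return doc["access_token"], base + int(doc["expires_in"])


def _http_post(url, headers, body):
    """Real transport: POST the form and return the response bytes."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


class TokenSource:
    """Caches one access token and renews it before it expires.

    transport and clock are injectable so the renewal logic can be exercised
    offline; in production leave both at their defaults.
    """

    def __init__(self, client_id, client_secret, scopes=(),
                 transport=None, clock=time.time):
        self._client_id = client_id
        self._client_secret = client_secret
        self._scopes = tuple(scopes)
        self._transport = transport or _http_post
        self._clock = clock
        self._token = None
        self._expires_at = 0.0
        self.fetch_count = 0  # how many times the token endpoint was called

    def token(self):
        now = self._clock()
        if self._token is None or now >= self._expires_at - REFRESH_MARGIN:
            url, headers, body = build_token_request(
                self._client_id, self._client_secret, self._scopes)
            raw = self._transport(url, headers, body)
            self._token, self._expires_at = parse_token_response(raw, now=now)
            self.fetch_count += 1
        return self._token

    def auth_header(self):
        """Header to attach to an API call; the token is never stored long-term."""
        return {"Authorization": f"Bearer {self.token()}"}


def fake_transport():
    """Constructed stand-in for the token endpoint: records each request and
    hands back a new one-hour token each time it is called."""
    calls = []

    def post(url, headers, body):
        calls.append((url, headers, body))
        return json.dumps({"access_token": f"tok{len(calls)}",
                           "token_type": "Bearer",
                           "expires_in": 3600}).encode()

    post.calls = calls
    return post


if __name__ == "__main__":
    clock = [1_000.0]
    src = TokenSource("client-id", "client-secret", ["devices:read"],
                      transport=fake_transport(), clock=lambda: clock[0])
    print(src.auth_header())          # first call fetches tok1
    clock[0] += 3600 - 30             # inside the refresh margin
    print(src.auth_header())          # renewed to tok2
```

Because every token is minted from the client credentials on demand, rotating or revoking the OAuth client in the admin console is enough to cut off the automation; nothing durable beyond the client secret itself needs to be stored by the caller.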