DEV Community: de4ps The latest articles on DEV Community by de4ps (@de4ps). https://dev.to/de4ps https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3162568%2F6d72983a-961e-4900-a456-e5cd9f1df752.jpeg DEV Community: de4ps https://dev.to/de4ps en Tailscale Custom OIDC with Cloudflare Zero Trust and a Cloudflare Worker de4ps Mon, 23 Feb 2026 11:12:54 +0000 https://dev.to/de4ps/tailscale-custom-oidc-with-cloudflare-zero-trust-and-a-cloudflare-worker-54d6 https://dev.to/de4ps/tailscale-custom-oidc-with-cloudflare-zero-trust-and-a-cloudflare-worker-54d6 <p>Tailscale supports custom OIDC providers for authentication. Instead of building a full OIDC identity provider from scratch, you can use Cloudflare Zero Trust as the IdP and a tiny Cloudflare Worker as the glue. The worker serves a single endpoint — WebFinger — that lets Tailscale discover the OIDC issuer on your domain.</p> <p>The total amount of code: ~30 lines of TypeScript.</p> <h2> Background </h2> <p>When you sign up for Tailscale with a custom domain (say <code>user@example.com</code>), Tailscale needs to find the OIDC provider responsible for that domain. It does this via <a href="https://datatracker.ietf.org/doc/html/rfc7033" rel="noopener noreferrer">WebFinger</a> — an HTTP-based protocol for discovering information about resources.</p> <p>Tailscale sends a GET request to:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://example.com/.well-known/webfinger?resource=acct:user@example.com&amp;rel=http://openid.net/specs/connect/1.0/issuer </code></pre> </div> <p>The response must be a JSON Resource Descriptor (JRD) pointing to the OIDC issuer:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"subject"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acct:user@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"links"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"rel"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://openid.net/specs/connect/1.0/issuer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"href"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://your-issuer-url"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Tailscale then fetches <code>/.well-known/openid-configuration</code> from that issuer and proceeds with the standard OIDC Authorization Code flow.</p> <h2> The idea </h2> <p>Cloudflare Zero Trust can act as a full OIDC identity provider when you create a SaaS application. It handles everything: authorization, token exchange, user info, JWKS. Users authenticate via Cloudflare Access (one-time PIN sent to email, or any other identity provider you configure in Zero Trust).</p> <p>The only piece missing is the WebFinger endpoint on your domain. A Cloudflare Worker fills that gap.</p> <h2> The full flow </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>1. User enters user@example.com in Tailscale login 2. Tailscale → GET https://example.com/.well-known/webfinger 3. Cloudflare Worker responds with the CF Zero Trust issuer URL 4. Tailscale → GET &lt;issuer&gt;/.well-known/openid-configuration 5. Tailscale redirects user to Cloudflare Access authorization endpoint 6. User authenticates (email OTP, or configured IdP) 7. Cloudflare redirects to https://login.tailscale.com/a/oauth_response 8. Tailscale exchanges the authorization code for tokens 9. User is authenticated in the tailnet </code></pre> </div> <h2> Step 1: Cloudflare Zero Trust — SaaS Application </h2> <p>In the Cloudflare Zero Trust dashboard:</p> <ol> <li>Go to <strong>Access → Applications → Add an application</strong> </li> <li>Choose <strong>SaaS</strong> </li> <li>Set the protocol to <strong>OIDC</strong> </li> <li>Set the redirect URL to <code>https://login.tailscale.com/a/oauth_response</code> </li> <li>Enable scopes: <code>openid</code>, <code>email</code>, <code>profile</code> </li> <li>Create an <strong>Access Policy</strong> to control who can authenticate (e.g., only specific email addresses or an email domain)</li> <li>Save the application and copy the <strong>Client ID</strong>, <strong>Client Secret</strong>, and <strong>Issuer URL</strong> </li> </ol> <p>The issuer URL will look something like:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>https://&lt;team-name&gt;.cloudflareaccess.com/cdn-cgi/access/sso/oidc/&lt;client-id&gt; </code></pre> </div> <h2> Step 2: Cloudflare Worker — WebFinger endpoint </h2> <p>Initialize a new project:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir </span>example-com <span class="o">&amp;&amp;</span> <span class="nb">cd </span>example-com npm init <span class="nt">-y</span> npm <span class="nb">install </span>hono npm <span class="nb">install</span> <span class="nt">-D</span> wrangler typescript @cloudflare/workers-types </code></pre> </div> <h3> wrangler.toml </h3> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="py">name</span> <span class="p">=</span> <span class="s">"example-com"</span> <span class="py">main</span> <span class="p">=</span> <span class="s">"src/index.ts"</span> <span class="py">compatibility_date</span> <span class="p">=</span> <span class="s">"2025-01-01"</span> <span class="c"># OIDC_ISSUER stored as a secret:</span> <span class="c"># npx wrangler secret put OIDC_ISSUER</span> </code></pre> </div> <h3> src/index.ts </h3> <p>The entire worker:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="k">import</span> <span class="p">{</span> <span class="nx">Hono</span> <span class="p">}</span> <span class="k">from</span> <span class="dl">"</span><span class="s2">hono</span><span class="dl">"</span><span class="p">;</span> <span class="kd">type</span> <span class="nx">Env</span> <span class="o">=</span> <span class="p">{</span> <span class="na">OIDC_ISSUER</span><span class="p">:</span> <span class="kr">string</span><span class="p">;</span> <span class="p">};</span> <span class="kd">const</span> <span class="nx">app</span> <span class="o">=</span> <span class="k">new</span> <span class="nx">Hono</span><span class="o">&lt;</span><span class="p">{</span> <span class="na">Bindings</span><span class="p">:</span> <span class="nx">Env</span> <span class="p">}</span><span class="o">&gt;</span><span class="p">();</span> <span class="nx">app</span><span class="p">.</span><span class="nf">get</span><span class="p">(</span><span class="dl">"</span><span class="s2">/.well-known/webfinger</span><span class="dl">"</span><span class="p">,</span> <span class="p">(</span><span class="nx">c</span><span class="p">)</span> <span class="o">=&gt;</span> <span class="p">{</span> <span class="kd">const</span> <span class="nx">resource</span> <span class="o">=</span> <span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">resource</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">resource</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">c</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">missing resource parameter</span><span class="dl">"</span> <span class="p">},</span> <span class="mi">400</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Validate the resource is an acct: URI for your domain</span> <span class="kd">const</span> <span class="nx">match</span> <span class="o">=</span> <span class="nx">resource</span><span class="p">.</span><span class="nf">match</span><span class="p">(</span><span class="sr">/^acct:</span><span class="se">(</span><span class="sr">.+</span><span class="se">)</span><span class="sr">@</span><span class="se">(</span><span class="sr">.+</span><span class="se">)</span><span class="sr">$/</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="o">!</span><span class="nx">match</span> <span class="o">||</span> <span class="nx">match</span><span class="p">[</span><span class="mi">2</span><span class="p">]</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">example.com</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">c</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">unknown resource</span><span class="dl">"</span> <span class="p">},</span> <span class="mi">404</span><span class="p">);</span> <span class="p">}</span> <span class="c1">// Optional: validate the rel parameter</span> <span class="kd">const</span> <span class="nx">rel</span> <span class="o">=</span> <span class="nx">c</span><span class="p">.</span><span class="nx">req</span><span class="p">.</span><span class="nf">query</span><span class="p">(</span><span class="dl">"</span><span class="s2">rel</span><span class="dl">"</span><span class="p">);</span> <span class="k">if </span><span class="p">(</span><span class="nx">rel</span> <span class="o">&amp;&amp;</span> <span class="nx">rel</span> <span class="o">!==</span> <span class="dl">"</span><span class="s2">http://openid.net/specs/connect/1.0/issuer</span><span class="dl">"</span><span class="p">)</span> <span class="p">{</span> <span class="k">return</span> <span class="nx">c</span><span class="p">.</span><span class="nf">json</span><span class="p">({</span> <span class="na">error</span><span class="p">:</span> <span class="dl">"</span><span class="s2">unsupported rel</span><span class="dl">"</span> <span class="p">},</span> <span class="mi">404</span><span class="p">);</span> <span class="p">}</span> <span class="k">return</span> <span class="nx">c</span><span class="p">.</span><span class="nf">json</span><span class="p">(</span> <span class="p">{</span> <span class="na">subject</span><span class="p">:</span> <span class="nx">resource</span><span class="p">,</span> <span class="na">links</span><span class="p">:</span> <span class="p">[</span> <span class="p">{</span> <span class="na">rel</span><span class="p">:</span> <span class="dl">"</span><span class="s2">http://openid.net/specs/connect/1.0/issuer</span><span class="dl">"</span><span class="p">,</span> <span class="na">href</span><span class="p">:</span> <span class="nx">c</span><span class="p">.</span><span class="nx">env</span><span class="p">.</span><span class="nx">OIDC_ISSUER</span><span class="p">,</span> <span class="p">},</span> <span class="p">],</span> <span class="p">},</span> <span class="mi">200</span><span class="p">,</span> <span class="p">{</span> <span class="dl">"</span><span class="s2">Content-Type</span><span class="dl">"</span><span class="p">:</span> <span class="dl">"</span><span class="s2">application/jrd+json</span><span class="dl">"</span> <span class="p">},</span> <span class="p">);</span> <span class="p">});</span> <span class="k">export</span> <span class="k">default</span> <span class="nx">app</span><span class="p">;</span> </code></pre> </div> <p>The worker validates that the <code>resource</code> parameter is an <code>acct:</code> URI for your domain, and returns a JRD response pointing to the OIDC issuer URL stored in the <code>OIDC_ISSUER</code> secret.</p> <h3> Deploy </h3> <p>Connect the repository to Cloudflare for automatic deployments, or deploy manually:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx wrangler deploy </code></pre> </div> <p>Set the issuer secret (the issuer URL from Step 1):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>npx wrangler secret put OIDC_ISSUER </code></pre> </div> <p>Make sure the worker is routed to your domain. You can either set up a custom domain in the Cloudflare dashboard or add a route in <code>wrangler.toml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight toml"><code><span class="py">routes</span> <span class="p">=</span> <span class="p">[</span> <span class="err">{</span> <span class="py">pattern</span> <span class="p">=</span> <span class="s">"example.com/*"</span><span class="p">,</span> <span class="py">zone_name</span> <span class="p">=</span> <span class="s">"example.com"</span> <span class="err">}</span> <span class="p">]</span> </code></pre> </div> <h3> Verify </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="s2">"https://example.com/.well-known/webfinger?resource=acct:user@example.com&amp;rel=http%3A%2F%2Fopenid.net%2Fspecs%2Fconnect%2F1.0%2Fissuer"</span> </code></pre> </div> <p>Should return:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"subject"</span><span class="p">:</span><span class="w"> </span><span class="s2">"acct:user@example.com"</span><span class="p">,</span><span class="w"> </span><span class="nl">"links"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"rel"</span><span class="p">:</span><span class="w"> </span><span class="s2">"http://openid.net/specs/connect/1.0/issuer"</span><span class="p">,</span><span class="w"> </span><span class="nl">"href"</span><span class="p">:</span><span class="w"> </span><span class="s2">"https://&lt;team-name&gt;.cloudflareaccess.com/cdn-cgi/access/sso/oidc/&lt;client-id&gt;"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <h2> Step 3: Tailscale — Custom OIDC </h2> <ol> <li>Go to the <a href="https://login.tailscale.com/admin" rel="noopener noreferrer">Tailscale admin console</a> </li> <li>Navigate to <strong>Identity providers → Custom OIDC</strong> (or sign up with OIDC if creating a new tailnet)</li> <li>Enter your email address (e.g., <code>user@example.com</code>)</li> <li> <strong>Issuer URL</strong>: the issuer URL from Step 1</li> <li> <strong>Client ID</strong>: from Step 1</li> <li> <strong>Client Secret</strong>: from Step 1</li> <li> <strong>Prompts</strong>: select <strong>login</strong> </li> </ol> <h2> That's it </h2> <p>The result: Tailscale authenticates users on your custom domain through Cloudflare Zero Trust, with a ~30-line Cloudflare Worker as the bridge. No databases, no key management, no token handling — Cloudflare does all the heavy OIDC lifting.</p> <p>To add or remove users, manage them in the Cloudflare Zero Trust Access Policy. The worker itself never needs to change.</p> devops cybersecurity Run Sepolia node de4ps Mon, 26 May 2025 12:24:14 +0000 https://dev.to/de4ps/run-sepolia-node-1lf7 https://dev.to/de4ps/run-sepolia-node-1lf7 <h2> Disclamer </h2> <blockquote> <p>Only for experimental purposes. Don't use in production</p> </blockquote> <h2> Docs </h2> <ul> <li><a href="https://sepolia.ethpandaops.io/" rel="noopener noreferrer">https://sepolia.ethpandaops.io/</a></li> <li><a href="https://sepolia.dev/" rel="noopener noreferrer">https://sepolia.dev/</a></li> <li><a href="https://github.com/eth-clients/sepolia" rel="noopener noreferrer">https://github.com/eth-clients/sepolia</a></li> <li><a href="https://www.offchainlabs.com/prysm/docs/install/install-with-script/" rel="noopener noreferrer">https://www.offchainlabs.com/prysm/docs/install/install-with-script/</a></li> </ul> <h2> Steps </h2> <h3> Make dirs </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">mkdir</span> <span class="nt">-p</span> ~/ethereum/consensus <span class="nb">mkdir</span> <span class="nt">-p</span> ~/ethereum/execution <span class="nb">mkdir</span> <span class="nt">-p</span> ~/ethereum/bin </code></pre> </div> <h3> Download binaries </h3> <p>Geth:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/ethereum/bin <span class="o">&amp;&amp;</span> curl https://raw.githubusercontent.com/OffchainLabs/prysm/master/prysm.sh <span class="nt">--output</span> prysm.sh <span class="o">&amp;&amp;</span> <span class="nb">chmod</span> +x prysm.sh </code></pre> </div> <p>Prysm:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/ethereum/bin <span class="o">&amp;&amp;</span> wget https://gethstore.blob.core.windows.net/builds/geth-linux-amd64-1.15.11-36b2371c.tar.gz <span class="o">&amp;&amp;</span> <span class="nb">tar</span> <span class="nt">-xzvf</span> geth-linux-amd64-1.15.11-36b2371c.tar.gz </code></pre> </div> <h3> Generate JWT </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd </span>ethereum <span class="o">&amp;&amp;</span> openssl rand <span class="nt">-hex</span> 32 | <span class="nb">tr</span> <span class="nt">-d</span> <span class="s2">"</span><span class="se">\n</span><span class="s2">"</span> <span class="o">&gt;</span> <span class="s2">"jwt.hex"</span> </code></pre> </div> <h3> Run geth </h3> <p>(in screen)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/ethereum/execution <span class="o">&amp;&amp;</span> ~/ethereum/bin/geth-linux-amd64-1.15.11-36b2371c/geth <span class="nt">--sepolia</span> <span class="nt">--http</span> <span class="nt">--http</span>.api eth,net,engine,admin <span class="nt">--http</span>.addr 0.0.0.0 <span class="nt">--authrpc</span>.jwtsecret<span class="o">=</span>~/ethereum/jwt.txt </code></pre> </div> <p>Test:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-s</span> http://localhost:8545 <span class="nt">-X</span> POST <span class="nt">-H</span> <span class="s2">"Content-Type: application/json"</span> <span class="nt">--data</span> <span class="s1">'{"jsonrpc":"2.0","method":"eth_syncing","params":[],"id":1}'</span> </code></pre> </div> <h3> Run prism </h3> <p>(in screen)<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">cd</span> ~/ethereum/consensus <span class="o">&amp;&amp;</span> ~/ethereum/bin/prysm.sh beacon-chain <span class="nt">--execution-endpoint</span><span class="o">=</span>http://localhost:8551 <span class="nt">--sepolia</span> <span class="nt">--jwt-secret</span><span class="o">=</span>~/ethereum/jwt.txt <span class="nt">--checkpoint-sync-url</span><span class="o">=</span>https://sepolia.beaconstate.info <span class="nt">--genesis-beacon-api-url</span><span class="o">=</span>https://sepolia.beaconstate.info <span class="nt">--grpc-gateway-host</span> 0.0.0.0 </code></pre> </div> <p>Test:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>curl <span class="nt">-s</span> http://localhost:3500/eth/v1/node/syncing </code></pre> </div> <h3> Open firewall </h3> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="nb">sudo </span>ufw allow 8545/tcp <span class="nb">sudo </span>ufw allow 3500/tcp </code></pre> </div> ethereum sepolia devops