Using Codeberg, Gitea, or Forgejo as OIDC provider for Tailscale

hyperreal October 3, 2025

Requirements

Webfinger

In the web root of your web server, create the .well-known/webfinger file. For example, on mine, I have the following:

{
  "subject": "acct:hyperreal@moonshadow.dev",
  "links": [
    {
      "rel": "http://openid.net/specs/connect/1.0/issuer",
      "href": "https://codeberg.org"
    }
  ]
}

You can use the Webfinger lookup tool to make sure it is set up correctly.

The value of the "subject" field must contain your email address at the domain you own, in the acct: form shown above. The value of the "href" field must be the URL of Codeberg, or of your own Gitea or Forgejo instance.
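As an added example (not part of the original post), the following Python builds the document above from a username, domain and issuer, then checks it the way an OIDC client doing WebFinger discovery would, using the post's own acct and issuer values. The checker's rules (an acct: subject that matches the requested resource, exactly one issuer link, an https issuer without query or fragment) are my reading of OpenID Connect Discovery 1.0, not something the post states.

```python
import json
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Link relation that OpenID Connect Discovery uses for the issuer lookup.
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

def build_webfinger(user: str, domain: str, issuer: str) -> str:
    """Return the JSON to save as .well-known/webfinger in the web root."""
    doc = {
        "subject": f"acct:{user}@{domain}",
        "links": [{"rel": OIDC_ISSUER_REL, "href": issuer}],
    }
    return json.dumps(doc, indent=2)

def check_webfinger(body: str, resource: str) -> Tuple[Optional[str], str]:
    """Simulate the client side of the lookup: given the served document and the
    resource the client asked for (e.g. "acct:hyperreal@moonshadow.dev"), return
    (issuer, "") on success or (None, reason). A static file answers every query
    with the same subject, so a mismatch means the file names the wrong account."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return None, f"not valid JSON: {exc}"
    if not isinstance(doc, dict):
        return None, "document must be a JSON object"
    subject = doc.get("subject", "")
    if not subject.startswith("acct:") or "@" not in subject:
        return None, "subject must have the form acct:user@domain"
    if subject != resource:
        return None, f"subject {subject!r} does not match requested {resource!r}"
    hrefs = [link.get("href") for link in doc.get("links", [])
             if link.get("rel") == OIDC_ISSUER_REL]
    if len(hrefs) != 1 or not hrefs[0]:
        return None, "exactly one link with the OIDC issuer rel is required"
    issuer = hrefs[0]
    parts = urlsplit(issuer)
    # OpenID Connect Discovery requires an https issuer with no query or fragment.
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        return None, f"issuer must be an https URL without query or fragment: {issuer!r}"
    return issuer, ""

def discovery_url(issuer: str) -> str:
    """Provider metadata URL the client fetches after the WebFinger step."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

if __name__ == "__main__":
    body = build_webfinger("hyperreal", "moonshadow.dev", "https://codeberg.org")
    print(body)
    print(check_webfinger(body, "acct:hyperreal@moonshadow.dev"), discovery_url("https://codeberg.org"))
```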

Create an OAuth2 application on Codeberg, Gitea, or Forgejo

On Codeberg, Gitea, or Forgejo, go to your User Settings -> Applications -> Manage OAuth2 applications.

Click on Create. Now copy and save the Client ID and Client secret that were generated.

Sign up with Tailscale

Resources
