Using Codeberg as an OIDC provider
These steps also apply to Gitea and Forgejo instances.
Requirements
- Use moonshadow.dev for the domain.
- Use hyperreal@moonshadow.dev for the email. This must be the primary email on your Codeberg, Gitea, or Forgejo account.
- Setup a web server to host the webfinger file at moonshadow.dev.
Webfinger
In the web root of the web server, create .well-known/webfinger.
{
"subject": "acct:hyperreal@moonshadow.dev",
"links": [
{
"rel": "http://openid.net/specs/connect/1.0/issuer",
"href": "https://codeberg.org"
}
]
}
Use the Webfinger lookup tool to make sure it is setup correctly.
Create an OAuth2 application on Codeberg
Go to User Settings -> Applications -> Manage OAuth2 applications.
| Application name | tailscale |
| Redirect URI | https://login.tailscale.com/a/oauth_response |
| Confidential client | Checked |
Click on Create. Copy and save the Client ID and Client secret that were generated.
Sign up with Tailscale
- Go to the Tailscale login page, and select “Sign up with OIDC”.
- Enter hyperreal@moonshadow.dev for the email.
- Choose Codeberg as the identity provider. (optional)
- Select “Get OIDC Issuer”.
- Enter the Client ID and Client secret saved from the OAuth2 application. Leave everything else as default, and make sure that “consent” is checked under Prompts.
- Click “Sign up with OIDC”, and you should be able to login to Tailscale and be redirected to your Tailscale admin console.