[Plugin] Tailscale IDP


Tailscale IDP (tsidp)

The Tailscale IDP plugin brings Single Sign-On (SSO) to your Unraid server using Tailscale as an identity provider. With this plugin, you can log in to your Unraid web UI using your Tailscale account—no need to enter the root username and password if you’re already connected via Tailscale.

Configuration

After installing the plugin:

  1. Go to Settings -> Management Access -> Unraid API Settings.

  2. In the "OIDC Providers" section, select "Tailscale".

  3. Expand "Authorization Rules".

  4. Add Tailscale accounts to "Specific Email Addresses".

  5. Click "Apply".

Changelog

https://github.com/dkaser/unraid-tsidp/releases

Contributing

Issue reports and pull requests are welcome on Github: https://github.com/dkaser/unraid-tsidp

In case anyone is using Tailscale ACLs, add port 1025 to that rule.

This is pretty neat, cool :)

Love this plugin!!! But, it seems to not persist a reboot… anything I can try??

Thanks!!

  • Author
1 minute ago, DeltaEchoFour said:

Love this plugin!!! But, it seems to not persist a reboot… anything I can try??

Thanks!!

What version of Unraid? I have a guess on what’s happening. If you can install “Plugin Diagnostics” and upload diags for the plugin, I can confirm.

  • Author
13 hours ago, DeltaEchoFour said:

Love this plugin!!! But, it seems to not persist a reboot… anything I can try??

Thanks!!

I just released an update that should fix that problem.

Came here to ask about persistence as well - I've added a couple of extra redirect URIs in the TSIDP UI (LAN IP and my FQDN). They didn't persist when updating to the latest version of the plugin, so I've gone back in and added them - will they now persist on future updates/reboots of the machine (barring any breaking changes by Tailscale!)?

7 hours ago, EDACerton said:

I just released an update that should fix that problem.

I updated the plugin, and rebooted, and it's stuck!

Thank you!!!

  • Author
6 hours ago, erf89 said:

Came here to ask about persistence as well - I've added a couple of extra redirect URIs in the TSIDP UI (LAN IP and my FQDN). They didn't persist when updating to the latest version of the plugin, so I've gone back in and added them - will they now persist on future updates/reboots of the machine (barring any breaking changes by Tailscale!)?

They will not persist in the current version, but that's something that I could look at doing. It shouldn't be too difficult to do, the only disadvantage I can think of is that the list could get a little bloated if you're routinely changing your hostname or WebGUI ports (but I don't think that would be all that common, nor would it really be a problem, more a cosmetic annoyance).

Also, you'll need to add the grants to your Tailnet policy to make changes now, but it sounds like you already figured that out.

6 hours ago, EDACerton said:

They will not persist in the current version, but that's something that I could look at doing. It shouldn't be too difficult to do, the only disadvantage I can think of is that the list could get a little bloated if you're routinely changing your hostname or WebGUI ports (but I don't think that would be all that common, nor would it really be a problem, more a cosmetic annoyance).

Also, you'll need to add the grants to your Tailnet policy to make changes now, but it sounds like you already figured that out.

Yeah I've got the Grant in my ACL, would be good to have that persistence, although not super important!

  • Author
On 9/28/2025 at 7:29 PM, erf89 said:

Yeah I've got the Grant in my ACL, would be good to have that persistence, although not super important!

I just released a new update, it has an "allowed hosts" setting on the Tailscale IDP settings page. Add anything you need there (separated by spaces)

3 hours ago, EDACerton said:

I just released a new update, it has an "allowed hosts" setting on the Tailscale IDP settings page. Add anything you need there (separated by spaces)

Just tested that - looks like it's appending the same ports to my domain as I use for non-reverse-proxy access. So I have :84 and :447 set as the HTTP and HTTPS WebGUI ports in Unraid, but when I add unraid.domain.com, it's adding it as https://unraid.domain.com:447/graphql... where my reverse proxy doesn't need the port. It also doesn't seem to like IPs: I tried adding 192.168.50.5 and it didn't add anything to the IDP. (I tried it with a space after the first entry and also just on its own in the Allowed Hosts field.) Maybe if it was a field that doesn't append ports, the tooltip could say to add the host:port and then the plugin only appends /graphql/api...; for me that would be "unraid.domain.com 192.168.50.5:84 192.168.50.5:447".

I don't know enough about the Unraid API, but could it reference the entries from "Allowed OIDC Redirect Origins"


  • Author
19 hours ago, erf89 said:

Just tested that - looks like it's appending the same ports to my domain as I use for non-reverse-proxy access. So I have :84 and :447 set as the HTTP and HTTPS WebGUI ports in Unraid, but when I add unraid.domain.com, it's adding it as https://unraid.domain.com:447/graphql... where my reverse proxy doesn't need the port. It also doesn't seem to like IPs: I tried adding 192.168.50.5 and it didn't add anything to the IDP. (I tried it with a space after the first entry and also just on its own in the Allowed Hosts field.) Maybe if it was a field that doesn't append ports, the tooltip could say to add the host:port and then the plugin only appends /graphql/api...; for me that would be "unraid.domain.com 192.168.50.5:84 192.168.50.5:447".

I don't know enough about the Unraid API, but could it reference the entries from "Allowed OIDC Redirect Origins"


Possibly, I'll have to dig into that more.

In the meantime, I adjusted the setting in "Tailscale IDP" -- if an entry starts with http:// or https://, it won't try to add the WebGUI port.

4 hours ago, EDACerton said:

Possibly, I'll have to dig into that more.

In the meantime, I adjusted the setting in "Tailscale IDP" -- if an entry starts with http:// or https://, it won't try to add the WebGUI port.

Ahh this is great, just tested and all working, thanks!

Great project, this. I was testing it out with Tinyauth the other day to SSO apps that don't have OIDC.

  • 3 weeks later...

Hello, I accidentally removed the Tailscale OIDC settings. How could I add them again? I tried to reinstall the plugin but it didn't help.

Thanks

  • 2 weeks later...

Is this the full implementation of Tailscale's tsidp? Can I use this plugin to sign in to my other services as well, and not just Unraid?

When logging in it adds the port 1025 to the tailscale serve url with this error: Error 400: invalid_request - redirect_uri mismatch

Edited by PilaScat
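The two things discussed above, the expansion of the plugin's "allowed hosts" entries into callback URIs (bare host gets the WebGUI port, an entry that already starts with http:// or https:// is used as-is) and the provider's "redirect_uri mismatch" rejection, both come down to exact string comparison of redirect URIs. The following is an added example written for this thread; it is not code from the unraid-tsidp plugin, the Unraid API or tsidp. It assumes a bare host is registered for both the HTTP and HTTPS WebGUI ports, takes the callback path from the redirect_uri shown in the log lines later in the thread, and uses constructed hostnames and ports.

```python
"""Redirect-URI expansion and matching for the Unraid OIDC callback.

Added example; not code from the unraid-tsidp plugin, the Unraid API or tsidp.
It models the behaviour the thread describes: each entry in the plugin's
"allowed hosts" field becomes a callback URI, bare hostnames get the WebGUI
port appended while entries that start with http:// or https:// are used
as-is, and the identity provider accepts a redirect_uri only if it is an exact
string match for a registered one (the "redirect_uri mismatch" 400).
Assumptions: a bare host is expanded to both an http and an https URI, and the
callback path is the one visible in the log lines in this thread. Hostnames
and ports are constructed sample values.
"""
from urllib.parse import urlsplit

# Callback path used by the Unraid API (taken from the redirect_uri in the log).
CALLBACK_PATH = "/graphql/api/auth/oidc/callback"


def expand_allowed_hosts(entries: str, http_port: int, https_port: int) -> list[str]:
    """Turn the space-separated 'allowed hosts' setting into callback URIs."""
    uris: list[str] = []
    for entry in entries.split():
        if entry.startswith(("http://", "https://")):
            # Scheme given: register literally, no WebGUI port (reverse-proxy case).
            uris.append(entry.rstrip("/") + CALLBACK_PATH)
        else:
            # Assumption: a bare host or IP is registered for both WebGUI ports.
            uris.append(f"http://{entry}:{http_port}{CALLBACK_PATH}")
            uris.append(f"https://{entry}:{https_port}{CALLBACK_PATH}")
    return uris


def redirect_uri_allowed(redirect_uri: str, registered: list[str]) -> bool:
    """Exact string comparison, as OAuth 2.0 / OIDC providers are expected to do.

    No prefix or host-only matching: a different scheme, an extra or missing
    port, or a trailing slash is a mismatch.
    """
    return redirect_uri in registered


def explain_mismatch(redirect_uri: str, registered: list[str]) -> str:
    """Say which component differs from the closest registered URI."""
    if redirect_uri in registered:
        return "match"
    got = urlsplit(redirect_uri)
    for candidate in registered:
        want = urlsplit(candidate)
        if want.hostname == got.hostname and want.path == got.path:
            diffs = []
            if want.scheme != got.scheme:
                diffs.append(f"scheme {got.scheme} != {want.scheme}")
            if want.port != got.port:
                diffs.append(f"port {got.port or '(none)'} != {want.port or '(none)'}")
            if not diffs:
                diffs.append("query or fragment differs")
            return f"closest registration {candidate}: " + ", ".join(diffs)
    return "no registered URI with that host and path"


if __name__ == "__main__":
    registered = expand_allowed_hosts(
        "https://unraid.xxx.ts.net 192.168.50.5 https://unraid.domain.com",
        http_port=84, https_port=447)
    for uri in registered:
        print("registered:", uri)
    # The case reported above: the tailnet name with the IdP's port 1025 in it.
    bad = "https://unraid.xxx.ts.net:1025" + CALLBACK_PATH
    print(bad, "->", explain_mismatch(bad, registered))
```

Running the block prints the three registrations and then reports the :1025 URI as a port mismatch against the registered portless one; that is the same condition the provider reports as "Error 400: invalid_request - redirect_uri mismatch", and the fix is to register the exact URI the WebGUI redirects with rather than to loosen the comparison.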

  • 4 months later...
On 10/31/2025 at 8:28 PM, kaffesugen said:

Is this the full implementation of Tailscale's tsidp? Can I use this plugin to sign in to my other services as well, and not just Unraid?

Good question! Did you find an answer?

  • Author
5 hours ago, Tom7320 said:

Good question! Did you find an answer?

Yes, you can; you’ll just need to add the necessary rule to your Tailscale ACLs to grant access to the tsidp admin console.

For all the newbies like me who missed it:

Tailscale ACL within the "grants" section:

{
	"src": ["autogroup:admin"],
	"dst": ["*"],
	"app": {
		"tailscale.com/cap/tsidp": [
			{
				"allow_admin_ui": true,
				"allow_dcr": true,
				"users":     ["*"],
				"resources": ["*"],
				"includeInUserInfo": true,
			},
		],
	},
},

Then go to

https://unraid.your-tailnet.ts.net:1025

I missed port 1025... 😉

Have a nice weekend!

Thorsten
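Tailscale policy files are HuJSON (JSON with comments and trailing commas, as in the grant posted above), so checking who actually receives the tsidp capability takes a little more than json.loads. The following is an added example written for this thread, not part of the unraid-tsidp plugin or of Tailscale's own tooling: it strips comments and trailing commas, then lists every tailscale.com/cap/tsidp entry with the sources it is granted to. The policy text is a constructed sample built from the grant above; the check matches a source principal literally and does not expand group, tag or autogroup membership, which is an assumption of this example.

```python
"""Find out who a Tailscale policy lets into tsidp, and with what.

Added example; not part of the unraid-tsidp plugin or of Tailscale's own
tooling. Tailscale policy files are HuJSON (JSON with comments and trailing
commas), so the loader strips both before handing the text to the standard
json module; it then lists every tailscale.com/cap/tsidp capability entry
together with the sources it is granted to. The policy text is a constructed
sample built from the grant posted in this thread. Assumption: the check
matches a source principal literally and does not expand group, tag or
autogroup membership.
"""
import json

TSIDP_CAP = "tailscale.com/cap/tsidp"

# Constructed sample policy: the grant from this thread plus a comment, so the
# HuJSON handling is exercised.
SAMPLE_POLICY = """
{
    // tsidp: admin console and dynamic client registration for tailnet admins
    "grants": [
        {
            "src": ["autogroup:admin"],
            "dst": ["*"],
            "app": {
                "tailscale.com/cap/tsidp": [
                    {
                        "allow_admin_ui": true,
                        "allow_dcr": true,
                        "users":     ["*"],
                        "resources": ["*"],
                        "includeInUserInfo": true,
                    },
                ],
            },
        },
    ],
}
"""


def hujson_to_json(text: str) -> str:
    """Remove // and /* */ comments and trailing commas outside string literals."""
    out: list[str] = []
    i, n, in_str = 0, len(text), False
    while i < n:
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < n:      # keep the escaped character as-is
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = (n if j < 0 else j) - 1        # leave the newline for the next loop
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = (n if j < 0 else j + 2) - 1
        elif ch in "]}":
            # Drop a comma that is the last non-blank character before a closer.
            k = len(out) - 1
            while k >= 0 and out[k].isspace():
                k -= 1
            if k >= 0 and out[k] == ",":
                del out[k]
            out.append(ch)
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def load_policy(hujson_text: str) -> dict:
    return json.loads(hujson_to_json(hujson_text))


def tsidp_grants(policy: dict) -> list[dict]:
    """One row per (grant, tsidp capability entry) pair."""
    rows = []
    for grant in policy.get("grants", []):
        for cap in grant.get("app", {}).get(TSIDP_CAP, []):
            rows.append({
                "src": list(grant.get("src", [])),
                "dst": list(grant.get("dst", [])),
                "admin_ui": bool(cap.get("allow_admin_ui", False)),
                "dcr": bool(cap.get("allow_dcr", False)),
                "users": list(cap.get("users", [])),
                "resources": list(cap.get("resources", [])),
            })
    return rows


def can_open_admin_ui(policy: dict, src: str) -> bool:
    """True if a grant naming `src` literally carries allow_admin_ui."""
    return any(src in row["src"] and row["admin_ui"] for row in tsidp_grants(policy))


if __name__ == "__main__":
    policy = load_policy(SAMPLE_POLICY)
    for row in tsidp_grants(policy):
        print(row)
    print("autogroup:admin can open admin UI:", can_open_admin_ui(policy, "autogroup:admin"))
    print("autogroup:member can open admin UI:", can_open_admin_ui(policy, "autogroup:member"))
```

The rows are what to eyeball before widening a grant: a src broader than autogroup:admin combined with allow_admin_ui and allow_dcr hands the tsidp console and client registration to everyone it matches.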

  • 1 month later...


[07:04:39 INFO OidcService]: Built authorization URL via discovery for provider tsidp {"apiVersion":"4.29.2+c39b0b26","logger":"OidcService","context":"OidcService"}

[07:04:39 INFO OidcService]: Authorization parameters: {"redirect_uri":"https://unraid.xxx.ts.net/graphql/api/auth/oidc/callback","scope":"openid profile email","state":"tsidp:bc1d80521bfc123745e5acb35ad74372.1777275939026.07cd4c720601451f09277a0d0b828830a14d12493d7369346938e1d91599ece9","response_type":"code"} {"apiVersion":"4.29.2+c39b0b26","logger":"OidcService","context":"OidcService"}

[07:04:39 INFO OidcRestController]: Redirecting to OIDC provider: https://unraid.xxx.ts.net:1025/authorize?redirect_uri=https%3A%2F%2Funraid.xxx.ts.net%2Fgraphql%2Fapi%2Fauth%2Foidc%2Fcallback&scope=openid+profile+email&state=tsidp%3Abc1d80521bfc123745e5acb35ad74372.1777275939026.07cd4c720601451f09277a0d0b828830a14d12493d7369346938e1d91599ece9&response_type=code&client_id=unraidgui {"apiVersion":"4.29.2+c39b0b26","logger":"OidcRestController","context":"OidcRestController"}

[07:04:39 ERROR OidcTokenExchangeService]: Token exchange failed {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]: Error type: ClientError {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]: Error message: unexpected response content-type {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]: Error code: OAUTH_RESPONSE_IS_NOT_JSON {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]: Error cause chain: {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]:   [Cause 1] object: [object Response] {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]: Token endpoint returned invalid or non-JSON response. {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]: This typically means: {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]: 1. The token endpoint URL is incorrect (check for typos or wrong paths) {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]: 2. The server returned an HTML error page instead of JSON {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]: 3. Authentication failed (invalid client_id or client_secret) {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]: 4. A proxy/firewall is intercepting the request {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]: 5. The OAuth server returned malformed JSON {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]: Configured token endpoint: https://unraid.xxx.ts.net:1025/token {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcTokenExchangeService]: Please verify your OIDC provider configuration. {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}

[07:04:39 ERROR OidcService]: OAuth callback error: unexpected response content-type {"apiVersion":"4.29.2+c39b0b26","logger":"OidcService","context":"OidcService"}

[07:04:39 ERROR OidcRestController]: OIDC callback error: UnauthorizedException: Authentication failed {"apiVersion":"4.29.2+c39b0b26","logger":"OidcRestController","context":"OidcRestController"}

Tailscale ACL below:

{
	"src": ["tag:grp-admin", "tag:role-relay"],
	"dst": ["*"],
	"ip":  ["*"],

	"app": {
		"tailscale.com/cap/tsidp": [
			{
				"allow_admin_ui": true,
				"allow_dcr":      true,
				"resources":      ["*"],
				"users":          ["*"],
			},
		],
	},
}
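The log above shows the Unraid API building its authorization URL from the issuer's discovery document and then rejecting the token endpoint's answer because it was not JSON (OAUTH_RESPONSE_IS_NOT_JSON). The following is an added example written for this thread, not code from the Unraid API, the unraid-tsidp plugin or tsidp: it reproduces the two checks those log lines imply, so that cases 1, 2 and 4 from the error text can be told apart on constructed input. The discovery document and the token-endpoint answers are constructed samples shaped like the log's values; the same-origin rule for endpoints is a sanity check suited to a single-listener IdP such as tsidp, not a requirement of the OIDC specification.

```python
"""Preflight checks for the OIDC exchange between the Unraid API and tsidp.

Added example; not code from the Unraid API, the unraid-tsidp plugin or tsidp.
It reproduces two checks the thread's log lines imply: the authorization and
token endpoints come from the issuer's discovery document (served at
<issuer>/.well-known/openid-configuration), and the token endpoint must answer
with a JSON body, otherwise the client reports OAUTH_RESPONSE_IS_NOT_JSON
before any token is read. The discovery document and the token-endpoint
answers are constructed samples; the same-origin rule for endpoints is a
sanity check for a single-listener IdP like tsidp, not an OIDC requirement.
"""
import json
from urllib.parse import urlsplit


class OidcConfigError(Exception):
    """Raised when a discovery document or token response is unusable."""


def _origin(url: str) -> tuple:
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port)


def check_discovery(doc: dict, expected_issuer: str) -> dict:
    """Return the endpoints the login flow needs, after validating them.

    OIDC Discovery requires the issuer in the document to equal the issuer the
    document was fetched for; on top of that, both endpoints must sit on the
    issuer's scheme, host and port, which catches a stray or missing :1025.
    """
    issuer = doc.get("issuer")
    if issuer != expected_issuer:
        raise OidcConfigError(f"issuer {issuer!r} != configured {expected_issuer!r}")
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint"):
        url = doc.get(key)
        if not url:
            raise OidcConfigError(f"discovery document lacks {key}")
        if _origin(url) != _origin(issuer):
            raise OidcConfigError(f"{key} {url} is not on issuer origin {issuer}")
        endpoints[key] = url
    return endpoints


def parse_token_response(status: int, content_type: str, body: bytes) -> dict:
    """Accept only a JSON token response and explain anything else.

    The content type is checked first: an HTML login wall, a proxy error page
    or a 404 from a wrong path all fail here, matching the log's
    'unexpected response content-type'.
    """
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        raise OidcConfigError(
            f"OAUTH_RESPONSE_IS_NOT_JSON: HTTP {status} with {media_type or 'no content-type'}")
    try:
        payload = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise OidcConfigError(f"token endpoint returned malformed JSON: {exc}") from exc
    if status != 200:
        raise OidcConfigError(
            f"token error {payload.get('error')}: {payload.get('error_description')}")
    missing = [k for k in ("access_token", "id_token", "token_type") if k not in payload]
    if missing:
        raise OidcConfigError(f"token response lacks {', '.join(missing)}")
    return payload


def diagnose_discovery(doc: dict, expected_issuer: str) -> str:
    try:
        check_discovery(doc, expected_issuer)
        return "ok"
    except OidcConfigError as exc:
        return str(exc)


def diagnose_token(status: int, content_type: str, body: bytes) -> str:
    try:
        parse_token_response(status, content_type, body)
        return "ok"
    except OidcConfigError as exc:
        return str(exc)


# Constructed samples shaped like the values in the log above.
ISSUER = "https://unraid.xxx.ts.net:1025"
SAMPLE_DISCOVERY = {
    "issuer": ISSUER,
    "authorization_endpoint": ISSUER + "/authorize",
    "token_endpoint": ISSUER + "/token",
}
HTML_ANSWER = (200, "text/html; charset=utf-8", b"<html><body>Sign in</body></html>")
JSON_ANSWER = (200, "application/json", json.dumps({
    "access_token": "at.example", "id_token": "id.example",
    "token_type": "Bearer", "expires_in": 300}).encode())

if __name__ == "__main__":
    print("discovery:", diagnose_discovery(SAMPLE_DISCOVERY, ISSUER))
    print("issuer without port:", diagnose_discovery(SAMPLE_DISCOVERY, "https://unraid.xxx.ts.net"))
    print("html answer:", diagnose_token(*HTML_ANSWER))
    print("json answer:", diagnose_token(*JSON_ANSWER))
```

To use it against a live tsidp, fetch the discovery document from the issuer you configured in Unraid and feed it to check_discovery, then replay the token POST (with the same client_id and redirect_uri the log shows) and pass status, Content-Type and body to parse_token_response; the message you get back says which of the log's numbered causes applies instead of a generic "Authentication failed".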
