September 17, 2025

Tailscale IDP (tsidp)

The Tailscale IDP plugin brings Single Sign-On (SSO) to your Unraid server using Tailscale as an identity provider. With this plugin, you can log in to your Unraid web UI using your Tailscale account—no need to enter the root username and password if you're already connected via Tailscale.

Configuration

After installing the plugin:

1. Go to Settings -> Management Access -> Unraid API Settings.
2. In the "OIDC Providers" section, select "Tailscale".
3. Expand "Authorization Rules".
4. Add Tailscale accounts to "Specific Email Addresses".
5. Click "Apply".

Changelog

https://github.com/dkaser/unraid-tsidp/releases

Contributing

Issue reports and pull requests are welcome on GitHub: https://github.com/dkaser/unraid-tsidp
September 27, 2025

Love this plugin!!! But, it seems to not persist a reboot… anything I can try??

Thanks!!
September 27, 2025 (Author)

1 minute ago, DeltaEchoFour said:
> Love this plugin!!! But, it seems to not persist a reboot… anything I can try??
> Thanks!!

What version of Unraid? I have a guess on what's happening. If you can install "Plugin Diagnostics" and upload diags for the plugin, I can confirm.
September 27, 2025

I'm running unRAID 7.1.4.

I installed Plugin Diagnostics, and attached the zip.

I did notice the following error is being logged…

Tower-tsidp-diag-20250927-172329.zip
September 28, 2025 (Author)

13 hours ago, DeltaEchoFour said:
> Love this plugin!!! But, it seems to not persist a reboot… anything I can try??
> Thanks!!

I just released an update that should fix that problem.
September 28, 2025

Came here to ask about persistence as well - I've added a couple extra redirect URIs in the TSIDP UI (LAN IP and my FQDN), they didn't persist when updating to the latest version of the plugin so I've gone back in and added them - will they now persist on future updates/reboot of machine (barring any breaking changes by Tailscale!)
September 28, 2025

7 hours ago, EDACerton said:
> I just released an update that should fix that problem.

I updated the plugin, and rebooted, and it's stuck!

Thank you!!!
September 28, 2025 (Author)

6 hours ago, erf89 said:
> Came here to ask about persistence as well - I've added a couple extra redirect URIs in the TSIDP UI (LAN IP and my FQDN), they didn't persist when updating to the latest version of the plugin so I've gone back in and added them - will they now persist on future updates/reboot of machine (barring any breaking changes by Tailscale!)

They will not persist in the current version, but that's something that I could look at doing. It shouldn't be too difficult to do, the only disadvantage I can think of is that the list could get a little bloated if you're routinely changing your hostname or WebGUI ports (but I don't think that would be all that common, nor would it really be a problem, more a cosmetic annoyance).

Also, you'll need to add the grants to your Tailnet policy to make changes now, but it sounds like you already figured that out.
September 28, 2025

6 hours ago, EDACerton said:
> They will not persist in the current version, but that's something that I could look at doing. It shouldn't be too difficult to do, the only disadvantage I can think of is that the list could get a little bloated if you're routinely changing your hostname or WebGUI ports (but I don't think that would be all that common, nor would it really be a problem, more a cosmetic annoyance).
> Also, you'll need to add the grants to your Tailnet policy to make changes now, but it sounds like you already figured that out.

Yeah I've got the Grant in my ACL, would be good to have that persistence, although not super important!
September 30, 2025 (Author)

On 9/28/2025 at 7:29 PM, erf89 said:
> Yeah I've got the Grant in my ACL, would be good to have that persistence, although not super important!

I just released a new update, it has an "allowed hosts" setting on the Tailscale IDP settings page. Add anything you need there (separated by spaces).
September 30, 2025

3 hours ago, EDACerton said:
> I just released a new update, it has an "allowed hosts" setting on the Tailscale IDP settings page. Add anything you need there (separated by spaces)

Just tested that - looks like it's appending the same ports to my domain as I use for non-reverse proxy access. So I have :84 and :447 set as HTTP and HTTPS WebGUI in Unraid, but when I add unraid.domain.com, it's adding it as https://unraid.domain.com:447/graphql... where my reverse proxy doesn't need the port.

It also doesn't seem to like IPs, I tried adding 192.168.50.5 and it didn't add anything to the IDP. (I tried it with a space after the first entry and also just on its own in the Allowed Hosts field) - maybe if it was a field that doesn't append ports, tooltip could be to add the host:port and then the plugin is only appending /graphql/api..., for me that would be "unraid.domain.com 192.168.50.5:84 192.168.50.5:447"

I don't know enough about the Unraid API, but could it reference the entries from "Allowed OIDC Redirect Origins"?
October 1, 2025 (Author)

19 hours ago, erf89 said:
> Just tested that - looks like it's appending the same ports to my domain as I use for non-reverse proxy access. So I have :84 and :447 set as HTTP and HTTPS WebGUI in Unraid, but when I add unraid.domain.com, it's adding it as https://unraid.domain.com:447/graphql... where my reverse proxy doesn't need the port.
> It also doesn't seem to like IPs, I tried adding 192.168.50.5 and it didn't add anything to the IDP. (I tried it with a space after the first entry and also just on its own in the Allowed Hosts field) - maybe if it was a field that doesn't append ports, tooltip could be to add the host:port and then the plugin is only appending /graphql/api..., for me that would be "unraid.domain.com 192.168.50.5:84 192.168.50.5:447"
> I don't know enough about the Unraid API, but could it reference the entries from "Allowed OIDC Redirect Origins"?

Possibly, I'll have to dig into that more.

In the meantime, I adjusted the setting in "Tailscale IDP" -- if an entry starts with http:// or https://, it won't try to add the WebGUI port.
October 1, 2025

4 hours ago, EDACerton said:
> Possibly, I'll have to dig into that more.
> In the meantime, I adjusted the setting in "Tailscale IDP" -- if an entry starts with http:// or https://, it won't try to add the WebGUI port.

Ahh this is great, just tested and all working, thanks! Great project this, I was testing it out with Tinyauth the other day to SSO apps that don't have OIDC.
October 17, 2025

Hello, I accidentally removed the Tailscale OIDC settings. How could I add them again? I tried to reinstall the plugin but it didn't help.

Thanks
October 31, 2025

Is this the full implementation of Tailscale's tsidp? Can I use this plugin to sign in to my other services as well, and not just Unraid?
November 8, 2025

When logging in it adds the port 1025 to the Tailscale serve URL with this error:

Error 400: invalid_request - redirect_uri mismatch

Edited November 8, 2025 by PilaScat
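A way to pin down a redirect_uri mismatch like the one reported above, as an added example that is not part of any post and not the plugin's or Unraid's code: it pulls the redirect_uri out of an Unraid API "Redirecting to OIDC provider" log line and compares it to the URIs registered at the provider. The log line and the registered list are constructed samples, and exact string matching by the provider is an assumption (it is the usual rule for OAuth redirect URIs).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample, modelled on the OidcRestController log format in this thread.
SAMPLE_LOG = (
    '[07:04:39 INFO OidcRestController]: Redirecting to OIDC provider: '
    'https://unraid.your-tailnet.ts.net:1025/authorize?redirect_uri=https%3A%2F%2F'
    'unraid.your-tailnet.ts.net%3A1025%2Fgraphql%2Fapi%2Fauth%2Foidc%2Fcallback'
    '&scope=openid+profile+email&response_type=code&client_id=unraidgui '
    '{"logger":"OidcRestController","context":"OidcRestController"}'
)

# Constructed: redirect URIs assumed to be registered for the client at the provider.
REGISTERED = [
    "https://unraid.your-tailnet.ts.net/graphql/api/auth/oidc/callback",
    "https://unraid.domain.com/graphql/api/auth/oidc/callback",
]

AUTHZ_RE = re.compile(r"Redirecting to OIDC provider: (\S+)")


def sent_redirect_uri(log_text):
    """Return the decoded redirect_uri of the first authorization redirect, or None."""
    m = AUTHZ_RE.search(log_text)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group(1)).query)
    return query.get("redirect_uri", [None])[0]


def _parts(uri):
    """Split a URI into the components that usually cause a mismatch."""
    u = urlsplit(uri)
    default = {"https": 443, "http": 80}.get(u.scheme)
    return {"scheme": u.scheme, "host": u.hostname,
            "port": u.port or default, "path": u.path}


def diagnose(sent, registered):
    """Exact-match check; on a miss, list what differs from the closest registered URI."""
    if sent in registered:
        return "match", []
    s = _parts(sent)
    closest = min(registered,
                  key=lambda r: sum(s[k] != v for k, v in _parts(r).items()))
    c = _parts(closest)
    diffs = [f"{k}: sent {s[k]!r}, registered {c[k]!r}" for k in s if s[k] != c[k]]
    return "mismatch", diffs or ["same components, different string form"]


if __name__ == "__main__":
    print(diagnose(sent_redirect_uri(SAMPLE_LOG), REGISTERED))
```
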
March 14

On 10/31/2025 at 8:28 PM, kaffesugen said:
> Is this the full implementation of Tailscale's tsidp? Can I use this plugin to sign in to my other services as well, and not just Unraid?

Good question! Did you find an answer?
March 14 (Author)

5 hours ago, Tom7320 said:
> Good question! Did you find an answer?

Yes, you can; you'll just need to add the necessary rule to your Tailscale ACLs to grant access to the tsidp admin console.
March 14

Thanks! I just copy/pasted the ACLs from here: https://github.com/tailscale/tsidp

But how do I reach the tsidp admin console? I still don't get it....
March 15

For all the newbies like me who missed it:

Tailscale ACL within the "grants" section:

    {
      "src": ["autogroup:admin"],
      "dst": ["*"],
      "app": {
        "tailscale.com/cap/tsidp": [
          {
            "allow_admin_ui": true,
            "allow_dcr": true,
            "users": ["*"],
            "resources": ["*"],
            "includeInUserInfo": true,
          },
        ],
      },
    },

Then go to https://unraid.your-tailnet.ts.net:1025

I missed port 1025... 😉

Have a nice weekend!

Thorsten
April 27

    [07:04:39 INFO OidcService]: Built authorization URL via discovery for provider tsidp {"apiVersion":"4.29.2+c39b0b26","logger":"OidcService","context":"OidcService"}
    [07:04:39 INFO OidcService]: Authorization parameters: {"redirect_uri":"https://unraid.xxx.ts.net/graphql/api/auth/oidc/callback","scope":"openid profile email","state":"tsidp:bc1d80521bfc123745e5acb35ad74372.1777275939026.07cd4c720601451f09277a0d0b828830a14d12493d7369346938e1d91599ece9","response_type":"code"} {"apiVersion":"4.29.2+c39b0b26","logger":"OidcService","context":"OidcService"}
    [07:04:39 INFO OidcRestController]: Redirecting to OIDC provider: https://unraid.xxx.ts.net:1025/authorize?redirect_uri=https%3A%2F%2Funraid.xxx.ts.net%2Fgraphql%2Fapi%2Fauth%2Foidc%2Fcallback&scope=openid+profile+email&state=tsidp%3Abc1d80521bfc123745e5acb35ad74372.1777275939026.07cd4c720601451f09277a0d0b828830a14d12493d7369346938e1d91599ece9&response_type=code&client_id=unraidgui {"apiVersion":"4.29.2+c39b0b26","logger":"OidcRestController","context":"OidcRestController"}
    [07:04:39 ERROR OidcTokenExchangeService]: Token exchange failed {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: Error type: ClientError {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: Error message: unexpected response content-type {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: Error code: OAUTH_RESPONSE_IS_NOT_JSON {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: Error cause chain: {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: [Cause 1] object: [object Response] {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: Token endpoint returned invalid or non-JSON response. {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: This typically means: {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: 1. The token endpoint URL is incorrect (check for typos or wrong paths) {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: 2. The server returned an HTML error page instead of JSON {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: 3. Authentication failed (invalid client_id or client_secret) {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: 4. A proxy/firewall is intercepting the request {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: 5. The OAuth server returned malformed JSON {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: Configured token endpoint: https://unraid.xxx.ts.net:1025/token {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcTokenExchangeService]: Please verify your OIDC provider configuration. {"apiVersion":"4.29.2+c39b0b26","logger":"OidcTokenExchangeService","context":"OidcTokenExchangeService"}
    [07:04:39 ERROR OidcService]: OAuth callback error: unexpected response content-type {"apiVersion":"4.29.2+c39b0b26","logger":"OidcService","context":"OidcService"}
    [07:04:39 ERROR OidcRestController]: OIDC callback error: UnauthorizedException: Authentication failed {"apiVersion":"4.29.2+c39b0b26","logger":"OidcRestController","context":"OidcRestController"}

Tailscale ACL below:

    {
      "src": ["tag:grp-admin", "tag:role-relay"],
      "dst": ["*"],
      "ip": ["*"],
      "app": {
        "tailscale.com/cap/tsidp": [
          {
            "allow_admin_ui": true,
            "allow_dcr": true,
            "resources": ["*"],
            "users": ["*"],
          },
        ],
      },
    }