Tsidp
A simple OIDC / OAuth Identity Provider (IdP) server for your tailnet.
What is Tsidp?
Tsidp is a simple OIDC / OAuth Identity Provider (IdP) server for your tailnet. It issues tokens to OIDC-compatible applications based on the Tailscale identity of the caller, so internal services get single sign-on without a separate identity provider.
This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.
Features
- A simple OIDC / OAuth Identity Provider (IdP) server for your tailnet
How to Set Up and Use Tsidp
tsidp is an OIDC/OAuth 2.0 Identity Provider (IdP) server that runs inside your Tailscale network (tailnet), letting you authenticate any OIDC-compatible application using Tailscale identities. It issues ID tokens and access tokens based on who is already authenticated on your tailnet, eliminating the need for a separate identity provider for internal services. Teams use it to add single sign-on to self-hosted apps, Kubernetes clusters, or any OAuth2-protected service within their Tailscale network without managing passwords or external IdP subscriptions.
Prerequisites
- An active Tailscale account and tailnet with MagicDNS and HTTPS certificates enabled
- A Tailscale authentication key (TS_AUTHKEY) for node registration
- Docker and Docker Compose (recommended installation method)
- Go 1.21+ (for building from source)
- Applications requiring OIDC/OAuth2 authentication within the tailnet
Enable MagicDNS and HTTPS on your Tailscale network
In the Tailscale admin console, enable MagicDNS and HTTPS certificate provisioning for your tailnet. These are required for tsidp to serve a valid HTTPS OIDC discovery endpoint.
Create a Docker Compose file
Create a compose.yaml file for tsidp. The TAILSCALE_USE_WIP_CODE=1 variable is required because tsidp is an experimental feature. Set TS_AUTHKEY to a pre-authorized auth key from the Tailscale admin console and treat it as a secret: do not commit a compose file with the key in it; pass it through an env_file or the shell environment instead. TSIDP_ENABLE_STS=1 turns on OAuth token exchange.
services:
  tsidp:
    container_name: tsidp
    image: ghcr.io/tailscale/tsidp:latest
    volumes:
      - tsidp-data:/data
    environment:
      - TAILSCALE_USE_WIP_CODE=1
      - TS_STATE_DIR=/data
      - TS_HOSTNAME=idp
      - TS_AUTHKEY=tskey-auth-YOUR_KEY_HERE
      - TSIDP_ENABLE_STS=1
volumes:
  tsidp-data:
Start tsidp
Launch the tsidp container. It joins your tailnet as a node named 'idp' and serves its OIDC endpoints under https://idp.<your-tailnet>.ts.net, with discovery at /.well-known/openid-configuration.
docker compose up -d
Verify the OIDC discovery endpoint
Confirm tsidp is running and serving OIDC metadata from within your tailnet. The URL will use your tailnet's MagicDNS domain.
curl https://idp.<your-tailnet>.ts.net/.well-known/openid-configuration
Register your application with tsidp
Configure your OIDC-compatible application to use tsidp as its identity provider. Set the issuer URL to your tsidp MagicDNS address and configure allowed redirect URIs and client IDs via Tailscale capability grants.
Alternative: Run from source with Go
If you prefer running without Docker, clone the repo and run directly with Go. Provide your Tailscale auth key as an environment variable.
git clone https://github.com/tailscale/tsidp.git
cd tsidp
TAILSCALE_USE_WIP_CODE=1 TS_AUTHKEY=tskey-auth-YOUR_KEY go run .
Tsidp Examples
Docker Compose configuration
Complete Docker Compose setup for tsidp joining your tailnet as 'idp' with OAuth token exchange enabled.
{
  "services": {
    "tsidp": {
      "image": "ghcr.io/tailscale/tsidp:latest",
      "volumes": ["tsidp-data:/data"],
      "environment": [
        "TAILSCALE_USE_WIP_CODE=1",
        "TS_STATE_DIR=/data",
        "TS_HOSTNAME=idp",
        "TS_AUTHKEY=tskey-auth-YOUR_KEY_HERE",
        "TSIDP_ENABLE_STS=1"
      ]
    }
  }
}
OIDC client configuration example
Example settings to provide to an OIDC client application pointing to your tsidp instance. Where the client supports discovery, let it read the endpoint paths from the discovery document rather than hardcoding them, and confirm the paths below against what your instance actually returns.
- Issuer URL: https://idp.<your-tailnet>.ts.net
- Discovery URL: https://idp.<your-tailnet>.ts.net/.well-known/openid-configuration
- Authorization endpoint: https://idp.<your-tailnet>.ts.net/authorize
- Token endpoint: https://idp.<your-tailnet>.ts.net/token
- JWKS URI: https://idp.<your-tailnet>.ts.net/.well-known/jwks.json
Troubleshooting Tsidp
Container starts but OIDC endpoint is not reachable
Confirm MagicDNS and HTTPS certificates are enabled in the Tailscale admin panel. Verify the container joined the tailnet successfully with 'docker logs tsidp' and check that TS_AUTHKEY is a valid pre-authorized key.
TAILSCALE_USE_WIP_CODE error or startup failure
The TAILSCALE_USE_WIP_CODE=1 environment variable is mandatory — tsidp is an experimental feature and will refuse to start without it. Ensure it is set in your Docker Compose environment or shell before running.
Client application rejects tokens from tsidp
Ensure your application is configured with the issuer URL exactly as it appears in the /.well-known/openid-configuration response; a difference as small as a trailing slash makes the token's iss claim mismatch and the client will reject it. Check that Tailscale HTTPS certificates are valid (provisioning can take a few minutes on first start).
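The checks behind the "client rejects tokens" case above, and behind registering an application against the discovery document in the setup steps, are the ones any relying party performs on an ID token: signature against the key named by kid in the JWKS, exact issuer match with the discovery document, audience match, and expiry. The following Go program is an added example, not code from tsidp or Tailscale; it builds a constructed discovery document, key set and RS256 signer in place of a live instance (the issuer https://idp.example-tailnet.ts.net and the client ID grafana-on-tailnet are hypothetical), then shows the trailing-slash issuer mismatch being rejected.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Hypothetical issuer and client identifier; not a real tsidp instance.
const issuer = "https://idp.example-tailnet.ts.net"
const clientID = "grafana-on-tailnet"

var b64 = base64.RawURLEncoding // JWT parts are base64url without padding

// Discovery carries the issuer from /.well-known/openid-configuration; JWK/JWKS mirror the RSA
// keys at jwks_uri (Go's JSON decoder matches kty/kid/n/e to these fields case-insensitively).
type Discovery struct{ Issuer string `json:"issuer"` }
type JWK struct{ Kty, Kid, N, E string }
type JWKS struct{ Keys []JWK `json:"keys"` }

// Claims are the ID-token claims checked here (a single-string aud is assumed).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

// VerifyIDToken performs the relying-party checks: RS256 signature with the JWKS key named by
// the header kid, exact string match of iss against the discovery issuer, audience, expiry.
func VerifyIDToken(token string, disc Discovery, jwks JWKS, aud string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT")
	}
	var raw [3][]byte
	var err error
	for i, p := range parts {
		if raw[i], err = b64.DecodeString(p); err != nil {
			return nil, fmt.Errorf("part %d: %w", i, err)
		}
	}
	var hdr struct{ Alg, Kid string }
	if err = json.Unmarshal(raw[0], &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "RS256" { // never let the token choose "none" or an HMAC alg
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var pub *rsa.PublicKey
	for _, k := range jwks.Keys {
		n, errN := b64.DecodeString(k.N)
		e, errE := b64.DecodeString(k.E)
		if k.Kid == hdr.Kid && k.Kty == "RSA" && errN == nil && errE == nil {
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], raw[2]); err != nil {
		return nil, fmt.Errorf("signature verification failed")
	}
	var c Claims
	if err = json.Unmarshal(raw[1], &c); err != nil {
		return nil, err
	}
	switch {
	case c.Iss != disc.Issuer: // "https://idp.x.ts.net" and "https://idp.x.ts.net/" are different issuers
		return nil, fmt.Errorf("iss %q does not equal discovery issuer %q", c.Iss, disc.Issuer)
	case c.Aud != aud:
		return nil, fmt.Errorf("aud %q is not this client", c.Aud)
	case !now.Before(time.Unix(c.Exp, 0)):
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

// Fixture builds a constructed discovery document, JWKS and signing key standing in for a live IdP.
func Fixture() (Discovery, JWKS, *rsa.PrivateKey) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	jwk := JWK{Kty: "RSA", Kid: "k1", N: b64.EncodeToString(key.N.Bytes()), E: b64.EncodeToString(big.NewInt(int64(key.E)).Bytes())}
	return Discovery{Issuer: issuer}, JWKS{Keys: []JWK{jwk}}, key
}

// Mint signs an RS256 ID token (a minimal stand-in for the IdP side) so the checks run offline.
func Mint(key *rsa.PrivateKey, kid string, c Claims) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return input + "." + b64.EncodeToString(sig)
}

func main() {
	disc, jwks, key := Fixture()
	now := time.Now()
	// Reproduce the troubleshooting case: the client was told the issuer with a trailing slash.
	tok := Mint(key, "k1", Claims{Iss: issuer + "/", Sub: "alice@example.com", Aud: clientID, Exp: now.Add(time.Hour).Unix()})
	_, err := VerifyIDToken(tok, disc, jwks, clientID, now)
	fmt.Println("rejected:", err)
}
```

Run it with go run and the only output is the issuer-mismatch error. The alg pin and the kid lookup are deliberate: a verifier that takes alg from the token, or that accepts the first key in the JWKS regardless of kid, is the classic JWT verification bug, and the exact-string issuer comparison is what the troubleshooting entry above is about.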
Frequently Asked Questions about Tsidp
What is Tsidp?
Tsidp is a simple OIDC / OAuth Identity Provider (IdP) server for your tailnet. It authenticates users by their Tailscale identity and issues ID and access tokens to OIDC-compatible applications running inside the tailnet.
How do I install Tsidp?
Run it as a container with the Docker Compose file shown above (the recommended method), or clone the tsidp repository and run it from source with Go, providing a Tailscale auth key and TAILSCALE_USE_WIP_CODE=1 in the environment.
Which applications work with Tsidp?
Any application that supports OpenID Connect or OAuth 2.0 and is reachable from your tailnet, for example self-hosted web apps and Kubernetes clusters configured with tsidp as their OIDC issuer.
Is Tsidp free to use?
Yes, Tsidp is open source and available under the BSD-3-Clause license. You can use it freely in both personal and commercial projects.
Tsidp Alternatives — Similar Security Servers
Looking for alternatives to Tsidp? Here are other popular security servers you can use with Claude, Cursor, and VS Code.
- Casdoor (★ 13.6k): An open-source Agent-first Identity and Access Management (IAM) /LLM MCP & agent gateway and auth server with web UI supporting OpenClaw, MCP, OAuth, OIDC, SAML, CAS, LDAP, SCIM, WebAuthn, TOTP, MFA, Face ID, Google Workspace, Azure AD
- ghidraMCP (★ 9.0k): A Model Context Protocol server that enables LLMs to autonomously reverse engineer applications by exposing Ghidra's decompilation and analysis tools. It allows AI agents to list code structures, rename methods, and analyze binaries directly through
- HexStrike AI (★ 8.9k): HexStrike AI MCP Agents is an advanced MCP server that lets AI agents (Claude, GPT, Copilot, etc.) autonomously run 150+ cybersecurity tools for automated pentesting, vulnerability discovery, bug bounty automation, and security research. Seamlessly b
- IDA Pro MCP (★ 8.7k): Enables AI-assisted reverse engineering in IDA Pro by providing tools to analyze binaries, decompile functions, manage comments, search patterns, and interact with the IDA database through natural language.
- Anthropic Cybersecurity Skills (★ 6.6k): 754 structured cybersecurity skills for AI agents · Mapped to 5 frameworks: MITRE ATT&CK, NIST CSF 2.0, MITRE ATLAS, D3FEND & NIST AI RMF · agentskills.io standard · Works with Claude Code, GitHub Copilot, Codex CLI, Cursor, Gemini CLI & 20+ platform
- Hooker (★ 5.1k): hooker is a Frida-based reverse engineering toolkit for Android. It offers a user-friendly CLI, universal scripts, auto hook generation, memory roaming to detect activities/services, one-click SOCKS5 proxy setup, Frida JustTrustMe, and BoringSSL u