Tsidp

v1.0.0 · Security · stable

A simple OIDC / OAuth Identity Provider (IdP) server for your tailnet.

Tags: idp, mcp, oauth, oauth2, oidc
Stars: 585

What is Tsidp?

Tsidp is a Model Context Protocol (MCP) server that gives AI assistants like Claude, Cursor, and VS Code access to a simple OIDC / OAuth identity provider (IdP) server for your tailnet.


This server falls under the Security category on MCPgee, the world's largest MCP server directory with 33,000+ servers.

Features

  • A simple OIDC / OAuth Identity Provider (IdP) server for you

Use Cases

Provide OIDC and OAuth2 identity services for your Tailscale network.
tailscale

Maintainer

License: BSD-3-Clause
Language: Go
Version: v1.0.0
Updated: May 21, 2026
Status: healthy
Maintenance: active

Works with

Claude, OpenAI, Windows, macOS, Linux

Installation

Manual Installation

npx tsidp

Configuration

Configuration Details

Config File

claude_desktop_config.json

Performance

Response Metrics

Response Time: < 200ms
Throughput: Medium

Resource Usage

Memory Usage: Low
CPU Usage: Low

How to Set Up and Use Tsidp

tsidp is an OIDC/OAuth 2.0 Identity Provider (IdP) server that runs inside your Tailscale network (tailnet), letting you authenticate any OIDC-compatible application using Tailscale identities. It issues ID tokens and access tokens based on who is already authenticated on your tailnet, eliminating the need for a separate identity provider for internal services. Teams use it to add single sign-on to self-hosted apps, Kubernetes clusters, or any OAuth2-protected service within their Tailscale network without managing passwords or external IdP subscriptions.

Prerequisites

  • An active Tailscale account and tailnet with MagicDNS and HTTPS certificates enabled
  • A Tailscale authentication key (TS_AUTHKEY) for node registration
  • Docker and Docker Compose (recommended installation method)
  • Go 1.21+ (for building from source)
  • Applications requiring OIDC/OAuth2 authentication within the tailnet

1. Enable MagicDNS and HTTPS on your Tailscale network

In the Tailscale admin console, enable MagicDNS and HTTPS certificate provisioning for your tailnet. These are required for tsidp to serve a valid HTTPS OIDC discovery endpoint.

2. Create a Docker Compose file

Create a compose.yaml file for tsidp. The TAILSCALE_USE_WIP_CODE=1 flag is required as this is an experimental feature. Set TS_AUTHKEY to a pre-authorized auth key from the Tailscale admin console.

services:
  tsidp:
    container_name: tsidp
    image: ghcr.io/tailscale/tsidp:latest
    volumes:
      - tsidp-data:/data
    environment:
      - TAILSCALE_USE_WIP_CODE=1
      - TS_STATE_DIR=/data
      - TS_HOSTNAME=idp
      - TS_AUTHKEY=tskey-auth-YOUR_KEY_HERE
      - TSIDP_ENABLE_STS=1
volumes:
  tsidp-data:

3. Start tsidp

Launch the tsidp container. It will join your tailnet as a node named 'idp' and begin serving the OIDC discovery endpoint at https://idp.<your-tailnet>.ts.net.

docker compose up -d

4. Verify the OIDC discovery endpoint

Confirm tsidp is running and serving OIDC metadata from within your tailnet. The URL will use your tailnet's MagicDNS domain.

curl https://idp.<your-tailnet>.ts.net/.well-known/openid-configuration

5. Register your application with tsidp

Configure your OIDC-compatible application to use tsidp as its identity provider. Set the issuer URL to your tsidp MagicDNS address and configure allowed redirect URIs and client IDs via Tailscale capability grants.

6. Alternative: Run from source with Go

If you prefer running without Docker, clone the repo and run directly with Go. Provide your Tailscale auth key as an environment variable.

git clone https://github.com/tailscale/tsidp.git
cd tsidp
TAILSCALE_USE_WIP_CODE=1 TS_AUTHKEY=tskey-auth-YOUR_KEY go run .

Tsidp Examples

Docker Compose configuration

Complete Docker Compose setup for tsidp joining your tailnet as 'idp' with OAuth token exchange enabled.

{
  "services": {
    "tsidp": {
      "container_name": "tsidp",
      "image": "ghcr.io/tailscale/tsidp:latest",
      "volumes": ["tsidp-data:/data"],
      "environment": [
        "TAILSCALE_USE_WIP_CODE=1",
        "TS_STATE_DIR=/data",
        "TS_HOSTNAME=idp",
        "TS_AUTHKEY=tskey-auth-YOUR_KEY_HERE",
        "TSIDP_ENABLE_STS=1"
      ]
    }
  },
  "volumes": {
    "tsidp-data": {}
  }
}

OIDC client configuration example

Example settings to provide to an OIDC client application pointing to your tsidp instance.

- Issuer URL: https://idp.<your-tailnet>.ts.net
- Discovery URL: https://idp.<your-tailnet>.ts.net/.well-known/openid-configuration
- Authorization endpoint: https://idp.<your-tailnet>.ts.net/authorize
- Token endpoint: https://idp.<your-tailnet>.ts.net/token
- JWKS URI: https://idp.<your-tailnet>.ts.net/.well-known/jwks.json

Troubleshooting Tsidp

Container starts but OIDC endpoint is not reachable

Confirm MagicDNS and HTTPS certificates are enabled in the Tailscale admin panel. Verify the container joined the tailnet successfully with 'docker logs tsidp' and check that TS_AUTHKEY is a valid pre-authorized key.

TAILSCALE_USE_WIP_CODE error or startup failure

The TAILSCALE_USE_WIP_CODE=1 environment variable is mandatory — tsidp is an experimental feature and will refuse to start without it. Ensure it is set in your Docker Compose environment or shell before running.

Client application rejects tokens from tsidp

Ensure your application is configured with the correct issuer URL exactly as it appears in the /.well-known/openid-configuration response. Check that the Tailscale HTTPS certificates are valid; they can take a few minutes to provision on first start.
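
The issuer check described above and in step 4 can be automated against a saved discovery response. The following is an added example, not code from the tsidp project: `CheckDiscovery` is a hypothetical helper, the tailnet name is a placeholder, and it assumes every endpoint sits on the issuer host, as in the client settings listed earlier.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Constructed sample of a discovery response; the tailnet name is a placeholder.
const sampleDoc = `{"issuer":"https://idp.example-tailnet.ts.net",
 "authorization_endpoint":"https://idp.example-tailnet.ts.net/authorize",
 "token_endpoint":"https://idp.example-tailnet.ts.net/token",
 "jwks_uri":"https://idp.example-tailnet.ts.net/.well-known/jwks.json"}`

type metadata struct {
	Issuer string `json:"issuer"`
	Auth   string `json:"authorization_endpoint"`
	Token  string `json:"token_endpoint"`
	JWKS   string `json:"jwks_uri"`
}

// CheckDiscovery (hypothetical helper) lists why a strict OIDC client would reject doc.
func CheckDiscovery(doc []byte, configuredIssuer string) []string {
	var m metadata
	if err := json.Unmarshal(doc, &m); err != nil {
		return []string{"discovery document is not valid JSON: " + err.Error()}
	}
	var problems []string
	// Exact string match: a trailing slash, case change or explicit :443 is a mismatch.
	if m.Issuer != configuredIssuer {
		problems = append(problems, fmt.Sprintf("issuer %q != configured %q", m.Issuer, configuredIssuer))
	}
	iss, err := url.Parse(m.Issuer)
	if err != nil || iss.Scheme != "https" || iss.Host == "" {
		return append(problems, "issuer is not an absolute https URL")
	}
	// Assumption: every endpoint lives on the issuer host, as in the settings above.
	for _, e := range [][2]string{{"authorization_endpoint", m.Auth},
		{"token_endpoint", m.Token}, {"jwks_uri", m.JWKS}} {
		u, err := url.Parse(e[1])
		if err != nil || u.Scheme != "https" || u.Host != iss.Host {
			problems = append(problems, e[0]+" is not https on the issuer host: "+e[1])
		}
	}
	return problems
}

func main() {
	fmt.Println(CheckDiscovery([]byte(sampleDoc), "https://idp.example-tailnet.ts.net/"))
}
```

To check a live instance, save the output of the curl command from step 4 to a file and pass its contents in place of `sampleDoc`.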

Frequently Asked Questions about Tsidp

What is Tsidp?

Tsidp is a Model Context Protocol (MCP) server that provides a simple OIDC / OAuth identity provider (IdP) server for your tailnet. It connects AI assistants to external tools and data sources through a standardized interface.

How do I install Tsidp?

Follow the installation instructions on the Tsidp GitHub repository. Clone the repo, install dependencies, and add the server config to your AI client.

Which AI clients work with Tsidp?

Tsidp works with all major MCP-compatible AI clients including Claude Desktop, Claude Code, Cursor, VS Code (GitHub Copilot), Windsurf, and Cline.

Is Tsidp free to use?

Yes, Tsidp is open source and available under the BSD-3-Clause license. You can use it freely in both personal and commercial projects.


Quick Config Preview

{
  "mcpServers": {
    "tsidp": {
      "command": "npx",
      "args": ["-y", "tsidp"]
    }
  }
}

Add this to your claude_desktop_config.json or .cursor/mcp.json
