tsidp-server.go,Makefile,server: switch to slog

Switch to slog for structured logging with appropriate log levels for
activity within the app.

- log all token api errors at WARN level
- move tsnet.Server logging to new flag: -debug-tsnet
- move request/response logging to new flag: -debug-all-requests
- unify API error handling logic to writeHTTPError
- switch funnel error to http.StatusUnauthorized
- update docker image to use new logging flags
- update README.md with new flags and env vars

Signed-off-by: Benson Wong <[email protected]>

Author: mostlygeek

Makefile

@@ -1,4 +1,4 @@
-.PHONY: build build-osx build-linux test clean
+.PHONY: build build-osx build-linux test clean docker-image
 
 build: build-osx build-linux
 
@@ -10,6 +10,9 @@ build-linux:
 	@mkdir -p build
 	GOOS=linux GOARCH=amd64 go build -o build/tsidp-server-linux-amd64-$(shell date +%Y-%m-%d)-$(shell git rev-parse --short=5 HEAD) ./tsidp-server.go
 
+docker-image:
+	docker build -t tsidp:latest .
+
 test:
 	go test -count 1  . ./server
 

README.md

@@ -18,38 +18,49 @@
 
 ### (Recommended) Using the pre-built image
 
-To be updated.
+Docker images are automatically published on when releases are tagged.
 
-### Other ways to build & run tsidp
+```bash
+# to use the latest image
+$ docker pull ghcr.io/tailscale/tsidp:latest
 
-<details>
-<summary>Building your own container</summary>
+# to use a specific release version
+$ docker pull ghcr.io/tailscale/tsidp:v0.0.2
+```
 
-Replace `YOUR_TAILSCALE_AUTHKEY` with your Tailscale authentication key in the following commands:
+Running a tsidp container:
 
-1. Use an existing auth key or create a new auth key in the [Tailscale dashboard](https://login.tailscale.com/admin/settings/keys). Ensure you select an existing [tag](https://tailscale.com/kb/1068/tags) or create a new one.
+> [!TIP]
+> Replace `YOUR_TAILSCALE_AUTHKEY` with your Tailscale authentication key in the following commands:
+>
+> Use an existing auth key or create a new auth key in the [Tailscale dashboard](https://login.tailscale.com/admin/settings/keys). Ensure you select an existing [tag](https://tailscale.com/kb/1068/tags) or create a new one.
 
 ```bash
-# Build the container using the included Dockerfile
-docker build -t tsidp .
-
 # Run tsidp with a persistent volume to store state
 docker run -d \
   --name tsidp \
   -p 443:443 \
   -v tsidp-data:/data \
-  -e TS_STATE_DIR=/data \
-  -e TS_AUTHKEY=YOUR_TAILSCALE_AUTHKEY \
-  -e TSNET_FORCE_LOGIN=1 \
   -e TAILSCALE_USE_WIP_CODE=1 \
-  -e TSIDP_ENABLE_STS=1 \
+  -e TS_STATE_DIR=/data \
   -e TS_HOSTNAME=idp \
-  tsidp
+  -e TSIDP_ENABLE_STS=1 \
+  ghcr.io/tailscale/tsidp:latest
 ```
 
 Visit `https://idp.yourtailnet.ts.net` to confirm the service is running.
 
-_If you're running tsidp for the first time, you may not be able to access it initially even though it is running. It takes a few minutes for the TLS certificate to generate._
+> [!NOTE]
+> If you're running tsidp for the first time it may take a few minutes for the TLS certificate to generate. You may not be able to access the service until the certificate is ready.
+
+### Other Ways to Build and Run
+
+<details>
+<summary>Building your own container</summary>
+
+```bash
+$ make docker-image
+```
 
 </details>
 
@@ -60,26 +71,23 @@ If you'd like to build tsidp and / or run it directly you can do the following:
 
 ```bash
 # Clone the Tailscale repository
-git clone https://github.com/tailscale/tsidp.git
-cd tsidp
-```
-
-Replace `YOUR_TAILSCALE_AUTHKEY` with your Tailscale authentication key in the following commands:
-
-1. Use an existing auth key or create a new auth key in the [Tailscale dashboard](https://login.tailscale.com/admin/settings/keys). Ensure you select an existing [tag](https://tailscale.com/kb/1068/tags) or create a new one.
-2. Run `TS_AUTH_KEY=YOUR_TAILSCALE_AUTHKEY TAILSCALE_USE_WIP_CODE=1 TSNET_FORCE_LOGIN=1 go run .`
-
-Visit `https://idp.yourtailnet.ts.net` to confirm the service is running.
+$ git clone https://github.com/tailscale/tsidp.git
+$ cd tsidp
 
-_If you're running tsidp for the first time, you may not be able to access it initially even though it is running. It takes a few minutes for the TLS certificate to generate._
+# run with default values for flags
+$ TAILSCALE_USE_WIP_CODE=1 TS_AUTHKEY={YOUR_TAILSCALE_AUTHKEY} TSNET_FORCE_LOGIN=1 go run .
+```
 
 </details>
 
 ## Setting an Application Capability Grant
 
-tsidp requires an [Application capability grant](https://tailscale.com/kb/1537/grants-app-capabilities) to allow access to the admin UI and dynamic client registration endpoints.
+> [!IMPORTANT]
+> Access to the admin UI and dynamic client registration endpoints are **denied** by default.
+
+To access the admin UI and dynamic client registration endpoints an [Application capability grant](https://tailscale.com/kb/1537/grants-app-capabilities) must be set in the the [Tailscale console](https://login.tailscale.com/admin).
 
-This is a permissive grant that is suitable only for testing purposes:
+This is a permissive grant that is suitable for testing purposes:
 
 ```json
 "grants": [
@@ -89,23 +97,75 @@ This is a permissive grant that is suitable only for testing purposes:
     "app": {
       "tailscale.com/cap/tsidp": [
         {
-          // STS controls
-          "users":     ["*"],
-          "resources": ["*"],
-
           // allow access to UI
           "allow_admin_ui": true,
 
           // allow dynamic client registration
           "allow_dcr": true,
+
+          // Secure Token Service (STS) controls
+          "users":     ["*"],
+          "resources": ["*"],
         },
       ],
     },
   },
 ],
 ```
 
-## Application Configuration Guides
+## tsidp Configuration Options
+
+The `tsidp-server` is configured by several command-line flags:
+
+| Flag                    | Description                                                                                        | Default  |
+| ----------------------- | -------------------------------------------------------------------------------------------------- | -------- |
+| `-dir <path>`           | Directory path to save tsnet and tsidp state. Recommend to be set.                                 | `""`     |
+| `-hostname <hostname>`  | hostname on tailnet. Will become `<hostname>.your-tailnet.ts.net`                                  | `idp`    |
+| `-port <port>`          | Port to listen on                                                                                  | `443`    |
+| `-local-port <port>`    | Listen on `localhost:<port>`. Useful for testing                                                   | disabled |
+| `-use-local-tailscaled` | Use local tailscaled instead of tsnet                                                              | `false`  |
+| `-funnel`               | Use Tailscale Funnel to make tsidp available on the public internet so it works with SaaS products | disabled |
+| `-enable-sts`           | Enable OAuth token exchange using RFC 8693                                                         | disabled |
+| `-log <level>`          | Set logging level: `debug`, `info`, `warn`, `error`                                                | `info`   |
+| `-debug-all-requests`   | For development. Prints all requests and responses                                                 | disabled |
+| `-debug-tsnet`          | For development. Enables debug level logging with tsnet connection                                 | disabled |
+
+### CLI Environment Variables
+
+The `tsidp-server` binary is configured through the CLI flags above. However, there are several environment variables that configure the libraries `tsidp-server` uses to connect to the Tailnet.
+
+#### Required
+
+- `TAILSCALE_USE_WIP_CODE=1`: required while tsidp is in development (<v1.0.0).
+
+#### Optional
+
+These environment variables are used when tsidp does not have any state information set in `-dir <path>`.
+
+- `TS_AUTHKEY=<key>`: Key for registering a tsidp as a new node on your tailnet. If omitted a link will be printed to manually register.
+- `TSNET_FORCE_LOGIN=1`: Force re-login of the node. Useful during development.
+
+### Docker Environment Variables
+
+The Docker image exposes the CLI flags through environment variables. If omitted the default values for the CLI flags will be used.
+
+> [!NOTE] > `TS_STATE_DIR` and `TS_HOSTNAME` are legacy names. These will be replaced by `TSIDP_STATE_DIR` and `TSIDP_HOSTNAME` in the future.
+
+| Environment Variable                     | CLI flag                   |
+| ---------------------------------------- | -------------------------- |
+| `TS_STATE_DIR=<path>` _\*note prefix_    | `-dir <path>`              |
+| `TS_HOSTNAME=<hostname>` _\*note prefix_ | `-hostname <hostname>`     |
+| `TSIDP_PORT=<port>`                      | `-port <port>`             |
+| `TSIDP_LOCAL_PORT=<port>`                | `-local-port <port>`       |
+| `TSIDP_PORT=<port>`                      | `-port <port>`             |
+| `TSIDP_LOCAL_PORT=<local-port>`          | `-local-port <local-port>` |
+| `TSIDP_USE_FUNNEL=1`                     | `-funnel`                  |
+| `TSIDP_ENABLE_STS=1`                     | `-enable-sts`              |
+| `TSIDP_LOG=<level>`                      | `-log <level>`             |
+| `TSIDP_DEBUG_TSNET=1`                    | `-debug-tsnet`             |
+| `TSIDP_DEBUG_ALL_REQUESTS=1`             | `-debug-all-requests`      |
+
+## Application Configuration Guides (WIP)
 
 tsidp can be used as IdP server for any application that supports custom OIDC providers.
 
@@ -126,42 +186,6 @@ tsidp supports all of the endpoints required & suggested by the [MCP Authorizati
 - [MCP Client / Server](./examples/mcp-server/README.md)
 - [MCP Client / Gateway Server](./examples/mcp-gateway/README.md)
 
-## tsidp Configuration Options
-
-The `tsidp` server is configured by several command-line flags:
-
-- `-verbose`: Enable verbose logging
-- `-port`: Port to listen on (default: 443)
-- `-local-port`: Allow requests from localhost
-- `-use-local-tailscaled`: Use local tailscaled instead of tsnet
-- `-funnel`: Use Tailscale Funnel to make tsidp available on the public internet so it works with SaaS products
-- `-hostname`: tsnet hostname
-- `-dir`: tsnet state directory
-- `-enable-sts`: Enable OAuth token exchange using RFC 8693
-- `-enable-debug`: Enable debug printing of requests to the server
-
-### Environment Variables
-
-These are needed while tsidp is in development (< v1.0.0):
-
-- `TAILSCALE_USE_WIP_CODE`: Enable work-in-progress code (default: "1", required)
-- `TS_AUTHKEY`: Your Tailscale authentication key (required)
-
-The docker container accepts environment variables that are mapped to the command-line flags:
-
-| Environment Variable            | CLI flag                   |
-| ------------------------------- | -------------------------- |
-| `TS_HOSTNAME=<hostname>`        | `-hostname <hostname>`     |
-| `TS_STATE_DIR=<directory>`      | `-dir <directory>`         |
-| `TSIDP_USE_FUNNEL=1`            | `-funnel`                  |
-| `TSIDP_PORT=<port>`             | `-port <port>`             |
-| `TSIDP_LOCAL_PORT=<local-port>` | `-local-port <local-port>` |
-| `TSIDP_ENABLE_STS=1`            | `-enable-sts`              |
-| `TSIDP_VERBOSE=1`               | `-verbose`                 |
-| `TSIDP_ENABLE_DEBUG=1`          | `-enable-debug`            |
-
-All environment variables are optional. When omitted the default value for the command-line flag will be used.
-
 ## Support
 
 This is an experimental, work in progress, [community project](https://tailscale.com/kb/1531/community-projects). For issues or questions, file issues on the [GitHub repository](https://github.com/tailscale/tsidp).

scripts/docker/run.sh

@@ -27,16 +27,26 @@ if [ -n "$TSIDP_LOCAL_PORT" ]; then
     ARGS="$ARGS -local-port=$TSIDP_LOCAL_PORT"
 fi
 
-#
-# These flags will eventually be replaced
-# with more specific logging flags.
-#
-if [ -n "$TSIDP_VERBOSE" ]; then
-    ARGS="$ARGS -verbose"
-fi
-
-if [ -n "$TSIDP_ENABLE_DEBUG" ]; then
-    ARGS="$ARGS -enable-debug"
+# logging control
+if [ -n "$TSIDP_LOG" ]; then
+    case "$TSIDP_LOG" in
+        debug|info|warn|error)
+            ARGS="$ARGS -log=$TSIDP_LOG"
+            ;;
+        *)
+            echo "Error: TSIDP_LOG_LEVEL must be one of: debug, info, warn, error"
+            echo "Current value: $TSIDP_LOG"
+            exit 1
+            ;;
+    esac
+fi
+
+if [ -n "$TSIDP_DEBUG_ALL_REQUESTS" ]; then
+    ARGS="$ARGS -debug-all-requests"
+fi
+
+if [ -n "$TSIDP_DEBUG_TSNET" ]; then
+    ARGS="$ARGS -debug-tsnet"
 fi
 
 # Execute tsidp-server with the built arguments

server/appcap.go

@@ -5,7 +5,6 @@ package server
 
 import (
 	"context"
-	"fmt"
 	"net/http"
 	"net/netip"
 
@@ -91,13 +90,13 @@ func (s *IDPServer) addGrantAccessContext(handler http.HandlerFunc) http.Handler
 
 		who, err = s.lc.WhoIs(r.Context(), remoteAddr)
 		if err != nil {
-			http.Error(w, fmt.Sprintf("Error getting WhoIs: %v", err), http.StatusInternalServerError)
+			writeHTTPError(w, r, http.StatusInternalServerError, ecServerError, "Error getting WhoIs", err)
 			return
 		}
 
 		rules, err := tailcfg.UnmarshalCapJSON[capRule](who.CapMap, "tailscale.com/cap/tsidp")
 		if err != nil {
-			http.Error(w, fmt.Sprintf("failed unmarshaling app cap rule %s", err.Error()), http.StatusInternalServerError)
+			writeHTTPError(w, r, http.StatusInternalServerError, ecServerError, "failed unmarshaling app cap rule", err)
 			return
 		}
 		accessRules.rules = rules