Closed willnorris closed 2 weeks ago
This issue is stale because it has been open for 90 days with no activity.
@willnorris hey Will, I am looking into this. Thanks for opening the issue!
Maybe we should allow the control server to advertise support
For the clients, we are pretty familiar with CapVer. But I am not aware -and cannot find it anywhere- an equivalent facility for the Control Server to announce its capabilities (e.g., supports tailnet lock, or this one on the check mode...). Am I missing something?
No, that was just an idea we had. We never ended up implementing it.
This issue is stale because it has been open for 90 days with no activity.
This issue is stale because it has been open for 90 days with no activity.
This issue was closed because it has been inactive for 14 days since being marked as stale.
The Tailscale web client (the one you get by running
tailscale web
), is currently getting a complete overhaul, bringing it more-or-less on par with the native clients. Because it exposes much more functionality than the old client, we are adding an additional auth flow which is effectively identical to SSH check mode, but tied to specific browser sessions. In order to make changes via a device's web client, the user has to have an active session that has authenticated with the control server.For launch, we are only going to enforce check mode when using a "tailscale.com" control server, and just not require it otherwise. I'm opening this as a tracking bug for adding support in headscale so that we can use check mode with headscale as well. (Maybe we should allow the control server to advertise support, so then we only require it with newer headscale versions? We'll see)
Web client source: https://github.com/tailscale/tailscale/tree/main/client/web Machine API calls to control server can be seen in
doWebClientNoiseRequest
of https://github.com/tailscale/tailscale/blob/main/ipn/ipnlocal/web_client.go