Open bram-arcsec opened 9 months ago
OAuth clients can restrict devices to certain tags; in fact you are required to use tags, unlike auth keys, which you can use without tags.
From the documentation https://tailscale.com/kb/1215/oauth-clients#generating-long-lived-auth-keys
When you create an OAuth client with the scope devices, you must select one or more ACL tags, which can be any tag or set of tags in your tailnet. Auth keys created with this client must have those exact tags, or tags owned by the client’s tags. Additionally, these tags need to be specified in the API call.
And when you generate an OAuth client with device:write
permissions it forces you to select a tag(s) before it will generate the client
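Added example, not part of this issue thread or of the project's own code: a small Python script that mints a tag-restricted auth key from an OAuth client, following the flow the documentation quoted above describes. It exchanges the client ID and secret for a bearer token at the Tailscale OAuth token endpoint, then calls the auth-key creation endpoint with the tags in the request body (the `-` tailnet path segment selects the client's own tailnet). The tag names (`tag:ci`), the environment variable names and the local `check_tags` pre-check are assumptions for illustration; the API enforces the tag rule itself, the local check only fails earlier with a clearer message and does not model "tags owned by the client's tags". The `__main__` section makes real network calls; the builder and check functions run offline.

```python
"""Mint a tag-restricted Tailscale auth key from an OAuth client (added example)."""
import json
import os
import sys
import urllib.parse
import urllib.request

TOKEN_URL = "https://api.tailscale.com/api/v2/oauth/token"
KEYS_URL = "https://api.tailscale.com/api/v2/tailnet/-/keys"  # "-" = the client's own tailnet


def check_tags(requested, allowed):
    """Reject tags that the OAuth client was not created with.

    Assumption: only an exact match against the client's tag set is accepted here;
    tags merely owned by the client's tags are not modelled, the API decides those.
    """
    malformed = [t for t in requested if not t.startswith("tag:")]
    if malformed:
        raise ValueError(f"tags must look like tag:<name>: {malformed}")
    not_granted = sorted(set(requested) - set(allowed))
    if not_granted:
        raise ValueError(f"tags not granted to this OAuth client: {not_granted}")
    return list(requested)


def build_authkey_request(tags, allowed_tags, *, ephemeral=True, preauthorized=True,
                          reusable=False, expiry_seconds=3600, description="ci-runner"):
    """Build the JSON body for POST /api/v2/tailnet/{tailnet}/keys.

    Defaults are deliberately tight: single-use, ephemeral and short-lived, so a
    leaked key admits at most one node, that node carries only the given tags,
    and it disappears from the tailnet when it goes offline.
    """
    return {
        "capabilities": {
            "devices": {
                "create": {
                    "reusable": reusable,
                    "ephemeral": ephemeral,
                    "preauthorized": preauthorized,
                    "tags": check_tags(tags, allowed_tags),
                }
            }
        },
        "expirySeconds": expiry_seconds,
        "description": description,
    }


def fetch_access_token(client_id, client_secret):
    """OAuth client-credentials exchange; returns the short-lived bearer token."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    }).encode()
    req = urllib.request.Request(TOKEN_URL, data=form, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["access_token"]


def create_authkey(access_token, body):
    """POST the key request; the response carries the new key under "key"."""
    req = urllib.request.Request(
        KEYS_URL,
        data=json.dumps(body).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {access_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Assumed environment: TS_OAUTH_CLIENT_ID / TS_OAUTH_CLIENT_SECRET hold the client
    # credentials; TS_CLIENT_TAGS lists the tags the client was created with.
    client_id = os.environ["TS_OAUTH_CLIENT_ID"]
    client_secret = os.environ["TS_OAUTH_CLIENT_SECRET"]
    allowed = os.environ.get("TS_CLIENT_TAGS", "tag:ci").split(",")
    body = build_authkey_request(["tag:ci"], allowed)
    token = fetch_access_token(client_id, client_secret)
    result = create_authkey(token, body)
    # Only the key itself goes to stdout, so it can be captured into a secret store.
    sys.stdout.write(result["key"] + "\n")
```

Run it once per runner registration and feed the printed key to `tailscale up --authkey=...` (or the runner's equivalent); because the key is single-use and ephemeral, the ACL rules written against `tag:ci` are the only access that node ever gets, and the OAuth secret itself never leaves the machine that mints keys.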
this info should be on the readme
Absolutely, the README should explain what the least scopes needed for an OAuth client are.
The README recommends the use of the OAuth API to register the client. There seems to be no fine grained permissions to limit the usage of the OAuth credentials to only register devices to a certain tag. If the key is exposed somehow it can impact the security of your Tailnet.
With the authkey you can restrict the devices to a certain tag (that can be used in an ACL to restrict the runners to certain parts of the network).
What was the reasoning to retire the authkey functionality?