
Tailscale Custom OIDC with Cloudflare Zero Trust and a Cloudflare Worker
Tailscale supports custom OIDC providers for authentication. Instead of building a full OIDC identity provider from scratch, you can use Cloudflare Zero Trust as the IdP and a tiny Cloudflare Worker as the glue. The worker serves a single endpoint, WebFinger, that lets Tailscale discover the OIDC issuer on your domain. The total amount of code: ~30 lines of TypeScript.

Background

When you sign up for Tailscale with a custom domain (say user@example.com), Tailscale needs to find the OIDC provider responsible for that domain. It does this via WebFinger, an HTTP-based protocol for discovering information about resources. Tailscale sends a GET request to:

    https://example.com/.well-known/webfinger?resource=acct:user@example.com&rel=http://openid.net/specs/connect/1.0/issuer

The response must be a JSON Resource Descriptor (JRD) pointing to the OIDC issuer:

    {
      "subject": "acct:user@example.com",
      "links": [
        {
          "rel": "http://openid.net/specs/connect/1.0/issuer",
          "href": "https://your-i
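As an added example (not the article's own worker), here is a Worker-style WebFinger responder that answers only for acct: resources in the domain you control, honours the rel= filter Tailscale sends, and returns the JRD with the application/jrd+json media type; the domain and issuer values in CONFIG are placeholders, and the issuer URL must be taken from your Cloudflare Access application.

```typescript
const OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer";

export interface WebFingerConfig {
  domain: string; // e-mail domain this responder is authoritative for
  issuer: string; // OIDC issuer URL Tailscale should be sent to
}

export interface WebFingerResult {
  status: number;
  body?: { subject: string; links: { rel: string; href: string }[] };
}

// Pure function so the discovery logic can be tested without the Workers runtime.
export function webfinger(rawUrl: string, cfg: WebFingerConfig): WebFingerResult {
  const url = new URL(rawUrl);
  if (url.pathname !== "/.well-known/webfinger") return { status: 404 };

  const resource = url.searchParams.get("resource") ?? "";
  // Only vouch for identities in our own domain; everything else is 404 so the
  // worker never becomes an open responder that points foreign accounts at our IdP.
  const m = /^acct:([^@\s]+)@([^@\s]+)$/.exec(resource);
  if (!m || m[2].toLowerCase() !== cfg.domain.toLowerCase()) return { status: 404 };

  // RFC 7033: a client may filter links with rel=; Tailscale asks for the issuer rel.
  const rels = url.searchParams.getAll("rel");
  if (rels.length > 0 && !rels.includes(OIDC_ISSUER_REL)) {
    return { status: 200, body: { subject: resource, links: [] } };
  }
  return {
    status: 200,
    body: { subject: resource, links: [{ rel: OIDC_ISSUER_REL, href: cfg.issuer }] },
  };
}

// Worker entry point (module syntax). Both values are placeholders (assumptions).
const CONFIG: WebFingerConfig = {
  domain: "example.com",
  issuer: "https://<your-team>.cloudflareaccess.com/<issuer-path>",
};

export default {
  fetch(request: { url: string }) {
    const r = webfinger(request.url, CONFIG);
    if (!r.body) return new Response("Not found", { status: r.status });
    return new Response(JSON.stringify(r.body), {
      status: r.status,
      headers: { "content-type": "application/jrd+json" },
    });
  },
};
```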