FR: Add OAuth key support

[shubb30]

I was trying for several days to get this to work, until I turned on Tailscale debug logs, and found.

"level":"debug","ts":1715360455.7697527,"logger":"tailscale","msg":"Received error: key cannot be used for node auth: {KeyCapabilityBits(CONTROL_API_SCOPE_DEVICES|OAUTH_CLIENT) [tag:caddy-test]}"}

Switching to a personal token works correctly.
The same OAuth token can be used for standard Tailscale client auth. Please add OAuth token support to this plugin.

Here are the Caddy Tailscale build info.

ep	github.com/tailscale/caddy-tailscale	v0.0.0-20240507224936-af99185a32ce	h1:hcYvYL4T6kU8JvDKzN5AkfQkxnppa7Zn5XWncEQTwRE=
dep	github.com/tailscale/golang-x-crypto	v0.0.0-20240108194725-7ce1f622c780	h1:U0J2CUrrTcc2wmr9tSLYEo+USfwNikRRsmxVLD4eZ7E=
dep	github.com/tailscale/goupnp	v1.0.1-0.20210804011211-c64d0f06ea05	h1:4chzWmimtJPxRs2O36yuGRW3f9SYV+bMTTvMBI0EKio=
dep	github.com/tailscale/hujson	v0.0.0-20221223112325-20486734a56a	h1:SJy1Pu0eH1C29XwJucQo73FrleVK6t4kYz4NVhp34Yw=
dep	github.com/tailscale/netlink	v1.1.1-0.20211101221916-cabfb018fe85	h1:zrsUcqrG2uQSPhaUPjUQwozcRdDdSxxqhNgNZ3drZFk=
dep	github.com/tailscale/peercred	v0.0.0-20240214030740-b535050b2aa4	h1:Gz0rz40FvFVLTBk/K8UNAenb36EbDSnh+q7Z9ldcC8w=
dep	github.com/tailscale/tscert	v0.0.0-20230806124524-28a91b69a046	h1:8rUlviSVOEe7TMk7W0gIPrW8MqEzYfZHpsNWSf8s2vg=
dep	github.com/tailscale/web-client-prebuilt	v0.0.0-20240226180453-5db17b287bf1	h1:tdUdyPqJ0C97SJfjB9tW6EylTtreyee9C44de+UBG0g=
dep	github.com/tailscale/wireguard-go	v0.0.0-20231121184858-cc193a0b3272	h1:zwsem4CaamMdC3tFoTpzrsUSMDPV0K6rhnQdF7kXekQ=
dep	tailscale.com	v1.62.0	h1:iI1fPDNXXETMbVEatos7xSR6Bv6aCuonD7B1X3glnPE=

[chrishoage]

I hacked in support this evening since I hit a hard-to-diagnose issue when my local tailscale state for whatever reason needed to re-auth again, but the auth key attached to the container expired long ago. The logs did not indicate any failure until i turned on debug logging.

Frustrated by this and not wishing to re-experience it I whipped up chrishoage@6b1956d

{
  log tailscale {
    level DEBUG
  }
  tailscale {
    ephemeral
    tags tag:container
  }
}

:80 {
  bind tailscale/test-caddy
  respond OK
}

There are several things that likely need to happen to make this production ready.

1. The ability for tsnet to advertise tags should be fixed FR: expose AdvertiseTags through tsnet library tailscale#8531 - it looks like there is an open PR to address this from the community but it hasn't been addressed by the maintainers yet
2. I am not handling preauth flags at all, just hard coding this to true.
3. there are zero tests and the quality is "how fast can I accomplish this task"

I'll be open to cleaning it up and up-streaming if when my already open MR is merged #94

[erikologic]

Hey this looks merged https://github.com/tailscale/tailscale/pull/15840/files

[willnorris]

related: tailscale/tailscale#17191 I think adding this to tsnet should just work with caddy, or maybe with minimal modifications to pass along tags from the caddy config

[erikologic]

#109 works for me :D