tailscale: Can't log in with a plain email address, need GSuite or Office365
Installed the Linux client on the latest Linux Mint but it won’t get past waiting for URL visit:
AuthURL is https://login2.tails...
sendStatus: authRoutine3: state:url-visit-required
To authenticate, visit:
https://login2.tailscale.io/a/...
authRoutine: state:url-visit-required
direct.WaitLoginURL
doLogin(regen=false, hasUrl=true)
RegisterReq: onode=[empty] node=[wJVU…+tjE] fup=true
Tried in both Firefox and Chromium but same result.
About this issue
- State: open
- Created 4 years ago
- Reactions: 2
- Comments: 23 (9 by maintainers)
What if we supported logging in via an email address, but no password?
And then to prove they owned that email address, they emailed a token to a magic email address of ours that verified the DKIM signature and parsed the token?
I’ve written this before (https://github.com/golang/build/blob/442b1a7d81d6d71264b3bf31c305af92fa0cb7dc/cmd/pubsubhelper/pubsubhelper.go#L287) and it was pretty painless.
I’ve seen a few other sites do email-a-link too (like https://opencollective.com/) as their only login method, but I haven’t seen the DKIM thing before.
The UI could be:
Email login@tailscale.com the token XYZXYZXYZXYZXYZXYZXYZ (with a mailto:login@tailscale.com?subject=XYZXYZXYZXYZXYZXYZXYZ link).
+1 for the “do not want to depend on the largess of google / microsoft for my personal security” bucket. DKIM signing is no barrier.
I would also be pretty happy with “add a DNS record to locate the oauth2 provider for tailscale to use” rather than “contact support to use another provider”.
We are aware of your interest in the functionality, and we use the level of interest in planning engineering efforts over time.
+1 to support for non-Google and non-Microsoft accounts. While it’s rare that these accounts might be closed without a warning, I cannot help but wonder what if that happens after all.
@lpil, to be clear, I’m not talking about magic email links. We would never send an email (so no abuse or phishing potential). We would provide you with a single-use email address that you send to. We’d then verify the DKIM signature on the email and log you in.
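The inbound-email login flow proposed in this thread (user mails a token to a single-use address, server verifies DKIM and parses the token), as an added Go example that is not Tailscale's code: it assumes a hypothetical login@example.com mailbox and takes the DKIM verifier's result (the verified d= domain) as an input, since signature verification itself needs DNS. Beyond the thread's description it adds the From/d= alignment, expiry and single-use checks a practitioner would want.

```go
package main

import (
	"crypto/rand"
	"encoding/base32"
	"errors"
	"strings"
	"time"
)

// pending is one outstanding login: a single-use token bound to the address the
// user claimed, with an expiry. Store is a map standing in for a database.
type pending struct {
	email   string
	expires time.Time
}
type Store map[string]pending
// Issue mints a token for the claimed address and returns the mailto: link the
// user clicks. Nothing is emailed to the user; the token only travels user -> server.
func (s Store) Issue(email string, ttl time.Duration, now time.Time) (token, link string) {
	b := make([]byte, 20)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	token = base32.StdEncoding.WithPadding(base32.NoPadding).EncodeToString(b)
	s[token] = pending{email: strings.ToLower(email), expires: now.Add(ttl)}
	return token, "mailto:login@example.com?subject=" + token // hypothetical mailbox
}

// Redeem validates an inbound message and returns the logged-in address. dkimDomain
// is the d= of the signature a DKIM verifier (not shown) accepted, "" if none did.
func (s Store) Redeem(from, subject, dkimDomain string, now time.Time) (string, error) {
	// Alignment: the signing domain must be the From domain or a parent of it,
	// otherwise any DKIM-signing relay could vouch for any address.
	from = strings.ToLower(strings.TrimSpace(from))
	at, sig := strings.LastIndexByte(from, '@'), strings.ToLower(dkimDomain)
	if sig == "" || at < 0 || (from[at+1:] != sig && !strings.HasSuffix(from[at+1:], "."+sig)) {
		return "", errors.New("dkim: no verified signature aligned with From")
	}
	token := strings.TrimSpace(subject)
	p, ok := s[token]
	delete(s, token) // single use: consumed even if a later check fails
	if !ok || now.After(p.expires) {
		return "", errors.New("unknown or expired token")
	}
	if p.email != from {
		return "", errors.New("token was issued for a different address")
	}
	return p.email, nil
}
```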
Since the last update, support for Passkeys has been added: https://tailscale.com/kb/1269/passkeys/
Since this feature request was filed, several other relevant features have become available:
As said in #2379, if you are aiming at making a truly “Private WireGuard® network”, using Google/Microsoft/GitHub is directly opposed to it.
The idea of @bradfitz is very viable. The question is what do we do if one is unable to access their email. Maybe use a 2FA app with time authentication as an alternative?
Magic email links would work great for me, nice idea @bradfitz