Enhance Tailscale integration by adding OAuth support: update configuration to include OAuth client ID, secret, and scopes, modify Tailscale service to prioritize OAuth over API key, and update README with new authentication methods and deployment instructions. Update Dockerfile to use Go 1.23 and adjust environment variables in Docker Compose and Kubernetes manifests accordingly.

Author: rajsinghtech

Dockerfile

@@ -12,7 +12,7 @@ COPY frontend/ ./
 RUN npm run build
 
 # Backend build stage
-FROM golang:1.21-alpine AS backend-build
+FROM golang:1.23-alpine AS backend-build
 
 WORKDIR /app/backend
 

README.md

@@ -10,6 +10,20 @@ A modern, real-time web application for visualizing and analyzing network traffi
 
 The fastest way to get started using pre-built images:
 
+**Using OAuth (Recommended):**
+```bash
+docker run -d \
+  --name tsflow \
+  -p 8080:8080 \
+  -e TAILSCALE_OAUTH_CLIENT_ID=your-client-id \
+  -e TAILSCALE_OAUTH_CLIENT_SECRET=your-client-secret \
+  -e TAILSCALE_TAILNET=your-organization \
+  -e ENVIRONMENT=production \
+  --restart unless-stopped \
+  ghcr.io/rajsinghtech/tsflow:latest
+```
+
+**Using API Key:**
 ```bash
 docker run -d \
   --name tsflow \
@@ -29,12 +43,28 @@ Navigate to `http://localhost:8080` to access the dashboard.
 
 Go to the [Logs tab](https://login.tailscale.com/admin/logs) in your Tailscale Admin Console and ensure that Network Flow Logs are **enabled**. **Note**: This requires a **Premium** or **Enterprise** plan.
 
-### Finding Your Tailscale Credentials
+### Authentication Methods
+
+TSFlow supports two authentication methods with Tailscale. You only need to configure one method.
+
+#### Method 1: OAuth Client Credentials (Recommended)
+
+OAuth provides better security through automatic token refresh and fine-grained permissions.
+
+1. Go to the [OAuth clients page](https://login.tailscale.com/admin/settings/oauth) in your Tailscale Admin Console
+2. Create a new OAuth client
+3. Copy the Client ID and Client Secret
+4. Set the following environment variables:
+   - `TAILSCALE_OAUTH_CLIENT_ID=your-client-id`
+   - `TAILSCALE_OAUTH_CLIENT_SECRET=your-client-secret`
+   - `TAILSCALE_OAUTH_SCOPES=all:read,devices:read,network-logs:read` (optional, defaults to `all:read`)
+
+#### Method 2: API Key (Legacy)
 
-#### API Key
 1. Go to the [API keys page](https://login.tailscale.com/admin/settings/keys) in your Tailscale Admin Console
 2. Create a new API key
 3. Copy the generated API key (starts with `tskey-api-`)
+4. Set `TAILSCALE_API_KEY=your-api-key`
 
 #### Organization Name
 1. Go to the [Settings page](https://login.tailscale.com/admin/settings/general) in your Tailscale Admin Console
@@ -45,16 +75,41 @@ Go to the [Logs tab](https://login.tailscale.com/admin/logs) in your Tailscale A
 
 | Variable | Description | Required | Default |
 |----------|-------------|----------|---------|
-| `TAILSCALE_API_KEY` | Your Tailscale API key | Yes | - |
 | `TAILSCALE_TAILNET` | Your organization name | Yes | - |
+| **OAuth Method** |
+| `TAILSCALE_OAUTH_CLIENT_ID` | OAuth client ID | Yes* | - |
+| `TAILSCALE_OAUTH_CLIENT_SECRET` | OAuth client secret | Yes* | - |
+| `TAILSCALE_OAUTH_SCOPES` | OAuth scopes (comma-separated) | No | `all:read` |
+| **API Key Method** |
+| `TAILSCALE_API_KEY` | Your Tailscale API key | Yes* | - |
+| **Other** |
 | `PORT` | Backend server port | No | `8080` |
 
+*Either OAuth credentials OR API key must be provided
+
 ## Deployment Options
 
 ### Using Docker Compose
 
 Create a `docker-compose.yml` file:
 
+**Using OAuth (Recommended):**
+```yaml
+services:
+  tsflow:
+    image: ghcr.io/rajsinghtech/tsflow:latest
+    container_name: tsflow
+    ports:
+      - "8080:8080"
+    environment:
+      - TAILSCALE_OAUTH_CLIENT_ID=your-client-id
+      - TAILSCALE_OAUTH_CLIENT_SECRET=your-client-secret
+      - TAILSCALE_TAILNET=your-organization
+      - PORT=8080
+    restart: unless-stopped
+```
+
+**Using API Key:**
 ```yaml
 services:
   tsflow:

backend/backend

@@ -1,11 +1,14 @@
 module github.com/rajsinghtech/tsflow/backend
 
-go 1.21
+go 1.23.0
+
+toolchain go1.24.4
 
 require (
 	github.com/gin-contrib/cors v1.4.0
 	github.com/gin-gonic/gin v1.9.1
 	github.com/joho/godotenv v1.4.0
+	golang.org/x/oauth2 v0.30.0
 )
 
 require (

backend/go.mod

@@ -98,6 +98,8 @@ golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
+golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
+golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210630005230-0f9fa26af87c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

backend/go.sum

@@ -2,35 +2,52 @@ package config
 
 import (
 	"errors"
+	"log"
 	"os"
+	"strings"
 )
 
 // Config holds the application configuration
 type Config struct {
-	TailscaleAPIKey  string
-	TailscaleTailnet string
-	Port             string
-	Environment      string
+	TailscaleAPIKey            string
+	TailscaleTailnet           string
+	TailscaleOAuthClientID     string
+	TailscaleOAuthClientSecret string
+	TailscaleOAuthScopes       []string
+	Port                       string
+	Environment                string
 }
 
 // Load loads configuration from environment variables
 func Load() *Config {
 	return &Config{
-		TailscaleAPIKey:  os.Getenv("TAILSCALE_API_KEY"),
-		TailscaleTailnet: os.Getenv("TAILSCALE_TAILNET"),
-		Port:             getEnvWithDefault("PORT", "8080"),
-		Environment:      getEnvWithDefault("ENVIRONMENT", "development"),
+		TailscaleAPIKey:            os.Getenv("TAILSCALE_API_KEY"),
+		TailscaleTailnet:           os.Getenv("TAILSCALE_TAILNET"),
+		TailscaleOAuthClientID:     os.Getenv("TAILSCALE_OAUTH_CLIENT_ID"),
+		TailscaleOAuthClientSecret: os.Getenv("TAILSCALE_OAUTH_CLIENT_SECRET"),
+		TailscaleOAuthScopes:       parseScopes(os.Getenv("TAILSCALE_OAUTH_SCOPES")),
+		Port:                       getEnvWithDefault("PORT", "8080"),
+		Environment:                getEnvWithDefault("ENVIRONMENT", "development"),
 	}
 }
 
 // Validate validates the configuration
 func (c *Config) Validate() error {
-	if c.TailscaleAPIKey == "" {
-		return errors.New("TAILSCALE_API_KEY is required")
-	}
 	if c.TailscaleTailnet == "" {
 		return errors.New("TAILSCALE_TAILNET is required")
 	}
+
+	hasAPIKey := c.TailscaleAPIKey != ""
+	hasOAuth := c.TailscaleOAuthClientID != "" && c.TailscaleOAuthClientSecret != ""
+
+	if !hasAPIKey && !hasOAuth {
+		return errors.New("either TAILSCALE_API_KEY or both TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET must be provided")
+	}
+
+	if hasAPIKey && hasOAuth {
+		log.Println("Both API key and OAuth credentials provided. OAuth will take precedence.")
+	}
+
 	return nil
 }
 
@@ -41,3 +58,15 @@ func getEnvWithDefault(key, defaultValue string) string {
 	}
 	return defaultValue
 }
+
+// parseScopes parses a comma-separated string of OAuth scopes
+func parseScopes(scopesStr string) []string {
+	if scopesStr == "" {
+		return []string{"all:read"}
+	}
+	scopes := strings.Split(scopesStr, ",")
+	for i, scope := range scopes {
+		scopes[i] = strings.TrimSpace(scope)
+	}
+	return scopes
+}

backend/internal/config/config.go

@@ -1,18 +1,24 @@
 package services
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
 	"net/http"
 	"time"
+
+	"github.com/rajsinghtech/tsflow/backend/internal/config"
+	"golang.org/x/oauth2/clientcredentials"
 )
 
 // TailscaleService handles interactions with the Tailscale API
 type TailscaleService struct {
-	apiKey  string
-	tailnet string
-	client  *http.Client
+	apiKey      string
+	oauthConfig *clientcredentials.Config
+	tailnet     string
+	client      *http.Client
+	useOAuth    bool
 }
 
 // Device represents a Tailscale device
@@ -58,14 +64,31 @@ type NetworkLogsResponse struct {
 }
 
 // NewTailscaleService creates a new Tailscale service
-func NewTailscaleService(apiKey, tailnet string) *TailscaleService {
-	return &TailscaleService{
-		apiKey:  apiKey,
-		tailnet: tailnet,
-		client: &http.Client{
+func NewTailscaleService(cfg *config.Config) *TailscaleService {
+	ts := &TailscaleService{
+		tailnet: cfg.TailscaleTailnet,
+	}
+
+	// Prioritize OAuth if configured, fallback to API key
+	if cfg.TailscaleOAuthClientID != "" && cfg.TailscaleOAuthClientSecret != "" {
+		ts.oauthConfig = &clientcredentials.Config{
+			ClientID:     cfg.TailscaleOAuthClientID,
+			ClientSecret: cfg.TailscaleOAuthClientSecret,
+			Scopes:       cfg.TailscaleOAuthScopes,
+			TokenURL:     "https://api.tailscale.com/api/v2/oauth/token",
+		}
+		ts.client = ts.oauthConfig.Client(context.Background())
+		ts.client.Timeout = 2 * time.Minute
+		ts.useOAuth = true
+	} else if cfg.TailscaleAPIKey != "" {
+		ts.apiKey = cfg.TailscaleAPIKey
+		ts.client = &http.Client{
 			Timeout: 2 * time.Minute,
-		},
+		}
+		ts.useOAuth = false
 	}
+
+	return ts
 }
 
 // makeRequest makes an authenticated request to the Tailscale API
@@ -77,7 +100,11 @@ func (ts *TailscaleService) makeRequest(endpoint string) ([]byte, error) {
 		return nil, fmt.Errorf("failed to create request: %w", err)
 	}
 
-	req.Header.Set("Authorization", "Bearer "+ts.apiKey)
+	// OAuth client handles authentication automatically via HTTP client
+	// For API key authentication, set Authorization header manually
+	if !ts.useOAuth && ts.apiKey != "" {
+		req.Header.Set("Authorization", "Bearer "+ts.apiKey)
+	}
 	req.Header.Set("Accept", "application/json")
 
 	resp, err := ts.client.Do(req)

backend/internal/services/tailscale.go

@@ -22,7 +22,7 @@ func main() {
 		log.Fatalf("Configuration error: %v", err)
 	}
 
-	tailscaleService := services.NewTailscaleService(cfg.TailscaleAPIKey, cfg.TailscaleTailnet)
+	tailscaleService := services.NewTailscaleService(cfg)
 	handlerService := handlers.NewHandlers(tailscaleService)
 
 	if cfg.Environment == "production" {
@@ -77,6 +77,13 @@ func main() {
 	log.Printf("Starting TSFlow server on port %s", port)
 	log.Printf("Tailnet: %s", cfg.TailscaleTailnet)
 	log.Printf("Environment: %s", cfg.Environment)
+	
+	// Log authentication method being used
+	if cfg.TailscaleOAuthClientID != "" && cfg.TailscaleOAuthClientSecret != "" {
+		log.Printf("Authentication: OAuth Client Credentials (Client ID: %s)", cfg.TailscaleOAuthClientID)
+	} else {
+		log.Printf("Authentication: API Key")
+	}
 
 	if err := router.Run("0.0.0.0:" + port); err != nil {
 		log.Fatalf("Failed to start server: %v", err)

backend/main.go

@@ -6,6 +6,9 @@ services:
     environment:
       - TAILSCALE_API_KEY=${TAILSCALE_API_KEY}
       - TAILSCALE_TAILNET=${TAILSCALE_TAILNET}
+      - TAILSCALE_OAUTH_CLIENT_ID=${TAILSCALE_OAUTH_CLIENT_ID}
+      - TAILSCALE_OAUTH_CLIENT_SECRET=${TAILSCALE_OAUTH_CLIENT_SECRET}
+      - TAILSCALE_OAUTH_SCOPES=${TAILSCALE_OAUTH_SCOPES}
       - PORT=8080
       - ENVIRONMENT=production
     env_file:

docker-compose.yml

@@ -5,4 +5,7 @@ metadata:
 type: Opaque
 stringData:
   TAILSCALE_API_KEY: ${TAILSCALE_API_KEY}
-  TAILSCALE_TAILNET: ${TAILSCALE_TAILNET}
+  TAILSCALE_TAILNET: ${TAILSCALE_TAILNET}
+  TAILSCALE_OAUTH_CLIENT_ID: ${TAILSCALE_OAUTH_CLIENT_ID}
+  TAILSCALE_OAUTH_CLIENT_SECRET: ${TAILSCALE_OAUTH_CLIENT_SECRET}
+  TAILSCALE_OAUTH_SCOPES: ${TAILSCALE_OAUTH_SCOPES}