This project is a simple WebFinger implementation hosted on a Cloudflare Worker and deployed via Pulumi.
This application handles requests to the /.well-known/webfinger endpoint, responding with appropriate resource descriptors, if available.
It follows the specification defined by RFC 7033.
This is useful if you want to configure a custom OIDC provider for Tailscale, since you can run it free of charge on Cloudflare.
- Node.js and npm
- Wrangler
- Pulumi CLI
- Cloudflare Account and API keys (configured in Pulumi)
Set CLOUDFLARE_API_TOKEN to an API token created in the Cloudflare Dashboard with at least the Workers Routes:Edit, Workers Scripts:Edit, and Account Settings:Edit privileges.
The application requires specific Pulumi secrets for deployment to Cloudflare. Ensure these are set before running the deployment:
- accountId: Your Cloudflare account ID.
- zoneName: The domain name associated with your Cloudflare account.
- zoneId: The zone ID for the domain you are deploying to.
- descriptors: The JSON-encoded array of WebFinger descriptors (allowing for more than one subject) as defined by RFC 7033. Replace the $.subject and $.links[0].href as required.
You can set these secrets using the Pulumi CLI:
pulumi config set accountId <your_account_id>
pulumi config set zoneName <your_zone_name>
pulumi config set zoneId <your_zone_id>
pulumi config set descriptors '<your_descriptors_json>'
- Build: Compile TypeScript to JavaScript using Wrangler.
npm run build
- Deploy: Use Pulumi to deploy the Cloudflare worker and configure routing.
npm run deploy
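
The following TypeScript is an added example, not this project's source: it parses a `descriptors` value and answers a WebFinger query the way RFC 7033 specifies (400 for a missing `resource`, 404 for an unknown one, `application/jrd+json` on success). The function names, the `acct:alice@example.com` subject and the `idp.example.com` issuer are assumptions constructed for illustration; the issuer `rel` is the one OpenID Connect Discovery defines.

```typescript
// Added example; not the project's source. Names and sample data are assumptions.
interface Link { rel: string; href?: string; type?: string }
interface Descriptor { subject: string; aliases?: string[]; links?: Link[] }
interface Reply { status: number; headers: Record<string, string>; body: string }

// Constructed sample of the JSON-encoded `descriptors` config value.
const SAMPLE_DESCRIPTORS = JSON.stringify([{
  subject: "acct:alice@example.com",
  links: [{ rel: "http://openid.net/specs/connect/1.0/issuer", href: "https://idp.example.com" }],
}]);

// Reject malformed config early instead of serving it.
function parseDescriptors(json: string): Descriptor[] {
  const parsed: unknown = JSON.parse(json);
  if (!Array.isArray(parsed)) throw new Error("descriptors must be a JSON array");
  for (const d of parsed) {
    if (typeof d?.subject !== "string") throw new Error("descriptor without a subject");
  }
  return parsed as Descriptor[];
}

function webfinger(requestUrl: string, descriptors: Descriptor[]): Reply {
  const url = new URL(requestUrl);
  const plain: Record<string, string> = { "content-type": "text/plain" };
  if (url.pathname !== "/.well-known/webfinger") {
    return { status: 404, headers: plain, body: "not found" };
  }
  // RFC 7033 section 4.2: an absent resource parameter is a bad request.
  const resource = url.searchParams.get("resource");
  if (!resource) return { status: 400, headers: plain, body: "missing resource" };
  // Exact match only, so nothing is disclosed for subjects that are not configured.
  const match = descriptors.find((d) => d.subject === resource);
  if (!match) return { status: 404, headers: plain, body: "unknown resource" };
  // RFC 7033 section 4.3: optional rel parameters filter the links array.
  const rels = url.searchParams.getAll("rel");
  const links = (match.links ?? []).filter((l) => rels.length === 0 || rels.includes(l.rel));
  return {
    status: 200,
    headers: { "content-type": "application/jrd+json", "access-control-allow-origin": "*" },
    body: JSON.stringify({ ...match, links }),
  };
}
```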