Webfingo is a simple HTTP server that serves WebFinger requests for Keycloak. It is intended for integrating Keycloak with Tailscale.
- Acting as a web server, receive a WebFinger request from Tailscale, e.g. at
  https://webfingo.example.com/.well-known/webfinger?resource=acct:john@example.com.
- Connect to Keycloak's Postgres database, and look up the user and their realm
- Respond to the HTTP request with a normal WebFinger response
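
The flow in the list above, as an added sketch that is not Webfingo's own code: it validates the `resource` parameter, resolves the user's realm, and returns a WebFinger document carrying the OpenID Connect issuer link. The in-memory map (in place of the Postgres lookup), the hostname `keycloak.example.com`, the `/realms/<realm>` issuer path and the listen address are assumptions.

```go
package main

import (
	"encoding/json"
	"log"
	"net/http"
	"strings"
)

// Constructed sample data standing in for the Keycloak Postgres lookup (user -> realm).
var realmByUser = map[string]string{"john@example.com": "staff"}

// Placeholder Keycloak hostname; the /realms/<realm> issuer path used below is an assumption.
const keycloakHost = "keycloak.example.com"

// Link relation an OIDC client looks for in the WebFinger response.
const issuerRel = "http://openid.net/specs/connect/1.0/issuer"

// issuerFor returns the realm issuer URL and HTTP status: 400 if malformed, 404 if unknown.
func issuerFor(resource string) (string, int) {
	acct, ok := strings.CutPrefix(resource, "acct:")
	user, domain, hasAt := strings.Cut(acct, "@")
	if !ok || !hasAt || user == "" || domain == "" || strings.Contains(domain, "@") {
		return "", http.StatusBadRequest
	}
	realm, found := realmByUser[acct]
	if !found {
		return "", http.StatusNotFound
	}
	return "https://" + keycloakHost + "/realms/" + realm, http.StatusOK
}

func webfingerHandler(w http.ResponseWriter, r *http.Request) {
	resource := r.URL.Query().Get("resource")
	issuer, status := issuerFor(resource)
	if status != http.StatusOK {
		http.Error(w, http.StatusText(status), status)
		return
	}
	w.Header().Set("Content-Type", "application/jrd+json")
	json.NewEncoder(w).Encode(map[string]any{
		"subject": resource,
		"links":   []map[string]string{{"rel": issuerRel, "href": issuer}},
	})
}

func main() {
	http.HandleFunc("/.well-known/webfinger", webfingerHandler)
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", nil))
}
```

Binding to loopback keeps the plain-HTTP listener reachable only through the TLS-terminating reverse proxy on the same host.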
make build
./bin/webfingo --config [your config file]
See ./config/config-example.json. Note that the Keycloak DB config and the
hostname of your Keycloak endpoint will be needed.
- A Keycloak instance with a Postgres database
- Go 1.24 or later
An example systemd service file is provided in
./deployment-config-examples/webfingo.service. This example assumes you have a
user and group named webfingo, and that ./bin/webfingo has been symlinked to
/usr/bin/webfingo.
To install the service, copy the file to /etc/systemd/system/webfingo.service
and run sudo systemctl enable webfingo and sudo systemctl start webfingo.
Remember to set the appropriate config file location.
An example Caddyfile is provided in ./deployment-config-examples/Caddyfile.
This example assumes you have a Caddy server running on the same machine as
Webfingo. Caddy acts as the TLS endpoint here and forwards each request on to
Webfingo over plain HTTP. Ensure that you configure this appropriately for your
infrastructure.