tsnet,internal/client/tailscale: resolve OAuth into authkeys in tsnet (#17191)

* tsnet,internal/client/tailscale: resolve OAuth into authkeys in tsnet

Updates #8403.

* internal/client/tailscale: omit OAuth library via build tag

Updates #12614.

Signed-off-by: Naman Sood <mail@nsood.in>

cmd/k8s-operator/depaware.txt

@@ -798,13 +798,15 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
         tailscale.com/envknob/featureknob                            from tailscale.com/client/web+
         tailscale.com/feature                                        from tailscale.com/ipn/ipnext+
         tailscale.com/feature/buildfeatures                          from tailscale.com/wgengine/magicsock+
+        tailscale.com/feature/condregister/oauthkey                  from tailscale.com/tsnet
         tailscale.com/feature/condregister/portmapper                from tailscale.com/tsnet
+        tailscale.com/feature/oauthkey                               from tailscale.com/feature/condregister/oauthkey
         tailscale.com/feature/portmapper                             from tailscale.com/feature/condregister/portmapper
         tailscale.com/feature/syspolicy                              from tailscale.com/logpolicy
         tailscale.com/health                                         from tailscale.com/control/controlclient+
         tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal+
         tailscale.com/hostinfo                                       from tailscale.com/client/web+
-        tailscale.com/internal/client/tailscale                      from tailscale.com/cmd/k8s-operator
+        tailscale.com/internal/client/tailscale                      from tailscale.com/cmd/k8s-operator+
         tailscale.com/internal/noiseconn                             from tailscale.com/control/controlclient
         tailscale.com/ipn                                            from tailscale.com/client/local+
         tailscale.com/ipn/conffile                                   from tailscale.com/ipn/ipnlocal+
@@ -1030,7 +1032,7 @@ tailscale.com/cmd/k8s-operator dependencies: (generated by github.com/tailscale/
    D    golang.org/x/net/route                                       from tailscale.com/net/netmon+
         golang.org/x/net/websocket                                   from tailscale.com/k8s-operator/sessionrecording/ws
         golang.org/x/oauth2                                          from golang.org/x/oauth2/clientcredentials+
-        golang.org/x/oauth2/clientcredentials                        from tailscale.com/cmd/k8s-operator
+        golang.org/x/oauth2/clientcredentials                        from tailscale.com/cmd/k8s-operator+
         golang.org/x/oauth2/internal                                 from golang.org/x/oauth2+
         golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
         golang.org/x/sys/cpu                                         from github.com/tailscale/certstore+

cmd/tailscale/cli/up.go

@@ -12,13 +12,11 @@ import (
 	"fmt"
 	"log"
 	"net/netip"
-	"net/url"
 	"os"
 	"os/signal"
 	"reflect"
 	"runtime"
 	"sort"
-	"strconv"
 	"strings"
 	"syscall"
 	"time"
@@ -26,7 +24,7 @@ import (
 	shellquote "github.com/kballard/go-shellquote"
 	"github.com/peterbourgon/ff/v3/ffcli"
 	qrcode "github.com/skip2/go-qrcode"
-	"golang.org/x/oauth2/clientcredentials"
+	_ "tailscale.com/feature/condregister/oauthkey"
 	"tailscale.com/health/healthmsg"
 	"tailscale.com/internal/client/tailscale"
 	"tailscale.com/ipn"
@@ -566,9 +564,13 @@ func runUp(ctx context.Context, cmd string, args []string, upArgs upArgsT) (retE
 		if err != nil {
 			return err
 		}
-		authKey, err = resolveAuthKey(ctx, authKey, upArgs.advertiseTags)
+		// Try to use an OAuth secret to generate an auth key if that functionality
-		if err != nil {
+		// is available.
-			return err
+		if f, ok := tailscale.HookResolveAuthKey.GetOk(); ok {
+			authKey, err = f(ctx, authKey, strings.Split(upArgs.advertiseTags, ","))
+			if err != nil {
+				return err
+			}
 		}
 		err = localClient.Start(ctx, ipn.Options{
 			AuthKey:     authKey,
@@ -1109,90 +1111,6 @@ func exitNodeIP(p *ipn.Prefs, st *ipnstate.Status) (ip netip.Addr) {
 	return
 }
 
-// resolveAuthKey either returns v unchanged (in the common case) or, if it
-// starts with "tskey-client-" (as Tailscale OAuth secrets do) parses it like
-//
-//	tskey-client-xxxx[?ephemeral=false&bar&preauthorized=BOOL&baseURL=...]
-//
-// and does the OAuth2 dance to get and return an authkey. The "ephemeral"
-// property defaults to true if unspecified. The "preauthorized" defaults to
-// false. The "baseURL" defaults to https://api.tailscale.com.
-// The passed in tags are required, and must be non-empty. These will be
-// set on the authkey generated by the OAuth2 dance.
-func resolveAuthKey(ctx context.Context, v, tags string) (string, error) {
-	if !strings.HasPrefix(v, "tskey-client-") {
-		return v, nil
-	}
-	if tags == "" {
-		return "", errors.New("oauth authkeys require --advertise-tags")
-	}
-
-	clientSecret, named, _ := strings.Cut(v, "?")
-	attrs, err := url.ParseQuery(named)
-	if err != nil {
-		return "", err
-	}
-	for k := range attrs {
-		switch k {
-		case "ephemeral", "preauthorized", "baseURL":
-		default:
-			return "", fmt.Errorf("unknown attribute %q", k)
-		}
-	}
-	getBool := func(name string, def bool) (bool, error) {
-		v := attrs.Get(name)
-		if v == "" {
-			return def, nil
-		}
-		ret, err := strconv.ParseBool(v)
-		if err != nil {
-			return false, fmt.Errorf("invalid attribute boolean attribute %s value %q", name, v)
-		}
-		return ret, nil
-	}
-	ephemeral, err := getBool("ephemeral", true)
-	if err != nil {
-		return "", err
-	}
-	preauth, err := getBool("preauthorized", false)
-	if err != nil {
-		return "", err
-	}
-
-	baseURL := "https://api.tailscale.com"
-	if v := attrs.Get("baseURL"); v != "" {
-		baseURL = v
-	}
-
-	credentials := clientcredentials.Config{
-		ClientID:     "some-client-id", // ignored
-		ClientSecret: clientSecret,
-		TokenURL:     baseURL + "/api/v2/oauth/token",
-	}
-
-	tsClient := tailscale.NewClient("-", nil)
-	tsClient.UserAgent = "tailscale-cli"
-	tsClient.HTTPClient = credentials.Client(ctx)
-	tsClient.BaseURL = baseURL
-
-	caps := tailscale.KeyCapabilities{
-		Devices: tailscale.KeyDeviceCapabilities{
-			Create: tailscale.KeyDeviceCreateCapabilities{
-				Reusable:      false,
-				Ephemeral:     ephemeral,
-				Preauthorized: preauth,
-				Tags:          strings.Split(tags, ","),
-			},
-		},
-	}
-
-	authkey, _, err := tsClient.CreateKey(ctx, caps)
-	if err != nil {
-		return "", err
-	}
-	return authkey, nil
-}
-
 func warnOnAdvertiseRoutes(ctx context.Context, prefs *ipn.Prefs) {
 	if len(prefs.AdvertiseRoutes) > 0 || prefs.AppConnector.Advertise {
 		// TODO(jwhited): compress CheckIPForwarding and CheckUDPGROForwarding

cmd/tailscale/depaware.txt

@@ -105,13 +105,15 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         tailscale.com/feature                                        from tailscale.com/tsweb+
         tailscale.com/feature/buildfeatures                          from tailscale.com/cmd/tailscale/cli
         tailscale.com/feature/capture/dissector                      from tailscale.com/cmd/tailscale/cli
+        tailscale.com/feature/condregister/oauthkey                  from tailscale.com/cmd/tailscale/cli
         tailscale.com/feature/condregister/portmapper                from tailscale.com/cmd/tailscale/cli
+        tailscale.com/feature/oauthkey                               from tailscale.com/feature/condregister/oauthkey
         tailscale.com/feature/portmapper                             from tailscale.com/feature/condregister/portmapper
         tailscale.com/feature/syspolicy                              from tailscale.com/cmd/tailscale/cli
         tailscale.com/health                                         from tailscale.com/net/tlsdial+
         tailscale.com/health/healthmsg                               from tailscale.com/cmd/tailscale/cli
         tailscale.com/hostinfo                                       from tailscale.com/client/web+
-        tailscale.com/internal/client/tailscale                      from tailscale.com/cmd/tailscale/cli
+        tailscale.com/internal/client/tailscale                      from tailscale.com/cmd/tailscale/cli+
         tailscale.com/internal/noiseconn                             from tailscale.com/cmd/tailscale/cli
         tailscale.com/ipn                                            from tailscale.com/client/local+
         tailscale.com/ipn/ipnstate                                   from tailscale.com/client/local+
@@ -253,7 +255,7 @@ tailscale.com/cmd/tailscale dependencies: (generated by github.com/tailscale/dep
         golang.org/x/net/proxy                                       from tailscale.com/net/netns
    D    golang.org/x/net/route                                       from tailscale.com/net/netmon+
         golang.org/x/oauth2                                          from golang.org/x/oauth2/clientcredentials
-        golang.org/x/oauth2/clientcredentials                        from tailscale.com/cmd/tailscale/cli
+        golang.org/x/oauth2/clientcredentials                        from tailscale.com/feature/oauthkey
         golang.org/x/oauth2/internal                                 from golang.org/x/oauth2+
         golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
         golang.org/x/sys/cpu                                         from golang.org/x/crypto/argon2+

cmd/tailscaled/deps_test.go

@@ -122,3 +122,16 @@ func TestOmitACME(t *testing.T) {
 		},
 	}.Check(t)
 }
+
+func TestOmitOAuthKey(t *testing.T) {
+	deptest.DepChecker{
+		GOOS:   "linux",
+		GOARCH: "amd64",
+		Tags:   "ts_omit_oauthkey,ts_include_cli",
+		OnDep: func(dep string) {
+			if strings.HasPrefix(dep, "golang.org/x/oauth2") {
+				t.Errorf("unexpected dep with ts_omit_oauthkey: %q", dep)
+			}
+		},
+	}.Check(t)
+}

cmd/tsidp/depaware.txt

@@ -217,6 +217,7 @@ tailscale.com/cmd/tsidp dependencies: (generated by github.com/tailscale/depawar
         tailscale.com/appc                                           from tailscale.com/ipn/ipnlocal
      💣 tailscale.com/atomicfile                                     from tailscale.com/ipn+
         tailscale.com/client/local                                   from tailscale.com/client/web+
+        tailscale.com/client/tailscale                               from tailscale.com/internal/client/tailscale
         tailscale.com/client/tailscale/apitype                       from tailscale.com/client/local+
         tailscale.com/client/web                                     from tailscale.com/ipn/ipnlocal
         tailscale.com/clientupdate                                   from tailscale.com/client/web+
@@ -239,12 +240,15 @@ tailscale.com/cmd/tsidp dependencies: (generated by github.com/tailscale/depawar
         tailscale.com/envknob/featureknob                            from tailscale.com/client/web+
         tailscale.com/feature                                        from tailscale.com/ipn/ipnext+
         tailscale.com/feature/buildfeatures                          from tailscale.com/wgengine/magicsock+
+        tailscale.com/feature/condregister/oauthkey                  from tailscale.com/tsnet
         tailscale.com/feature/condregister/portmapper                from tailscale.com/tsnet
+        tailscale.com/feature/oauthkey                               from tailscale.com/feature/condregister/oauthkey
         tailscale.com/feature/portmapper                             from tailscale.com/feature/condregister/portmapper
         tailscale.com/feature/syspolicy                              from tailscale.com/logpolicy
         tailscale.com/health                                         from tailscale.com/control/controlclient+
         tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal+
         tailscale.com/hostinfo                                       from tailscale.com/client/web+
+        tailscale.com/internal/client/tailscale                      from tailscale.com/tsnet+
         tailscale.com/internal/noiseconn                             from tailscale.com/control/controlclient
         tailscale.com/ipn                                            from tailscale.com/client/local+
         tailscale.com/ipn/conffile                                   from tailscale.com/ipn/ipnlocal+
@@ -457,6 +461,9 @@ tailscale.com/cmd/tsidp dependencies: (generated by github.com/tailscale/depawar
         golang.org/x/net/ipv6                                        from github.com/prometheus-community/pro-bing+
         golang.org/x/net/proxy                                       from tailscale.com/net/netns
    D    golang.org/x/net/route                                       from tailscale.com/net/netmon+
+        golang.org/x/oauth2                                          from golang.org/x/oauth2/clientcredentials
+        golang.org/x/oauth2/clientcredentials                        from tailscale.com/feature/oauthkey
+        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2+
         golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
         golang.org/x/sys/cpu                                         from github.com/tailscale/certstore+
   LD    golang.org/x/sys/unix                                        from github.com/google/nftables+

feature/buildfeatures/feature_oauthkey_disabled.go

@@ -0,0 +1,13 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Code generated by gen.go; DO NOT EDIT.
+
+//go:build ts_omit_oauthkey
+
+package buildfeatures
+
+// HasOAuthKey is whether the binary was built with support for modular feature "OAuth secret-to-authkey resolution support".
+// Specifically, it's whether the binary was NOT built with the "ts_omit_oauthkey" build tag.
+// It's a const so it can be used for dead code elimination.
+const HasOAuthKey = false

feature/buildfeatures/feature_oauthkey_enabled.go

@@ -0,0 +1,13 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Code generated by gen.go; DO NOT EDIT.
+
+//go:build !ts_omit_oauthkey
+
+package buildfeatures
+
+// HasOAuthKey is whether the binary was built with support for modular feature "OAuth secret-to-authkey resolution support".
+// Specifically, it's whether the binary was NOT built with the "ts_omit_oauthkey" build tag.
+// It's a const so it can be used for dead code elimination.
+const HasOAuthKey = true

feature/condregister/oauthkey/doc.go

@@ -0,0 +1,10 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package oauthkey registers support for OAuth key resolution
+// if it's not disabled via the ts_omit_oauthkey build tag.
+// Currently (2025-09-19), tailscaled does not need OAuth key
+// resolution, only the CLI and tsnet do, so this package is
+// pulled out separately to avoid linking OAuth packages into
+// tailscaled.
+package oauthkey

feature/condregister/oauthkey/maybe_oauthkey.go

@@ -0,0 +1,8 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+//go:build !ts_omit_oauthkey
+
+package oauthkey
+
+import _ "tailscale.com/feature/oauthkey"

feature/featuretags/featuretags.go

@@ -105,6 +105,7 @@ var Features = map[FeatureTag]FeatureMeta{
 	"desktop_sessions": {"DesktopSessions", "Desktop sessions support", nil},
 	"drive":            {"Drive", "Tailscale Drive (file server) support", nil},
 	"kube":             {"Kube", "Kubernetes integration", nil},
+	"oauthkey":         {"OAuthKey", "OAuth secret-to-authkey resolution support", nil},
 	"portmapper":       {"PortMapper", "NAT-PMP/PCP/UPnP port mapping support", nil},
 	"relayserver":      {"RelayServer", "Relay server", nil},
 	"serve":            {"Serve", "Serve and Funnel support", nil},

feature/oauthkey/oauthkey.go

@@ -0,0 +1,108 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+// Package oauthkey registers support for using OAuth client secrets to
+// automatically request authkeys for logging in.
+package oauthkey
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/url"
+	"strconv"
+	"strings"
+
+	"golang.org/x/oauth2/clientcredentials"
+	"tailscale.com/feature"
+	"tailscale.com/internal/client/tailscale"
+)
+
+func init() {
+	feature.Register("oauthkey")
+	tailscale.HookResolveAuthKey.Set(resolveAuthKey)
+}
+
+// resolveAuthKey either returns v unchanged (in the common case) or, if it
+// starts with "tskey-client-" (as Tailscale OAuth secrets do) parses it like
+//
+//	tskey-client-xxxx[?ephemeral=false&bar&preauthorized=BOOL&baseURL=...]
+//
+// and does the OAuth2 dance to get and return an authkey. The "ephemeral"
+// property defaults to true if unspecified. The "preauthorized" defaults to
+// false. The "baseURL" defaults to https://api.tailscale.com.
+// The passed in tags are required, and must be non-empty. These will be
+// set on the authkey generated by the OAuth2 dance.
+func resolveAuthKey(ctx context.Context, v string, tags []string) (string, error) {
+	if !strings.HasPrefix(v, "tskey-client-") {
+		return v, nil
+	}
+	if len(tags) == 0 {
+		return "", errors.New("oauth authkeys require --advertise-tags")
+	}
+
+	clientSecret, named, _ := strings.Cut(v, "?")
+	attrs, err := url.ParseQuery(named)
+	if err != nil {
+		return "", err
+	}
+	for k := range attrs {
+		switch k {
+		case "ephemeral", "preauthorized", "baseURL":
+		default:
+			return "", fmt.Errorf("unknown attribute %q", k)
+		}
+	}
+	getBool := func(name string, def bool) (bool, error) {
+		v := attrs.Get(name)
+		if v == "" {
+			return def, nil
+		}
+		ret, err := strconv.ParseBool(v)
+		if err != nil {
+			return false, fmt.Errorf("invalid attribute boolean attribute %s value %q", name, v)
+		}
+		return ret, nil
+	}
+	ephemeral, err := getBool("ephemeral", true)
+	if err != nil {
+		return "", err
+	}
+	preauth, err := getBool("preauthorized", false)
+	if err != nil {
+		return "", err
+	}
+
+	baseURL := "https://api.tailscale.com"
+	if v := attrs.Get("baseURL"); v != "" {
+		baseURL = v
+	}
+
+	credentials := clientcredentials.Config{
+		ClientID:     "some-client-id", // ignored
+		ClientSecret: clientSecret,
+		TokenURL:     baseURL + "/api/v2/oauth/token",
+	}
+
+	tsClient := tailscale.NewClient("-", nil)
+	tsClient.UserAgent = "tailscale-cli"
+	tsClient.HTTPClient = credentials.Client(ctx)
+	tsClient.BaseURL = baseURL
+
+	caps := tailscale.KeyCapabilities{
+		Devices: tailscale.KeyDeviceCapabilities{
+			Create: tailscale.KeyDeviceCreateCapabilities{
+				Reusable:      false,
+				Ephemeral:     ephemeral,
+				Preauthorized: preauth,
+				Tags:          tags,
+			},
+		},
+	}
+
+	authkey, _, err := tsClient.CreateKey(ctx, caps)
+	if err != nil {
+		return "", err
+	}
+	return authkey, nil
+}

internal/client/tailscale/oauthkeys.go

@@ -0,0 +1,20 @@
+// Copyright (c) Tailscale Inc & AUTHORS
+// SPDX-License-Identifier: BSD-3-Clause
+
+package tailscale
+
+import (
+	"context"
+
+	"tailscale.com/feature"
+)
+
+// HookResolveAuthKey resolves to [oauthkey.ResolveAuthKey] when the
+// corresponding feature tag is enabled in the build process.
+//
+// authKey is a standard device auth key or an OAuth client secret to
+// resolve into an auth key.
+// tags is the list of tags being advertised by the client (required to be
+// provided for the OAuth secret case, and required to be the same as the
+// list of tags for which the OAuth secret is allowed to issue auth keys).
+var HookResolveAuthKey feature.Hook[func(ctx context.Context, authKey string, tags []string) (string, error)]

tsnet/depaware.txt

@@ -213,6 +213,7 @@ tailscale.com/tsnet dependencies: (generated by github.com/tailscale/depaware)
         tailscale.com/appc                                           from tailscale.com/ipn/ipnlocal
      💣 tailscale.com/atomicfile                                     from tailscale.com/ipn+
         tailscale.com/client/local                                   from tailscale.com/client/web+
+        tailscale.com/client/tailscale                               from tailscale.com/internal/client/tailscale
         tailscale.com/client/tailscale/apitype                       from tailscale.com/client/local+
  LDW    tailscale.com/client/web                                     from tailscale.com/ipn/ipnlocal
         tailscale.com/clientupdate                                   from tailscale.com/client/web+
@@ -235,12 +236,15 @@ tailscale.com/tsnet dependencies: (generated by github.com/tailscale/depaware)
         tailscale.com/envknob/featureknob                            from tailscale.com/client/web+
         tailscale.com/feature                                        from tailscale.com/ipn/ipnext+
         tailscale.com/feature/buildfeatures                          from tailscale.com/wgengine/magicsock+
+        tailscale.com/feature/condregister/oauthkey                  from tailscale.com/tsnet
         tailscale.com/feature/condregister/portmapper                from tailscale.com/tsnet
+        tailscale.com/feature/oauthkey                               from tailscale.com/feature/condregister/oauthkey
         tailscale.com/feature/portmapper                             from tailscale.com/feature/condregister/portmapper
         tailscale.com/feature/syspolicy                              from tailscale.com/logpolicy
         tailscale.com/health                                         from tailscale.com/control/controlclient+
         tailscale.com/health/healthmsg                               from tailscale.com/ipn/ipnlocal+
         tailscale.com/hostinfo                                       from tailscale.com/client/web+
+        tailscale.com/internal/client/tailscale                      from tailscale.com/tsnet+
         tailscale.com/internal/noiseconn                             from tailscale.com/control/controlclient
         tailscale.com/ipn                                            from tailscale.com/client/local+
         tailscale.com/ipn/conffile                                   from tailscale.com/ipn/ipnlocal+
@@ -450,6 +454,9 @@ tailscale.com/tsnet dependencies: (generated by github.com/tailscale/depaware)
         golang.org/x/net/ipv6                                        from github.com/prometheus-community/pro-bing+
  LDW    golang.org/x/net/proxy                                       from tailscale.com/net/netns
   DI    golang.org/x/net/route                                       from tailscale.com/net/netmon+
+        golang.org/x/oauth2                                          from golang.org/x/oauth2/clientcredentials
+        golang.org/x/oauth2/clientcredentials                        from tailscale.com/feature/oauthkey
+        golang.org/x/oauth2/internal                                 from golang.org/x/oauth2+
         golang.org/x/sync/errgroup                                   from github.com/mdlayher/socket+
         golang.org/x/sys/cpu                                         from github.com/tailscale/certstore+
  LDAI    golang.org/x/sys/unix                                        from github.com/google/nftables+

tsnet/tsnet.go

@@ -29,9 +29,11 @@ import (
 	"tailscale.com/client/local"
 	"tailscale.com/control/controlclient"
 	"tailscale.com/envknob"
+	_ "tailscale.com/feature/condregister/oauthkey"
 	_ "tailscale.com/feature/condregister/portmapper"
 	"tailscale.com/health"
 	"tailscale.com/hostinfo"
+	"tailscale.com/internal/client/tailscale"
 	"tailscale.com/ipn"
 	"tailscale.com/ipn/ipnauth"
 	"tailscale.com/ipn/ipnlocal"
@@ -680,6 +682,14 @@ func (s *Server) start() (reterr error) {
 	prefs.RunWebClient = s.RunWebClient
 	prefs.AdvertiseTags = s.AdvertiseTags
 	authKey := s.getAuthKey()
+	// Try to use an OAuth secret to generate an auth key if that functionality
+	// is available.
+	if f, ok := tailscale.HookResolveAuthKey.GetOk(); ok {
+		authKey, err = f(s.shutdownCtx, s.getAuthKey(), prefs.AdvertiseTags)
+		if err != nil {
+			return fmt.Errorf("resolving auth key: %w", err)
+		}
+	}
 	err = lb.Start(ipn.Options{
 		UpdatePrefs: prefs,
 		AuthKey:     authKey,