If you write internal apps, this is a lot easier to support.
You don't have to think about redirects, sessions, cookies, syncing your users and their roles in TS and Keycloak, maintaining two separate policy files and all that.
The tradeoff you get is lock in to tailscale and no portability. Though I assume that is true about some of the networking features tailscale offers as well.
You don't have to think about redirects, sessions, cookies, syncing your users and their roles in TS and Keycloak, maintaining two separate policy files and all that.