dex/README.md

dex
=====

[![Docker Repository on Quay.io](https://quay.io/repository/coreos/dex/status?token=2e772caf-ea17-45d5-8455-8fcf39dae6e1 "Docker Repository on Quay.io")](https://quay.io/repository/coreos/dex)

dex is a federated identity management service. It provides OpenID Connect (OIDC) to users, and can proxy to multiple remote identity providers (IdP) to drive actual authentication, as well as managing local username/password credentials.

We named the project 'dex' beceause it is a central index of users that other pieces of software can authenticate against.


## Architecture

dex consists of multiple components:

- **dex-worker** is the primary server component of dex
    - host a user-facing API that drives the OIDC protocol
	- proxy to remote identity providers via "connectors"
    - provides an API for administrators to manage users.
- **dex-overlord** is an auxiliary process responsible for two things:
	- rotation of keys used by the workers to sign identity tokens
	- garbage collection of stale data in the database
    - provides an API for bootstrapping the system.
- **dexctl** is CLI tool used to manage an dex deployment
	- configure identity provider connectors
	- administer OIDC client identities
- **database**; a database is used to for persistent storage for keys, users,
  OAuth sessions and other data. Currently Postgres is the only supported
  database.

A typical dex deployment consists of N dex-workers behind a load balanacer, and one dex-overlord.
The dex-workers directly handle user requests, so the loss of all workers can result in service downtime.
The single dex-overlord runs its tasks periodically, so it does not need to maintain 100% uptime.

## Who Should Use Dex?

A non-exhaustive list of those who would benfit from using dex:

- Those who want a language/framework-agnostic way to manage authentication.
- Those who want to federate authentication from mutiple providers of differing types.
- Those who want to manage user credentials (eg. username and password) and perform authentication locally
- Those who want to create an OIDC Identity Provider for multiple clients to authenticate against.
- Those who want any or all of the above in a Free and Open Source project.

## Connectors

Remote IdPs could implement any auth-N protocol. *Connectors* contain protocol-specific logic and are used to communicate with remote IdPs. Possible examples of connectors could be: OIDC, LDAP, Local credentials, Basic Auth, etc.

dex ships with an OIDC connector, useful for authenticating with services like Google and Salesforce (or even other dex instances!) and a "local" connector, in which dex itself presents a UI for users to authenticate via dex-stored credentials.

Future connectors can be developed and added as future interoperability requirements emerge.

## Relevant Specifications

These specs are referenced and implemented to some degree in the `jose` package of this project.

- [JWK](https://tools.ietf.org/html/draft-ietf-jose-json-web-key-36)
- [JWT](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30)
- [JWS](https://tools.ietf.org/html/draft-jones-json-web-signature-04)

OpenID Connect (OIDC) is broken up into several specifications. The following (amongst others) are relevant:

- [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)
- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html)
- [OAuth 2.0 RFC](https://tools.ietf.org/html/rfc6749)

## Example OIDC Discovery Endpoints

- https://accounts.google.com/.well-known/openid-configuration
- https://login.salesforce.com/.well-known/openid-configuration

# Next steps:

If you want to try out dex quickly with a single process and no database (do *not* run this way in production!) take a look at the [dev guide][dev-guide].

For running the full stack check out the [getting started guide][getting-started].

[getting-started]: https://github.com/coreos/dex/blob/master/Documentation/getting-started.md
[dev-guide]: https://github.com/coreos/dex/blob/master/Documentation/dev-guide.md

# Coming Soon

- Multiple backing Identity Providers
- Identity Management
- Authorization

## Similar Software

### [CloudFoundry UAA](https://github.com/cloudfoundry/uaa)

>The UAA is a multi tenant identity management service, used in Cloud Foundry, but also available as a stand alone OAuth2 server.

### [OmniAuth](https://github.com/intridea/omniauth)

OmniAuth provides authentication federation at the language (Ruby) level, with a [wide range of integrations](https://github.com/intridea/omniauth/wiki/List-of-Strategies) available.

### [Okta](http://developer.okta.com/product/)
Okta is a commercial product which is similar to dex in that for it too, identity federation is a key feature. It connects to many more authentication providers than dex, and also does the federation in the oppposite direction - it can be used as a SSO to other identity providers.

### [Shibboleth](https://shibboleth.net/)

Shibboleth is an open source system implementing the [SAML](https://www.oasis-open.org/standards#samlv2.0) standard, and can federate from a variety of backends, most notably LDAP.
*: move original project to dex 2015-08-18 05:57:27 +05:30			`dex`
			`=====`

Update README.md 2015-08-29 03:26:00 +05:30			`[![Docker Repository on Quay.io](https://quay.io/repository/coreos/dex/status?token=2e772caf-ea17-45d5-8455-8fcf39dae6e1 "Docker Repository on Quay.io")](https://quay.io/repository/coreos/dex)`
*: move original project to dex 2015-08-18 05:57:27 +05:30
README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30			`dex is a federated identity management service. It provides OpenID Connect (OIDC) to users, and can proxy to multiple remote identity providers (IdP) to drive actual authentication, as well as managing local username/password credentials.`

README: explain the name dex People are going to ask, might as well get it out there. 2015-08-25 01:17:31 +05:30			`We named the project 'dex' beceause it is a central index of users that other pieces of software can authenticate against.`
*: move original project to dex 2015-08-18 05:57:27 +05:30
README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30
*: move original project to dex 2015-08-18 05:57:27 +05:30			`## Architecture`

			`dex consists of multiple components:`

			`- dex-worker is the primary server component of dex`
README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30			`- host a user-facing API that drives the OIDC protocol`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`- proxy to remote identity providers via "connectors"`
README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30			`- provides an API for administrators to manage users.`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`- dex-overlord is an auxiliary process responsible for two things:`
			`- rotation of keys used by the workers to sign identity tokens`
			`- garbage collection of stale data in the database`
README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30			`- provides an API for bootstrapping the system.`
*: move original project to dex 2015-08-18 05:57:27 +05:30			`- dexctl is CLI tool used to manage an dex deployment`
			`- configure identity provider connectors`
			`- administer OIDC client identities`
README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30			`- database; a database is used to for persistent storage for keys, users,`
			`OAuth sessions and other data. Currently Postgres is the only supported`
			`database.`
*: move original project to dex 2015-08-18 05:57:27 +05:30
			`A typical dex deployment consists of N dex-workers behind a load balanacer, and one dex-overlord.`
			`The dex-workers directly handle user requests, so the loss of all workers can result in service downtime.`
			`The single dex-overlord runs its tasks periodically, so it does not need to maintain 100% uptime.`

Documentation: bring dev-guide up to date. 2015-08-25 03:46:30 +05:30			`## Who Should Use Dex?`
README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30
README.md: "Similar Software", "who should use" 2015-08-29 02:46:05 +05:30			`A non-exhaustive list of those who would benfit from using dex:`
README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30
README.md: "Similar Software", "who should use" 2015-08-29 02:46:05 +05:30			`- Those who want a language/framework-agnostic way to manage authentication.`
			`- Those who want to federate authentication from mutiple providers of differing types.`
			`- Those who want to manage user credentials (eg. username and password) and perform authentication locally`
			`- Those who want to create an OIDC Identity Provider for multiple clients to authenticate against.`
			`- Those who want any or all of the above in a Free and Open Source project.`
README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30
*: move original project to dex 2015-08-18 05:57:27 +05:30			`## Connectors`

README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30			`Remote IdPs could implement any auth-N protocol. Connectors contain protocol-specific logic and are used to communicate with remote IdPs. Possible examples of connectors could be: OIDC, LDAP, Local credentials, Basic Auth, etc.`

			`dex ships with an OIDC connector, useful for authenticating with services like Google and Salesforce (or even other dex instances!) and a "local" connector, in which dex itself presents a UI for users to authenticate via dex-stored credentials.`

*: move original project to dex 2015-08-18 05:57:27 +05:30			`Future connectors can be developed and added as future interoperability requirements emerge.`

			`## Relevant Specifications`

			These specs are referenced and implemented to some degree in the `jose` package of this project.

			`- [JWK](https://tools.ietf.org/html/draft-ietf-jose-json-web-key-36)`
			`- [JWT](https://tools.ietf.org/html/draft-ietf-oauth-json-web-token-30)`
			`- [JWS](https://tools.ietf.org/html/draft-jones-json-web-signature-04)`

			`OpenID Connect (OIDC) is broken up into several specifications. The following (amongst others) are relevant:`

			`- [OpenID Connect Core 1.0](https://openid.net/specs/openid-connect-core-1_0.html)`
			`- [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0.html)`
			`- [OAuth 2.0 RFC](https://tools.ietf.org/html/rfc6749)`

			`## Example OIDC Discovery Endpoints`

			`- https://accounts.google.com/.well-known/openid-configuration`
			`- https://login.salesforce.com/.well-known/openid-configuration`

README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30			`# Next steps:`
*: move original project to dex 2015-08-18 05:57:27 +05:30
README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30			`If you want to try out dex quickly with a single process and no database (do not run this way in production!) take a look at the [dev guide][dev-guide].`
*: move original project to dex 2015-08-18 05:57:27 +05:30
README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30			`For running the full stack check out the [getting started guide][getting-started].`
*: move original project to dex 2015-08-18 05:57:27 +05:30
README.md/Documentation: Get Docs up-to-date. * Fix up README * Create getting started guide. * Start dev guide * Start deploy guide 2015-08-22 05:09:46 +05:30			`[getting-started]: https://github.com/coreos/dex/blob/master/Documentation/getting-started.md`
			`[dev-guide]: https://github.com/coreos/dex/blob/master/Documentation/dev-guide.md`
*: move original project to dex 2015-08-18 05:57:27 +05:30
			`# Coming Soon`

			`- Multiple backing Identity Providers`
			`- Identity Management`
			`- Authorization`
README.md: "Similar Software", "who should use" 2015-08-29 02:46:05 +05:30
			`## Similar Software`

			`### [CloudFoundry UAA](https://github.com/cloudfoundry/uaa)`

			`>The UAA is a multi tenant identity management service, used in Cloud Foundry, but also available as a stand alone OAuth2 server.`

			`### [OmniAuth](https://github.com/intridea/omniauth)`

			`OmniAuth provides authentication federation at the language (Ruby) level, with a [wide range of integrations](https://github.com/intridea/omniauth/wiki/List-of-Strategies) available.`

			`### [Okta](http://developer.okta.com/product/)`
			`Okta is a commercial product which is similar to dex in that for it too, identity federation is a key feature. It connects to many more authentication providers than dex, and also does the federation in the oppposite direction - it can be used as a SSO to other identity providers.`

			`### [Shibboleth](https://shibboleth.net/)`

			`Shibboleth is an open source system implementing the [SAML](https://www.oasis-open.org/standards#samlv2.0) standard, and can federate from a variety of backends, most notably LDAP.`