No description
Find a file
Eric Chiang f816cfb187 Merge pull request #499 from samueldg/fix_docs_typos
docs: fix various typos & Markdown lint issues
2016-06-30 15:48:26 -07:00
admin return 409 for duplicate client ids 2016-06-28 16:09:20 -07:00
client return 409 for duplicate client ids 2016-06-28 16:09:20 -07:00
cmd *: add --enable-automatic-registration flag to worker 2016-06-17 16:29:56 -07:00
connector clean up LDAP connector 2016-06-28 15:01:39 -07:00
contrib contrib/k8s: YAML brevity via references, add min. resource requests 2016-04-21 15:50:26 -07:00
db return 409 for duplicate client ids 2016-06-28 16:09:20 -07:00
Documentation Documentation: clean up release documentation 2016-06-30 15:34:06 -07:00
email *: don't let generated comment become package comment 2016-06-10 12:40:58 -07:00
examples examples: support OOB in example app. 2016-06-20 17:03:13 -07:00
functional clean up LDAP connector 2016-06-28 15:01:39 -07:00
integration return 409 for duplicate client ids 2016-06-28 16:09:20 -07:00
pkg *: remove unused code 2016-02-29 11:29:36 -08:00
refresh refresh tokens: grant claims based on scopes 2016-06-14 14:14:36 -07:00
repo *: remove in memory user repo 2016-02-12 13:19:05 -08:00
schema schema: update schema docs 2016-06-21 12:09:06 -07:00
scope scope: don't validate empty scopes 2016-06-24 08:31:59 -07:00
server server: support out-of-band auth flow 2016-06-20 17:03:13 -07:00
session server: CodeToken now does Cross-Client auth 2016-06-07 17:22:41 -07:00
static clean up LDAP connector 2016-06-28 15:01:39 -07:00
user return 409 status code on duplicate email errors 2016-06-28 13:52:28 -07:00
vendor *: update go-oidc to shorten length of key IDs 2016-06-28 10:37:03 -07:00
.gitignore examples: add sample for clients 2016-05-18 18:18:20 -07:00
.travis.yml Merge pull request #483 from ericchiang/ldap-groups 2016-06-28 16:06:14 -07:00
build *: fix release script 2016-03-02 12:41:24 -08:00
build-docker fix build-docker script 2016-06-28 13:35:41 -07:00
CONTRIBUTING.md docs: fix various typos & Markdown lint issues 2016-06-30 18:39:16 -04:00
cover *: move original project to dex 2015-08-18 11:26:57 -07:00
DCO *: move original project to dex 2015-08-18 11:26:57 -07:00
Dockerfile Dockerfile: use right env var for email templates 2015-10-22 12:07:07 -07:00
env *: allow builds with development versions of Go 2016-06-03 11:19:19 -07:00
git-version fix/git-version: Update git-version to use valid docker tag if "dirty" 2016-04-21 17:00:26 -07:00
glide.lock *: update go-oidc to shorten length of key IDs 2016-06-28 10:37:03 -07:00
glide.yaml *: update go-oidc to shorten length of key IDs 2016-06-28 10:37:03 -07:00
go-docker use go 1.6.2 for docker go build 2016-05-04 20:19:52 +02:00
LICENSE *: move original project to dex 2015-08-18 11:26:57 -07:00
MAINTAINERS *: update MAINTAINERS 2016-01-08 14:54:39 -08:00
NOTICE *: move original project to dex 2015-08-18 11:26:57 -07:00
proposal_link Revert "Use Github templates for issues/proposals" 2016-06-20 09:40:01 -07:00
PROPOSAL_TEMPLATE.md Revert "Use Github templates for issues/proposals" 2016-06-20 09:40:01 -07:00
README.md docs: fix various typos & Markdown lint issues 2016-06-30 18:39:16 -04:00
release *: fix release script 2016-03-02 12:41:24 -08:00
test test: add schema/adminschema to tests 2016-06-15 11:42:50 -07:00
test-functional functional: test sample clients file is valid 2016-06-07 16:47:29 -07:00

dex

Build Status Docker Repository on Quay.io GoDoc

dex is a federated identity management service. It provides OpenID Connect (OIDC) and OAuth 2.0 to users, and can proxy to multiple remote identity providers (IdP) to drive actual authentication, as well as managing local username/password credentials.

We named the project 'dex' because it is a central index of users that other pieces of software can authenticate against.

Architecture

dex consists of multiple components:

  • dex-worker is the primary server component of dex
    • host a user-facing API that drives the OIDC protocol
    • proxy to remote identity providers via "connectors"
    • provides an API for administrators to manage users.
  • dex-overlord is an auxiliary process responsible for various administrative tasks:
    • rotation of keys used by the workers to sign identity tokens
    • garbage collection of stale data in the database
    • provides an API for bootstrapping the system.
  • dexctl is a CLI tool used to manage a dex deployment
    • configure identity provider connectors
    • administer OIDC client identities
  • database; a database is used to for persistent storage for keys, users, OAuth sessions and other data. Currently Postgres (9.4+) is the only supported database.

A typical dex deployment consists of N dex-workers behind a load balancer, and one dex-overlord. The dex-workers directly handle user requests, so the loss of all workers can result in service downtime. The single dex-overlord runs its tasks periodically, so it does not need to maintain 100% uptime.

Who Should Use Dex?

A non-exhaustive list of those who would benefit from using dex:

  • Those who want a language/framework-agnostic way to manage authentication.
  • Those who want to federate authentication from multiple providers of differing types.
  • Those who want to manage user credentials (e.g. username and password) and perform authentication locally.
  • Those who want to create an OIDC Identity Provider for multiple clients to authenticate against.
  • Those who want any or all of the above in a Free and Open Source project.

Getting help with dex

  • For bugs and feature requests (including documentation!), file an issue.
  • For general discussion about both using and developing dex, join the dex-dev mailing list.
  • For more details on dex development plans, check out the roadmap.

Connectors

Remote IdPs could implement any auth-N protocol. Connectors contain protocol-specific logic and are used to communicate with remote IdPs. Possible examples of connectors could be: OIDC, LDAP, Local credentials, Basic Auth, etc.

dex ships with an OIDC connector, useful for authenticating with services like Google and Salesforce (or even other dex instances!) and a "local" connector, in which dex itself presents a UI for users to authenticate via dex-stored credentials.

Future connectors can be developed and added as future interoperability requirements emerge.

Relevant Specifications

These specs are referenced and implemented to some degree in the jose package of this project.

OpenID Connect (OIDC) is broken up into several specifications. The following (amongst others) are relevant:

Example OIDC Discovery Endpoints

Next steps

If you want to try out dex quickly with a single process and no database (do not run this way in production!) take a look at the dev guide.

For running the full stack check out the getting started guide.

Coming Soon

  • Multiple backing Identity Providers
  • Identity Management
  • Authorization

Similar Software

Auth0

Auth0 is a commercial product which implements the OpenID Connect protocol and JWT. It comes with built-in support for 30+ social providers (and provide extensibility points to add customs); enterprise providers like ADFS, SiteMinder, Ping, Tivoli, or any SAML provider; LDAP/AD connectors that can be run behind firewalls via an open source agent/connector; built-in user/password stores with email and phone verification; legacy user/password stores running Mongo, PG, MySQL, SQL Server among others; multi-factor auth; passwordless support; custom extensibility of the auth pipeline through node.js and many other things.

You could chain dex with Auth0, dex as RP and Auth0 as OpenId Connect Provider, and bring to dex all the providers that come in Auth0 plus the user management capabilities.

CloudFoundry UAA

The UAA is a multi tenant identity management service, used in Cloud Foundry, but also available as a stand alone OAuth2 server.

OmniAuth

OmniAuth provides authentication federation at the language (Ruby) level, with a wide range of integrations available.

Okta

Okta is a commercial product which is similar to dex in that for it too, identity federation is a key feature. It connects to many more authentication providers than dex, and also does the federation in the opposite direction - it can be used as a SSO to other identity providers.

Shibboleth

Shibboleth is an open source system implementing the SAML standard, and can federate from a variety of backends, most notably LDAP.