Dex is an identity service that uses OpenID Connect to drive authentication for other apps. It acts as a portal to other identity providers through connectors, letting you authenticate users via LDAP, SAML, GitHub, Google, and more.
What Is Dex?
Dex is a CNCF sandbox project that provides a federated OpenID Connect provider. It bridges various identity backends (LDAP, SAML, GitHub, GitLab, Google) into a single OIDC interface for your applications.
Key Features:
- OpenID Connect provider
- 20+ identity connectors
- LDAP, SAML 2.0, GitHub, Google, GitLab, etc.
- Kubernetes authentication
- gRPC and REST API
- Token refresh and rotation
- Groups and claims mapping
- Static and dynamic clients
Installation
```bash
# Kubernetes via Helm
helm repo add dex https://charts.dexidp.io
helm install dex dex/dex -n dex --create-namespace \
  -f dex-values.yaml

# Or Docker (the image's entrypoint expects the full "dex serve ..." command)
docker run -d -p 5556:5556 -p 5557:5557 \
  -v "$(pwd)/dex-config.yaml:/etc/dex/config.yaml" \
  ghcr.io/dexidp/dex:latest dex serve /etc/dex/config.yaml
```
Configuration
```yaml
# dex-config.yaml
issuer: https://dex.example.com

storage:
  type: kubernetes
  config:
    inCluster: true

web:
  # Plain HTTP listener; the https issuer above assumes TLS is terminated in front of Dex
  http: 0.0.0.0:5556

grpc:
  # No tlsCert/tlsKey/tlsClientCA set: the gRPC API is plaintext and unauthenticated,
  # so keep this port reachable only from trusted callers
  addr: 0.0.0.0:5557

connectors:
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.example.com/callback
      orgs:
        - name: my-org
  - type: ldap
    id: ldap
    name: LDAP
    config:
      host: ldap.example.com:636
      rootCA: /etc/dex/ldap-ca.crt
      bindDN: cn=admin,dc=example,dc=com
      # Literal password for illustration; keep real values out of version control
      bindPW: admin-password
      userSearch:
        baseDN: ou=People,dc=example,dc=com
        filter: "(objectClass=person)"
        username: mail
        idAttr: uid
        emailAttr: mail
        nameAttr: cn
      groupSearch:
        baseDN: ou=Groups,dc=example,dc=com
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn

staticClients:
  - id: my-app
    name: My Application
    # Literal secret for illustration
    secret: my-app-secret
    redirectURIs:
      - http://localhost:3000/callback

oauth2:
  skipApprovalScreen: true
```
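An added example, not from the original post or the Dex project: a small audit over the configuration above, assuming it has already been parsed into a dict by a YAML loader. The function name and rule names are hypothetical; `tlsCert`, `tlsKey`, `tlsClientCA` and `secretEnv` are Dex config keys that the config above does not set.

```python
from urllib.parse import urlparse

# Constructed sample: the page's dex-config.yaml as a parsed dict, trimmed to audited keys.
SAMPLE_CONFIG = {
    "issuer": "https://dex.example.com",
    "grpc": {"addr": "0.0.0.0:5557"},
    "connectors": [
        {"id": "github", "config": {"clientSecret": "$GITHUB_CLIENT_SECRET"}},
        {"id": "ldap", "config": {"bindPW": "admin-password"}},
    ],
    "staticClients": [{"id": "my-app", "secret": "my-app-secret",
                       "redirectURIs": ["http://localhost:3000/callback"]}],
    "oauth2": {"skipApprovalScreen": True},
}
CONNECTOR_SECRETS = ("clientSecret", "bindPW")
LOOPBACK = ("localhost", "127.0.0.1", "::1")

def audit_dex_config(cfg):
    """Return a list of (rule, location) findings for a parsed Dex config."""
    findings = []
    if urlparse(cfg.get("issuer", "")).scheme != "https":
        findings.append(("issuer-not-https", "issuer"))
    grpc = cfg.get("grpc") or {}
    if grpc.get("addr"):
        if not (grpc.get("tlsCert") and grpc.get("tlsKey")):
            findings.append(("grpc-plaintext", "grpc"))
        if not grpc.get("tlsClientCA"):
            # No client CA: anyone who can reach the port can call CreateClient.
            findings.append(("grpc-no-client-auth", "grpc"))
    for conn in cfg.get("connectors", []):
        for key, value in (conn.get("config") or {}).items():
            # Assumption: "$NAME" marks an environment reference, as on the page.
            if key in CONNECTOR_SECRETS and not str(value).startswith("$"):
                findings.append(("literal-secret", f"connectors[{conn.get('id')}].{key}"))
    for client in cfg.get("staticClients", []):
        where = f"staticClients[{client.get('id')}]"
        if client.get("secret"):  # inline value; secretEnv reads it from the environment
            findings.append(("literal-secret", f"{where}.secret"))
        for uri in client.get("redirectURIs", []):
            parsed = urlparse(uri)
            if parsed.scheme == "http" and parsed.hostname not in LOOPBACK:
                findings.append(("redirect-uri-plaintext", f"{where}: {uri}"))
    if (cfg.get("oauth2") or {}).get("skipApprovalScreen"):
        findings.append(("consent-screen-skipped", "oauth2.skipApprovalScreen"))
    return findings

if __name__ == "__main__":
    for rule, where in audit_dex_config(SAMPLE_CONFIG):
        print(f"{rule:24} {where}")
```

The consent-screen finding is informational: skipping approval is common for first-party clients, but it should be a deliberate choice.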
Using Dex with Your App
```python
from authlib.integrations.requests_client import OAuth2Session

# Set up the OAuth2 client (must match a client registered in Dex)
client = OAuth2Session(
    client_id="my-app",
    client_secret="my-app-secret",
    redirect_uri="http://localhost:3000/callback",
)

# Step 1: Generate auth URL (state is a random anti-CSRF value)
auth_url, state = client.create_authorization_url(
    "https://dex.example.com/auth",
    scope="openid email profile groups",
)
print(f"Login URL: {auth_url}")

# After logging in, the browser is redirected to redirect_uri with ?code=...&state=...
callback_url = input("Paste the full callback URL: ").strip()

# Step 2: Exchange code for token (after callback)
# Passing state makes authlib reject a callback whose state does not match
token = client.fetch_token(
    "https://dex.example.com/token",
    authorization_response=callback_url,
    state=state,
)
print(f"Access Token: {token['access_token']}")
print(f"ID Token: {token['id_token']}")

# Step 3: Get user info (the session attaches the access token)
userinfo = client.get("https://dex.example.com/userinfo").json()
print(f"User: {userinfo['email']}, Groups: {userinfo.get('groups', [])}")
```
Kubernetes OIDC Authentication
```bash
# Configure kube-apiserver with Dex OIDC
kube-apiserver \
  --oidc-issuer-url=https://dex.example.com \
  --oidc-client-id=kubernetes \
  --oidc-username-claim=email \
  --oidc-groups-claim=groups
```
Dex gRPC API
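```python
import grpc

# Python stubs generated from Dex's gRPC API proto; the module path depends on how you generate them
from dex.api.v2 import dex_pb2, dex_pb2_grpc

# Plaintext channel: matches a grpc section with no TLS configured, in which case
# the API is unauthenticated, so keep the port off untrusted networks
channel = grpc.insecure_channel("localhost:5557")
stub = dex_pb2_grpc.DexStub(channel)

# Create a client dynamically
req = dex_pb2.CreateClientReq(
    client=dex_pb2.Client(
        id="new-app",
        name="New Application",
        secret="app-secret",
        redirect_uris=["http://localhost:8080/callback"],
    )
)
response = stub.CreateClient(req)
print(f"Created client: {response.client.id}")
```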
Resources
- Dex Docs
- Dex GitHub — 9.5K+ stars
- Connector Docs