Dex with multiple sites

j...@emailline.net

Jul 5, 2017, 3:44:39 PM
to CoreOS User
I am hosting multiple sites which are not related but all need the same kind of logon capability provided by dex. I.e., an option for email and password auth or any of the popular third parties.

The sites will not share logons and have to maintain user profiles in the site itself. I'd like to keep auth separate but I'd like to know the best approach for this scenario of multi-tenancy.

Some approaches I've considered:

- An instance of dex per site, each using their own local database etc. (This seems a bit overkill.)

- A single oauth2 backend behind a single instance of dex which is in effect the "local" login, and implementing the multi-tenancy in the custom oauth2 server.

- Attempt writing multi-tenancy into the dex local provider; I'm not familiar with the code base as of yet and don't have any estimation of what that would take.

- Forgo dex in this scenario and embed a solution into each site as a library.

Or maybe something else?

Best,
James

Brandon Philips

Jul 5, 2017, 7:21:47 PM
to j...@emailline.net, CoreOS User
Dex is used for authentication: telling your system that dex verified that the user is who they say they are.

It is up to your application to implement authorization which is where you give permissions to the user to do something.

For example, with Tectonic, if you hook dex up to LDAP it will authenticate any user who can authenticate with LDAP; however, the Kubernetes API will enforce that only people given access to the Kubernetes API will get access, through its RBAC Authorization framework.

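To make the authentication/authorization split above concrete for James's two-site case: the sketch below is an added example, not code from this thread or from dex. It assumes each site is registered with one dex instance as its own OAuth2 client, that the OIDC client library has already verified the ID token signature, and it keys each site's own profile store on the token's opaque `sub`; the issuer URL, client IDs, subject values and profile tables are all constructed.

```python
"""Site-side authorization after dex has authenticated the user (constructed example)."""
import time
from dataclasses import dataclass, field
from typing import Optional

DEX_ISSUER = "https://dex.example.com"  # constructed issuer URL for the shared dex


@dataclass
class Site:
    """One relying party, registered with dex as its own OAuth2 client."""
    name: str
    client_id: str
    # The site's own user profiles, keyed by the opaque `sub` dex puts in the ID token.
    profiles: dict = field(default_factory=dict)


def authenticated_subject(claims: dict, site: Site, now: Optional[float] = None) -> Optional[str]:
    """Return `sub` if these (signature-verified) ID-token claims were issued by dex
    for this site and are still valid; None otherwise. This is the authentication
    half: it only establishes who dex says the caller is."""
    now = time.time() if now is None else now
    if claims.get("iss") != DEX_ISSUER:
        return None
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if site.client_id not in audiences:
        return None  # token was minted for a different site's client
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def authorize(site: Site, claims: dict, now: Optional[float] = None) -> Optional[dict]:
    """Authorization is the site's job: a dex-authenticated subject gets in only
    if this site has a profile for it. Returns the profile or None."""
    sub = authenticated_subject(claims, site, now)
    if sub is None:
        return None
    return site.profiles.get(sub)


# Constructed data: two unrelated sites, each with its own client ID and profile store.
LIBRARY = Site("Library World", "library-world", {"CgNhbGljZQ": {"role": "librarian"}})
UTILITY = Site("Greenwood Water & Power", "greenwood-wp", {"CgNhbGljZQ": {"role": "customer"}})

# Constructed claims, shaped like a dex ID token issued to the Library World client.
LIBRARY_CLAIMS = {"iss": DEX_ISSUER, "sub": "CgNhbGljZQ", "aud": "library-world",
                  "exp": 4_000_000_000, "email": "alice@example.com"}
```

The same person authenticated by one dex is accepted at Library World and rejected at Greenwood Water & Power, because the token's audience and the site's own profile table, not dex, decide what the user may do there.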

j...@emailline.net

Jul 6, 2017, 3:02:23 AM
to CoreOS User, j...@emailline.net
Hi Brandon,

Tracking on the authentication vs authorization bit. The question is really on the subject of what dex refers to as the "local connector."

Let's say I have two sites, Library World and Greenwood Water & Power. Unless I am missing the boat, if I used the same instance of dex as the authentication on both sites, they would share the same username and password under the local option, which from the user standpoint would not make any sense. They should not expect a password reset to change both accounts, not to mention the emails should be different (and will need to be available in a dozen languages).

Based on that I'm either running an instance of dex per site, implementing a multi-tenant local connector, or mimicking the local connector functionality with an OIDC connector to a multi-tenant oauth2 backend.

Or I'm trying to pigeon-hole dex into the wrong category of tool altogether?

Best,
James