How to build a SSO service using dex?


Josta Yeè

Oct 26, 2015, 3:47:23 AM
to CoreOS User
Hi,
I just found the dex project & wonder how I could build an SSO provider on top of it. Is there any documentation on how to configure a local db to store data? How to keep sessions/tokens & do the authentications?

Bobby Rullo

Oct 26, 2015, 2:25:22 PM
to Josta Yeè, CoreOS User
Hi Josta,

If you mean a single-sign-on service for a variety of web based applications, that's pretty much what dex is made to do out of the box - take a read through the various guides, and give it a try.

If you're talking about something more ambitious, like using Dex to authenticate access to things like your laptop, then it's more complicated and it's not something I've spent much time trying to figure out.

Right now the only database that dex supports is Postgres, so as long as you have a postgres DB set up that is routable from wherever dex is you're good to go. 

Not sure what sessions and tokens you are talking about, but dex will do the necessary bookkeeping for keeping track of your OIDC (oauth2) sessions and refresh tokens.

Right now the authentication methods that are available are email/password and delegating to another OIDC provider (e.g. Google).

Hope that helps! 

Bobby

On Mon, Oct 26, 2015 at 12:47 AM Josta Yeè <jos...@gmail.com> wrote:
Hi,
I just found the dex project & wonder how I could build an SSO provider on top of it. Is there any documentation on how to configure a local db to store data? How to keep sessions/tokens & do the authentications?


Josta Yeè

Oct 26, 2015, 11:35:45 PM
to CoreOS User, jos...@gmail.com
Hi Bobby,
I'm a little confused about the documents and example app:
1. If I specified "local" in /tmp/dex_connectors.json, does it mean a local OIDC connector which is backed by a Postgres db? If so, what is the difference between type local and type oidc from getting-started.md?
2. The example app's register link also redirects to the login page, so doesn't dex support direct user registration?
Sorry for my poor English.

Bobby Rullo

Nov 2, 2015, 2:55:25 PM
to Josta Yeè, CoreOS User
Hey Josta,

Sorry for taking so long to reply. Replies inline:

On Mon, Oct 26, 2015 at 8:35 PM Josta Yeè <jos...@gmail.com> wrote:
Hi Bobby,
I'm a little confused about the documents and example app:
1. If I specified "local" in /tmp/dex_connectors.json, does it mean a local OIDC connector which is backed by a Postgres db? If so, what is the difference between type local and type oidc from getting-started.md?

Not exactly.

"local" means a name and password backed by postgres, and using a page hosted by (your) dex to authenticate via email and password. In other words, if you are hosting dex at "https://auth.example.com", when you authenticate you will see a "Log in via Email" link which when clicked will take you to an email/password page at "https://auth.example.com/auth/local/login". That's why it's called local: it's a connector connecting dex to itself.

 
2. The example app's register link also redirects to the login page, so doesn't dex support direct user registration?

This one is my fault - I introduced a flag which turns off registration by default and failed to update the docs. See https://github.com/coreos/dex/pull/170 for enlightenment.

Bobby

Bobby Rullo

Nov 2, 2015, 3:03:33 PM
to Josta Yeè, CoreOS User
I hit send and then realized that I didn't explain what the "oidc" connector type is. The "oidc" connector allows users to authenticate with an external OIDC provider - that could be Google, or even some other Dex installation. What this means in plain terms is that you will see a "Log in With <<connector name>>" link which will take you to a page hosted by (for example) Google, which will redirect you back to Dex, which will redirect you back to your app. 

This allows you to manage your own set of users within dex, but give those users the ability to authenticate via a service they already have an account on; what happens behind the scenes is that dex creates an account for that user and ties it to the external OIDC account.

Hope this all makes sense,

Bobby
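
As an added illustration (not code from this thread or from the dex project), here is a small Go check for a connectors file like the /tmp/dex_connectors.json mentioned above, covering the "local" and "oidc" types described in the replies. The JSON field names (id, issuerURL, clientID, clientSecret) are assumptions based on dex's connector documentation of that period, and the sample input is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
)

// Connector holds the fields assumed for one entry of the connectors file.
type Connector struct {
	Type         string `json:"type"`
	ID           string `json:"id"`
	IssuerURL    string `json:"issuerURL"`
	ClientID     string `json:"clientID"`
	ClientSecret string `json:"clientSecret"`
}

// CheckConnectors parses a connectors file and returns one finding per problem.
func CheckConnectors(data []byte) ([]string, error) {
	var conns []Connector
	if err := json.Unmarshal(data, &conns); err != nil {
		return nil, err
	}
	var findings []string
	seen := map[string]bool{}
	for _, c := range conns {
		if c.ID == "" || seen[c.ID] {
			findings = append(findings, fmt.Sprintf("%q: id missing or duplicated", c.ID))
		}
		seen[c.ID] = true
		switch c.Type {
		case "local": // dex's own email/password page: nothing external to check
		case "oidc": // delegates login to an external provider
			u, err := url.Parse(c.IssuerURL)
			if err != nil || u.Scheme != "https" || u.Host == "" {
				findings = append(findings, fmt.Sprintf("%q: issuerURL must be an https URL", c.ID))
			}
			if c.ClientID == "" || c.ClientSecret == "" {
				findings = append(findings, fmt.Sprintf("%q: clientID and clientSecret are required", c.ID))
			}
		default:
			findings = append(findings, fmt.Sprintf("%q: unknown connector type %q", c.ID, c.Type))
		}
	}
	return findings, nil
}

// sample is a constructed file: a valid local entry and a weak oidc entry.
const sample = `[{"type":"local","id":"local"},{"type":"oidc","id":"google","issuerURL":"http://accounts.google.com","clientID":"placeholder-id","clientSecret":""}]`

func main() { fmt.Println(CheckConnectors([]byte(sample))) }
```
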


Josta Yeè

Nov 3, 2015, 12:02:53 AM
to CoreOS User, jos...@gmail.com
Hi Bobby,
Thank you very much for the clarification, it's really helpful.