Dex as OAuth2 Server


abhishek jain

Jun 17, 2016, 4:11:23 PM6/17/16
to dex-dev
Hi

Does dex support all the different grant types (password, client credentials, implicit and authorization code)? Is it possible to use dex as an authorization server with basic authentication?

Eric Chiang

Jun 17, 2016, 4:23:01 PM6/17/16
to dex-dev
I believe you're asking about "Resource Owner Password Grants" (grant_type=password).[0]

This is problematic because this isn't allowed within OpenID Connect, and because dex often doesn't know your password. For example when it's federating to another OAuth provider.

Eric

abhishek jain

Jun 17, 2016, 4:36:48 PM6/17/16
to dex-dev
@Eric

As we know, Authorization Code Grant and Implicit Grant are typical 3-legged flows including interaction between a client, an authorization server and a user. While the Resource Owner Password Credential Grant and Client Credential Grant are 2-legged which means the client uses pre-authorized scopes so that no interaction with the user is necessary, removing the need to perform one of the legs in the typical flow.

I agree OpenID Connect is usually good with the implicit and authorization code flows. But is it possible to use dex as an OAuth2.0 authorization server only and plug in a basic authentication provider to get an access token?

Eric Chiang

Jun 17, 2016, 4:44:53 PM6/17/16
to abhishek jain, dex-dev
> But is it possible to use dex as an OAuth2.0 authorization server only and plug in a basic authentication provider to get an access token?

No. Again, most of the time dex doesn't know your password, so such a flow would be impossible. Also we're fond of 3-legged flows since they allow us to do things like present multiple login options to the user and add two factor auth later down the line.

Why is it necessary that you be able to handle passwords yourself?

Eric


abhishek jain

Jun 17, 2016, 7:04:18 PM6/17/16
to dex-dev

It is because I need to develop my own mobile app client for my own proprietary server, and it needs to perform authentication and then delegation through OAuth. I would prefer not to have a WebUI inside the mobile app because of a use-case requirement (that is the case for implicit and authorization code). The only case left is basic authentication with client credentials, or what do you think?
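
For the mobile-app case above, the authorization code flow does not require a WebUI inside the app: the app opens the system browser and receives the redirect on a loopback listener (RFC 8252), and PKCE (RFC 7636) binds the returned code to the app instance that started the request. This Go example is added here and is not from the thread or the dex project; it assumes the authorization server accepts PKCE and that its authorization endpoint is at /auth (in practice read it from discovery), and every issuer, client id and redirect value is a constructed placeholder.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"net/url"
)

// newVerifier returns a fresh random code_verifier for one request (RFC 7636 4.1).
func newVerifier() string {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG has no safe fallback
	}
	return base64.RawURLEncoding.EncodeToString(b)
}

// codeChallenge derives the S256 challenge: unpadded BASE64URL(SHA256(verifier)).
func codeChallenge(verifier string) string {
	sum := sha256.Sum256([]byte(verifier))
	return base64.RawURLEncoding.EncodeToString(sum[:])
}

// authorizeURL builds the request the app opens in the system browser; the redirect
// is a loopback URI the app listens on (RFC 8252), so no web view is embedded.
// The "/auth" path is an assumption, not taken from any particular server.
func authorizeURL(issuer, clientID, redirect, state, verifier string) string {
	q := url.Values{
		"response_type": {"code"}, "client_id": {clientID}, "redirect_uri": {redirect},
		"scope": {"openid profile email"}, "state": {state},
		"code_challenge": {codeChallenge(verifier)}, "code_challenge_method": {"S256"},
	}
	return issuer + "/auth?" + q.Encode()
}

// checkCallback validates the query of the loopback redirect (r.URL.Query() in the
// app's handler) and rejects a response whose state is not the one this app generated.
func checkCallback(q url.Values, wantState string) (string, error) {
	switch {
	case q.Get("error") != "":
		return "", errors.New("authorization server error: " + q.Get("error"))
	case q.Get("state") != wantState:
		return "", errors.New("state mismatch: callback not tied to our request")
	case q.Get("code") == "":
		return "", errors.New("callback carries no code")
	}
	return q.Get("code"), nil
}
```

The code returned by checkCallback is then POSTed to the token endpoint with grant_type=authorization_code and the same code_verifier, so a code intercepted on the way back is useless without the verifier held only by the app.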

Eric Chiang

Jun 21, 2016, 2:56:18 PM6/21/16
to dex-dev
Sorry for the delayed response.

We really don't want to support resource owner password grants right now. It flat out won't work with a lot of dex's identity backends and skips any checks like two factor auth or scope confirmation pages we feel are very important to dex's security model.

If there are some special scopes or callbacks you'd like to support we'd entertain that. For example we recently added oob callbacks inspired by Google[0].

Herbert Mühlburger

Aug 18, 2017, 4:14:22 AM8/18/17
to dex-dev
What about the Client Credentials Flow[0]? Does dex support that flow?

Herbert

Eric Chiang

Aug 18, 2017, 12:17:50 PM8/18/17
to Herbert Mühlburger, dex-dev
Dex doesn't actually use access tokens for anything, so there's no reason to support a client credentials flow. All of our features involve an end user at some point.

Eric

martin....@agillic.com

Nov 1, 2017, 5:23:08 AM11/1/17
to dex-dev
Are you really saying that you are only considering end-users in Dex?

I need to do service to service authorization and should use the Client Credentials Grant. Is this not on your radar at all?

Br
Martin 

Eric Chiang

Nov 1, 2017, 10:37:22 AM11/1/17
to martin....@agillic.com, dex-dev

Since dex doesn't use access tokens, there's no reason to support the client credentials grant because there's nothing useful in the OAuth2 token response for just a client.

I'm not aware of standards for issuing OpenID Connect id_tokens for a client and not a client/end user pair.

There are plenty of frameworks for service to service authentication (e.g. https://spiffe.io). Maybe one of those would suit your use case better?

Eric

Asanka Dissanayake

May 31, 2019, 10:02:00 AM5/31/19
to dex-dev
Hi Eric,
If dex doesn't use access tokens at all, why does it even return access_token in the token response? Dex doesn't have an introspection endpoint, so access_tokens are entirely useless.

Thanks,
Asanka