Authentication Through an OpenID Connect Provider

Overview

Dex is able to use another OpenID Connect provider as an authentication source. When logging in, dex will redirect to the upstream provider and perform the necessary OAuth2 flows to determine the end users email, username, etc. More details on the OpenID Connect protocol can be found in An overview of OpenID Connect .

Prominent examples of OpenID Connect providers include Google Accounts, Salesforce, and Azure AD v2 ( not v1).

Caveats

When using refresh tokens, changes to the upstream claims aren’t propagated to the id_token returned by dex. If a user’s email changes, the “email” claim returned by dex won’t change unless the user logs in again. Progress for this is tracked in issue #863.

Configuration

  1. connectors:
  2. - type: oidc
  3. id: google
  4. name: Google
  5. config:
  6. # Canonical URL of the provider, also used for configuration discovery.
  7. # This value MUST match the value returned in the provider config discovery.
  8. #
  9. # See: https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderConfig
  10. issuer: https://accounts.google.com
  11. # Connector config values starting with a "$" will read from the environment.
  12. clientID: $GOOGLE_CLIENT_ID
  13. clientSecret: $GOOGLE_CLIENT_SECRET
  14. # Dex's issuer URL + "/callback"
  15. redirectURI: http://127.0.0.1:5556/callback
  16. # Some providers require passing client_secret via POST parameters instead
  17. # of basic auth, despite the OAuth2 RFC discouraging it. Many of these
  18. # cases are caught internally, but some may need to uncomment the
  19. # following field.
  20. #
  21. # basicAuthUnsupported: true
  22. # Google supports whitelisting allowed domains when using G Suite
  23. # (Google Apps). The following field can be set to a list of domains
  24. # that can log in:
  25. #
  26. # hostedDomains:
  27. # - example.com
  28. # List of additional scopes to request in token response
  29. # Default is profile and email
  30. # Full list at https://dexidp.io/docs/custom-scopes-claims-clients/
  31. # scopes:
  32. # - profile
  33. # - email
  34. # - groups
  35. # Some providers return claims without "email_verified", when they had no usage of emails verification in enrollment process
  36. # or if they are acting as a proxy for another IDP etc AWS Cognito with an upstream SAML IDP
  37. # This can be overridden with the below option
  38. # insecureSkipEmailVerified: true
  39. # Groups claims (like the rest of oidc claims through dex) only refresh when the id token is refreshed
  40. # meaning the regular refresh flow doesn't update the groups claim. As such by default the oidc connector
  41. # doesn't allow groups claims. If you are okay with having potentially stale group claims you can use
  42. # this option to enable groups claims through the oidc connector on a per-connector basis.
  43. # This can be overridden with the below option
  44. # insecureEnableGroups: true
  45. # When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims
  46. # take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain
  47. # all the claims requested.
  48. # https://openid.net/specs/openid-connect-core-1_0.html#UserInfo
  49. # getUserInfo: true
  50. # The set claim is used as user id.
  51. # Claims list at https://openid.net/specs/openid-connect-core-1_0.html#Claims
  52. # Default: sub
  53. # userIDKey: nickname
  54. # The set claim is used as user name.
  55. # Default: name
  56. # userNameKey: nickname
  57. # For offline_access, the prompt parameter is set by default to "prompt=consent".
  58. # However this is not supported by all OIDC providers, some of them support different
  59. # value for prompt, like "prompt=login" or "prompt=none"
  60. # promptType: consent
  61. # Some providers return non-standard claims (eg. mail).
  62. # Use claimMapping to map those claims to standard claims:
  63. # https://openid.net/specs/openid-connect-core-1_0.html#Claims
  64. # claimMapping can only map a non-standard claim to a standard one if it's not returned in the id_token.
  65. claimMapping:
  66. # The set claim is used as preferred username.
  67. # Default: preferred_username
  68. # preferred_username: other_user_name
  69. # The set claim is used as email.
  70. # Default: email
  71. # email: mail
  72. # The set claim is used as groups.
  73. # Default: groups
  74. # groups: "cognito:groups"