Configs · May 1, 2026 · 1 minute read

Dex — OpenID Connect Identity Provider with Pluggable Connectors

Federate authentication across LDAP, SAML, GitHub, Google, and other identity providers through a single OIDC and OAuth 2.0 interface.

Introduction

Dex is a federated OpenID Connect (OIDC) provider that acts as a portal to other identity providers. It lets applications authenticate users through a single OIDC interface while delegating the actual credential verification to upstream systems like LDAP, SAML, GitHub, GitLab, or Google.

What Dex Does

  • Issues OIDC tokens by federating authentication to upstream identity providers
  • Supports connectors for LDAP, SAML 2.0, GitHub, GitLab, Google, Microsoft, and more
  • Provides OAuth 2.0 authorization code, refresh token, and device code flows
  • Stores client registrations and refresh tokens in SQL databases or Kubernetes CRDs
  • Serves as the default identity provider for Kubernetes API server OIDC integration

Architecture Overview

Dex is a single Go binary that exposes an OIDC discovery endpoint, authorization endpoint, and token endpoint. When a user initiates login, Dex redirects to the configured upstream connector, receives the identity assertion, and mints its own ID token and refresh token. Storage backends include SQLite, PostgreSQL, MySQL, etcd, and Kubernetes custom resources. The connector plugin system is compiled in at build time.

Self-Hosting & Configuration

  • Deploy as a standalone binary, Docker container, or Helm chart on Kubernetes
  • Define connectors in config.yaml specifying upstream provider credentials and scopes
  • Register OAuth2 clients with their redirect URIs and secrets in the same config file
  • Choose a storage backend: SQLite for development, PostgreSQL or Kubernetes CRDs for production
  • Enable TLS by pointing Dex to certificate and key files or terminating at a reverse proxy
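The five setup points above map onto one file. The following config.yaml is an added example, not taken from the Dex project's own documentation; the hostnames, file paths, LDAP DNs, the GitHub organization and the client id are constructed placeholders, and secrets are pulled in through the `$VAR` environment-variable references Dex expands at load time rather than written into the file.

```yaml
# Added example (not the Dex project's own config): a config.yaml covering
# storage, TLS, connectors and client registration. Hostnames, paths, DNs,
# the org name and the client id are constructed placeholders.

# Must equal the external URL Dex is reached at: it becomes the `iss` claim and
# the base of the discovery document at <issuer>/.well-known/openid-configuration.
issuer: https://dex.example.com

# Production storage: PostgreSQL over a verified TLS connection.
# For a local run use `type: sqlite3` with `config: {file: /var/dex/dex.db}`;
# on Kubernetes use `type: kubernetes` with `config: {inCluster: true}` (CRDs).
storage:
  type: postgres
  config:
    host: postgres.internal.example.com
    port: 5432
    database: dex
    user: dex
    password: $DEX_DB_PASSWORD        # Dex expands $VAR references in the config
    ssl:
      mode: verify-full
      caFile: /etc/dex/pg-ca.crt

# Serve TLS directly. If a reverse proxy terminates TLS instead, expose `http:`
# on an internal address only and keep `issuer` as the public https URL.
web:
  https: 0.0.0.0:5554
  tlsCert: /etc/dex/tls.crt
  tlsKey: /etc/dex/tls.key

connectors:
  # Enterprise directory over LDAPS with a pinned CA. insecureNoSSL and
  # insecureSkipVerify stay at their default (false) on purpose.
  - type: ldap
    id: ldap
    name: Corporate LDAP
    config:
      host: ldap.example.com:636
      rootCA: /etc/dex/ldap-ca.crt
      bindDN: uid=dex-svc,ou=service,dc=example,dc=com
      bindPW: $LDAP_BIND_PASSWORD
      usernamePrompt: Username
      userSearch:
        baseDN: ou=people,dc=example,dc=com
        filter: "(objectClass=person)"
        username: uid
        idAttr: uid
        emailAttr: mail
        nameAttr: cn
      groupSearch:
        baseDN: ou=groups,dc=example,dc=com
        filter: "(objectClass=groupOfNames)"
        userMatchers:
          - userAttr: DN
            groupAttr: member
        nameAttr: cn

  # GitHub OAuth app restricted to one organization, so that an arbitrary
  # GitHub account cannot log in merely because the connector exists.
  - type: github
    id: github
    name: GitHub
    config:
      clientID: $GITHUB_CLIENT_ID
      clientSecret: $GITHUB_CLIENT_SECRET
      redirectURI: https://dex.example.com/callback
      orgs:
        - name: example-org

# OAuth2 clients Dex issues tokens to. The redirect_uri a client sends must
# match one of the registered URIs.
staticClients:
  - id: example-app
    name: Example App
    secret: $EXAMPLE_APP_SECRET
    redirectURIs:
      - https://app.example.com/oauth2/callback

oauth2:
  responseTypes: ["code"]      # authorization code flow only, no implicit grant
  skipApprovalScreen: true

# Token lifetimes and the refresh-token rotation policy.
expiry:
  idTokens: 24h
  signingKeys: 6h
  refreshTokens:
    reuseInterval: 3s            # tolerate a client retrying a rotation
    validIfNotUsedFor: 2160h     # 90 days idle
    absoluteLifetime: 3960h      # 165 days hard cap

# Keep the built-in static password store off outside of test setups.
enablePasswordDB: false

logger:
  level: info
  format: json
```

Run `dex serve config.yaml` with the referenced environment variables set. The two settings most worth checking after deployment are that `issuer` is byte-for-byte the URL clients will fetch the discovery document from (a mismatch makes every ID token fail `iss` validation) and that neither LDAP `insecure*` flag has been turned on to work around a certificate problem.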

Key Features

  • Connectors for 15+ identity providers including enterprise SAML and LDAP
  • Kubernetes-native storage using CRDs for zero-database deployments
  • Refresh token rotation with configurable expiry policies
  • Groups and cross-client trust for multi-service architectures
  • Lightweight single binary with minimal resource requirements

Comparison with Similar Tools

  • Keycloak — full-featured IAM with admin UI and user management; Dex is a focused OIDC federation layer
  • Authentik — self-hosted identity provider with rich UI; Dex is simpler and lighter for pure OIDC federation
  • Authelia — authentication portal with 2FA; Dex focuses on OIDC token issuance rather than session management
  • Ory Hydra — OAuth2/OIDC server requiring a separate login UI; Dex includes a built-in login flow
  • Zitadel — cloud-native IAM platform; Dex is a minimal federation proxy without user management

FAQ

Q: Can Dex manage users directly? A: Dex supports a static password connector for testing, but it is designed to federate to external providers rather than manage users itself.

Q: How does Dex integrate with Kubernetes? A: Configure the Kubernetes API server with --oidc-issuer-url pointing to Dex. Users authenticate via Dex and receive tokens that the API server validates.
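Beyond `--oidc-issuer-url`, the API server needs a client id, the CA for Dex's TLS certificate, and a claim-to-identity mapping, and RBAC still has to grant those identities something. The following is an added example, not from the Dex or Kubernetes documentation; the hostnames, paths, client id, group name and the image tag are constructed placeholders.

```yaml
# Added example (not the Dex or Kubernetes projects' own code): wiring
# kube-apiserver to Dex. Hostnames, paths, the client id, the group name and
# the image tag are constructed placeholders.

# 1) Client registration in Dex's config.yaml. The `id` must equal the `aud`
#    the API server expects (--oidc-client-id below). A separate login helper
#    with its own client id can be listed under trustedPeers and request
#    tokens for this audience via the audience:server:client_id:kubernetes
#    scope; that is Dex's cross-client trust.
staticClients:
  - id: kubernetes
    name: Kubernetes API server
    secret: $KUBERNETES_CLIENT_SECRET
    redirectURIs:
      - https://login.example.com/callback
---
# 2) kube-apiserver flags, shown as container args in a kubeadm-style static
#    pod manifest (/etc/kubernetes/manifests/kube-apiserver.yaml).
apiVersion: v1
kind: Pod
metadata:
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
    - name: kube-apiserver
      image: registry.k8s.io/kube-apiserver:v1.30.0   # placeholder tag
      command:
        - kube-apiserver
        - --oidc-issuer-url=https://dex.example.com       # must equal Dex's `issuer`
        - --oidc-client-id=kubernetes                     # must equal the staticClient id
        - --oidc-ca-file=/etc/kubernetes/pki/dex-ca.crt   # CA that signed Dex's TLS cert
        - --oidc-username-claim=email                     # no username prefix applies for `email`
        - --oidc-groups-claim=groups                      # clients must request the `groups` scope
        - --oidc-groups-prefix=oidc:                      # keeps Dex groups apart from system: groups
      volumeMounts:
        - name: dex-ca
          mountPath: /etc/kubernetes/pki/dex-ca.crt
          readOnly: true
  volumes:
    - name: dex-ca
      hostPath:
        path: /etc/kubernetes/pki/dex-ca.crt
        type: File
---
# 3) RBAC. The API server only verifies the token signature, issuer, audience
#    and expiry; what a user may do is decided here, keyed on the mapped claims.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: dex-platform-admins
subjects:
  - kind: Group
    name: oidc:platform-admins          # groups claim value with the configured prefix
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```

The usual failure on first setup is an API server that rejects every token with an issuer or audience mismatch: the `iss` in the ID token must equal `--oidc-issuer-url` exactly, and the `aud` must equal `--oidc-client-id`, so a token obtained through a different Dex client is refused unless that client has cross-client trust for the `kubernetes` audience.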

Q: Does Dex support multi-factor authentication? A: MFA is handled by the upstream identity provider. Dex passes through whatever authentication the connector requires.

Q: Can I add a custom connector? A: Yes, but custom connectors must be compiled into the Dex binary. The project provides a Go interface for implementing new connectors.
