dex - A federated OpenID Connect provider

Dex is an OpenID Connect server that allows users to login through upstream identity providers. Clients use a standards-based OAuth2 flow to login users, while the actual authentication is performed by established user management systems such as Google, GitHub, FreeIPA, etc.

OpenID Connect is a flavor of OAuth that builds on top of OAuth2 using the JOSE standards. This allows dex to provide:

• Short-lived, signed tokens with standard fields (such as email) issued on behalf of users.
• "well-known" discovery of OAuth2 endpoints.
• OAuth2 mechanisms such as refresh tokens and revocation for long term access.
• Automatic signing key rotation.

Standards-based token responses allows applications to interact with any OpenID Connect server instead of writing backend specific "access_token" dances. Systems that can already consume ID Tokens issued by dex include:

• Kubernetes
• Amazon STS

Documentation

• Getting started
• What's new in v2
• Storage options
• Intro to OpenID Connect
• gRPC API
• Identity provider logins (coming soon!)
• Client libraries (coming soon!)

Getting help

• For bugs and feature requests (including documentation!), file an issue.
• For general discussion about both using and developing dex, join the dex-dev mailing list.
• For more details on dex development plans, check out the GitHub milestones.