Documentation: explain how to write an app that uses dex

[ericchiang]

Brought up by @set321go in #753

This can include:

• App that wants to talk to the Kubernetes API on behalf of a user.
• App that uses OpenID Connect to authenticate a user (it does its own authz).
• App that uses a proxy headers to authenticate a user going through an OpenID Connect aware proxy.
• Putting an app that doesn't do authentication or authorization behind an OpenID Connect aware proxy.

p1 because this kind of documentation is a blocker for users who want to use dex.

[freefood89]

hello @ericchiang

I am new here and would like to look into contributing to docs first, but I need some clarification on this issue:

1. How many examples do you need? I was thinking of starting off with express + passport, and maybe flask as well.
2. Which OpenID Connect aware proxy were you hoping to get covered? I've never used an OIDC proxy before so I would like to try it out. I found UNINETT/goidc-proxy but I don't like it because it has no releases

[ericchiang]

@freefood89 we're going to be rolling a OpenID Connect proxy ourselves. If you want to try express+passport we'd be super happy to include it in our examples. It also helps us test our implementation.

[freefood89]

@ericchiang feel free to assign the issue to me if you can/want to

[ericchiang]

@freefood89 I don't think I can (your outside the org). There's a lot to this issue anyway, so I don't think it's a big deal.

Please reach out if you need any help or find any issues.

I remember one of the frameworks requiring parts of the spec we don't implement. You may want to look at #376 for background.

[freefood89]

Looks like the only working express app I know that uses Dex consumes a hacked passport module called oidc-passport, which I know is not a supported module because it's written by the friend that got it working. I'm contemplating writing a passport module myself, but for now I will look into making an example using flask first.

Looking back, it's kind of funny that I was having him write a user API as a companion to Dex. I didn't realize till now that the lack of a userinfo API was causing this much trouble.

[ericchiang]

@freefood89 there's a proposal for adding the userinfo endpoint in that issue #376 (comment). If you want to give it a crack, feel free.

[akshatprakash]

we need an identity provider for our app. we need all the features which were removed in v2. namely

1. Registration flows.
2. Local user management.
3. SMTP configuration and email verification.
4. Several of the login connectors that have yet to be ported.

is there a way to implement these in go, so that when you guys are done with adding them back into v2, i can easily just update dex api and these features get handled by dex instead of our custom code?

i reckon yall will be adding these features using the gRPC api..

[ericchiang]

Registration flows.
Local user management.
SMTP configuration and email verification.

@akshatprakash we don't have plans to add those features back in. Dex isn't a user management system, so these are more appropriate for orthogonal apps that want to talk to dex's gRPC API or use it's login flows. E.g. for the registration flows, we would probably add a link to our login screen that send the user to a different app that handles registration.

[SEJeff]

@akshatprakash perhaps CoreOS's fork of bit.ly's oauth2 proxy will do what you want?

[SEJeff]

@ericchiang also, could you common on your PR on bitly's oauth2_proxy? Seems like they're relatively close to merging it with a small bit of love. Seems worth doing.

[ericchiang]

@SEJeff PR updated. Know anyone at bitly to help it get merged? :)