Dex

Dex is an OpenID Connect provider and identity federation proxy that translates authentication signals from various upstream sources into a unified OpenID Connect interface. It functions as a multi-protocol identity broker, enabling client applications to implement a single standard while delegating user verification to external identity providers.

The project distinguishes itself through a pluggable connector architecture that bridges disparate protocols including LDAP, SAML, and OAuth2. It provides specific integrations for services such as GitHub, Google, GitLab, and Microsoft, while offering the ability to normalize provider-specific attributes and resolve recursive group memberships into consistent identity tokens.

The system covers broad capability areas including OAuth 2.0 client management, identity token issuance, and access filtering based on domains or group memberships. It also provides specialized gateway functionality for Kubernetes cluster authentication, mapping OIDC claims to Kubernetes identities for API server validation.

Configuration and session state can be persisted across multiple backends, including SQL databases, etcd, or Kubernetes Custom Resource Definitions.

Features

Identity Federation Providers - Provides a system that enables authentication via external identity providers using standardized protocols to present a unified issuer.
Identity Providers - Acts as a centralized identity provider that unifies various upstream authentication protocols into a single OIDC interface.
OpenID Connect Providers - Translates various upstream authentication protocols like LDAP and SAML into a single OpenID Connect endpoint.
API Server Authentication Plugins - Enables the Kubernetes API server to authenticate requests via an external OIDC provider plugin.
Identity - Federates multiple external identity sources and normalizes user claims into consistent identity tokens.
OpenID Connect Token Validations - Authorizes Kubernetes API requests by validating bearer tokens against an OpenID Connect issuer.
Claim Mapping - Transforms provider-specific user attributes and group memberships into normalized claims for downstream applications.
User Identity Verification - Extracts user claims by validating the signature and expiration of bearer tokens from trusted clients.
Protocol Translation - Converts LDAP and SAML signals from identity providers into OpenID Connect tokens for client applications.
Identity Protocol Translation - Converts disparate identity signals from LDAP, SAML, and OAuth2 into standardized JSON Web Tokens.
Kubernetes Identity Integration - Integrates OpenID Connect with the Kubernetes API server to enable cluster login via external identity providers.
LDAP Search Bind - Implements the search-then-bind authentication flow to verify user identities against an LDAP directory.
Client Registrations - Registers and manages client applications, redirect URIs, and secret credentials for secure authorization flows.
OAuth 2.0 Authorization Servers - Implements a full OAuth 2.0 authorization server to manage client registrations and grant access to protected resources.
OAuth2 Client Management - Provides tools for registering client applications and defining their allowed redirect URIs and secret credentials.
OAuth2 Implementations - Executes standard OAuth 2.0 authorization patterns and implicit flows to grant resource access.
OIDC Identity Token Issuance - Functions as an OIDC provider that issues signed identity tokens after verifying users via upstream flows.
OIDC Discovery Document Hosting - Publishes standardized OpenID Connect discovery documents and public keys to automate client integration and token verification.
SAML Authentication - Implements SAML 2.0 HTTP POST binding to verify identities and map assertion attributes to profiles.
Single Sign-On - Centralizes authentication for multiple applications by delegating user verification to a shared identity provider.
Identity Connector Architectures - Implements a pluggable architecture to translate various upstream authentication protocols into a unified OpenID Connect interface.
OIDC Claim Mapping - Transforms provider-specific user attributes and group memberships into normalized OIDC claims for downstream applications.
Group Membership Retrieval - Retrieves Google Workspace group memberships using a service account and the Admin SDK Directory API.
Identity Metadata Persistence - Persists configuration and session data across relational databases or Kubernetes API resources.
Pluggable Database Backends - Supports multiple database storage options, including SQL and etcd, for persisting system configuration and session state.
SQLite or PostgreSQL Storage - Stores identity data in SQLite, Postgres, or MySQL with automatic database migrations.
Native Kubernetes Object Storage - Maintains identity state using Custom Resource Definitions within a Kubernetes cluster.
Nested Group Memberships - Traverses nested group structures in LDAP and directory services to determine full user membership hierarchies.
Header Field Mapping - Configures specific HTTP headers to supply user email and group lists from a proxy.
Group Membership Enforcement - Validates user identity and access rights based on group membership filters provided by upstream identity sources.
Identity Federation - Federates identities by querying OpenShift OAuth servers to retrieve user profiles and group memberships.
Identity Provider Integrations - Integrates with OpenStack Keystone to verify user identities and synchronize group memberships.
Claim Configuration - Controls which user attributes and scopes are included in the issued identity tokens.
Directory Search - Enables locating user and group entries using configurable base DNs and search filters.
Attribute Mappings - Provides configurations for linking internal user profile fields to standard LDAP directory attributes.
LinkedIn Integrations - Implements specific OAuth2 authentication and authorization flows for LinkedIn identity verification.
Proxy Token Issuance - Issues internal identity tokens mapped to upstream provider credentials for peer application trust.
UserInfo Endpoints - Queries the OIDC UserInfo endpoint to retrieve additional user claims that take priority over ID token claims.
Proxy Authentication - Extracts user identities and group memberships from custom HTTP headers provided by an upstream proxy.
External Group Synchronization - Populates group claims in identity tokens by retrieving organization and team memberships from GitHub.
OIDC Upstream Federation - Redirects users to an upstream OIDC provider and extracts identity claims through standard OAuth2 flows.
etcd Metadata Stores - Stores system configuration and session state in an etcd v3 cluster using custom namespaces and SSL.
OAuth 2.0 Provider Integrations - Connects to any standards-compliant OAuth 2.0 provider to authenticate users via a generic connector.

anomalyco/openauth

6,971View on GitHub

OpenAuth is a standards-based authentication server and identity provider that implements OAuth 2.0 and OpenID Connect protocols. It serves as a centralized system for managing user identities, issuing access tokens, and orchestrating authentication flows across various services. The project functions as a federated identity gateway, aggregating external providers such as Google, GitHub, Microsoft, Apple, and Discord into a unified login flow. It distinguishes itself with a multi-tenant architecture that supports pluggable identity providers and customizable user interface frameworks for bran

ory/hydra

17,236View on GitHub

Hydra is a headless identity server that functions as a certified OAuth2 and OpenID Connect provider. It is designed as an authentication engine that manages authorization handshakes and token lifecycles while remaining decoupled from the user interface. The project distinguishes itself through a headless architecture, allowing external management of login and consent flows. It provides specialized capabilities for dynamic client registration, JSON Web Token issuance, and a system for rotating encryption secrets without service downtime. The system covers a broad range of identity operations

apereo/cas

11,347View on GitHub

This project is an open-source identity provider and single sign-on platform that centralizes user authentication for multiple web applications and services. It functions as a multi-protocol authentication gateway, verifying user identities and issuing tokens through the CAS protocol as well as industry standards including SAML, OAuth2, and OpenID Connect. The system acts as a federated identity server, allowing authentication to be delegated to external third-party or corporate identity providers. It distinguishes itself through identity attribute governance, which manages which specific use

coreos/dex

10,885View on GitHub

Dex is an OpenID Connect identity provider that functions as an identity federation gateway. It authenticates users and issues signed tokens for applications by using a variety of pluggable connectors to interface with external identity sources. The project focuses on federating multiple external identity providers into a single authentication portal. It maps diverse external authentication sources to a uniform internal user representation and manages the orchestration of authorization handshakes between clients and identity sources. Capability areas include centralized user authentication,

dexidpdex

Features