Dex and OAUTH 2.0 / OIDC @ Golang SF
Brandon Philips
October 22, 2015
Transcript
CoreOS Dex, OAUTH 2.0, and OIDC Web Authentication Adventures @coreoslinux
@brandonphilips
Brandon Philips CTO, CoreOS github.com/philips
Demo Instructions github.com/philips/hacks 2015-dex-golangsf
Slides speakerdeck.com/philips
Identity Plumbing of the Web
Identity Our Needs
The smartest way to run your container infrastructure. tectonic.com @tectonicstack
QUAY Secure hosting for private Docker repositories quay.io @quayio
Why Dex? Solve our uses quay.io, tectonic.com
Why Dex? Share Open Source Solution
Why Dex? Leverage Well Understood Web Security
Identity Open ID Connect (OIDC)
OIDC Nothing to do with OpenID
OIDC OAUTH 2.0 with Types
OIDC Adopted by Google, Facebook, Amazon
OIDC Lots of Language Libraries
OIDC http://openid.net/connect/
OAuth 2.0 Client (web app)
OAuth 2.0 Resource Owner
OAuth 2.0 Auth Server
OAuth 2.0 1. User requests protected page
OAuth 2.0 2. User redirected to auth page
OAuth 2.0 3. User authenticates (cookie/pw)
OAuth 2.0 4. User given authz grant
OAuth 2.0 5. User presents grant to client
OAuth 2.0 6. Client exchanges grant for access token
OAuth 2.0 7. ??? Do stuff
OIDC Relying Party
OIDC End User
OIDC Identity Provider
OIDC 0. Relying party periodically syncs public key from IdP
OIDC 1. User requests protected page
OIDC 2. User redirected to auth page
OIDC 3. User authenticates (cookie/pw)
OIDC 4. User given authz grant
OIDC 5. User presents grant to client
OIDC 6. Relying party exchanges authz code for ID token
OIDC 7. Client gets ID token and validates claims
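Step 7 in code, as an added Go example that is not from the deck or from Dex itself: the relying party has already checked the JWS signature with the IdP key synced in step 0, and now validates the ID token claims (issuer, audience, expiry, nonce). The issuer URL, client ID and nonce values are constructed for the example.

```go
package main

import (
	"encoding/json"
	"errors"
	"time"
)

// IDTokenClaims are the claims step 7 has to check. "aud" is kept raw because
// OIDC allows it to be either a single string or an array of strings.
type IDTokenClaims struct {
	Issuer   string          `json:"iss"`
	Subject  string          `json:"sub"`
	Audience json.RawMessage `json:"aud"`
	Expiry   int64           `json:"exp"`
	Nonce    string          `json:"nonce"`
}

// ValidateIDToken takes the JWS payload after its signature has been verified
// and applies the relying-party checks: issued by our IdP, addressed to our
// client ID, not expired, and carrying the nonce bound to this login so a
// token obtained in another flow cannot be replayed here. now is a parameter
// so the checks are deterministic.
func ValidateIDToken(payload []byte, issuer, clientID, nonce string, now time.Time) (*IDTokenClaims, error) {
	var c IDTokenClaims
	if err := json.Unmarshal(payload, &c); err != nil {
		return nil, err
	}
	var auds []string
	var one string
	if json.Unmarshal(c.Audience, &one) == nil {
		auds = []string{one}
	} else if json.Unmarshal(c.Audience, &auds) != nil {
		return nil, errors.New("idtoken: aud is neither a string nor an array")
	}
	forUs := false
	for _, a := range auds {
		forUs = forUs || a == clientID
	}
	switch {
	case c.Issuer != issuer:
		return nil, errors.New("idtoken: unexpected issuer")
	case !forUs:
		return nil, errors.New("idtoken: not issued for this client")
	case now.Unix() >= c.Expiry:
		return nil, errors.New("idtoken: expired")
	case c.Nonce != nonce:
		return nil, errors.New("idtoken: nonce mismatch")
	}
	return &c, nil
}
```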
JOSE Javascript Object Signing and Encryption
JWK Cryptographic Key Object
JWS JSON Web Signature
JWS <<base64 JOSE Header>>.<<base64 payload>>.<<base64 signature>>
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJoZWxsbyI6IndvcmxkIn0.lnneNaoem98xYFES3mi2CJJjnMONuWAu-FTWB3XJN14
{ "alg": "HS256", "typ": "JWT" }
{ "hello": "world" }
HMACSHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret )
JWT JSON Web Token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIyNDgyODk3NjEwMDEiLCJuYW1lIjoiSmFuZSBEb2UiL...mphbmVkb2VAZXhhbXBsZS5jb20iLCJwaWN0dXJlIjoiaHR0cDovL2V4YW1wbGUuY29tL2phbmVkb2UvbWUuanBnIn0.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ
{ "alg": "HS256", "typ": "JWT" }
{ "sub": "248289761001", "name": "Jane Doe", "preferred_username": "j.doe", "email": "janedoe@example.com", "picture": "http://imgur.com/me.jpg" }
JWT Security https://auth0.com/blog/2015/03/31/critical-vulnerabilities-in-json-web-token-libraries/
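The JWS formula above, signed and then verified the way the JWT-security post linked above says a library must: this is an added Go example, not code from the deck or from Dex. It uses the deck's own header and "hello world" payload with a constructed secret (the deck's signing secret is not shown, so the resulting signature differs from the one on the slide), and the verifier pins the algorithm before touching the signature so an "alg":"none" or RS256 header is refused.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// SignHS256 implements the slide's formula: HMACSHA256(base64UrlEncode(header)
// + "." + base64UrlEncode(payload), secret), with the HS256 JOSE header.
func SignHS256(payload, secret []byte) string {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	signingInput := header + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil))
}

// VerifyHS256 hands back the payload only if the token has three parts, the header
// declares exactly the expected algorithm (so "alg":"none" or an RS256 header is
// refused before any crypto runs) and the HMAC matches in constant time.
func VerifyHS256(token string, secret []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("jws: expected header.payload.signature")
	}
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("jws: header alg is not HS256")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(mac.Sum(nil), sig) {
		return nil, errors.New("jws: signature mismatch")
	}
	return b64.DecodeString(parts[1])
}
```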
Connectors Delegation of Authentication
Local Connector Email and Password Auth
OIDC Connector Dex as relying party
Future Connectors
SSH Agent Connector Login with your SSH public key
LDAP Connector Login with your SSH public key
Dex Features Automatic Key Rotation
Dex Features Scalable Architecture
Dex Features User Management API
Roadmap • Grouping for Users
Help Wanted • More Connectors • Alternative Storage Backends • U2F and Google Authenticator • > 1 Remote Identities per user
coreos.com/careers work with us
@coreoslinux @tectonicstack @brandonphilips thank you