Configuring your app
The example app uses the following Go packages to perform the code flow:
First, client details should be present in the dex configuration. For example, we could register an app with dex with the following section:
In this case, the Go code would be configured as:
import (
	"context"

	"github.com/coreos/go-oidc/v3/oidc"
	"golang.org/x/oauth2"
)

ctx := context.Background()

// Initialize a provider by specifying dex's issuer URL. This fetches the
// discovery document and the location of dex's signing keys.
provider, err := oidc.NewProvider(ctx, "https://dex-issuer-url.com")
if err != nil {
	// handle error
}

// Configure the OAuth2 config with the client values.
oauth2Config := oauth2.Config{
	// client_id and client_secret of the client.
	ClientID:     "example-app",
	ClientSecret: "example-app-secret",

	// The redirectURL.
	RedirectURL: "http://127.0.0.1:5555/callback",

	// Discovery returns the OAuth2 endpoints.
	Endpoint: provider.Endpoint(),

	// "openid" is a required scope for OpenID Connect flows.
	//
	// Other scopes, such as "groups", can be requested.
	Scopes: []string{oidc.ScopeOpenID, "profile", "email", "groups"},
}

// Create an ID token verifier. It checks the token's signature against dex's
// keys, that the issuer matches, and that the audience is this client_id.
idTokenVerifier := provider.Verifier(&oidc.Config{ClientID: "example-app"})
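The verifier created above does its work behind one call, so it is easy to forget what it actually checks before the app trusts the claims. The following is an added, self-contained example (not code from dex or go-oidc) that spells those checks out with only the standard library: the token's header must name RS256, the signature must verify under the issuer's public key, and only then are issuer, audience and expiry compared. The issuer URL and client ID are the ones from the configuration above; the RSA key, the e-mail address and the group claim are constructed test data, with the group name chosen to match the ClusterRoleBinding on this page.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// IDClaims are the ID token claims checked here. dex issues "aud" as a single string unless cross-client trust is configured.
type IDClaims struct {
	Issuer   string   `json:"iss"`
	Audience string   `json:"aud"`
	Expiry   int64    `json:"exp"`
	Email    string   `json:"email"`
	Groups   []string `json:"groups"`
}

var b64 = base64.RawURLEncoding // JWT segments are unpadded URL-safe base64

// newSigningKey makes a throwaway RSA key so this demo can play dex's role (constructed, not a real dex key).
func newSigningKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

// mintIDToken signs claims as an RS256 JWT, standing in for dex, which is the
// only party that holds the signing key in a real deployment.
func mintIDToken(key *rsa.PrivateKey, claims IDClaims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// verifyIDToken does what the client-side verifier must do: refuse any alg other
// than RS256 (so "alg":"none" or an HMAC downgrade fails), verify the signature
// under the issuer's key, and only then check issuer, audience and expiry.
func verifyIDToken(raw string, pub *rsa.PublicKey, issuer, clientID string, now time.Time) (*IDClaims, error) {
	parts := strings.Split(raw, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token: want header.payload.signature")
	}
	seg := make([][]byte, 3)
	for i, p := range parts {
		b, err := b64.DecodeString(p)
		if err != nil {
			return nil, fmt.Errorf("segment %d is not base64url: %w", i, err)
		}
		seg[i] = b
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(seg[0], &header); err != nil || header.Alg != "RS256" {
		return nil, fmt.Errorf("unsupported alg %q", header.Alg)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], seg[2]); err != nil {
		return nil, errors.New("signature does not verify under the issuer's key")
	}
	var claims IDClaims
	if err := json.Unmarshal(seg[1], &claims); err != nil {
		return nil, fmt.Errorf("bad claims: %w", err)
	}
	switch {
	case claims.Issuer != issuer:
		return nil, fmt.Errorf("issuer %q is not %q", claims.Issuer, issuer)
	case claims.Audience != clientID:
		return nil, fmt.Errorf("token issued for %q, not this client", claims.Audience)
	case !now.Before(time.Unix(claims.Expiry, 0)):
		return nil, errors.New("token has expired")
	}
	return &claims, nil
}

func main() {
	key, now := newSigningKey(), time.Now()
	// Constructed claims; the group is the one bound by the ClusterRoleBinding on this page.
	claims := IDClaims{Issuer: "https://dex-issuer-url.com", Audience: "example-app", Expiry: now.Add(time.Hour).Unix(), Email: "jane@example.com", Groups: []string{"super-org:team-red"}}
	tok, _ := mintIDToken(key, claims)
	fmt.Println(verifyIDToken(tok, &key.PublicKey, "https://dex-issuer-url.com", "example-app", now))
}
```

The order matters: the signature is verified before any claim is read, and the audience check is what stops an ID token minted for a different dex client from being accepted by this app.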
Dex and dex-k8s-authenticator setup
To connect Dex you need the Kubernetes CA certificate and key. Obtain them from the master:
sudo cat /srv/kubernetes/ca.{crt,key}
-----BEGIN CERTIFICATE-----
AAAAAAAAAAABBBBBBBBBBCCCCCC
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
DDDDDDDDDDDEEEEEEEEEEFFFFFF
-----END RSA PRIVATE KEY-----
Clone the dex-k8s-authenticator repo:
Example: mapping a schema to a search config
Writing a search configuration often involves mapping an existing LDAP schema to the various options dex provides. To query an existing LDAP schema, install the OpenLDAP tool ldapsearch. For rpm-based distros run:
For apt-get:
Example: searching an Active Directory server with groups
The following configuration will allow the LDAP connector to search an Active Directory server using an LDAP filter.
Example: searching a freeipa server with groups
The following configuration will allow the LDAP connector to search a FreeIPA directory using an LDAP filter.
Getting started
The dex repo contains a basic LDAP setup using OpenLDAP.
Kubeapiserver setup
You need to provide the OIDC configuration for the kube-apiserver as below and update the cluster:
Overview
The LDAP connector allows email/password based authentication, backed by an LDAP directory.
The connector executes two primary queries:
RBAC configuration
Create ClusterRole for your group, in our case with read-only permissions:
cat << EOF | kubectl create -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cluster-read-all
rules:
  -
    apiGroups:
      - ""
      - apps
      - autoscaling
      - batch
      - extensions
      - policy
      - rbac.authorization.k8s.io
      - storage.k8s.io
    resources:
      - componentstatuses
      - configmaps
      - cronjobs
      - daemonsets
      - deployments
      - events
      - endpoints
      - horizontalpodautoscalers
      - ingress
      - ingresses
      - jobs
      - limitranges
      - namespaces
      - nodes
      - pods
      - pods/log
      - pods/exec
      - persistentvolumes
      - persistentvolumeclaims
      - resourcequotas
      - replicasets
      - replicationcontrollers
      - serviceaccounts
      - services
      - statefulsets
      - storageclasses
      - clusterroles
      - roles
    verbs:
      - get
      - watch
      - list
  - nonResourceURLs: ["*"]
    verbs:
      - get
      - watch
      - list
  - apiGroups: [""]
    resources: ["pods/exec"]
    verbs: ["create"]
EOF
Create ClusterRoleBinding configuration:
cat <<EOF | kubectl create -f -
# rbac.authorization.k8s.io/v1, matching the ClusterRole above (v1beta1 was removed in Kubernetes 1.22).
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
# A ClusterRoleBinding is cluster-scoped: it grants cluster-read-all in every namespace.
metadata:
  name: dex-cluster-auth
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-read-all
# subjects is a list; the group name must match a value in the "groups" claim dex issues.
subjects:
  - kind: Group
    name: "super-org:team-red"
EOF
Now you are ready to start testing.
State tokens
The state parameter is an arbitrary string that dex will always return with the callback. It plays a security role, preventing certain kinds of OAuth2 attacks. Specifically, it can be used by clients to ensure:
A more thorough discussion of these kinds of best practices can be found in the “OAuth 2.0 Threat Model and Security Considerations” RFC.
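The following is an added example (not code from dex or the example app) of how a client should mint, send and check the state value described above, using only the Go standard library. The client ID, redirect URL and issuer are the ones from the configuration on this page; the "/auth" path and the callback URL with code "abc123" are constructed for the demo. The state is generated from crypto/rand so it cannot be guessed, it is compared in constant time on the callback, a provider error is surfaced rather than ignored, and the authorization code is only released when the state matches the one this browser session started with.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// newState mints an unguessable state value: 32 bytes from crypto/rand, encoded
// URL-safe so it survives the round trip through dex's redirect unchanged.
func newState() (string, error) {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// authURL builds the redirect to dex's authorization endpoint with the state
// attached; it mirrors what oauth2.Config.AuthCodeURL(state) produces.
func authURL(authEndpoint, clientID, redirectURL, state string, scopes []string) string {
	q := url.Values{}
	q.Set("response_type", "code")
	q.Set("client_id", clientID)
	q.Set("redirect_uri", redirectURL)
	q.Set("scope", strings.Join(scopes, " "))
	q.Set("state", state)
	return authEndpoint + "?" + q.Encode()
}

// callbackCode validates the callback dex redirected the browser to. expected is
// the state this app stored for the browser (for example in an HttpOnly cookie)
// when it started the login. The comparison is constant-time and the code is only
// returned when everything checks out; the caller must then discard expected so
// each state is single-use.
func callbackCode(expected, callbackURL string) (string, error) {
	u, err := url.Parse(callbackURL)
	if err != nil {
		return "", err
	}
	q := u.Query()
	if e := q.Get("error"); e != "" {
		return "", fmt.Errorf("dex returned error %q: %s", e, q.Get("error_description"))
	}
	got := q.Get("state")
	if expected == "" || subtle.ConstantTimeCompare([]byte(expected), []byte(got)) != 1 {
		return "", errors.New("state mismatch: callback was not started by this browser session")
	}
	code := q.Get("code")
	if code == "" {
		return "", errors.New("callback carries no authorization code")
	}
	return code, nil
}

func main() {
	state, err := newState()
	if err != nil {
		panic(err)
	}
	fmt.Println(authURL("https://dex-issuer-url.com/auth", "example-app",
		"http://127.0.0.1:5555/callback", state, []string{"openid", "profile", "email", "groups"}))
	// A constructed callback, as dex would send it for this login.
	code, err := callbackCode(state, "http://127.0.0.1:5555/callback?code=abc123&state="+state)
	fmt.Println(code, err)
}
```

The value the app stores for the browser is the only thing that ties the callback to the login it started; a callback carrying someone else's state, or none at all, is rejected before the code is ever exchanged.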