Dex

Federated OpenID Connect identity service with pluggable connectors

Dex is an identity service that uses OpenID Connect to provide federated authentication across LDAP, SAML, GitHub, Google, Active Directory, and more through pluggable connectors.

Overview

Dex is a federated identity service that implements OpenID Connect to drive authentication for applications and platforms. Instead of building authentication logic for multiple identity providers, applications authenticate once with dex, which then handles the complexity of connecting to upstream systems.

How It Works

Dex acts as a portal to other identity providers through pluggable "connectors" that support LDAP servers, SAML providers, GitHub, Google, Active Directory, and many others. It issues signed ID Tokens—JSON Web Tokens (JWTs) containing standard claims about user identity, email, groups, and session metadata—that applications consume as service-to-service credentials.

Deployment & Integration

Dex runs natively on Kubernetes using Custom Resource Definitions and integrates directly with the Kubernetes API server's OpenID Connect plugin, enabling cluster authentication through any supported identity provider. Clients like kubectl and kubernetes-dashboard can act on behalf of authenticated users. Beyond Kubernetes, systems including AWS STS already consume dex-issued ID Tokens, making it a versatile choice for organizations standardizing on OpenID Connect across heterogeneous infrastructure.

Highlights

  • Federated authentication via 15+ connectors including LDAP, SAML, GitHub, Google, and Active Directory
  • Issues signed OpenID Connect ID Tokens (JWTs) with standard claims for user identity, email, and groups
  • Native Kubernetes integration with Custom Resource Definitions and API server OpenID Connect plugin
  • Single authentication interface for clients; dex handles upstream protocol complexity

Pros

  • Centralizes authentication logic so clients write OpenID Connect integration once
  • Broad connector ecosystem supports enterprise directories, social logins, and federated protocols
  • Native Kubernetes support with CRDs simplifies cluster authentication workflows
  • Signed ID Tokens enable service-to-service trust without repeated credential checks

Considerations

  • Connector limitations can prevent refresh tokens or group claims depending on upstream protocol
  • SAML connector is unmaintained and flagged as potentially vulnerable to authentication bypasses
  • Alpha and beta connectors may have incomplete feature support or backward-incompatible changes
  • Requires understanding of OpenID Connect, OAuth2, and upstream identity provider protocols

Managed products teams compare with

When teams consider Dex, these hosted platforms usually appear on the same shortlist.

Amazon Cognito

Customer identity and access management service for adding user sign-up, sign-in, and authentication to apps

Auth0

Cloud-based identity management platform for adding user authentication and authorization to applications

Clerk

User authentication and identity APIs for web and mobile apps

Looking for a hosted option? These are the services engineering teams benchmark against before choosing open source.

Fit guide

Great for

  • Organizations needing unified authentication across Kubernetes, AWS STS, and custom applications
  • Teams consolidating multiple identity providers behind a single OpenID Connect interface
  • Kubernetes clusters requiring API server authentication via LDAP, SAML, or social identity providers
  • Platforms that consume signed JWT ID Tokens for service-to-service authorization

Not ideal when

  • Scenarios requiring offline access or refresh tokens with SAML or OAuth 2.0 connectors
  • Production use of the SAML connector due to known maintenance and security concerns
  • Environments needing guaranteed group claims from connectors like LinkedIn or Gitea
  • Teams without capacity to manage OpenID Connect flows and upstream connector configurations

How teams use it

Kubernetes Cluster Authentication

Users log in to Kubernetes via GitHub or Active Directory; kubectl and dashboard authenticate through dex-issued ID Tokens without managing multiple credential systems.

Multi-Cloud Identity Federation

Applications running on AWS and Kubernetes consume dex ID Tokens, enabling single sign-on across cloud providers using existing LDAP or SAML infrastructure.

Consolidating Social and Enterprise Logins

A SaaS platform offers login via Google, GitHub, and corporate LDAP; dex handles protocol differences while the app maintains one OpenID Connect integration.

Service-to-Service Authorization

Microservices validate dex-signed JWTs containing user identity and group membership, eliminating repeated calls to upstream identity providers for authorization decisions.

Tech snapshot

Go 98%
Makefile 1%
CSS 1%
HTML 1%
Dockerfile 1%
Shell 1%

Tags

kubernetes, oidc, hacktoberfest, idp, identity-provider

Frequently asked questions

What is an ID Token and why does dex issue them?

ID Tokens are signed JSON Web Tokens (JWTs) introduced by OpenID Connect. Dex issues them to attest to a user's identity, including claims like email, groups, and session metadata, enabling applications and services to trust user identity without querying upstream providers repeatedly.

Which connectors support refresh tokens?

LDAP, GitHub, GitLab, OpenID Connect, Google, LinkedIn, Microsoft, Bitbucket Cloud, OpenShift, Atlassian Crowd, Gitea, and OpenStack Keystone support refresh tokens. SAML and OAuth 2.0 connectors do not due to protocol limitations.

Can dex run on Kubernetes?

Yes. Dex runs natively on Kubernetes using Custom Resource Definitions and integrates with the API server's OpenID Connect plugin to authenticate users via any supported identity provider.

Is the SAML connector safe to use?

The SAML connector is marked stable but flagged as unmaintained and potentially vulnerable to authentication bypasses. Evaluate your risk tolerance and consider alternative connectors for production workloads.

Do all connectors return group membership claims?

No. Connectors like LinkedIn, Gitea, and AuthProxy do not support group claims. Check the connector table in the documentation to confirm feature support for your identity provider.

Project at a glance

Status: Active
Stars: 10,521
Watchers: 10,521
Forks: 1,887
License: Apache-2.0
Repo age: 10 years old
Last commit: 12 hours ago
Primary language: Go

Last synced 4 hours ago