-
Notifications
You must be signed in to change notification settings - Fork 1.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Get OIDC token issued by Dex using a token issued by one of the connectors. #2657
Comments
RFC8693 defines a token-exchange grant_type that accepts a token for authentication. Dex could accept this grant type in on the token endpoint for an OIDC connector, validate the token via JWKS, and issue a new token using the claimMapping. |
I would love to see this implemented. My use case is I use ArgoCD with Dex on Azure with AzureAD. Users are using AAD no problem, but I want my pipelines to be able to access ArgoCD's API with a JWT (avoiding local accounts). The pipeline easily gets a sts.windows.net JWT from the machine identity/service principal in the pipeline, so if I could exchange that AAD token for a Dex token then machine access would be very smooth. |
I'm trying to implement token exchange with AzureAD and I'm getting an "unsupported_grant_type", is it only available for Github Actions? |
@churrascats Which version of Dex do you use? |
I'm using dex:v2.37.0 Here is my dex config... Really appreciate your support. issuer: http://localhost:8000/dex storage: web: oauth2: staticClients:
connectors:
|
Preflight Checklist
Problem Description
In some scenarios, there can only be one OIDC provider, e.g. kube-apiserver. Dex can serve this role well by providing various connectors. However, when it comes to a program which has been issued an OIDC token from another issuer, it cannot be used to exchange for a Dex issued token programmingly.
Proposed Solution
OIDC connectors can be configured as ``passive", which will be hidden to the interactive users.
An api interface can be added to Dex, say
/token
. When aPOST
request like below is received, the token from the Authorization header will be extracted and verified against each configured passive OIDC connector. If one of them get passed, the client will be issued an OIDC token issued by Dex.Alternatives Considered
No response
Additional Information
The use case is, I would like a Kubernetes cluster can be accessed by both interactive normal users and programmingly CI jobs. CI jobs running on gitlab runners are issued an OIDC token by the gitlab instance via an environment variable. If this is implemented, then the CI job can get a token issued by Dex using this OIDC token, which can then be used to access the kubernetes cluster.
This function is previously mentioned in #1484 (comment), but the topic for that issue is totally different.
The text was updated successfully, but these errors were encountered: