# Identity
Configure and use Dex OIDC authentication.
## Overview
Dex provides OpenID Connect (OIDC) authentication for Playpen applications. It supports Azure Entra-compatible semantics and standard OIDC flows.
## Accessing Dex
Dex is accessible at:
- Internal: `dex.playpen-platform.svc.cluster.local:5556`
- Local: `localhost:5556` (via port-forward)
## OIDC endpoints
Standard OIDC endpoints are available:
- Discovery: `http://dex.playpen-platform.svc.cluster.local:5556/dex/.well-known/openid-configuration`
- Authorization: `http://dex.playpen-platform.svc.cluster.local:5556/dex/auth`
- Token: `http://dex.playpen-platform.svc.cluster.local:5556/dex/token`
## Get client credentials
```shell
# Client ID
kubectl get secret dex-credentials -n playpen-platform \
  -o jsonpath='{.data.client-id}' | base64 -d
# Client Secret
kubectl get secret dex-credentials -n playpen-platform \
  -o jsonpath='{.data.client-secret}' | base64 -d
```
## Integrate with applications
### Python (Flask)
```python
import os

from authlib.integrations.flask_client import OAuth
from flask import Flask, redirect, url_for

app = Flask(__name__)
# authlib keeps the OAuth state in the session, so the app needs a session
# signing key (the FLASK_SECRET_KEY variable name is an assumption)
app.secret_key = os.environ['FLASK_SECRET_KEY']

oauth = OAuth(app)
oauth.register(
    name='dex',
    client_id=os.getenv('OIDC_CLIENT_ID'),
    client_secret=os.getenv('OIDC_CLIENT_SECRET'),
    server_metadata_url='http://dex.playpen-platform.svc.cluster.local:5556/dex/.well-known/openid-configuration',
    client_kwargs={'scope': 'openid email profile'},
)


@app.route('/login')
def login():
    # Must match a redirect URI registered for this client in Dex
    redirect_uri = url_for('callback', _external=True)
    return oauth.dex.authorize_redirect(redirect_uri)


@app.route('/callback')
def callback():
    # Exchanges the code for tokens; authlib checks state and validates the ID token
    token = oauth.dex.authorize_access_token()
    # Use token for authenticated requests
    return redirect('/')
```
### Python (FastAPI)
```python
from authlib.integrations.starlette_client import OAuth
from fastapi import FastAPI, Request
from starlette.config import Config
from starlette.middleware.sessions import SessionMiddleware
from starlette.responses import RedirectResponse

config = Config('.env')
app = FastAPI()
# authlib keeps the OAuth state in the session, so session middleware is required
# (the SESSION_SECRET variable name is an assumption)
app.add_middleware(SessionMiddleware, secret_key=config('SESSION_SECRET'))

oauth = OAuth(config)
oauth.register(
    name='dex',
    client_id=config('OIDC_CLIENT_ID'),
    client_secret=config('OIDC_CLIENT_SECRET'),
    server_metadata_url='http://dex.playpen-platform.svc.cluster.local:5556/dex/.well-known/openid-configuration',
    client_kwargs={'scope': 'openid email profile'},
)


@app.get('/login')
async def login(request: Request):
    # Must match a redirect URI registered for this client in Dex
    redirect_uri = str(request.url_for('callback'))
    return await oauth.dex.authorize_redirect(request, redirect_uri)


@app.get('/callback')
async def callback(request: Request):
    # Exchanges the code for tokens; authlib checks state and validates the ID token
    token = await oauth.dex.authorize_access_token(request)
    # Use token for authenticated requests
    return RedirectResponse('/')
```
## Supported flows
### Authorization Code flow
Standard OAuth 2.0 authorization code flow for web applications.
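The Flask and FastAPI snippets above let authlib handle the authorization-code exchange. The added example below (not part of this page or of Dex) shows the steps authlib performs against the `/dex/auth` and `/dex/token` endpoints listed above: it generates a `state` and a PKCE verifier, builds the authorization URL, checks the returned `state` on the callback, and assembles the token request body. The `session` dict stands in for a server-side session store, and the client ID, redirect URI and callback URL used in tests are constructed values.

```python
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Dex endpoints as listed on this page
DEX_ISSUER = 'http://dex.playpen-platform.svc.cluster.local:5556/dex'
AUTH_URL = f'{DEX_ISSUER}/auth'
TOKEN_URL = f'{DEX_ISSUER}/token'


def b64url(data: bytes) -> str:
    """Base64url without padding, as used by PKCE and JWT."""
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def code_challenge(verifier: str) -> str:
    """RFC 7636 S256: challenge = BASE64URL(SHA256(verifier))."""
    return b64url(hashlib.sha256(verifier.encode('ascii')).digest())


def start_login(client_id: str, redirect_uri: str, session: dict) -> str:
    """Store state, nonce and PKCE verifier server-side; return the /dex/auth URL."""
    session['oidc_state'] = secrets.token_urlsafe(32)
    session['oidc_nonce'] = secrets.token_urlsafe(32)
    session['oidc_verifier'] = b64url(secrets.token_bytes(32))
    params = {
        'response_type': 'code',
        'client_id': client_id,
        'redirect_uri': redirect_uri,          # must be registered for the client in Dex
        'scope': 'openid email profile',
        'state': session['oidc_state'],        # binds the callback to this browser session
        'nonce': session['oidc_nonce'],        # must reappear in the ID token's nonce claim
        'code_challenge': code_challenge(session['oidc_verifier']),
        'code_challenge_method': 'S256',
    }
    return f'{AUTH_URL}?{urlencode(params)}'


def handle_callback(callback_url: str, client_id: str, client_secret: str,
                    redirect_uri: str, session: dict) -> dict:
    """Verify the returned state, then build the form body to POST to TOKEN_URL."""
    q = parse_qs(urlparse(callback_url).query)
    expected = session.pop('oidc_state', None)
    got = q.get('state', [''])[0]
    if not expected or not secrets.compare_digest(got.encode(), expected.encode()):
        raise ValueError('state mismatch: possible CSRF or stale login attempt')
    if 'error' in q:
        raise ValueError(f"Dex returned error: {q['error'][0]}")
    return {
        'grant_type': 'authorization_code',
        'code': q['code'][0],
        'redirect_uri': redirect_uri,
        'client_id': client_id,
        'client_secret': client_secret,
        'code_verifier': session.pop('oidc_verifier'),  # Dex checks it against the challenge
    }
```

After POSTing the returned body to `TOKEN_URL`, verify the ID token as shown in the Verify token section and compare its `nonce` claim with `session['oidc_nonce']` before trusting it.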
### Client Credentials flow
For service-to-service authentication:
```python
import os

import requests

token_url = 'http://dex.playpen-platform.svc.cluster.local:5556/dex/token'
data = {
    'grant_type': 'client_credentials',
    'client_id': os.getenv('OIDC_CLIENT_ID'),
    'client_secret': os.getenv('OIDC_CLIENT_SECRET'),
    'scope': 'openid',
}
response = requests.post(token_url, data=data, timeout=10)
# Fail loudly on a 4xx/5xx rather than raising KeyError on a missing field
response.raise_for_status()
token = response.json()['access_token']
```
## Verify token
```python
import os

import jwt
from jwt import PyJWKClient

issuer = 'http://dex.playpen-platform.svc.cluster.local:5556/dex'
# Fetch Dex's public signing keys from its JWKS endpoint; PyJWKClient caches
# them and selects the key whose kid matches the token header
jwks_client = PyJWKClient(f'{issuer}/keys')


def verify_token(token: str) -> dict:
    signing_key = jwks_client.get_signing_key_from_jwt(token)
    # Verifies signature, expiry, issuer and audience; the audience must be
    # this application's client ID
    return jwt.decode(
        token,
        signing_key.key,
        algorithms=['RS256'],
        audience=os.getenv('OIDC_CLIENT_ID'),
        issuer=issuer,
    )
```
## Configuration
Dex configuration is stored in a ConfigMap:
```shell
# View configuration
kubectl get configmap dex-config -n playpen-platform -o yaml
# Update configuration
kubectl edit configmap dex-config -n playpen-platform
# Restart Dex to apply changes
kubectl rollout restart deployment/dex -n playpen-platform
```
## Troubleshooting
### Token validation fails
- Verify that the client ID and secret are correct
- Check the token expiration
- Ensure the audience matches the client ID
### Connection refused
- Verify the Dex pod is running: `kubectl get pods -n playpen-platform -l app=dex`
- Check the service: `kubectl get svc -n playpen-platform dex`
- Verify the port-forward: `kubectl port-forward -n playpen-platform svc/dex 5556:5556`
## Next steps
- Learn about CI/CD integration
- Configure platform services