
Exchanging third-party tokens in Dex

Palark
April 04, 2024


Tech talk by Maksim Nabokikh, Platform Lead @ Palark, presented at Cloud Native Rejekts EU'2024 in Paris.

Dex is an OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors. In this talk, Maksim explains what its new feature called token exchange brings and how you can benefit from it in Kubernetes, CI/CD, etc.

Find more resources for this talk:
* YouTube video;
* Talk description in the conference schedule.

P.S. Subscribe to the Palark tech blog to get our latest articles on DevOps, SRE, Kubernetes, and more!


Transcript

  1. Exchanging third-party tokens in Dex, and how it helps you to build a secure cloud native environment. Maksim Nabokikh, Platform Lead
  2. TODO LIST FOR THE TALK
     * Introduce yourself with a couple of jokes
     * Tell what Dex is about
     * Explain what Token Exchange is
     * Show how applicable it is to the existing cloud-native infrastructure
  4. FACTS
     * Originally developed by CoreOS in 2015 (9 y.o.)
     * CNCF Sandbox project since Jun 26, 2020
     * Community driven project since 2018, after the CoreOS acquisition
     * ~9K, ~1.6K, >25
  5. THE MAIN IDEA OF DEX
     * Dex acts as a portal to other identity providers through "connectors";
     * This lets Dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory;
     * Clients write their authentication logic once to talk to Dex, then Dex handles the protocols for a given backend.
  6. WHY DO ENGINEERS LOVE DEX?
     * Ultra light: single binary in Go (~35 Mb)
     * Simple: code that you can understand spending a couple of hours
     * Kubernetes-native: integrates well with Kubernetes
     * Community's building block: used by projects like Argo CD or Sigstore
     * True Open Source: community-driven project not owned by a company
  14. TOKEN EXCHANGE IN DEX
     * Implemented by Sean Liao (github.com/seankhliao)
     * Merged in November 2023
     * Available in January 2024 (Dex v2.38.0)
     * Works with JWT tokens
     * Works with providers that have an OIDC discovery endpoint
  16. TOKEN EXCHANGE IN DEX (dexidp.io/docs/token-exchange/)
     Diagram of the exchange: the incoming JWT (sub: sys:s4:<ns>:<name>, exp: 1768243) is swapped for a Dex-issued JWT (sub: xxx, name: sys:s4:<ns>:<name>, exp: 1769961); each token carries a "Signed by" label for its issuer.
  18. TOKEN EXCHANGE IN DEX (dexidp.io/docs/token-exchange/)
     oauth2:
       grantTypes: # ensure grantTypes includes the token-exchange grant (default)
         - "urn:ietf:params:oauth:grant-type:token-exchange"
  19. TOKEN EXCHANGE IN DEX (dexidp.io/docs/token-exchange/)
     connectors:
       - name: Exchange Provider
         type: oidc
         id: exchange
         config:
           issuer: https://oidc.example.com
           scopes:
             - profile
             - groups
             - federated:id
           userNameKey: sub
           claimMappings:
             groups: roles
  20. TOKEN EXCHANGE IN DEX
     * Easy to understand
     * Easy to configure
     * Easy to start
     A field for experiments!
  23. CI/CD INTEGRATION
     The goal: to deploy to a Kubernetes cluster
     Common anti-patterns:
     * Save an admin kubeconfig with certificates in the CI/CD system
     * Use a ServiceAccount token with an infinite lifetime
  25. CI/CD INTEGRATION
     Actors: GitLab CI/CD, Dex, Kubernetes (diagram with DISCOVERY, KEYS and TOKEN arrows between them)
  26. CI/CD INTEGRATION
     Kubernetes comes to Dex and discovers its JWKS endpoint
  27. CI/CD INTEGRATION
     GitLab pipeline is triggered. But there is NO ACCESS to Kubernetes
  28. CI/CD INTEGRATION
     Dex comes to GitLab and discovers its JWKS endpoint
  29. CI/CD INTEGRATION
     It's not only GitLab that can be used. It will work with other CI/CD systems (GitHub Actions, etc.) as well.
     All major cloud providers allow authenticating using the CI/CD tokens, and, thanks to Dex, so does K8s.
     No more anti-patterns!
  32. KUBERNETES AUTHMESH
     The goal: to give access to a service from one cluster to another
     Common anti-patterns:
     * Save an admin kubeconfig with the certificates in another cluster
     * Use a ServiceAccount token with an infinite lifetime
  33. KUBERNETES AUTHMESH
     Actors: Dex, Kubernetes-1, Kubernetes-2, Kubernetes-3 (diagram with DISCOVERY, KEYS and TOKEN arrows between them)
  34. KUBERNETES AUTHMESH
     One by one, Kubernetes clusters come to Dex and discover its JWKS endpoint (#1, #2, #3)
  37. KUBERNETES AUTHMESH
     Then, Dex discovers each Kubernetes cluster's JWKS endpoint, one by one again (#1, #2, #3)
  42. KUBERNETES AUTHMESH
     Kubernetes-1 workloads have NO DIRECT ACCESS to the Kubernetes-3 API
  43. KUBERNETES AUTHMESH
     However, they can EXCHANGE their ServiceAccount tokens for a Dex token
  44. KUBERNETES AUTHMESH
     Finally, the access is provided
  46. KUBERNETES AUTHMESH (kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration)
     $ initial_token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)
     $ token=$(curl $dex_url/token \
         … \
         --data-urlencode grant_type=urn:ietf:params:oauth:grant-type:token-exchange \
         --data-urlencode subject_token=$initial_token | jq .access_token)
     # jq without -r keeps the quotes, so $token drops into the JSON below as a string
     $ cat <<EOF
     {
       "apiVersion": "client.authentication.k8s.io/v1",
       "kind": "ExecCredential",
       "status": {
         "token": $token
       }
     }
     EOF
  48. KUBERNETES AUTHMESH (kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration)
     Save to /bin/token-exchange. Use in your kubeconfigs:
     users:
       - name: kubernetes-exchange
         user:
           exec:
             command: token-exchange
             apiVersion: "client.authentication.k8s.io/v1"
             interactiveMode: Never
     This is an example NOT for production use
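The exec plugin sketched by the shell snippet above, written out as an added example (not code from the slides or from the Dex project) in Python so that the token-exchange request, the ExecCredential document and the expiry taken from the Dex token can be exercised offline. The function names, the DEX_* environment variables and the injectable opener are this example's own; the connector_id form field follows the Dex token-exchange docs and should be checked against your Dex version.

```python
import base64, json, os, sys, time
import urllib.parse, urllib.request

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token"

def exchange_form(subject_token, connector_id, scope="openid groups federated:id"):
    """Form body for POST <dex_url>/token: RFC 8693 fields plus Dex's connector_id,
    which names the connector that must verify the subject token (assumed from Dex docs)."""
    return urllib.parse.urlencode({
        "grant_type": TOKEN_EXCHANGE_GRANT, "connector_id": connector_id, "scope": scope,
        "requested_token_type": ACCESS_TOKEN_TYPE,
        "subject_token": subject_token, "subject_token_type": ACCESS_TOKEN_TYPE})

def jwt_exp(token):
    """Unverified read of the 'exp' claim: kubectl only uses it to know when to re-run
    the plugin. Verifying the Dex token is the API server's job, not the plugin's."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the base64url padding JWTs strip
    return int(json.loads(base64.urlsafe_b64decode(payload))["exp"])

def exec_credential(access_token):
    """The ExecCredential document kubectl expects on the plugin's stdout."""
    expiry = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(jwt_exp(access_token)))
    return {"apiVersion": "client.authentication.k8s.io/v1", "kind": "ExecCredential",
            "status": {"token": access_token, "expirationTimestamp": expiry}}

def exchange(dex_url, client_id, client_secret, subject_token, connector_id,
             opener=urllib.request.urlopen):
    """POST the exchange to Dex; the plugin's own client credentials go in HTTP Basic auth.
    opener is injectable so the function can be exercised without a live Dex."""
    body = exchange_form(subject_token, connector_id).encode()
    req = urllib.request.Request(dex_url.rstrip("/") + "/token", data=body, method="POST")
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    req.add_header("Authorization", "Basic " + basic)
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with opener(req) as resp:
        return json.load(resp)["access_token"]

if __name__ == "__main__":  # DEX_* environment variable names are this example's own
    with open(SA_TOKEN_PATH) as f:
        sa_token = f.read().strip()
    dex_token = exchange(os.environ["DEX_URL"], os.environ["DEX_CLIENT_ID"],
                         os.environ["DEX_CLIENT_SECRET"], sa_token,
                         os.environ.get("DEX_CONNECTOR_ID", "exchange"))
    json.dump(exec_credential(dex_token), sys.stdout)
```

Because the plugin reports expirationTimestamp, kubectl re-runs the exchange only when the short-lived Dex token is about to expire, which is what makes the long-lived kubeconfig credentials from the anti-pattern slides unnecessary.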
  49. SPIFFE TOKENS
     The goal: to use SPIFFE tokens to get access to a Kubernetes API
     We already have IDs of all our services. Why can't we reuse them to access Kubernetes?
  50. SPIFFE TOKENS
     Actors: Dex, SPIRE server, SPIRE agent, Application, Kubernetes (diagram with DISCOVERY, KEYS, REGISTRATION, UNIX SOCKET, SPIFFE TOKEN and TOKEN arrows between them)
  51. SPIFFE TOKENS
     SPIRE agent on a node connects to the SPIRE server
  52. SPIFFE TOKENS
     Dex comes to the SPIRE server and discovers its JWKS endpoint
  53. SPIFFE TOKENS
     Kubernetes comes to Dex and discovers its JWKS endpoint
  54. SPIFFE TOKENS
     The Application on a node comes to the SPIRE agent and requests its SPIRE JWT token
  55. SPIFFE TOKENS
     Using this token, the Application cannot access the Kubernetes API
  56. SPIFFE TOKENS
     The Application makes an EXCHANGE and gets the Dex token
  57. SPIFFE TOKENS
     Finally, our Application can access the Kubernetes API
  58. SPIFFE TOKENS
     SPIFFE ID can be used in RBAC as a username:
     subjects:
       - kind: User
         name: spiffe://example.org/reports
     It makes Service Accounts in Kubernetes obsolete
  59. TODO LIST FOR THE TALK
     * Introduce yourself with a couple of jokes
     * Tell what Dex is about
     * Explain what Token Exchange is
     * Show how applicable it is to the existing cloud-native infrastructure
     We finally made it to the finals!
  61. WRAPPING UP
     * The Token Exchange feature is a glue between different authentication providers
     * Dex is lightweight and can be used to add this capability to any Kubernetes cluster with literally no overhead
     * Not only Dex benefits from it, but the whole ecosystem
     * If security features are convenient, it improves security in the world in general
  64. GOTTA AUTHENTICATE 'EM ALL! THANK YOU!
     MAKSIM NABOKIKH, Platform Lead: @nabokihms, [email protected]
     OPEN SOURCE TOOLS: github.com/werf, github.com/palark
     OUR BLOGS AND SOCIAL MEDIA: palark.com, twitter.com/palark_com
     DEX SOURCES: dexidp.io, github.com/dexidp/dex