Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Exchanging third-party tokens in Dex

Palark
April 04, 2024
Technology
1
93

Exchanging third-party tokens in Dex

Tech talk by Maksim Nabokikh, Platform Lead @ Palark, presented at Cloud Native Rejekts EU'2024 in Paris.

Dex is an OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors. In this talk, Maksim explains what its new feature called token exchange brings and how you can benefit from it using in Kubernetes, CI/CD, etc.

Find more resources for this talk:
* YouTube video;
* Talk description in the conference schedule.

P.S. Subscribe to the Palark tech blog to get our latest articles on DevOps, SRE, Kubernetes, and more!

Palark

April 04, 2024
Tweet

More Decks by Palark

See All by Palark
DevOps & SRE job satisfaction survey 2023 by Palark
palark
0
51
Making your Kubernetes-based log collection reliable & durable with Vector
palark
1
11k

Other Decks in Technology

See All in Technology
Vueで Webコンポーネントを作って Reactで使う / 20241030-cloudsign-vuefes_after_night
bengo4com
4
2.5k
生成AIの強みと弱みを理解して、生成AIがもたらすパワーをプロダクトの価値へ繋げるために実践したこと / advance-ai-generating
cyberagentdevelopers
PRO
1
180
事業者間調整の行間を読む 調整の具体事例
sugiim
0
1.4k
MAMを軸とした動画ハンドリングにおけるAI活用前提の整備と次世代ビジョン / abema-ai-mam
cyberagentdevelopers
PRO
1
110
20241031_AWS_生成AIハッカソン_GenMuck
tsumita
0
110
話題のGraphRAG、その可能性と課題を理解する
hide212131
4
1.5k
ABEMA のコンテンツ制作を最適化!生成 AI x クラウド映像編集システム / abema-ai-editor
cyberagentdevelopers
PRO
1
180
visionOSでの空間表現実装とImmersive Video表示について / ai-immersive-visionos
cyberagentdevelopers
PRO
1
110
プロダクトチームへのSystem Risk Records導入・運用事例の紹介/Introduction and Case Studies on Implementing and Operating System Risk Records for Product Teams
taddy_919
1
170
Amazon FSx for NetApp ONTAPを利用するにあたっての要件整理と設計のポイント
non97
1
160
使えそうで使われないCloudHSM
maikamibayashi
0
170
日経電子版におけるリアルタイムレコメンドシステム開発の事例紹介/nikkei-realtime-recommender-system
yng87
1
500

Featured

See All Featured
Building a Scalable Design System with Sketch
lauravandoore
459
33k
Facilitating Awesome Meetings
lara
49
6k
Producing Creativity
orderedlist
PRO
341
39k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
226
22k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
159
15k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
7.9k
Speed Design
sergeychernyshev
24
570
For a Future-Friendly Web
brad_frost
175
9.4k
Gamification - CAS2011
davidbonilla
80
5k
Making the Leap to Tech Lead
cromwellryan
132
8.9k

Transcript

  1. Exchanging third-party tokens in Dex MAKSIM NABOKIKH Platform Lead and

    how it helps you to build a secure cloud native environment

  2. Introduce yourself with a couple of jokes Tell what Dex

    is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

  3. Introduce yourself with a couple of jokes Tell what Dex

    is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

  4. Originally developed by CoreOS in 2015 (9 y.o.) FACTS CNCF

    Sandbox project since Jun 26, 2020 Community driven project since 2018 after CoreOS acquisition ~9K ~1.6K >25

  5. THE MAIN IDEA OF DEX

  6. THE MAIN IDEA OF DEX Dex acts as a portal

    to other identity providers through "connectors"; This lets Dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory; Clients write their authentication logic once to talk to Dex, then Dex handles the protocols for a given backend.

  7. THE MAIN IDEA

  8. THE MAIN IDEA

  9. THE MAIN IDEA

  10. THE MAIN IDEA

  11. WHY DO ENGINEERS LOVE DEX?

  12. WHY DO ENGINEERS LOVE DEX? Ultra light: single binary in

    Go (~35 Mb) Simple: code that you can understand spending a couple of hours Kubernetes-native: integrates well with Kubernetes Community’s building block: used by projects like Argo CD or Sigstore True Open Source: community-driven project not owned by a company

  13. WHY DO ENGINEERS LOVE DEX? Ultra light: single binary in

    Go (~35 Mb) Simple: code that you can understand spending a couple of hours Kubernetes-native: integrates well with Kubernetes Community’s building block: used by projects like Argo CD or Sigstore True Open Source: community-driven project not owned by a company

  14. WHY DO ENGINEERS LOVE DEX? Ultra light: single binary in

    Go (~35 Mb) Simple: code that you can understand spending a couple of hours Kubernetes-native: integrates well with Kubernetes Community’s building block: used by projects like Argo CD or Sigstore True Open Source: community-driven project not owned by a company

  15. WHY DO ENGINEERS LOVE DEX? Ultra light: single binary in

    Go (~35 Mb) Simple: code that you can understand spending a couple of hours Kubernetes-native: integrates well with Kubernetes Community’s building block: used by projects like Argo CD or Sigstore True Open Source: community-driven project not owned by a company

  16. WHY DO ENGINEERS LOVE DEX? Ultra light: single binary in

    Go (~35 Mb) Simple: code that you can understand spending a couple of hours Kubernetes-native: integrates well with Kubernetes Community’s building block: used by projects like Argo CD or Sigstore True Open Source: community-driven project not owned by a company

  17. WHY DO ENGINEERS LOVE DEX? Ultra light: single binary in

    Go (~35 Mb) Simple: code that you can understand spending a couple of hours Kubernetes-native: integrates well with Kubernetes Community’s building block: used by projects like Argo CD or Sigstore True Open Source: community-driven project not owned by a company

  18. DEX ARCHITECTURE

  19. DEX ARCHITECTURE

  20. DEX ARCHITECTURE OIDC

  21. DEX ARCHITECTURE OIDC USER AUTHN

  22. DEX ARCHITECTURE OIDC USER AUTHN MACHINE AUTHN

  23. DEX ARCHITECTURE OIDC Storage USER AUTHN MACHINE AUTHN

  24. DEX ARCHITECTURE OIDC Storage USER AUTHN MACHINE AUTHN

  25. DEX ARCHITECTURE OIDC Storage USER AUTHN MACHINE AUTHN

  26. DEX ARCHITECTURE OIDC Storage USER AUTHN MACHINE AUTHN

  27. DEX ARCHITECTURE OIDC Storage USER AUTHN MACHINE AUTHN

  28. DEX ARCHITECTURE OIDC Storage Connectors USER AUTHN MACHINE AUTHN

  29. DEX ARCHITECTURE OIDC Storage Connectors USER AUTHN MACHINE AUTHN

  30. DEX ARCHITECTURE OIDC Storage Connectors USER AUTHN MACHINE AUTHN

  31. DEX ARCHITECTURE OIDC Storage Mock Connectors USER AUTHN MACHINE AUTHN

    Local

  32. DEX ARCHITECTURE OIDC Storage Mock Connectors USER AUTHN MACHINE AUTHN

    Local

  33. Introduce yourself with a couple of jokes Tell what Dex

    is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

  34. Introduce yourself with a couple of jokes Tell what Dex

    is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

  35. TOKEN EXCHANGE GRANT

  36. TOKEN EXCHANGE GRANT RFC8936: OAuth 2.0 Token Exchange Published in

    January 2020

  37. CURRENCY EXCHANGE

  38. CURRENCY EXCHANGE

  39. CURRENCY EXCHANGE

  40. CURRENCY EXCHANGE

  41. CURRENCY EXCHANGE

  42. CURRENCY EXCHANGE

  43. CURRENCY EXCHANGE

  44. CURRENCY EXCHANGE

  45. CURRENCY EXCHANGE

  46. CURRENCY EXCHANGE

  47. CURRENCY EXCHANGE

  48. CURRENCY EXCHANGE Currency Exchange

  49. CURRENCY EXCHANGE Currency Exchange

  50. CURRENCY EXCHANGE Currency Exchange

  51. CURRENCY EXCHANGE Currency Exchange

  52. CURRENCY EXCHANGE Currency Exchange

  53. CURRENCY EXCHANGE

  54. JWT TOKEN EXCHANGE Token Exchange JWT JWT JWT

  55. TOKEN EXCHANGE IN DEX

  56. TOKEN EXCHANGE IN DEX Implemented by Sean Liao Merged in

    November 2023 Available in January 2024 (Dex v2.38.0) Works with JWT tokens Works with providers that have OIDC discovery endpoint github.com/seankhliao

  57. TOKEN EXCHANGE IN DEX Implemented by Sean Liao Merged in

    November 2023 Available in January 2024 (Dex v2.38.0) Works with JWT tokens Works with providers that have OIDC discovery endpoint github.com/seankhliao

  58. TOKEN EXCHANGE IN DEX dexidp.io/docs/token-exchange/ JWT sub: sys:s4:<ns>:<name> exp: 1768243

    sub: xxx name: sys:s4:<ns>:<name> exp: 1769961 Signed by Signed by JWT

  59. TOKEN EXCHANGE IN DEX dexidp.io/docs/token-exchange/ JWT sub: sys:s4:<ns>:<name> exp: 1768243

    sub: xxx name: sys:s4:<ns>:<name> exp: 1769961 Signed by Signed by JWT

  60. TOKEN EXCHANGE IN DEX dexidp.io/docs/token-exchange/ outh2: grantTypes: # ensure grantTypes

    includes the token-exchange grant (default) - "urn:ietf:params:oauth:grant-type:token-exchange"

  61. TOKEN EXCHANGE IN DEX dexidp.io/docs/token-exchange/ connectors: - name: Exchange Provider

    type: oidc id: exchange config: issuer: https://oidc.example.com scopes: - profile - groups - federated:id userNameKey: sub claimMappings: groups: roles

  62. TOKEN EXCHANGE IN DEX Easy to understand Easy to configure

    Easy to start A field for experiments!

  63. Introduce yourself with a couple of jokes Tell what Dex

    is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

  64. Introduce yourself with a couple of jokes Tell what Dex

    is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

  65. CASE 1: CI/CD INTEGRATION

  66. CI/CD INTEGRATION The goal: to deploy to a Kubernetes cluster

    Common anti-patterns: Save admin kubeconfig with certificates in the CI/CD system Use ServiceAccount token with an infinite lifetime

  67. CI/CD INTEGRATION The goal: to deploy to a Kubernetes cluster

    Common anti-patterns: Save admin kubeconfig with certificates in the CI/CD system Use ServiceAccount token with an infinite lifetime

  68. CI/CD INTEGRATION Actors: • GitLab CI/CD • Dex • Kubernetes

    DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN

  69. CI/CD INTEGRATION Kubernetes comes to Dex and discovers its JWKS

    endpoint DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN

  70. CI/CD INTEGRATION GitLab pipeline is triggered. But there is NO

    ACCESS to Kubernetes DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN

  71. CI/CD INTEGRATION Dex comes to GitLab and discovers its JWKS

    endpoint DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN

  72. CI/CD INTEGRATION GitLab EXCHANGES tokens with Dex DISCOVERY KEYS DISCOVERY

    KEYS TOKEN TOKEN

  73. CI/CD INTEGRATION DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN Finally, using

    the Dex token, GitLab can access Kubernetes

  74. CI/CD INTEGRATION DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN Finally, using

    the Dex token, GitLab can access Kubernetes

  75. It’s not only GitLab that can be used. It will

    work with other CI/CD systems (GitHub Actions, etc.) as well CI/CD INTEGRATION

  76. It’s not only GitLab that can be used. It will

    work with other CI/CD systems (GitHub Actions, etc.) as well CI/CD INTEGRATION All major cloud providers allow authenticating using the CI/CD tokens, and, thanks to Dex, so does K8s

  77. It’s not only GitLab that can be used. It will

    work with other CI/CD systems (GitHub Actions, etc.) as well CI/CD INTEGRATION All major cloud providers allow authenticating using the CI/CD tokens, and, thanks to Dex, so does K8s No more anti-patterns!

  78. CASE 2: KUBERNETES AUTHMESH

  79. KUBERNETES AUTHMESH The goal: to give access to a service

    from one cluster to another

  80. KUBERNETES AUTHMESH The goal: to give access to a service

    from one cluster to another

  81. KUBERNETES AUTHMESH The goal: to give access to a service

    from one cluster to another

  82. The goal: to give access to a service from one

    cluster to another KUBERNETES AUTHMESH Common anti-patterns: Save admin kubeconfig with the certificates in another cluster Use ServiceAccount token with an infinite lifetime

  83. KUBERNETES AUTHMESH DISCOVERY KEYS Actors: • Dex • Kubernetes-1 •

    Kubernetes-2 • Kubernetes-3 DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

  84. KUBERNETES AUTHMESH DISCOVERY KEYS One by one, Kubernetes clusters come

    to Dex and discover its JWKS endpoint (#1) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 2 3 1

  85. KUBERNETES AUTHMESH DISCOVERY KEYS One by one, Kubernetes clusters come

    to Dex and discover its JWKS endpoint (#2) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 3 1 2

  86. KUBERNETES AUTHMESH DISCOVERY KEYS One by one, Kubernetes clusters come

    to Dex and discover its JWKS endpoint (#3) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

  87. KUBERNETES AUTHMESH DISCOVERY KEYS Then, Dex discovers Kubernetes each JWKS

    endpoint, one by one again DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

  88. KUBERNETES AUTHMESH DISCOVERY KEYS Then, Dex discovers Kubernetes each JWKS

    endpoint, one by one again (#1) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 2 3 1

  89. 3 KUBERNETES AUTHMESH DISCOVERY KEYS Then, Dex discovers Kubernetes each

    JWKS endpoint, one by one again (#2) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2

  90. KUBERNETES AUTHMESH DISCOVERY KEYS Then, Dex discovers Kubernetes each JWKS

    endpoint, one by one again (#3) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

  91. KUBERNETES AUTHMESH DISCOVERY KEYS Then, Dex discovers Kubernetes each JWKS

    endpoint, one by one again (#3) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

  92. KUBERNETES AUTHMESH DISCOVERY KEYS Kubernetes-1 workloads have NO DIRECT ACCESS

    to the Kubernetes-3 API DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

  93. KUBERNETES AUTHMESH DISCOVERY KEYS However, they can EXCHANGE their Service

    Account tokens to a Dex token DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 2 3 1

  94. KUBERNETES AUTHMESH DISCOVERY KEYS Finally, the access is provided DISCOVERY

    KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

  95. KUBERNETES AUTHMESH DISCOVERY KEYS Finally, the access is provided DISCOVERY

    KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

  96. KUBERNETES AUTHMESH kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration

  97. KUBERNETES AUTHMESH kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration $ initial_token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)

  98. KUBERNETES AUTHMESH kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration $ initial_token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) $ token=$(curl $dex_url/token \

    … \ –data_urlencode grant_type=urn:ietf:params:oauth:grant-type:token-exchange \ –data_urlencode subject_token=$initial_token | jq .access_token)

  99. KUBERNETES AUTHMESH kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration $ initial_token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) $ token=$(curl $dex_url/token \

    … \ –data_urlencode grant_type=urn:ietf:params:oauth:grant-type:token-exchange \ –data_urlencode subject_token=$initial_token | jq .access_token) $ cat <<EOF { "apiVersion": "client.authentication.k8s.io/v1", "kind": "ExecCredential", "status": { "token": $token } } EOF

  100. KUBERNETES AUTHMESH kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration Save to /bin/token-exchange Use in your kubeconfigs:

    users: - name: kubernetes-exchange user: exec: command: token-exchange apiVersion: "client.authentication.k8s.io/v1" interactiveMode: Never This is an example NOT for production use

  101. CASE 3: SPIFFE TOKENS

  102. SPIFFE TOKENS The goal: to use SPIFFE tokens to have

    an access to a Kubernetes API

  103. SPIFFE TOKENS The goal: to use SPIFFE tokens to have

    an access to a Kubernetes API We already have IDs of all our services. Why cannot we reuse them to access Kubernetes?

  104. DISCOVERY DISCOVERY KEYS KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE

    TOKENS Actors: • Dex • SPIRE server • SPIRE agent • Application • Kubernetes SERVER AGENT APP SPIFFE TOKEN TOKEN

  105. DISCOVERY DISCOVERY KEYS KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE

    TOKENS SPIRE agent on a node connects to the SPIRE server SERVER AGENT APP SPIFFE TOKEN TOKEN

  106. DISCOVERY KEYS KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE TOKENS

    Dex comes to SPIRE server and discovers its JWKS endpoint SERVER AGENT APP SPIFFE TOKEN TOKEN DISCOVERY

  107. DISCOVERY KEYS KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE TOKENS

    Kubernetes comes to Dex and discovers its JWKS endpoint SERVER AGENT APP SPIFFE TOKEN TOKEN DISCOVERY

  108. DISCOVERY KEYS DISCOVERY KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE

    TOKENS Application on a node comes to the SPIRE agent and requests its SPIRE JWT token SERVER AGENT APP SPIFFE TOKEN TOKEN

  109. DISCOVERY KEYS DISCOVERY KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE

    TOKENS Using this token, Application cannot access Kubernetes API SERVER AGENT APP SPIFFE TOKEN TOKEN

  110. DISCOVERY KEYS DISCOVERY KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE

    TOKENS Application makes an EXCHANGE and gets the Dex token SERVER AGENT APP SPIFFE TOKEN TOKEN

  111. SPIFFE TOKENS DISCOVERY KEYS DISCOVERY KEYS SERVER AGENT APP REGISTRATION

    UNIX SOCKET SPIFFE TOKEN SPIFFE TOKEN TOKEN Finally, our Application can access Kubernetes API

  112. SPIFFE TOKENS SPIFFE ID can be used in RBAC as

    a username subjects: - kind: User name: spiffe://example.org/reports It makes Service Accounts in Kubernetes obsolete

  113. Introduce yourself with a couple of jokes Tell what Dex

    is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

  114. Introduce yourself with a couple of jokes Tell what Dex

    is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK We finally made it to the finals!

  115. The Token Exchange feature is a glue between different authentication

    providers WRAPPING UP

  116. WRAPPING UP Dex is lightweight and can be used to

    add this capability to any Kubernetes cluster with literally no overhead The Token Exchange feature is a glue between different authentication providers

  117. WRAPPING UP Not only Dex benefits from it, yet the

    whole ecosystem Dex is lightweight and can be used to add this capability to any Kubernetes cluster with literally no overhead The Token Exchange feature is a glue between different authentication providers

  118. WRAPPING UP If security features are convenient, it improves the

    security in the world in general Not only Dex benefits from it, yet the whole ecosystem Dex is lightweight and can be used to add this capability to any Kubernetes cluster with literally no overhead The Token Exchange feature is a glue between different authentication providers

  119. github.com/werf github.com/palark GOTTA AUTHENTICATE ‘EM ALL! THANK YOU! @nabokihms [email protected]

    OPEN SOURCE TOOLS OUR BLOGS AND SOCIAL MEDIA palark.com twitter.com/palark_com MAKSIM NABOKIKH Platform Lead dexidp.io github.com/dexidp/dex DEX SOURCES