Exchanging third-party tokens in Dex

Transcript

1. Exchanging third-party tokens in Dex MAKSIM NABOKIKH Platform Lead and

   how it helps you to build a secure cloud native environment

2. Introduce yourself with a couple of jokes Tell what Dex

   is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

3. Introduce yourself with a couple of jokes Tell what Dex

   is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

4. Originally developed by CoreOS in 2015 (9 y.o.) FACTS CNCF

   Sandbox project since Jun 26, 2020 Community driven project since 2018 after CoreOS acquisition ~9K ~1.6K >25

5. THE MAIN IDEA OF DEX

6. THE MAIN IDEA OF DEX Dex acts as a portal

   to other identity providers through "connectors"; This lets Dex defer authentication to LDAP servers, SAML providers, or established identity providers like GitHub, Google, and Active Directory; Clients write their authentication logic once to talk to Dex, then Dex handles the protocols for a given backend.

7. THE MAIN IDEA

8. THE MAIN IDEA

9. THE MAIN IDEA

10. THE MAIN IDEA

11. WHY DO ENGINEERS LOVE DEX?

12. WHY DO ENGINEERS LOVE DEX? Ultra light: single binary in

    Go (~35 Mb) Simple: code that you can understand spending a couple of hours Kubernetes-native: integrates well with Kubernetes Community’s building block: used by projects like Argo CD or Sigstore True Open Source: community-driven project not owned by a company

13. WHY DO ENGINEERS LOVE DEX? Ultra light: single binary in

    Go (~35 Mb) Simple: code that you can understand spending a couple of hours Kubernetes-native: integrates well with Kubernetes Community’s building block: used by projects like Argo CD or Sigstore True Open Source: community-driven project not owned by a company

14. WHY DO ENGINEERS LOVE DEX? Ultra light: single binary in

    Go (~35 Mb) Simple: code that you can understand spending a couple of hours Kubernetes-native: integrates well with Kubernetes Community’s building block: used by projects like Argo CD or Sigstore True Open Source: community-driven project not owned by a company

15. WHY DO ENGINEERS LOVE DEX? Ultra light: single binary in

    Go (~35 Mb) Simple: code that you can understand spending a couple of hours Kubernetes-native: integrates well with Kubernetes Community’s building block: used by projects like Argo CD or Sigstore True Open Source: community-driven project not owned by a company

16. WHY DO ENGINEERS LOVE DEX? Ultra light: single binary in

    Go (~35 Mb) Simple: code that you can understand spending a couple of hours Kubernetes-native: integrates well with Kubernetes Community’s building block: used by projects like Argo CD or Sigstore True Open Source: community-driven project not owned by a company

17. WHY DO ENGINEERS LOVE DEX? Ultra light: single binary in

    Go (~35 Mb) Simple: code that you can understand spending a couple of hours Kubernetes-native: integrates well with Kubernetes Community’s building block: used by projects like Argo CD or Sigstore True Open Source: community-driven project not owned by a company

18. DEX ARCHITECTURE

19. DEX ARCHITECTURE

20. DEX ARCHITECTURE OIDC

21. DEX ARCHITECTURE OIDC USER AUTHN

22. DEX ARCHITECTURE OIDC USER AUTHN MACHINE AUTHN

23. DEX ARCHITECTURE OIDC Storage USER AUTHN MACHINE AUTHN

24. DEX ARCHITECTURE OIDC Storage USER AUTHN MACHINE AUTHN

25. DEX ARCHITECTURE OIDC Storage USER AUTHN MACHINE AUTHN

26. DEX ARCHITECTURE OIDC Storage USER AUTHN MACHINE AUTHN

27. DEX ARCHITECTURE OIDC Storage USER AUTHN MACHINE AUTHN

28. DEX ARCHITECTURE OIDC Storage Connectors USER AUTHN MACHINE AUTHN

29. DEX ARCHITECTURE OIDC Storage Connectors USER AUTHN MACHINE AUTHN

30. DEX ARCHITECTURE OIDC Storage Connectors USER AUTHN MACHINE AUTHN

31. DEX ARCHITECTURE OIDC Storage Mock Connectors USER AUTHN MACHINE AUTHN

    Local

32. DEX ARCHITECTURE OIDC Storage Mock Connectors USER AUTHN MACHINE AUTHN

    Local

33. Introduce yourself with a couple of jokes Tell what Dex

    is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

34. Introduce yourself with a couple of jokes Tell what Dex

    is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

35. TOKEN EXCHANGE GRANT

36. TOKEN EXCHANGE GRANT RFC8936: OAuth 2.0 Token Exchange Published in

    January 2020

37. CURRENCY EXCHANGE

38. CURRENCY EXCHANGE

39. CURRENCY EXCHANGE

40. CURRENCY EXCHANGE

41. CURRENCY EXCHANGE

42. CURRENCY EXCHANGE

43. CURRENCY EXCHANGE

44. CURRENCY EXCHANGE

45. CURRENCY EXCHANGE

46. CURRENCY EXCHANGE

47. CURRENCY EXCHANGE

48. CURRENCY EXCHANGE Currency Exchange

49. CURRENCY EXCHANGE Currency Exchange

50. CURRENCY EXCHANGE Currency Exchange

51. CURRENCY EXCHANGE Currency Exchange

52. CURRENCY EXCHANGE Currency Exchange

53. CURRENCY EXCHANGE

54. JWT TOKEN EXCHANGE Token Exchange JWT JWT JWT

55. TOKEN EXCHANGE IN DEX

56. TOKEN EXCHANGE IN DEX Implemented by Sean Liao Merged in

    November 2023 Available in January 2024 (Dex v2.38.0) Works with JWT tokens Works with providers that have OIDC discovery endpoint github.com/seankhliao

57. TOKEN EXCHANGE IN DEX Implemented by Sean Liao Merged in

    November 2023 Available in January 2024 (Dex v2.38.0) Works with JWT tokens Works with providers that have OIDC discovery endpoint github.com/seankhliao

58. TOKEN EXCHANGE IN DEX dexidp.io/docs/token-exchange/ JWT sub: sys:s4:<ns>:<name> exp: 1768243

    sub: xxx name: sys:s4:<ns>:<name> exp: 1769961 Signed by Signed by JWT

59. TOKEN EXCHANGE IN DEX dexidp.io/docs/token-exchange/ JWT sub: sys:s4:<ns>:<name> exp: 1768243

    sub: xxx name: sys:s4:<ns>:<name> exp: 1769961 Signed by Signed by JWT

60. TOKEN EXCHANGE IN DEX dexidp.io/docs/token-exchange/ outh2: grantTypes: # ensure grantTypes

    includes the token-exchange grant (default) - "urn:ietf:params:oauth:grant-type:token-exchange"

61. TOKEN EXCHANGE IN DEX dexidp.io/docs/token-exchange/ connectors: - name: Exchange Provider

    type: oidc id: exchange config: issuer: https://oidc.example.com scopes: - profile - groups - federated:id userNameKey: sub claimMappings: groups: roles

62. TOKEN EXCHANGE IN DEX Easy to understand Easy to configure

    Easy to start A field for experiments!

63. Introduce yourself with a couple of jokes Tell what Dex

    is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

64. Introduce yourself with a couple of jokes Tell what Dex

    is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

65. CASE 1: CI/CD INTEGRATION

66. CI/CD INTEGRATION The goal: to deploy to a Kubernetes cluster

    Common anti-patterns: Save admin kubeconfig with certificates in the CI/CD system Use ServiceAccount token with an infinite lifetime

67. CI/CD INTEGRATION The goal: to deploy to a Kubernetes cluster

    Common anti-patterns: Save admin kubeconfig with certificates in the CI/CD system Use ServiceAccount token with an infinite lifetime

68. CI/CD INTEGRATION Actors: • GitLab CI/CD • Dex • Kubernetes

    DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN

69. CI/CD INTEGRATION Kubernetes comes to Dex and discovers its JWKS

    endpoint DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN

70. CI/CD INTEGRATION GitLab pipeline is triggered. But there is NO

    ACCESS to Kubernetes DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN

71. CI/CD INTEGRATION Dex comes to GitLab and discovers its JWKS

    endpoint DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN

72. CI/CD INTEGRATION GitLab EXCHANGES tokens with Dex DISCOVERY KEYS DISCOVERY

    KEYS TOKEN TOKEN

73. CI/CD INTEGRATION DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN Finally, using

    the Dex token, GitLab can access Kubernetes

74. CI/CD INTEGRATION DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN Finally, using

    the Dex token, GitLab can access Kubernetes

75. It’s not only GitLab that can be used. It will

    work with other CI/CD systems (GitHub Actions, etc.) as well CI/CD INTEGRATION

76. It’s not only GitLab that can be used. It will

    work with other CI/CD systems (GitHub Actions, etc.) as well CI/CD INTEGRATION All major cloud providers allow authenticating using the CI/CD tokens, and, thanks to Dex, so does K8s

77. It’s not only GitLab that can be used. It will

    work with other CI/CD systems (GitHub Actions, etc.) as well CI/CD INTEGRATION All major cloud providers allow authenticating using the CI/CD tokens, and, thanks to Dex, so does K8s No more anti-patterns!

78. CASE 2: KUBERNETES AUTHMESH

79. KUBERNETES AUTHMESH The goal: to give access to a service

    from one cluster to another

80. KUBERNETES AUTHMESH The goal: to give access to a service

    from one cluster to another

81. KUBERNETES AUTHMESH The goal: to give access to a service

    from one cluster to another

82. The goal: to give access to a service from one

    cluster to another KUBERNETES AUTHMESH Common anti-patterns: Save admin kubeconfig with the certificates in another cluster Use ServiceAccount token with an infinite lifetime

83. KUBERNETES AUTHMESH DISCOVERY KEYS Actors: • Dex • Kubernetes-1 •

    Kubernetes-2 • Kubernetes-3 DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

84. KUBERNETES AUTHMESH DISCOVERY KEYS One by one, Kubernetes clusters come

    to Dex and discover its JWKS endpoint (#1) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 2 3 1

85. KUBERNETES AUTHMESH DISCOVERY KEYS One by one, Kubernetes clusters come

    to Dex and discover its JWKS endpoint (#2) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 3 1 2

86. KUBERNETES AUTHMESH DISCOVERY KEYS One by one, Kubernetes clusters come

    to Dex and discover its JWKS endpoint (#3) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

87. KUBERNETES AUTHMESH DISCOVERY KEYS Then, Dex discovers Kubernetes each JWKS

    endpoint, one by one again DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

88. KUBERNETES AUTHMESH DISCOVERY KEYS Then, Dex discovers Kubernetes each JWKS

    endpoint, one by one again (#1) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 2 3 1

89. 3 KUBERNETES AUTHMESH DISCOVERY KEYS Then, Dex discovers Kubernetes each

    JWKS endpoint, one by one again (#2) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2

90. KUBERNETES AUTHMESH DISCOVERY KEYS Then, Dex discovers Kubernetes each JWKS

    endpoint, one by one again (#3) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

91. KUBERNETES AUTHMESH DISCOVERY KEYS Then, Dex discovers Kubernetes each JWKS

    endpoint, one by one again (#3) DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

92. KUBERNETES AUTHMESH DISCOVERY KEYS Kubernetes-1 workloads have NO DIRECT ACCESS

    to the Kubernetes-3 API DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

93. KUBERNETES AUTHMESH DISCOVERY KEYS However, they can EXCHANGE their Service

    Account tokens to a Dex token DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 2 3 1

94. KUBERNETES AUTHMESH DISCOVERY KEYS Finally, the access is provided DISCOVERY

    KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

95. KUBERNETES AUTHMESH DISCOVERY KEYS Finally, the access is provided DISCOVERY

    KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS DISCOVERY KEYS TOKEN TOKEN 1 2 3

96. KUBERNETES AUTHMESH kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration

97. KUBERNETES AUTHMESH kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration $ initial_token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token)

98. KUBERNETES AUTHMESH kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration $ initial_token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) $ token=$(curl $dex_url/token \

    … \ –data_urlencode grant_type=urn:ietf:params:oauth:grant-type:token-exchange \ –data_urlencode subject_token=$initial_token | jq .access_token)

99. KUBERNETES AUTHMESH kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration $ initial_token=$(cat /var/run/secrets/kubernetes.io/serviceaccount/token) $ token=$(curl $dex_url/token \

    … \ –data_urlencode grant_type=urn:ietf:params:oauth:grant-type:token-exchange \ –data_urlencode subject_token=$initial_token | jq .access_token) $ cat <<EOF { "apiVersion": "client.authentication.k8s.io/v1", "kind": "ExecCredential", "status": { "token": $token } } EOF

100. KUBERNETES AUTHMESH kubernetes.io/docs/reference/access-authn-authz/authentication/#configuration Save to /bin/token-exchange Use in your kubeconfigs:

     users: - name: kubernetes-exchange user: exec: command: token-exchange apiVersion: "client.authentication.k8s.io/v1" interactiveMode: Never This is an example NOT for production use

101. CASE 3: SPIFFE TOKENS

102. SPIFFE TOKENS The goal: to use SPIFFE tokens to have

     an access to a Kubernetes API

103. SPIFFE TOKENS The goal: to use SPIFFE tokens to have

     an access to a Kubernetes API We already have IDs of all our services. Why cannot we reuse them to access Kubernetes?

104. DISCOVERY DISCOVERY KEYS KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE

     TOKENS Actors: • Dex • SPIRE server • SPIRE agent • Application • Kubernetes SERVER AGENT APP SPIFFE TOKEN TOKEN

105. DISCOVERY DISCOVERY KEYS KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE

     TOKENS SPIRE agent on a node connects to the SPIRE server SERVER AGENT APP SPIFFE TOKEN TOKEN

106. DISCOVERY KEYS KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE TOKENS

     Dex comes to SPIRE server and discovers its JWKS endpoint SERVER AGENT APP SPIFFE TOKEN TOKEN DISCOVERY

107. DISCOVERY KEYS KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE TOKENS

     Kubernetes comes to Dex and discovers its JWKS endpoint SERVER AGENT APP SPIFFE TOKEN TOKEN DISCOVERY

108. DISCOVERY KEYS DISCOVERY KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE

     TOKENS Application on a node comes to the SPIRE agent and requests its SPIRE JWT token SERVER AGENT APP SPIFFE TOKEN TOKEN

109. DISCOVERY KEYS DISCOVERY KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE

     TOKENS Using this token, Application cannot access Kubernetes API SERVER AGENT APP SPIFFE TOKEN TOKEN

110. DISCOVERY KEYS DISCOVERY KEYS REGISTRATION UNIX SOCKET SPIFFE TOKEN SPIFFE

     TOKENS Application makes an EXCHANGE and gets the Dex token SERVER AGENT APP SPIFFE TOKEN TOKEN

111. SPIFFE TOKENS DISCOVERY KEYS DISCOVERY KEYS SERVER AGENT APP REGISTRATION

     UNIX SOCKET SPIFFE TOKEN SPIFFE TOKEN TOKEN Finally, our Application can access Kubernetes API

112. SPIFFE TOKENS SPIFFE ID can be used in RBAC as

     a username subjects: - kind: User name: spiffe://example.org/reports It makes Service Accounts in Kubernetes obsolete

113. Introduce yourself with a couple of jokes Tell what Dex

     is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK

114. Introduce yourself with a couple of jokes Tell what Dex

     is about Explain what Token Exchange is Show how applicable to the existing cloud-native infrastructure it is TODO LIST FOR THE TALK We finally made it to the finals!

115. The Token Exchange feature is a glue between different authentication

     providers WRAPPING UP

116. WRAPPING UP Dex is lightweight and can be used to

     add this capability to any Kubernetes cluster with literally no overhead The Token Exchange feature is a glue between different authentication providers

117. WRAPPING UP Not only Dex benefits from it, yet the

     whole ecosystem Dex is lightweight and can be used to add this capability to any Kubernetes cluster with literally no overhead The Token Exchange feature is a glue between different authentication providers

118. WRAPPING UP If security features are convenient, it improves the

     security in the world in general Not only Dex benefits from it, yet the whole ecosystem Dex is lightweight and can be used to add this capability to any Kubernetes cluster with literally no overhead The Token Exchange feature is a glue between different authentication providers

119. github.com/werf github.com/palark GOTTA AUTHENTICATE ‘EM ALL! THANK YOU! @nabokihms [email protected]

     OPEN SOURCE TOOLS OUR BLOGS AND SOCIAL MEDIA palark.com twitter.com/palark_com MAKSIM NABOKIKH Platform Lead dexidp.io github.com/dexidp/dex DEX SOURCES