If one has many self-deployed and private services, a unified and painless authentication experience is very important.
I have been searching for such a solution for a long time, and am finally satisfied with OpenResty and
HTTP Basic Authentication is interrupting (the popup) and annoying. Worse, there is no way to control how long the authentication lasts: the browser simply resends the credentials on every request, so there is no session to extend and no real logout.
The services deployed for my lab use the SSO interface provided by GitLab. Many other services, including statping and Seafile, use GitLab SSO as the login entry point. However, it would be absurd to deploy such a heavy service just for its authentication functionality. Further, even with an SSO server in place, connecting it to other services still takes additional steps (hand-written glue code).
Dex implements OpenID Connect and sits between two kinds of parties. The first kind consumes the authentication: these are the OIDC clients (relying parties), which in our case are the self-hosted private services. The second kind produces it: upstream identity providers, which Dex calls connectors, that authenticate the user and hand Dex the user's profile (or other claims) on success, e.g., GitLab, GitHub, Google, and SAML servers. Dex can also be used with simple Email-password pairs (static passwords) without any upstream provider.
Dex officially provides detailed docs on how to configure the Dex server.
If you are using Arch Linux like me, the AUR also has a package named dex-idp (although it is abandoned). Starting from it, it is easy to write a usable PKGBUILD.
Note that there is a typo in the provided file.
Example PKGBUILD for v2.28.1
The Lua module lua-resty-openidc makes it possible to use OpenID Connect authentication in the OpenResty web server. Following the official example, we configure the OpenID Connect Discovery URL of Dex, then the client ID and client secret registered with Dex (the redirect URI must be registered there as well).
Handling the authentication result is quite flexible. For example, we can allow only the user with a specific Email to access the service, and deny everyone else even though they authenticated successfully with Dex.
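The following is an added example of such a configuration, written for this page and not taken from the post or from the lua-resty-openidc project. It protects one private service behind Dex and enforces an Email allow-list on the verified `email` claim of the ID token. The hostnames (`dex.example.com`, `app.example.com`), the client ID `lab-app`, the secrets, the upstream address and the allowed address `alice@example.com` are all placeholders; the lua-resty-session variables assume the `set $session_*` style of configuration.

```nginx
# Added example (not the post's own config): OpenResty vhost protecting a
# private service behind Dex with lua-resty-openidc. Hostnames, the client
# id/secret and the allowed-email list are placeholders (assumptions).

# OpenResty needs a resolver and a CA bundle to fetch the Dex discovery
# document and JWKS over HTTPS.
resolver 1.1.1.1 ipv6=off;
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;

# Shared caches for the discovery document and the JWKS key set.
lua_shared_dict discovery 1m;
lua_shared_dict jwks 1m;

server {
    listen 443 ssl;
    server_name app.example.com;   # assumed hostname
    ssl_certificate     /etc/letsencrypt/live/app.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.example.com/privkey.pem;

    # Session cookie settings for lua-resty-session (used by openidc).
    # The secret must be random; never commit it to a repository.
    set $session_secret          "replace-with-32-random-bytes";   # assumption
    set $session_cookie_secure   on;
    set $session_cookie_httponly on;
    set $session_cookie_samesite Lax;

    location / {
        access_by_lua_block {
            local opts = {
                -- Dex's discovery endpoint; the issuer in the ID token must
                -- match this origin exactly or validation fails.
                discovery     = "https://dex.example.com/.well-known/openid-configuration",
                client_id     = "lab-app",              -- staticClient id in Dex (assumed)
                client_secret = "replace-with-secret",  -- staticClient secret (assumed)
                -- Must be listed under redirectURIs of that client in Dex.
                redirect_uri  = "https://app.example.com/redirect_uri",
                scope         = "openid email profile",
                ssl_verify    = "yes",
                -- Go back to Dex when the token expires instead of trusting
                -- the session cookie forever.
                renew_access_token_on_expiry = true,
                -- Keep only the ID token claims in the session cookie.
                session_contents = { id_token = true },
            }

            -- Unauthenticated browsers are redirected to Dex; once the
            -- browser returns via redirect_uri, the validated claims are
            -- returned here.
            local res, err = require("resty.openidc").authenticate(opts)
            if err then
                ngx.log(ngx.ERR, "openidc authenticate failed: ", err)
                return ngx.exit(ngx.HTTP_SERVICE_UNAVAILABLE)
            end

            -- Allow-list on the verified e-mail claim of the ID token.
            -- Authenticating with Dex is not enough; the address must match.
            local allowed = { ["alice@example.com"] = true }   -- assumed list
            local claims = res.id_token or {}
            if claims.email_verified ~= true or not allowed[claims.email] then
                ngx.log(ngx.WARN, "denied access for ", tostring(claims.email))
                return ngx.exit(ngx.HTTP_FORBIDDEN)
            end

            -- Hand the identity to the upstream. set_header overwrites any
            -- copy of the header the client sent, so it cannot be spoofed.
            ngx.req.set_header("X-Forwarded-User", claims.email)
        }
        proxy_pass http://127.0.0.1:8080;   # the private service (assumed)
    }
}
```

Two details are worth checking in a real deployment: the `redirect_uri` path is handled inside `authenticate()` itself, so it must fall under a location that runs this block, and the upstream should only trust `X-Forwarded-User` when it is reachable exclusively through this proxy.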
Part of openresty configuration
The user will be redirected several times when he/she visits a private path to complete the authentication:
- Service -> Dex
- Dex -> Auth Server (GitHub/Google)
- Auth Server -> Dex
- Dex -> Service (or 503 if the authentication failed)
If the browser session has already been authenticated, the whole process happens as a chain of redirects without any user interaction and is imperceptible, which is very elegant.