AI Swap APIs

AI SWAP - DEX API Reference

Connector

Connector is the Schema for the connectors API

| Field | Description | Scheme | Required |
|---|---|---|---|
| metadata | | metav1.ObjectMeta | false |
| spec | | ConnectorSpec | false |

ConnectorList

ConnectorList contains a list of Connector

| Field | Description | Scheme | Required |
|---|---|---|---|
| metadata | | metav1.ListMeta | false |
| items | | []Connector | true |

ConnectorSpec

ConnectorSpec defines the desired state of Connector

| Field | Description | Scheme | Required |
|---|---|---|---|
| enabled | Whether this Connector is enabled or not. This allows the admin to create the Connector configuration first and enable it later by toggling this field. | bool | true |
| type | The type of the Connector. | string | true |
| displayName | The display name for the Connector, shown in the UI of the login page. | string | true |
| ldap | | *LDAPConnectorConfig | false |
| oidc | | *OIDCConnectorConfig | false |
| github | | *GithubConnectorConfig | false |
| saml | | *SAMLConnectorConfig | false |

GithubConnectorConfig

| Field | Description | Scheme | Required |
|---|---|---|---|
| clientSecretRef | Reference to a secret that contains the client ID and client secret. The secret should contain the two keys client-id and client-secret. | corev1.LocalObjectReference | true |
| redirectURI | Dex's issuer URL + "/callback". | string | true |
| orgs | Optional organizations and teams, communicated through the "groups" scope. NOTE: this is an EXPERIMENTAL config option and will likely change. Dex queries the listed organizations for group information if the "groups" scope is provided. Group claims are formatted as "(org):(team)"; for example, if a user is part of the "engineering" team of the "coreos" org, the group claim would include "coreos:engineering". If orgs are specified in the config, the user MUST be a member of at least one of the specified orgs to authenticate with dex. If orgs is not specified and loadAllGroups is set to true, the user authenticates with ALL of the user's GitHub groups. Typical use case for this setup: provide read-only access to everyone and give full permissions if the user has the "my-organization:admins-team" group claim. See the example below the table. | []GithubConnectorConfigOrg | false |
| loadAllGroups | Flag which indicates that all user groups and teams should be loaded. | *bool | false |
| teamNameField | Optional choice between "name" (default), "slug", or "both". As an example, group claims for a member of "Site Reliability Engineers" in the Acme organization would yield ["acme:Site Reliability Engineers"] for "name", ["acme:site-reliability-engineers"] for "slug", and ["acme:Site Reliability Engineers", "acme:site-reliability-engineers"] for "both". | *string | false |
| useLoginAsID | Flag which switches from using the internal GitHub id to the user's handle (@mention) as the user id. It is possible for a user to change their own user name, but it is very rare for them to do so. | *bool | false |
| hostName | GitHub API host name. Defaults to "api.github.com". | *string | false |
| rootCASecretRef | A secret reference to the root CA that will be used for TLS validation. The secret should have type "Opaque" and contain the key "tls.crt". If not specified, the root CA of the host will be used. | *corev1.LocalObjectReference | false |

Example for orgs, from the field description above:

```yaml
orgs:
  - name: my-organization  # Include all teams as claims.
  - name: my-organization-with-teams
    # A whitelist of teams. Only include group claims for these teams.
    teams:
      - red-team
      - blue-team
```

GithubConnectorConfigOrg

| Field | Description | Scheme | Required |
|---|---|---|---|
| name | Organization name in GitHub (not slug, full name). Only users in this GitHub organization can authenticate. | string | true |
| teams | Names of teams in a GitHub organization. A user will be able to authenticate if they are members of at least one of these teams. Users in the organization can authenticate if this field is omitted from the config file. | []string | false |
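As an added illustration (not code from this page or from Dex itself) of how the orgs, teams and teamNameField settings above combine into "(org):(team)" group claims and into the decision to admit or reject a login. The OrgConfig and Team types, and the memberships passed in, are constructed stand-ins for the connector config and for the data GitHub returns about the user:

```go
package main

import "slices"

// Constructed stand-ins for the orgs entries and a user's GitHub memberships
// (illustrative code, not Dex's own implementation).
type OrgConfig struct {
	Name  string   // organization name
	Teams []string // optional allow list of team names; empty means any team
}

type Team struct{ Org, Name, Slug string }

// claimsForTeam renders "(org):(team)" for teamNameField "name" (default),
// "slug" or "both".
func claimsForTeam(t Team, teamNameField string) []string {
	switch teamNameField {
	case "slug":
		return []string{t.Org + ":" + t.Slug}
	case "both":
		return []string{t.Org + ":" + t.Name, t.Org + ":" + t.Slug}
	}
	return []string{t.Org + ":" + t.Name}
}

// GroupClaims applies the orgs rule: the user must be in a configured org
// and, where that org lists teams, in one of them; only teams that pass the
// list become claims. The second result reports whether login is permitted.
func GroupClaims(orgs []OrgConfig, userOrgs []string, userTeams []Team, teamNameField string) ([]string, bool) {
	var claims []string
	allowed := false
	for _, cfg := range orgs {
		if !slices.Contains(userOrgs, cfg.Name) {
			continue
		}
		allowed = allowed || len(cfg.Teams) == 0 // org-only entry admits every member
		for _, t := range userTeams {
			if t.Org == cfg.Name && (len(cfg.Teams) == 0 || slices.Contains(cfg.Teams, t.Name)) {
				allowed = true
				claims = append(claims, claimsForTeam(t, teamNameField)...)
			}
		}
	}
	return claims, allowed
}
```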

LDAPConnectorConfig

This config for LDAP is derived from the Config Structure

| Field | Description | Scheme | Required |
|---|---|---|---|
| host | Host and optional port of the LDAP server in the form host:port. If the port is not supplied, it will be guessed based on the insecureNoSSL and startTLS fields: 389 for insecure or StartTLS connections, 636 otherwise. | string | true |
| insecureNoSSL | Required if the LDAP host is not using TLS (port 389). Because this option inherently leaks passwords to anyone on the same network as dex, THIS OPTION MAY BE REMOVED WITHOUT WARNING IN A FUTURE RELEASE. | *bool | false |
| insecureSkipVerify | If a custom certificate isn't provided, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn't be used outside of exploratory phases. | *bool | false |
| startTLS | Connect to the insecure port, then issue a StartTLS command to negotiate a secure connection. If unsupplied, secure connections will use the LDAPS protocol. | *bool | false |
| rootCASecretRef | A secret reference to the root CA that will be used for TLS validation. The secret should have type "Opaque" and contain the key "tls.crt". If not specified, the root CA of the host will be used. | *corev1.LocalObjectReference | false |
| bindDN | The name of the application service account used to authenticate with the LDAP server. The connector uses the specified service account to search for users and groups. Not required if the LDAP server allows anonymous auth. | *string | false |
| bindSecretRef | A secret reference to the password of the application service account used to authenticate with the LDAP server. The connector uses the specified service account to search for users and groups. Not required if the LDAP server allows anonymous auth. The secret should contain the key password. | *corev1.LocalObjectReference | false |
| userSearch | User search queries for users. | *LDAPConnectorConfigUserSearch | false |
| groupSearch | Group search queries for groups given a user entry. | *LDAPConnectorConfigGroupSearch | false |

LDAPConnectorConfigGroupSearch

| Field | Description | Scheme | Required |
|---|---|---|---|
| baseDN | BaseDN to start the search from. It will translate to the query `(&(objectClass=group)(member=<user uid>))`. | string | true |
| filter | Optional filter to apply when searching the directory. For example `(objectClass=posixGroup)`. | *string | false |
| scope | Can either be sub or one. sub searches the whole subtree; one only searches one level. Defaults to sub if not specified. | *string | false |
| userAttr | The following two fields are used to match a user to a group. They add an additional requirement to the filter that an attribute in the group match the user's attribute value, for example that the "members" attribute of a group matches the "uid" of the user. The exact filter being added is `(<groupAttr>=<userAttr value>)`. | *string | false |
| groupAttr | See userAttr. | *string | false |
| nameAttr | The attribute of the group that represents its name. | *string | false |

LDAPConnectorConfigUserSearch

| Field | Description | Scheme | Required |
|---|---|---|---|
| baseDN | BaseDN to start the search from. It will translate to the query `(&(objectClass=person)(uid=<username>))`. For example `cn=users,dc=example,dc=com`. | string | true |
| username | Username attribute used for comparing user entries. This will be translated and combined with the other filter as `(<attr>=<username>)`. | string | true |
| filter | Optional filter to apply when searching the directory. For example `(objectClass=person)`. | *string | false |
| scope | Can either be sub or one. sub searches the whole subtree; one only searches one level. Defaults to sub if not specified. | *string | false |
| idAttr | A mapping of attributes on the user entry to the name claim. Defaults to "uid" if not specified. | *string | false |
| emailAttr | A mapping of attributes on the user entry to the email claim. Defaults to "mail" if not specified. | *string | false |
| nameAttr | Maps to the display name of users. | *string | false |
| emailSuffix | If this is set, the email claim of the id token will be constructed from the idAttr and the value of emailSuffix. This should not include the @ character. | *string | false |
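An added example, not Dex's own code, showing how the userSearch fields above and the groupSearch fields in the previous table are assembled into the LDAP search filters their descriptions quote. UserSearch and GroupSearch are constructed subsets of the config; RFC 4515 escaping of the login name and of the user-entry value is included because both come from outside the configuration:

```go
package main

import "fmt"
import "strings"

// Constructed subsets of the userSearch and groupSearch settings described
// above (illustrative code, not Dex's own implementation).
type UserSearch struct{ BaseDN, Filter, Username string }
type GroupSearch struct{ BaseDN, Filter, UserAttr, GroupAttr string }

// escapeFilter applies RFC 4515 escaping so that values taken from the login
// form or from directory entries cannot alter the filter's structure.
func escapeFilter(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		switch c := v[i]; c {
		case '\\', '*', '(', ')', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// andFilter AND-s the optional configured filter with the match clause.
func andFilter(filter, match string) string {
	if filter == "" {
		return match
	}
	return "(&" + filter + match + ")"
}

// UserFilter is the search run under userSearch.baseDN:
// filter AND "(<username attr>=<login name>)".
func UserFilter(s UserSearch, login string) string {
	return andFilter(s.Filter, fmt.Sprintf("(%s=%s)", s.Username, escapeFilter(login)))
}

// GroupFilter is the search run under groupSearch.baseDN:
// filter AND "(<groupAttr>=<userAttr value>)", the value read from the user entry.
func GroupFilter(s GroupSearch, userAttrValue string) string {
	return andFilter(s.Filter, fmt.Sprintf("(%s=%s)", s.GroupAttr, escapeFilter(userAttrValue)))
}

func main() {
	us := UserSearch{BaseDN: "cn=users,dc=example,dc=com", Filter: "(objectClass=person)", Username: "uid"}
	fmt.Println(UserFilter(us, "jdoe")) // (&(objectClass=person)(uid=jdoe))
}
```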

OIDCConnectorConfig

| Field | Description | Scheme | Required |
|---|---|---|---|
| issuer | Canonical URL of the provider, also used for configuration discovery. This value MUST match the value returned in the provider config discovery. | string | true |
| clientSecretRef | Reference to a secret that contains the client ID and client secret. The secret should contain the two keys client-id and client-secret. | corev1.LocalObjectReference | true |
| redirectURI | Dex's issuer URL + "/callback". | string | true |
| basicAuthUnsupported | Some providers require passing the client secret via POST parameters instead of basic auth, despite the OAuth2 RFC discouraging it. Many of these cases are caught internally, but some may need this field to be set. | *bool | false |
| scopes | List of additional scopes to request in the token response. Defaults to "profile" and "email". | []string | false |
| hostedDomains | Google supports whitelisting allowed domains when using G Suite (Google Apps). This field can be set to a list of domains that can log in. | []string | false |
| insecureSkipEmailVerified | Some providers return claims without "email_verified" when they did not use email verification in the enrollment process or when they act as a proxy for another IDP (e.g., AWS Cognito with an upstream SAML IDP). This can be overridden with this option. | *bool | false |
| insecureEnableGroups | Groups claims (like the rest of the OIDC claims through dex) only refresh when the id token is refreshed, meaning the regular refresh flow doesn't update the groups claim. As such, by default the OIDC connector doesn't allow groups claims. If you are okay with having potentially stale group claims, you can use this option to enable groups claims through the OIDC connector on a per-connector basis. | *bool | false |
| getUserInfo | When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims. UserInfo claims take priority over claims returned by the IDToken. This option should be used when the IDToken doesn't contain all the claims requested. | *bool | false |
| userIDKey | Configurable key which contains the user id claim. Defaults to sub if not specified. | *string | false |
| userNameKey | Configurable key which contains the user name claim. Defaults to name if not specified. | *string | false |

SAMLConnectorConfig

| Field | Description | Scheme | Required |
|---|---|---|---|
| ssoURL | SSO URL used for POST value. | string | true |
| redirectURI | Dex's callback URI (i.e., Dex's issuer URL + "callback"). If the response assertion status value contains a Destination element, it must match this value exactly. This is also used as the expected audience for AudienceRestriction elements if entityIssuer isn't specified. | string | true |
| usernameAttr | Name of attributes in the returned assertions to map to the ID token username claim. | string | true |
| emailAttr | Name of attributes in the returned assertions to map to the ID token email claim. | string | true |
| groupsAttr | Name of attributes in the returned assertions to map to ID token group claims. | *string | false |
| caSecretRef | A secret reference to the CA to use when validating the signature of the SAML response. The secret should have type "Opaque" and contain the key "tls.crt". This field must be specified if insecureSkipSignatureValidation is not set. | *corev1.LocalObjectReference | false |
| insecureSkipSignatureValidation | Set this field to skip signature validation. This should only be used during testing and may be removed in the future. | *bool | false |
| entityIssuer | Manually specify dex's Issuer value. When provided, dex will include this as the Issuer value during AuthnRequest. It will also override the redirectURI as the required audience when evaluating AudienceRestriction elements in the response. | *string | false |
| ssoIssuer | Issuer value expected in the SAML response. | *string | false |
| groupsDelim | Delimiter for splitting groups returned as a single string. By default, multiple groups are assumed to be represented as multiple attributes with the same name. If "groupsDelim" is provided, groups are assumed to be represented as a single attribute and the delimiter is used to split the attribute's value into multiple groups. | *string | false |
| nameIDPolicyFormat | Requested format of the NameID. The NameID value is mapped to the user ID of the user. This can be an abbreviated form of the full URI with just the last component. For example, if this value is set to "emailAddress" the format will resolve to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. If no value is specified, this value defaults to urn:oasis:names:tc:SAML:2.0:nameid-format:persistent. | *string | false |

Client

Client is the Schema for the clients API

| Field | Description | Scheme | Required |
|---|---|---|---|
| metadata | | metav1.ObjectMeta | false |
| spec | | ClientSpec | false |

ClientList

ClientList contains a list of Client

| Field | Description | Scheme | Required |
|---|---|---|---|
| metadata | | metav1.ListMeta | false |
| items | | []Client | true |

ClientSpec

ClientSpec defines the desired state of Client OAuth2

| Field | Description | Scheme | Required |
|---|---|---|---|
| displayName | The display name for the Client. | string | true |
| clientSecretRef | Reference to a secret that contains the client secret. The secret should contain the key client-secret. | corev1.LocalObjectReference | true |
| redirectURIs | A registered set of redirect URIs. When redirecting from dex to the client, the URI requested to redirect to MUST match one of these values, unless the client is "public". | []string | true |
| trustedPeers | TrustedPeers are a list of peers which can issue tokens on this client's behalf using the dynamic "oauth2:server:client_id:(client_id)" scope. If a peer makes such a request, this client's ID will appear as the ID Token's audience. Clients inherently trust themselves. | []string | true |
| public | Public clients must use either a redirectURL of 127.0.0.1:X or "urn:ietf:wg:oauth:2.0:oob". | *bool | false |
| logoURL | LogoURL used when displaying this client to the end user. | *string | false |

Thank you,

Accendile Technologies
