Field
|
Description
|
Scheme
|
Required
| | --------------------------- | -------------------------- | --------------------- | ---------------------------- | |
metadata
| | metav1.ObjectMeta |
false
| |
spec
| | ConnectorSpec |
false
| ## ConnectorList ConnectorList contains a list of Connector |
Field
|
Description
|
Scheme
|
Required
| | --------------------------------------- | -------------------------- | --------------------- | ------------------------------------ | |
metadata
| | metav1.ListMeta |
false
| |
items
| | \[]Connector |
true
|
Field
|
Description
|
Scheme
|
Required
| | -------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | ----------------------------------- | |
enabled
|
Whether this Connector is enabled or not. This allows the admin to create the Connector configuration first, and later enable it by toggling this field.
|
bool
|
true
| |
type
|
The type of the Connector.
|
string
|
true
| |
displayName
|
The display name for the Connector. The display name will be shown in the UI of the login page.
|
string
|
true
| |
ldap
| | \*LDAPConnectorConfig | \*LDAPConnectorConfig | |
oidc
| | false | false | |
github
| | \*OIDCConnectorConfig | \*OIDCConnectorConfig | |
saml
| | false | false |
Field
|
Description
|
Scheme
|
Required
| | ----------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------ | |
clientSecretRef
| Reference to secret that contains the client ID and client secret. The secret should contain two keys client- id and client-secret like the following: |
corev1.LocalObjectReference
|
true
| |
redirectURI
|
Dex’s issuer URL + “/callback”
|
string
|
true
| |
orgs
|
Optional organizations and teams, communicated through the “groups” scope.\n\nNOTE: This is an EXPERIMENTAL config option and will likely change.\n\nDex queries the following organizations for group information if the “groups” scope is provided. Group claims are formatted as “(org):(team)”. For example if a user is part of the “engineering” team of the “coreos” org, the group claim would include “coreos:engineering”.\n\nIf orgs are specified in the config then user MUST be a member of at least one of the specified orgs to authenticate with dex.\n\nIf ‘orgs’ is not specified in the config and ‘loadAllGroups’ setting set to true then user authenticate with ALL user’s Github groups. Typical use case for this setup: provide read-only access to everyone and give full permissions if user has ‘my-organization:admins-team’ group claim.\n\nExamples:\n orgs:\n - name: my- organization # Include all teams as claims. - name:
my-organization-with-teams\n # A white list of teams. Only include group claims for these teams.\n teams:\n - red-team - blue-team
|
|
false
|
Field
|
Description
|
Scheme
|
Required
| | -------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------- | ------------------------------------------------------------ | |
loadAllGroups
|
Flag which indicates that all user groups and teams should be loaded.
|
\*bool
|
false
| |
teamNameField
|
Optional choice between ‘name’ (default), ‘slug’, or ‘both’.\n\nAs an example, group claims for member of ‘Site Reliability Engineers’ in Acme organization would yield:\n - \[‘acme:Site Reliability Engineers’] for ‘name’\n - \[‘acme:site-reliability-engineers’] for ‘slug’\n - \[‘acme:Site Reliability Engineers’,\n ‘acme:site-reliability-engineers’] for ‘both’
|
\*string
|
false
| |
useLoginAsID
|
Flag which will switch from using the internal GitHub id to the users handle (@mention) as the user id. It is possible for a user to change their own user name but it is very rare for them to do so.
|
\*bool
|
false
| |
hostName
|
Github API host name. Default to “api.github.com”.
|
\*string
|
false
| |
rootCASecretRef
|
A secret reference to the root CA that will be used for TLS validation. The secret should have type “Opaque” and contain the key “tls.crt”. If not specified, the root CA of the host will be used.
|
\*corev1.LocalObjectReference
|
false
| GithubConnectorConfigOrg |
Field
|
Description
|
Scheme
|
Required
| | ---------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------- | ---------------------------- | |
name
|
Organization name in github (not slug, full name). Only users in this github organization can authenticate.
|
string
|
true
| |
teams
|
Names of teams in a github organization. A user will be able to authenticate if they are members of at least one of these teams. Users in the organization can authenticate if this field is omitted from the config file.
|
\[]string
|
false
|
Field
|
Description
|
Scheme
|
Required
| | ------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- | ---------------------------------------------------- | |
host
|
Host and optional port of the LDAP server in the form host:port. If the port is not supplied, it will be guessed based
on insecureNoSSL,
and startTLS fields. 389 for insecure or StartTLS connections, 636 otherwise.
|
string
|
true
| |
insecureNoSSL
|
Following field is required if the LDAP host is not using TLS (port 389). Because this option inherently leaks passwords to anyone on the same network as dex, THIS OPTION MAY BE REMOVED WITHOUT WARNING IN A FUTURE RELEASE.
|
\*bool
|
false
| |
insecureSkipVerify
|
If a custom certificate isn’t provide, this option can be used to turn off TLS certificate checks. As noted, it is insecure and shouldn’t be used outside of explorative phases.
|
\*bool
|
false
| |
startTLS
|
Connect to the insecure port then issue a StartTLS command to negotiate a secure connection. If unsupplied secure connections will use the LDAPS protocol.
|
\*bool
|
false
| |
rootCASecretRef
|
A secret reference to the root CA that will be used for TLS validation. The secret should have type “Opaque” and contain the key “tls.crt”. If not specified, the root CA of the host will be used.
|
\*corev1.LocalObjectReference
|
false
|
Field
|
Description
|
Scheme
|
Required
| | ---------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- | |
bindDN
|
The name of the application service account to authenticate with the LDAP server. The connector uses the specified service account search for users and groups. Not required if the LDAP server provides access for anonymous auth.
|
\*string
|
false
| |
bindSecretRef
|
A secret reference to the password of the application service account to authenticate with the LDAP server. The connector uses the specified service account search for users and groups. Not required if the LDAP server provides access for
anonymous auth. The secret should contain the key password like the following:
|
\*corev1.LocalObjectReference
|
false
| |
userSearch
|
User search queries for users.
| \*LDAPConnectorConfigUserSearch |
false
| |
groupSearch
|
Group search queries for groups given a user entry.
| |
false
| ## LDAPConnectorConfigGroupSearch |
Field
|
Description
|
Scheme
|
Required
| | ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | ---------------------------- | |
baseDN
|
BaseDN to start the search from. It will translate to the query
“(&(objectClass=group)(member=))”.
|
string
|
true
| |
filter
|
Optional filter to apply when searching the directory. For example
“(objectClass=posixGroup)”
|
\*string
|
false
| |
scope
| Can either be sub or one. sub searches the whole sub tree. one only searches one level. Default to sub if not specified. |
\*string
|
false
|
Field
|
Description
|
Scheme
|
Required
| | --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- | ------------------------------------ | |
userAttr
|
Following two fields are used to match a user to a group. It adds an additional requirement to the filter that an attribute in the group match the user’s attribute value. For example that the “members” attribute of a group matches the “uid” of the user. The exact filter being added is: (=)
|
\*string
|
false
| |
groupAttr
| |
\*string
|
false
| |
nameAttr
|
The attribute of the group that represents its name.
|
\*string
|
false
| LDAPConnectorConfigUserSearch |
Field
|
Description
|
Scheme
|
Required
| | -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | ---------------------------- | |
baseDN
|
BaseDN to start the search from. It will translate to the query
“(&(objectClass=person)(uid=))”. For example “cn=users,dc=example,dc=com”
|
string
|
true
| |
username
|
Username attribute used for comparing user entries. This will be translated and
combined with the other filter as “(=)”.
|
string
|
true
| |
filter
|
Optional filter to apply when searching the directory. For example
“(objectClass=person)”
|
\*string
|
false
| |
scope
| Can either be sub or one. sub searches the whole sub tree. one only searches one level. Default to sub if not specified. |
\*string
|
false
| |
idAttr
|
A mapping of attributes on the user entry to the name claim. Default to “uid” if not
specified.
|
\*string
|
false
| |
emailAttr
|
A mapping of attributes on the user entry to the email claim. Default to “mail” if not
specified.
|
\*string
|
false
|
Field
|
Description
|
Scheme
|
Required
| | ---------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------- | ---------------------------- | |
nameAttr
|
Maps to display name of users.
|
\*string
|
false
| |
emailSuffix
|
If this is set, the email claim of the id token will be constructed from the idAttr and value of emailSuffix. This should not include the @ character.
|
\*string
|
false
| ## OIDCConnectorConfig |
Field
|
Description
|
Scheme
|
Required
| | ----------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------- | -------------------------------------------- | |
issuer
|
Canonical URL of the provider, also used for configuration discovery. This value MUST match the value returned in the provider config discovery.
|
string
|
true
| |
clientSecretRef
|Reference to secret that contains the client ID and client secret. The secret should contain two
keys client-id and client- secret like the following:
|
corev1.LocalObjectReference
|
true
| |
redirectURI
|
Dex’s issuer URL + “/callback”
|
string
|
true
| |
basicAuthUnsupported
|
Some providers require passing client secret via POST parameters instead of basic auth, despite the OAuth2 RFC discouraging it. Many of these cases are caught internally, but some may need to uncommented the following field.
|
\*bool
|
false
| |
scopes
|
List of additional scopes to request in token
response. Defaults to “profile” and “email”
|
\[]string
|
false
|
Field
|
Description
|
Scheme
|
Required
| | --------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------ | |
hostedDomains
|
Google supports whitelisting allowed domains when using G Suite (Google Apps). The following field can be set to a list of domains that can log in:
|
\[]string
|
false
| |
insecureSkipEmailVerified
|
Some providers return claims without “email\_verified”, when they had no usage of emails verification in enrollment process or if they are acting as a proxy for another IDP (e.g., AWS Cognito with an upstream SAML IDP). This can be overridden with the below option.
|
\*bool
|
false
| |
insecureEnableGroups
|
Groups claims (like the rest of oidc claims through dex) only refresh when the id token is refreshed meaning the regular refresh flow doesn’t update the groups claim. As such by default the oidc connector doesn’t allow groups claims. If you are okay with having potentially stale group claims you can use this option to enable groups claims through the oidc connector on a per-connector basis. This can be overridden with the below option
|
\*bool
|
false
| |
getUserInfo
|
When enabled, the OpenID Connector will query the UserInfo endpoint for additional claims.
UserInfo claims take priority over claims returned by the IDToken. This option should be used when the IDToken doesn’t contain all the claims requested.
|
\*bool
|
false
| |
userIDKey
|
Configurable key which contains the user id claim. Default to sub if not specified. Claims
|
\*string
|
false
|
Field
|
Description
|
Scheme
|
Required
| | ---------------------------------- | -------------------------------------------------------------------------------------- | ------------------------------- | ---------------------------- | |
userNameKey
| Configurable key which contains the user name claim. Default to name if not specified. |
\*string
|
false
| SAMLConnectorConfig |
Field
|
Description
|
Scheme
|
Require d
| | -------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------- | -------------------------------------------- | |
ssoURL
|
SSO URL used for POST value.
|
string
|
true
| |
redirectURI
|
Dex’s callback URI (i.e., Dex’s issuer URL + “callback”). If the response
assertion status value contains a Destination element, it must match this
value exactly. This is also used as the expected audience for AudienceRestriction elements if entityIssuer isn’t specified.
|
string
|
true
| |
usernameAttr
|
Name of attributes in the returned assertions to map to ID token username claim.
|
string
|
true
| |
emailAttr
|
Name of attributes in the returned assertions to map to ID token email claim.
|
string
|
true
| |
groupsAttr
|
Name of attributes in the returned assertions to map to ID token group claims.
|
\*string
|
false
| |
caSecretRef
|
A secret reference to the CA to use when validating the signature of the
SAML response. The secret should have type “Opaque” and contain the key “tls.crt”. This field must be specified
if insecureSkipSignatureValidation is not set.
|
\*corev1.LocalObjectRefer ence
|
false
| |
insecureSkipSignatureValida tion
|
To skip signature validation, uncomment the following field. This should only be used during testing and may be removed in the future.
|
\*bool
|
false
|
Field
|
Description
|
Scheme
|
Require d
| | ----------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------- | ---------------------------------------------------------------------------- | |
entityIssuer
|
Manually specify dex’s Issuer value. When provided dex will include this as the Issuer value during AuthnRequest. It will also override the redirectURI as the required audience when evaluating AudienceRestriction elements in the response.
|
\*string
|
false
| |
ssoIssuer
|
Issuer value expected in the SAML response.
|
\*string
|
false
| |
groupsDelim
|
Delimiter for splitting groups returned as a single string. By default, multiple groups are assumed to be represented as multiple attributes with the same name. If “groupsDelim” is provided groups are assumed to be represented as a single attribute and the delimiter is used to split the attribute’s value into multiple groups.
|
\*string
|
false
| |
nameIDPolicyFormat
|
Requested format of the NameID. The NameID value is is mapped to the user ID of the user. This can be an abbreviated form of the full URI with just the last component. For example, if this value is set to
“emailAddress” the format will resolve
to: urn:oasis:names:tc:SAML:1.1:na meid-format:emailAddress\nIf no value is
specified, this value defaults
to: urn:oasis:names:tc:SAML:2.0:na meid-format:persistent
|
\*string
|
false
| ## Client Client is the Schema for the clients API |
Field
|
Description
|
Scheme
|
Required
| | ----------------------- | -------------------------- | --------------------- | ----------------------- | |
metadata
| | metav1.ObjectMeta |
false
|
Field
|
Description
|
Scheme
|
Required
| | ------------------------------- | -------------------------- | --------------------- | ---------------------------- | | | | | | |
spec
| ClientSpec | |
false
| ## ClientList ClientList contains a list of Client |
Field
|
Description
|
Scheme
|
Required
| | ----------------------- | -------------------------- | ------------------------ | ----------------------- | |
metadata
| | metav1.ListMeta |
false
| |
items
| |
\[]Client
|
true
| ## ClientSpec ClientSpec defines the desired state of Client OAuth2 |
Field
|
Description
|
Scheme
|
Required
| | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------- | ----------------------------------- | |
displayName
|
The display name for the Client
|
string
|
true
| |
clientSecretRef
|
Reference to a secret that contains the client secret. The secret should contain client-secret key like the following:
|
corev1.LocalObjectReference
|
true
| |
redirectURIs
|
A registered set of redirect URIs. When redirecting from dex to the client, the URI requested to redirect to MUST match one of these values, unless the client is “public”.
|
\[]string
|
true
|
Field
|
Description
|
Scheme
|
Required
| | ----------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | --------------------------------------------------- | |
trustedPeers
|
TrustedPeers are a list of peers which can issue tokens on
this client’s behalf using the dynamic
“oauth2:server:client\_id:(client\_id)” scope. If a peer makes such a request, this client’s ID will appear as the ID Token’s audience.\n\nClients inherently trust themselves.
|
\[]string
|
true
| |
public
|
Public clients must use either use a redirectURL 127.0.0.1:X
or “urn:ietf:wg:oauth:2.0:oob”
|
\*bool
|
false
| |
logoURL
|
LogoURL used when displaying this client to the end user.
|
\*string
|
false
| Thank you, Accendile Technologies