Maksim Nabokikh

I am a software engineer with more than nine years of experience. Since 2020, I’ve been an architect and tech lead of Deckhouse Kubernetes Platform, a certified Kubernetes distribution. Since 2021, I’ve also been a maintainer of Dex, a CNCF Sandbox project. In 2022, I became a Kubernetes organization member and contributor, working together with SIG Auth on significant KEPs related to authentication. I reviewed all PRs related to the new Dex feature described in this talk.

Sessions

03-18, 09:30, 30min
Exchanging third-party tokens in Dex and how it helps you to build a secure cloud native environment
Maksim Nabokikh

Dex is a CNCF Sandbox project implementing an OIDC identity and OAuth 2.0 provider that is often used in Kubernetes-based environments.

A well-known issue with authentication using OIDC occurs when you need it on a CLI-only machine. For example, it affects you if you’re using Dex as the identity provider for your Kubernetes or CI system — e.g., you want to exchange the tokens from CI or Kubernetes ServiceAccount with Dex to authenticate in a simple and secure manner. Since this authentication requires performing a redirect, which is challenging in a browserless environment, you need another approach to make it happen.

The OAuth 2.0 Token Exchange specification (RFC 8693) addresses this issue, yet requires you to have it implemented in your provider, such as Dex. With this feature recently introduced in Dex, keeping your cloud native infrastructure secure has become much easier. In this talk, I will explain how you can leverage the token exchange in Dex and demonstrate practical cases where it will help you.

VIP Area