Exchanging third-party tokens in Dex and how it helps you to build a secure cloud native environment
03-18, 09:30–10:00 (Europe/Paris), VIP Area

Dex is a CNCF Sandbox project implementing an OIDC identity and OAuth 2.0 provider that is often used in Kubernetes-based environments.

A well-known issue with OIDC authentication occurs when you need it on a CLI-only machine. It affects you, for example, if you use Dex as the identity provider for your Kubernetes or CI system and want to exchange tokens from CI or a Kubernetes ServiceAccount with Dex to authenticate in a simple and secure manner. Because this authentication requires a redirect, which is challenging in a browserless environment, you need another approach.

The OAuth 2.0 Token Exchange specification (RFC 8693) addresses this issue, but it has to be implemented in your provider, such as Dex. With this feature recently introduced in Dex, keeping your cloud native infrastructure secure has become much easier. In this talk, I will explain how you can leverage token exchange in Dex and demonstrate practical cases where it will help you.


Dex can serve as an essential building block of cloud native infrastructure built on self-hosted, open source, CNCF-backed solutions, with which Dex easily integrates, for both production and non-production use cases. Delivering and showcasing features that encourage new applications of Dex therefore helps grow the community of Dex adopters and potential project contributors. This becomes even more relevant given the growing focus on security for cloud native environments.

I am a software engineer with more than nine years of experience. Since 2020, I’ve been an architect and tech lead of Deckhouse Kubernetes Platform, a certified Kubernetes distribution. Since 2021, I’ve also been a maintainer of Dex, a CNCF Sandbox project. In 2022, I became a Kubernetes organization member and contributor, working together with SIG Auth on significant KEPs related to authentication. I reviewed all PRs related to the new Dex feature described in this talk.