Programmatic access to Dex + OpenLDAP

[mtszkw]

Hi all,

I deployed Kubeflow with Dex authentication and added OpenLDAP connector to enable LDAP authentication. Now I would like to be able to access my Kubeflow programatically through LDAP. It seems that programmatic auth is a difficult topic for Dex and I only managed to find a workaround for basic auth, but maybe there's a way go also sign in using LDAP?

BTW The workaround from PR above looks good (username, password), but I have to be able to choose LDAP URL now as I have two different authentication methods. While main Dex dashboard is at 127.0.0.1 for me, LDAP sign in page is at http://127.0.0.1:8080/dex/auth/ldap?req=XXXXXXXXXXXXXXX where XXXX is a random token generated for each request. Just typing http://127.0.0.1:8080/dex/auth/ldap doesn't work so I'm afraid I cannot hardcore the URL in my code.

[nabokihms]

Hello! About the second question, you can authenticate through a specific connector by providing a connector_id like http://127.0.0.1:8080/dex/auth?connector_id =ldap.

For the first one, if I get it right, you can use the password credentials grant.

1. Go to dex configuration and add

oauth2:
  passwordConnector: ldap

2. Get the token by requesting the /token endpoint.

curl -X POST 'http://127.0.0.1:5556/dex/token' \
  --data 'grant_type=password' \
  --data "client_id=example-app" \
  --data "client_secret=ZXhhbXBsZS1hcHAtc2VjcmV0" \
  --data "scope=openid" \
  --data "username=admin@example.com" \
  --data "password=password" 

{"access_token":"liajdqyefr5xkpmhoxjrjrh3q","token_type":"bearer","expires_in":86399,"id_token":"eyJhbGciOiJSUzI1NiIsImtpZCI6ImE4YmY0MGIyODZkYzcyNTA4YzMzYTkxMmQ5YjhhOTJiNjg3NTJiMzkifQ.eyJpc3MiOiJodHRwOi8vMTI3LjAuMC4xOjU1NTYvZGV4Iiwic3ViIjoiQ2lRd09HRTROamcwWWkxa1lqZzRMVFJpTnpNdE9UQmhPUzB6WTJReE5qWXhaalUwTmpZU0JXeHZZMkZzIiwiYXVkIjoiZXhhbXBsZS1hcHAiLCJleHAiOjE2MjUwMzc2MzUsImlhdCI6MTYyNDk1MTIzNSwiYXRfaGFzaCI6ImYyT092bF9kd29DVmtmSlFmUjdDWFEifQ.gn3CBXzNOQXv2waVFRhP6DGfVZbUc2-K0d6k5CQa6YUmLIriW3rKMORtrGJL9hnw4ow6Pwdh7s_9-iME1lnOOsYksTmdJjUISF9nTk2_F9neJxGUc_KIvkBH_WDVHH9reBMOSgHE0n40_M5aFiyop6xLsqs0CvbCbLvEKo8_xOZA7-Oae0SvTQQN2nKhcacIUmvZF0Lqk0bqXa0Ej-aeNkktZctWHge_-a6wpZ4fhen19I2zmTFAILAlHV3UBS9gnxX9vcDAExTYfVA9ADSbyg3aYXcPQ0XDqdpFZ7NmkVFpp1eAoUAW9NMSt0kgQ3eQ0WItG_cjiJSG_3NzPSVNYg"}

[mtszkw]

Hi @nabokihms,

Let me reverse the order:

1. Unfortunately when going to http://127.0.0.1:8080/dex/auth?connector_id=ldap I see an error:

Bad Request
Invalid client_id ("").

2. How do I get client_secret in your password credentials solution? For now, I only managed to authenticate using session cookies (similarly to the code here: How to do programmatic authentication with Dex? kubeflow/kfctl#140 (comment)), but I would prefer not to use cookies and use token instead. How could provide me more details on that? Or can I give you more context for you to help me?

Thanks in advance!