OpenID Connect with Dex
Dex is a lightweight OpenID Connect authentication provider written in Go, and is the default authentication mechanism shipped with Open OnDemand.
Installing OnDemand Dex package
First the OnDemand yum repos must be enabled, see Install Software From Package.
sudo yum install ondemand-dex
Installing OnDemand Dex from source
Go version 1.14.x with the
Build and install the ondemand-dex binary:
GOPATH=$(go env GOPATH)
go get github.com/dexidp/dex
cd $GOPATH/src/github.com/dexidp/dex
make
sudo install -m 0755 bin/dex /usr/sbin/ondemand-dex
Create the ondemand-dex user and group:
sudo groupadd -r ondemand-dex
sudo useradd -r -d /var/lib/ondemand-dex -g ondemand-dex -s /sbin/nologin -c "OnDemand Dex" ondemand-dex
Clone the ondemand-dex repo and install the web files and systemd unit file:
cd /tmp
git clone https://github.com/OSC/ondemand-dex
sudo mkdir /usr/share/ondemand-dex
sudo cp -R ondemand-dex/web /usr/share/ondemand-dex/web
sudo install -m 0644 ondemand-dex/examples/ondemand-dex.service /etc/systemd/system/ondemand-dex.service
Configuring OnDemand Dex
OnDemand Dex is configured by modifying the Open OnDemand Portal ood_portal.yml file.
The default location for Dex configurations is
When changes are needed for OnDemand Dex, run the following commands:
sudo /opt/ood/ood-portal-generator/sbin/update_ood_portal
sudo systemctl restart ondemand-dex
If OnDemand is configured to use SSL and SSL certificates are not configured in Dex, the default behavior is for Dex to use copies of the OnDemand certificates for SSL. This means that when the OnDemand certificates are updated it is necessary to run update_ood_portal to make new copies of the certificates and then restart the ondemand-dex service.
Managing the OnDemand Dex service
The service for OnDemand Dex is ondemand-dex.service:
sudo systemctl enable ondemand-dex.service
sudo systemctl start ondemand-dex.service
By default when using SSL, Dex will use port 5554 for the communication between OnDemand and Dex as well as for login interactions with users accessing OnDemand. The port used for non-SSL is 5556. The port being used by Dex must be externally accessible.
- Firewalld example:
$ sudo firewall-cmd --zone=public --add-port=5554/tcp --permanent
$ sudo firewall-cmd --reload
- Iptables example:
$ sudo iptables -I INPUT -p tcp -m tcp --dport 5554 -j ACCEPT
$ sudo iptables-save > /etc/sysconfig/iptables
Configuring OnDemand Dex behind Apache reverse proxy
The OnDemand Dex service can be proxied behind the Apache web service using a reverse proxy. This means port 5554 or 5556 would not need to be opened externally.
Enabling the OnDemand Dex reverse proxy logic will force Dex to listen only on
localhost and only
Example of configuration change to put Dex behind the Apache reverse proxy
Configuring OnDemand Dex for LDAP
An LDAP server is required, preferably with SSL support.
The following is an example configuration using OpenLDAP.
# /etc/ood/config/ood_portal.yml
---
# ...
dex:
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: openldap.my_center.edu:636
        insecureSkipVerify: false
        bindDN: cn=admin,dc=example,dc=org
        bindPW: admin
        userSearch:
          baseDN: ou=People,dc=example,dc=org
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: gecos
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: ou=Groups,dc=example,dc=org
          filter: "(objectClass=posixGroup)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
For documentation on Dex LDAP configuration please see the Dex LDAP docs.
If you supply a bindPW in this file it is recommended to change the file permissions on /etc/ood/config/ood_portal.yml to 0600 to make the file only readable by root:
sudo chown root:root /etc/ood/config/ood_portal.yml
sudo chmod 0600 /etc/ood/config/ood_portal.yml
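The two checks above (server certificate verification stays on, and a file holding a bindPW is readable only by root) can be audited before running update_ood_portal. The following is an added example, not code from Open OnDemand or ood-portal-generator; it uses only the Ruby standard library, and the function names audit_dex_ldap and audit_portal_file and the sample YAML are constructed for this illustration.

```ruby
# Added example (not part of Open OnDemand): audit the dex.connectors LDAP
# entries of an ood_portal.yml for two risks the LDAP section calls out:
# TLS verification disabled and a plaintext bindPW in a file that is
# readable by more than its owner.
require "yaml"

# Constructed sample, mirroring the page's OpenLDAP example (trimmed).
SAMPLE_PORTAL_YML = <<~YAML
  dex:
    connectors:
      - type: ldap
        id: ldap
        name: LDAP
        config:
          host: openldap.my_center.edu:636
          insecureSkipVerify: false
          bindDN: cn=admin,dc=example,dc=org
          bindPW: admin
          userSearch:
            baseDN: ou=People,dc=example,dc=org
YAML

# Returns an array of findings for the LDAP connectors in the parsed portal
# config. file_mode is the permission bits of the file the YAML came from
# (e.g. File.stat(path).mode & 0o777); anything beyond 0600 is flagged when
# a bindPW is present, matching the chmod 0600 advice above.
def audit_dex_ldap(portal, file_mode)
  findings = []
  connectors = portal.dig("dex", "connectors") || []
  connectors.select { |c| c["type"] == "ldap" }.each do |c|
    cfg = c["config"] || {}
    id = c["id"] || "ldap"
    if cfg["insecureSkipVerify"] == true
      findings << "#{id}: insecureSkipVerify is true, LDAP server certificate is not validated"
    end
    if cfg.key?("bindPW") && (file_mode & 0o077) != 0
      findings << format("%s: bindPW stored in a file with mode %04o, expected 0600", id, file_mode)
    end
  end
  findings
end

# Convenience wrapper for a real file: parse it and use its actual mode bits.
def audit_portal_file(path)
  audit_dex_ldap(YAML.safe_load(File.read(path)), File.stat(path).mode & 0o777)
end
```

Run audit_portal_file("/etc/ood/config/ood_portal.yml") as root; an empty array means neither finding applies.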
Customizing OnDemand Dex
The theme for Dex can be customized to be site-specific, see Customize Dex Theme.
OnDemand Dex configuration reference
The OnDemand Dex configuration works by attempting to expose all Dex configuration options as keys nested under the dex key in ood_portal.yml.
The following reference is for /etc/ood/config/ood_portal.yml values set under the dex key.
ssl (Boolean, null)
Boolean to set if SSL is used. This is true if OnDemand is configured for SSL, otherwise it defaults to false. This value is used to determine which listen ports to use for Dex as well as the OIDC configuration for OnDemand.
http_port (String, Integer)
The HTTP port used by Dex, default is 5556. Used to define web -> http in the Dex configuration as well as OIDC configurations.
https_port (String, Integer)
The HTTPS port used by Dex, default is 5554. This value is only set if SSL is enabled. Used to define web -> https in the Dex configuration as well as OIDC configurations.
tls_cert (String, null)
The path to the TLS cert used by Dex. The default is to use the SSL certificate for OnDemand if OnDemand is configured with SSL. Used to define web -> tlsCert in the Dex configuration. If using the OnDemand certificate, a copy is made for Dex; the ondemand-dex user must be able to read this file if configured.
tls_key (String, null)
The path to the TLS key used by Dex. The default is to use the SSL key for OnDemand if OnDemand is configured with SSL. Used to define web -> tlsKey in the Dex configuration. If using the OnDemand key, a copy is made for Dex; the ondemand-dex user must be able to read this file if configured.
The path to the Dex SQLite storage file. Defaults to /etc/ood/dex/dex.db. Used to define storage -> config -> file in the Dex configuration.
The client ID used for the OnDemand OIDC client. The default is to use the servername for OnDemand, and if that is not defined the host's FQDN is used. Sets staticClients -> id in the Dex configuration as well as OnDemand OIDC configurations.
The client secret used for the OnDemand OIDC client. The default is a randomly generated secret stored in /etc/ood/dex/ondemand.secret. The value for this configuration can either be the secret string or the path to a file storing the secret. If using a file, the ondemand-dex user must be able to read the file. Sets staticClients -> secret in the Dex configuration as well as OnDemand OIDC configurations.
Additional OIDC client redirect URIs to authorize for the OnDemand client. The values provided for this are merged with the default redirect URI generated for OnDemand. Sets staticClients -> redirectURIs in the Dex configuration as well as OnDemand OIDC configurations.
The default OIDC client name for Dex. Sets staticClients -> name in the Dex configuration.
This defines the external connectors used to authenticate users with Dex. If this value is not provided, the default behavior is to set a static password for ood@localhost. This value is passed directly to the Dex configuration for connectors. For an example of LDAP configuration see Configuring OnDemand Dex for LDAP.
This defines various changes for the themes and frontend look of Dex. The value provided is passed directly to the Dex configuration for frontend. If the dir key is not set the default of /usr/share/ondemand-dex/web is used. If the theme key is not set the default of ondemand is used. The default frontend configuration is:
frontend:
  dir: "/usr/share/ondemand-dex/web"
  theme: "ondemand"
The configuration for Dex's gRPC API. The value is passed directly to the Dex configuration for grpc, for example:
grpc:
  addr: "127.0.0.1:5557"
  tlsCert: "/etc/ood/dex/grpc-server.crt"
  tlsKey: "/etc/ood/dex/grpc-server.key"
  tlsClientCA: "/etc/ood/dex/grpc-ca.crt"
The configuration for Dex's expirations. The value is passed directly to the Dex configuration for expiry, for example:
expiry:
  signingKeys: "6h"
  idTokens: "24h"