16 changes: 16 additions & 0 deletions README.md
Expand Up @@ -46,6 +46,21 @@ Because these tokens are signed by dex and [contain standard-based claims][stand

For details on how to request or validate an ID Token, see [_"Writing apps that use dex"_][using-dex].

## Security Model for JWT-Based Authentication

For connectors that process JWT tokens (such as the SSH connector), dex implements a secure verification model:

**JWT is Just a Packaging Format**: JWTs contain no trusted data until cryptographic verification succeeds against keys configured by dex administrators.

**Administrative Control**: The dex connector configuration provides complete access control:
- **WHO can connect**: Only users explicitly configured in the connector can authenticate
- **HOW they prove identity**: Each user's configured public keys/credentials define valid authentication methods
- **WHAT they can access**: User configuration determines scopes (email, groups, permissions)

**Security Separation**: Authentication (cryptographic proof) is completely separated from authorization (administrative policy), preventing clients from influencing their own permissions.

This model prevents key injection attacks and ensures that all security decisions remain under administrative control rather than being influenced by client-provided data.

## Kubernetes and Dex

Dex runs natively on top of any Kubernetes cluster using Custom Resource Definitions and can drive API server authentication through the OpenID Connect plugin. Clients, such as the [`kubernetes-dashboard`](https://github.com/kubernetes/dashboard) and `kubectl`, can act on behalf of users who can login to the cluster through any identity provider dex supports.
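Review bot: the new "Security Model" section asserts that verification only succeeds "against keys configured by dex administrators" and that this "prevents key injection attacks", but it never states how the verifying key is chosen, which is exactly what a reader assessing that claim needs. Add one sentence saying that the key is looked up solely from the connector configuration entry for the user the token names, and that any key material carried in the token itself (JOSE header parameters such as `jwk`, `jku`, `x5u`, or an unrecognised `kid`) is ignored rather than trusted; also state which standard claims are checked (`alg` pinned to the configured key type, `exp`, `aud`/`iss`), otherwise "contain no trusted data until cryptographic verification succeeds" is a promise without a mechanism. Minor: "scopes (email, groups, permissions)" lists `permissions`, which is not a scope dex exposes elsewhere in this README; either name the actual scope or drop it.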
Expand Down Expand Up @@ -82,6 +97,7 @@ Dex implements the following connectors:
| [Atlassian Crowd](https://dexidp.io/docs/connectors/atlassian-crowd/) | yes | yes | yes * | beta | preferred_username claim must be configured through config |
| [Gitea](https://dexidp.io/docs/connectors/gitea/) | yes | no | yes | beta | |
| [OpenStack Keystone](https://dexidp.io/docs/connectors/keystone/) | yes | yes | no | alpha | |
| [SSH](connector/ssh/) | yes | yes | yes | alpha | Authenticate using SSH keys with OAuth2 Token Exchange support. Uses secure JWT verification model where only administrator-configured keys can verify tokens. |

Stable, beta, and alpha are defined as:

434 changes: 434 additions & 0 deletions connector/ssh/README.md

Large diffs are not rendered by default.