Federated OpenID Connect.
Sits in front of LDAP, SAML, GitHub, Google and more — your apps only ever speak OIDC.
capability
Why Dex?
A single authentication layer for your entire platform. Integrate any identity provider through OpenID Connect — without touching your application code.
One protocol to rule them all
Every service speaks OIDC to Dex. Add upstream providers later without redeploying apps, reconfiguring clients, or rewriting auth code.
Built for Kubernetes
Lightweight binary, official Helm chart, minimal configuration. Runs alongside your workloads without drama.
Standards, not surprises
OIDC and OAuth2 all the way down. Battle-tested across organizations of every size, audited, and actively maintained.
Any upstream you need
LDAP, SAML, GitHub, Google, GitLab, Microsoft — and more. Apps stay OIDC-only while Dex handles the mess upstream.
use cases
Where teams ship Dex
Four patterns we see most often in the wild.
Unified platform auth
Integrate your services with Dex once. Add LDAP, SAML or OIDC providers later without touching a single application.
Ship as a dependency
Lightweight enough to bundle next to your application. Your platform instantly supports auth via dozens of providers.
Kubernetes SSO
Seamless single sign-on for the dashboard, internal tools, and the kubectl flow — one OIDC endpoint to trust.
Development & testing
Built-in mock connector lets you authenticate locally during development without provisioning real identities.
positioning
How Dex compares
Dex is one of many OIDC providers in the ecosystem. Here's where it intentionally stops, and where you'd reach for something else.
No JVM, no database required
Keycloak is a heavy Java application that requires a backing database. Dex is a single static Go binary; storage is pluggable and optional.
Login flow and connectors included
Hydra is a headless OAuth2/OIDC server: it redirects the user to a login app you write, which then calls Hydra's admin API to accept consent. Dex ships the login UI and upstream connectors (LDAP, SAML, GitHub, OIDC) in one process.
Protocol provider, not a gateway
Both sit at the HTTP layer and protect upstream routes via ForwardAuth headers — they're reverse-proxy companions. Dex is a full OIDC issuer; any standards-compliant client runs the authorization-code flow against it directly.
Protocol adapter, not a data plane
Zitadel is an event-sourced IAM platform — it owns users, organisations, projects and audit logs on CockroachDB. Dex owns no user state at all: it takes an upstream identity source (LDAP, GitHub, SAML) and re-exposes it as OIDC.
Federates upstream, doesn't replace it
Authentik is a Python/Django application with its own user store, flows engine and admin UI. Dex has no user store — authentication is delegated to whatever IdP you already run, and Dex translates the response into standard OIDC claims.
Runs on your infrastructure
Managed IAM binds your auth path to one cloud's APIs, billing and outage surface. Dex runs as a Kubernetes deployment, a systemd unit or a container on any substrate. User data and audit logs stay inside your network.
getting started
Three steps to running
From zero to a working federated identity service.
Install
Pull the container image, deploy the Helm chart, or build from source. Dex runs anywhere Go runs.
Configure
Define clients, storage and connectors in a single YAML file. Templated values supported out of the box.
Connect
Wire up GitHub, Google, LDAP, SAML — or any of the dozens of connectors Dex supports.

CNCF Sandbox Project
Dex is developed under the Cloud Native Computing Foundation — following CNCF governance and best practices.