dexidp / dex

OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
https://dexidp.io
Apache License 2.0

OpenID Connect authentication mapped against ldap then sent to application #1588

Open mjbludwig opened 4 years ago

mjbludwig commented 4 years ago

Hi All,

I apologize for the rather specific question but I have not found a clear answer to the plausibility of this flow in the documentation.

Is it possible to use one or more Dex instances to fit this authentication flow:

  1. Unauthenticated user goes to the main app site
  2. Site redirects the user to a Dex instance for authentication (the app connects to Dex using the OpenID Connect protocol)
  3. Dex then redirects to a 3rd-party OpenID Connect provider for authentication, say GitHub in this instance
  4. User authenticates with GitHub; GitHub sends the OpenID Connect token (with claims) back to the Dex instance
  5. Dex maps the authenticating user to a user in LDAP ("email" from the claim to the "mail" LDAP attribute, maybe)
  6. Dex sends the username mapped from LDAP in the token back to the main app.

I have Apache using mod_auth_openidc to connect to Dex. A current solution would be to use Dex with an OpenID Connect connector to GitHub to do the authentication; the token then comes back to mod_auth_openidc, which then uses "mod_authnz_ldap" to map the user in LDAP, but I am hoping there is a way to do it all in Dex instance[s].

Thanks! Morgan
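Steps 5 and 6 of the flow above are the part Dex does not do for you, so here is what that mapping step looks like when written out, as an added example that is not Dex code and not part of the original issue. It takes the claims from the upstream provider's token, builds the LDAP filter that would be sent, and returns the identity the downstream app would receive. The directory is a constructed in-memory stand-in for a real LDAP search so the code runs offline; `map_claims_to_ldap_user`, `build_mail_filter`, `LdapEntry` and `MappingError` are hypothetical names chosen for this example. The two checks a practitioner would want at this step are included: the email claim is only trusted when the upstream provider marks it verified, and a lookup that matches zero or several LDAP entries is refused rather than silently picking one.

```python
"""Hypothetical claim-to-LDAP mapping step (example code, not Dex's own).

Input: claims from an upstream OIDC token. Output: the claims to forward to
the relying application, with the LDAP uid as the username. The in-memory
directory below is a constructed stand-in for a real LDAP search.
"""
from dataclasses import dataclass

# RFC 4515 escaping for a value placed inside an LDAP search filter. Without
# it a claim value such as "*" or "x)(uid=admin" changes the filter's meaning
# (LDAP filter injection), since the email comes from a third party.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_mail_filter(email: str) -> str:
    """The filter a real implementation would send, e.g. (mail=alice@example.com)."""
    return f"(mail={escape_filter_value(email)})"


@dataclass(frozen=True)
class LdapEntry:
    dn: str
    uid: str
    mail: str


# Constructed sample directory (stand-in for ou=people,dc=example,dc=com).
# Note the duplicated mail value on bob/bob2: a real directory can contain this.
SAMPLE_DIRECTORY = [
    LdapEntry("uid=alice,ou=people,dc=example,dc=com", "alice", "alice@example.com"),
    LdapEntry("uid=bob,ou=people,dc=example,dc=com", "bob", "bob@example.com"),
    LdapEntry("uid=bob2,ou=people,dc=example,dc=com", "bob2", "bob@example.com"),
]


def search_by_mail(directory, email: str):
    """Stand-in for an LDAP search using build_mail_filter(email).

    The standard 'mail' attribute uses caseIgnoreIA5Match, so a real server
    matches case-insensitively; mirror that here.
    """
    return [e for e in directory if e.mail.lower() == email.lower()]


class MappingError(Exception):
    """Raised when the upstream identity cannot be safely linked to one LDAP user."""


def map_claims_to_ldap_user(claims: dict, directory=SAMPLE_DIRECTORY) -> dict:
    """Return the claims to hand to the app, or raise MappingError.

    Refuses to link on an unverified email (an attacker could register an
    unverified address at the upstream provider) and on an ambiguous match.
    """
    email = claims.get("email")
    if not email or not claims.get("email_verified", False):
        raise MappingError("upstream provider did not assert a verified email")
    matches = search_by_mail(directory, email)
    if len(matches) != 1:
        raise MappingError(
            f"expected exactly one LDAP entry for {email}, found {len(matches)}"
        )
    entry = matches[0]
    return {
        "sub": entry.uid,
        "preferred_username": entry.uid,
        "email": entry.mail,
        # Keep the upstream identity for audit logs so the link is traceable.
        "upstream_iss": claims.get("iss"),
        "upstream_sub": claims.get("sub"),
    }


if __name__ == "__main__":
    # Constructed upstream claims, as an OIDC provider would return them.
    upstream = {
        "iss": "https://upstream.example.com",
        "sub": "12345",
        "email": "Alice@example.com",
        "email_verified": True,
    }
    print(build_mail_filter(upstream["email"]))
    print(map_claims_to_ldap_user(upstream))
```

Whatever the upstream provider is, the filter escaping and the exactly-one-match rule are the two properties worth keeping; the rest (which attribute to match on, which LDAP attribute becomes the username) is just configuration.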

frimik commented 4 years ago

Auth from one connector (ex: Google) and groups from another specific one (ex: ldap) would be neat to do in one single Dex.

sylvainOL commented 8 months ago

Hello, I guess we're not enough to need this?

For our use case, it's quite important, as we have a centralised OIDC solution but we want to add groups for some resources via LDAP (or other, actually).