Set Up Authentication Using the Default Dex Identity Provider

GoodData Cloud Native (GoodData.CN) includes Dex, a built-in OpenID Connect (OIDC) identity provider. Dex lets you create and manage user credentials without setting up an external OIDC provider.

Do Not Use In Production Environment

We do not recommend using Dex in production environments. Dex is intended only for non-production or proof-of-concept deployments. Dex exposes the full user list, including users outside your organization. For production environments, use a secure, external OIDC provider such as Okta, Auth0, or Google.

Using Dex with Istio Gateway and wildcard certificates

If you enable Istio Gateway mode and use a wildcard TLS certificate on the shared Gateway, do not host Dex on a hostname covered by that wildcard certificate. Envoy does not allow overlapping wildcard and specific certificates on the same Gateway. Deploy Dex on a separate hostname with its own certificate that does not overlap with the wildcard domain. See Istio details in Install → Configuration Options → Istio (Service Mesh & Gateway).

Prerequisites

Before proceeding, ensure:

  • You have created your organization.
  • You know the admin username and password you configured when creating the Organization.

Create a Bootstrap Token

You need a bootstrap token to call administrative APIs (for example, to create Dex users and map them to your Organization).

Steps:

  1. Construct a token string in the format:

    <adminUser>:bootstrap:<adminPassword>
    

    for example:

    admin:bootstrap:MySecretPassword
    
  2. Encode the string using Base64:

    echo -n 'admin:bootstrap:MySecretPassword' | base64
    

    Keep the -n option. Without it, echo appends a newline that becomes part of the encoded string, and the token will be invalid.

Your encoded token will look similar to:

YWRtaW46Ym9vdHN0cmFwOk15U2VjcmV0UGFzc3dvcmQ=

Store the token securely; it grants full administrative access.
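The two steps above as a helper with a validity check, written as an added example that is not part of the GoodData documentation. The function names make_bootstrap_token and check_bootstrap_token are hypothetical, the credentials are the page's sample values, and base64 -d assumes GNU coreutils.

```shell
# Added example, not GoodData's code. Function names are hypothetical and the
# credentials are the sample values used on this page. Assumes GNU base64.

NL='
'

# Build the token. printf '%s' never appends a newline (the failure that
# dropping -n from echo causes), and tr removes the line wrapping that GNU
# base64 applies once the output exceeds 76 characters (long passwords).
make_bootstrap_token() {
    printf '%s:bootstrap:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Check a token before sending it as a Bearer credential.
# Returns 0 = well formed, 1 = not Base64 or wrong layout,
#         2 = a trailing newline was encoded into the token.
check_bootstrap_token() {
    # The "x" sentinel stops $(...) from stripping a decoded trailing newline.
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null && printf x) || return 1
    decoded=${decoded%x}
    rc=1
    case $decoded in
        *"$NL")          rc=2 ;;
        ?*:bootstrap:?*) rc=0 ;;
    esac
    unset decoded   # do not keep the clear-text password in a shell variable
    return "$rc"
}

# Usage with the page's sample credentials:
token=$(make_bootstrap_token admin MySecretPassword)
check_bootstrap_token "$token" && echo "token OK"

# Constructed bad input: what plain echo (without -n) would have produced.
bad=$(printf 'admin:bootstrap:MySecretPassword\n' | base64)
check_bootstrap_token "$bad" || echo "rejected, status $?"
```

Filling the password argument from a variable set by a prompt, rather than typing it on the command line, keeps it out of shell history.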

Manage Users in Dex

Once GoodData.CN is deployed, Dex is available without extra configuration. You need to populate it with one or more users first.

Create User

# BOOTSTRAP_API_TOKEN holds the Base64-encoded bootstrap token created above.
curl -H "Authorization: Bearer $BOOTSTRAP_API_TOKEN" \
     -H "Content-type: application/json" \
     -d '{"email": "boss@alpha.example.com", "password": "123456", "displayName": "John Doe"}' \
     --request POST "$HOST_URL/api/v1/auth/users"

The response includes an authenticationId — save this value, as you’ll need it to map the user to the Organization.

Update User

# The JSON body is single-quoted so the shell does not expand $$ in the password.
curl -H "Authorization: Bearer $BOOTSTRAP_API_TOKEN" \
     -H "Content-type: application/json" \
     -d '{"email": "boss@alpha.example.com", "password": "Bett3rPa$$w0rd", "displayName": "John Doe"}' \
     --request PUT "$HOST_URL/api/v1/auth/users/boss@alpha.example.com"

List, View, and Delete Users

In addition to creating and updating a user, you can also perform these actions:

  • List all users — submit a GET request to /api/v1/auth/users. This request returns all users in Dex, including those outside your organization.

  • View a user — submit a GET request to /api/v1/auth/users/{email}.

  • Delete a user — submit a DELETE request to /api/v1/auth/users/{email}. This deletes the user’s credentials but does not fully remove the user. To remove the user completely, also delete their mapping from the Organization.

Map Users to Organization

After creating users in Dex, map them to your organization using their authenticationId. See Map Users to an Organization.