How to connect a PHP/MySQL application to Dex?

[lajosarpad]

I would like Dex to search for a user in a MySQL database and I would like to attach a PHP client to it that did the login to MySQL earlier. How can I achieve this?

Before asking this question I tried to learn Dex by reading its documentation and experiment with the app. I tried to make its example app up and running and if that succeeds, then to make changes in yaml for an actual app and a MySQL connection. But since I did not manage to make its example app work, I lack the confidence of doing large changes on the yaml file. This is how I tried initially.

In the below I'm describing how I played around with Dex and what I tried in preparation of setting up a MySQL/PHP client to use it. I tried to make Dex's example app work with Dex, but I'm not sure how it should work.

I have been reading about Dex for quite a while now. I installed Go on my local env and then installed Dex via

git clone https://github.com/dexidp/dex.git
cd dex/
make build

The installation succeeded. I have looked into its example yaml which looks like this:

# DEPRECATED: use config.yaml.dist and config.dev.yaml examples in the repository root.
# TODO: keep this until all references are updated.

# The base path of dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to dex. If a
# path is provided, dex's HTTP service will listen at a non-root URL.
issuer: http://127.0.0.1:5556/dex

# The storage configuration determines where dex stores its state. Supported
# options include SQL flavors and Kubernetes third party resources.
#
# See the documentation (https://dexidp.io/docs/storage/) for further information.
storage:
  type: sqlite3
  config:
    file: examples/dex.db

  # type: mysql
  # config:
  #   host: localhost
  #   port: 3306
  #   database: dex
  #   user: mysql
  #   password: mysql
  #   ssl:
  #     mode: "false"

  # type: postgres
  # config:
  #   host: localhost
  #   port: 5432
  #   database: dex
  #   user: postgres
  #   password: postgres
  #   ssl:
  #     mode: disable

  # type: etcd
  # config:
  #   endpoints:
  #     - http://localhost:2379
  #   namespace: dex/

  # type: kubernetes
  # config:
  #   kubeConfigFile: $HOME/.kube/config

# Configuration for the HTTP endpoints.
web:
  http: 0.0.0.0:5556
  # Uncomment for HTTPS options.
  # https: 127.0.0.1:5554
  # tlsCert: /etc/dex/tls.crt
  # tlsKey: /etc/dex/tls.key

# Configuration for dex appearance
# frontend:
#   issuer: dex
#   logoURL: theme/logo.png
#   dir: web/
#   theme: light

# Configuration for telemetry
telemetry:
  http: 0.0.0.0:5558
  # enableProfiling: true

# Uncomment this block to enable the gRPC API. This values MUST be different
# from the HTTP endpoints.
# grpc:
#   addr: 127.0.0.1:5557
#   tlsCert: examples/grpc-client/server.crt
#   tlsKey: examples/grpc-client/server.key
#   tlsClientCA: examples/grpc-client/ca.crt

# Uncomment this block to enable configuration for the expiration time durations.
# Is possible to specify units using only s, m and h suffixes.
# expiry:
#   deviceRequests: "5m"
#   signingKeys: "6h"
#   idTokens: "24h"
#   refreshTokens:
#     reuseInterval: "3s"
#     validIfNotUsedFor: "2160h" # 90 days
#     absoluteLifetime: "3960h" # 165 days

# Options for controlling the logger.
# logger:
#   level: "debug"
#   format: "text" # can also be "json"

# Default values shown below
# oauth2:
    # grantTypes determines the allowed set of authorization flows.
#   grantTypes:
#     - "authorization_code"
#     - "refresh_token"
#     - "implicit"
#     - "password"
#     - "urn:ietf:params:oauth:grant-type:device_code"
#     - "urn:ietf:params:oauth:grant-type:token-exchange"
    # responseTypes determines the allowed response contents of a successful authorization flow.
    # use ["code", "token", "id_token"] to enable implicit flow for web-only clients.
#   responseTypes: [ "code" ] # also allowed are "token" and "id_token"
    # By default, Dex will ask for approval to share data with application
    # (approval for sharing data from connected IdP to Dex is separate process on IdP)
#   skipApprovalScreen: false
    # If only one authentication method is enabled, the default behavior is to
    # go directly to it. For connected IdPs, this redirects the browser away
    # from application to upstream provider such as the Google login page
#   alwaysShowLoginScreen: false
    # Uncomment the passwordConnector to use a specific connector for password grants
#   passwordConnector: local

# Instead of reading from an external storage, use this list of clients.
#
# If this option isn't chosen clients may be added through the gRPC API.
staticClients:
- id: example-app
  redirectURIs:
  - 'http://127.0.0.1:5555/callback'
  name: 'Example App'
  secret: ZXhhbXBsZS1hcHAtc2VjcmV0
#  - id: example-device-client
#    redirectURIs:
#      - /device/callback
#    name: 'Static Client for Device Flow'
#    public: true
connectors:
- type: mockCallback
  id: mock
  name: Example
# - type: google
#   id: google
#   name: Google
#   config:
#     issuer: https://accounts.google.com
#     # Connector config values starting with a "$" will read from the environment.
#     clientID: $GOOGLE_CLIENT_ID
#     clientSecret: $GOOGLE_CLIENT_SECRET
#     redirectURI: http://127.0.0.1:5556/dex/callback
#     hostedDomains:
#     - $GOOGLE_HOSTED_DOMAIN

# Let dex keep a list of passwords which can be used to login to dex.
enablePasswordDB: true

# A static list of passwords to login the end user. By identifying here, dex
# won't look in its underlying storage for passwords.
#
# If this option isn't chosen users may be added through the gRPC API.
staticPasswords:
- email: "[email protected]"
  # bcrypt hash of the string "password": $(echo password | htpasswd -BinC 10 admin | cut -d: -f2)
  hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
  username: "admin"
  userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"

and tried to play around with it by loading http://127.0.0.1:5556/dex, but I've got the response of

The documentation claims that I need to run

./bin/example-app

but I'm unsure how this is to be executed. If I try to do so in the root of Dex, then it fails due to the obvious reason that bin/example-app does not exist.

All this experimentation is being done to have some solid knowledge in order to integrate a PHP client into Dex and to make Dex connect to a MySQL database.

So, my question is: How can I convert my PHP/MySQL application so that Dex will authenticate using MySQL and provide a JWT to my PHP app? Or, in other words: How do I turn my MySQL database to be the db Dex is querying for a user and how do I turn my PHP app into a client?