Is dex a good fit for multiple social logins in a web application? #3905
Unanswered
ericchaves asked this question in Q&A
Hi folks,
I'm new to the OIDC world and would like to get some thoughts on a (crazy?) idea I'm working on. Please forgive me if this isn't the right place for this kind of question—in that case, please let me know where would be more appropriate to ask.
I'm developing a micro SaaS application where I plan to support only social logins. In this app, users won't have separate paths for sign-in and sign-up; there will simply be buttons like "Login with Google," "Login with Microsoft," "Login with Facebook," and so on. I plan to support all major providers, both tech and social (e.g., GitHub, Google, Facebook, Microsoft, Apple, Pinterest, Spotify, etc.). My idea is to automatically create customer accounts on first access, using the user info provided by the chosen identity provider.
Initially, I was planning to use multiple oauth2-proxy containers as middleware (e.g., using forward-auth together with a proxy like Traefik or NGINX), one container per IDP. Then I came across Dex, which at first glance seemed like a better fit since it already supports multiple providers. However, to create user accounts, I need specific data to be present in the ID token, or I may need to query the user-info endpoint from the OIDC/IDP provider. Unfortunately, Dex seems to issue ID tokens with only standard OIDC claims, and I’m concerned that some providers might include data I need in non-standard claims. Additionally, Dex does not handle cookies or implement a forward-auth mechanism, which means I would need to either pair it with a reverse proxy like oauth2-proxy or implement my own cookie-handling logic.
Before dedicating more effort, I’d like to hear some opinions from more experienced folks.
Thanks in advance for your input!
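The account-creation-on-first-login flow described in the question, as an added example that is not part of the original post and is not Dex project code: it keys each account on the upstream provider and subject rather than on email, so the same address arriving through two providers never merges into one account. It assumes the ID token was already verified (signature, issuer, audience, expiry) by an OIDC library and that the client requested Dex's `federated:id` scope, which adds the `federated_claims` claim; `Account`, `ClaimError`, `identity_key`, `login` and the in-memory store are hypothetical names.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Account:
    connector_id: str               # upstream provider, e.g. "github"
    user_id: str                    # subject identifier at that provider
    email: Optional[str] = None
    email_verified: bool = False


class ClaimError(ValueError):
    """The token lacks the claims needed to identify the user."""


def identity_key(claims: dict) -> Tuple[str, str]:
    # Dex adds `federated_claims` when the client requests the
    # `federated:id` scope: the connector and the upstream user id.
    fed = claims.get("federated_claims")
    fed = fed if isinstance(fed, dict) else {}
    key = (fed.get("connector_id"), fed.get("user_id"))
    if not all(isinstance(v, str) and v for v in key):
        raise ClaimError("federated_claims.connector_id/user_id missing")
    return key


def login(claims: dict, accounts: Dict[Tuple[str, str], Account]):
    """Return (account, created); `claims` must come from a verified token."""
    key = identity_key(claims)
    created = key not in accounts
    acct = accounts.setdefault(key, Account(*key))
    # Profile fields are refreshed on every login but never used for lookup:
    # matching on email would merge accounts across providers.
    acct.email = claims.get("email")
    acct.email_verified = claims.get("email_verified") is True
    return acct, created


if __name__ == "__main__":
    store = {}  # hypothetical in-memory account store
    # Constructed claims: same email arriving through two connectors.
    g = {"federated_claims": {"connector_id": "google", "user_id": "1001"},
         "email": "a@example.com", "email_verified": True}
    f = {"federated_claims": {"connector_id": "facebook", "user_id": "777"},
         "email": "a@example.com"}
    for c in (g, g, f):
        acct, created = login(c, store)
        print(acct.connector_id, acct.user_id, "created" if created else "existing")
```
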