Skip to content

Adoption & Ecosystem

Who uses it

Dex's main habitat is inside other open-source projects, which embed it as their OIDC provider. Its ADOPTERS.md lists both projects and companies. A representative set:

OrganisationUse caseSource
Argo CDSSO for its web UI and CLIADOPTERS.md
sigstoreAuthentication in the public Fulcio CA, binding code-signing certs to OIDC identitiesADOPTERS.md
KubeflowExternal OIDC authentication component of the Kubeflow PlatformADOPTERS.md
KymaKubernetes API-server authentication and protection of integrated UIs (Grafana, Loki, Jaeger)ADOPTERS.md
LitmusChaosOAuth2 login in ChaosCenterADOPTERS.md
ChefUser authentication in Chef AutomateADOPTERS.md
EricssonKubernetes API-server auth in Cloud Container DistributionADOPTERS.md
FlantAccess to core components of its Managed Kubernetes serviceADOPTERS.md
KastenAuth for the K10 backup platform dashboardADOPTERS.md
PydioOIDC service for Pydio CellsADOPTERS.md

The file lists more, including Aspect, Banzai Cloud, JuliaBox, Pusher, Elastisys (Welkin), Terrakube, and LLMariner. Each entry there carries a link to the adopter and a description of the use case.

Adoption signals

As observed on the repository in July 2026: roughly 10,900 GitHub stars, about 1,950 forks, and around 260 contributors over the project's lifetime. The current release line is v2.45.x, with v2.45.1 published in March 2026. The README carries an OpenSSF Scorecard and an OpenSSF Best Practices badge. The clearest signal of reach is indirect: Dex ships inside widely-deployed projects like Argo CD, so its real install base is far larger than its own download numbers suggest.

Ecosystem

Dex sits at a well-worn junction in the Kubernetes stack. The Kubernetes API server's OIDC authentication consumes Dex ID Tokens directly, usually reached from the command line through kubectl plugins such as kubelogin. AWS STS can likewise federate against a Dex issuer. For web UIs that are not OIDC-aware, oauth2-proxy is a common front end that authenticates through Dex. Operationally, the gRPC admin API (api/api.proto) lets external tooling manage clients and connectors at runtime.

Alternatives

AlternativeDiffers by
KeycloakA full IAM platform: it owns a user database, admin console, and role management. Dex is a thin delegating provider with no user store.
ZitadelA product-oriented, multi-tenant IdP with auditing and self-service. Dex is a smaller building block meant to be embedded.
Ory HydraAlso a focused OAuth2/OIDC server, but Hydra pushes login and user management to a separate app you build; Dex's selling point is built-in connectors that delegate to existing upstreams.
AutheliaA reverse-proxy forward-auth gate with its own login and 2FA; it grew OIDC provider support later. Dex started as an OIDC provider and does not do proxy-level gating.

Pick Dex when you want a small provider that federates to a directory or OAuth2 upstream and issues Kubernetes-consumable tokens, especially embedded in another product. Pick Keycloak or Zitadel when you need to be the system of record for users, with registration, roles, and an admin UI.

One trade-off to weigh: the README marks the SAML 2.0 connector as unmaintained and likely vulnerable to authentication bypasses (discussion #1884). If your only upstream is SAML, account for that before choosing Dex.

Sources