I tried the demo in the dev7 branch. I followed every step, and it works until the verification of the bearer token. Then I get an error message on the PostgreSQL instance saying that a self-signed certificate is used.
{"level":"info","ts":"2026-01-18T12:51:56.012409659Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.012 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22234","connection_from":"fdd9:f927:3fbd:44b7::312:45776","session_id":"696cd76c.56da","session_line_num":"1","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"54/159","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: validator_startup: libcurl=libcurl/8.14.1 OpenSSL/3.5.4 zlib/1.3.1 brotli/1.1.0 zstd/1.5.7 libidn2/2.3.8 libpsl/0.21.2 libssh2/1.11.1 nghttp2/1.64.0 nghttp3/1.8.0 librtmp/2.3 OpenLDAP/2.6.10, timeout_ms=2000","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.012466845Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.012 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22234","connection_from":"fdd9:f927:3fbd:44b7::312:45776","session_id":"696cd76c.56da","session_line_num":"2","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"54/159","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: validate_token: token=(present), role=app_readonly, resource_name=appdb","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.012481974Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.012 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22234","connection_from":"fdd9:f927:3fbd:44b7::312:45776","session_id":"696cd76c.56da","session_line_num":"3","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"54/159","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: issuer_ok: expected_issuer not set -> skip","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.01250016Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.012 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22234","connection_from":"fdd9:f927:3fbd:44b7::312:45776","session_id":"696cd76c.56da","session_line_num":"4","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"54/159","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: calling kc_decision with perm=\"appdb#app_readonly\"","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.012547327Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.012 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22234","connection_from":"fdd9:f927:3fbd:44b7::312:45776","session_id":"696cd76c.56da","session_line_num":"5","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"54/159","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: decision request -> URL=https://keycloak-app-service:8443/realms/demo/protocol/openid-connect/token, audience=postgres-resource, permission=appdb#app_readonly, timeout_ms=2000, client_id=*************urce","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.027596626Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.027 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22234","connection_from":"fdd9:f927:3fbd:44b7::312:45776","session_id":"696cd76c.56da","session_line_num":"6","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"54/159","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: decision resp http=0 time=13.9ms body_len=0 decision=false rc=60(SSL peer certificate or SSH remote key was not OK) err=\"SSL certificate problem: self-signed certificate\"","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.027782164Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.027 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22234","connection_from":"fdd9:f927:3fbd:44b7::312:45776","session_id":"696cd76c.56da","session_line_num":"7","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"54/159","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: response body: ","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.02780485Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.027 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22234","connection_from":"fdd9:f927:3fbd:44b7::312:45776","session_id":"696cd76c.56da","session_line_num":"8","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"54/159","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: authorization = FALSE for perm=\"appdb#app_readonly\"","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.027821665Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.027 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22234","connection_from":"fdd9:f927:3fbd:44b7::312:45776","session_id":"696cd76c.56da","session_line_num":"9","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"54/159","transaction_id":"0","error_severity":"LOG","sql_state_code":"00000","message":"OAuth bearer authentication failed for user \"app_readonly\"","detail":"Validator failed to authorize the provided token.","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.027999628Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.027 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22234","connection_from":"fdd9:f927:3fbd:44b7::312:45776","session_id":"696cd76c.56da","session_line_num":"10","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"54/159","transaction_id":"0","error_severity":"FATAL","sql_state_code":"28000","message":"OAuth bearer authentication failed for user \"app_readonly\"","detail":"Connection matched file \"/var/lib/postgresql/data/pgdata/pg_hba.conf\" line 20: \"host all all ::/0 oauth issuer=\"https://keycloak-app-service:8443/realms/demo\" scope=db_access validator=\"kc_validator\" delegate_ident_mapping=1\"","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.028239093Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.027 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22234","connection_from":"fdd9:f927:3fbd:44b7::312:45776","session_id":"696cd76c.56da","session_line_num":"11","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"54/0","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: validator_shutdown","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.038649535Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.038 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22236","connection_from":"fdd9:f927:3fbd:44b7::312:45786","session_id":"696cd76c.56dc","session_line_num":"1","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"55/330","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: validator_startup: libcurl=libcurl/8.14.1 OpenSSL/3.5.4 zlib/1.3.1 brotli/1.1.0 zstd/1.5.7 libidn2/2.3.8 libpsl/0.21.2 libssh2/1.11.1 nghttp2/1.64.0 nghttp3/1.8.0 librtmp/2.3 OpenLDAP/2.6.10, timeout_ms=2000","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.038702943Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.038 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22236","connection_from":"fdd9:f927:3fbd:44b7::312:45786","session_id":"696cd76c.56dc","session_line_num":"2","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"55/330","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: validate_token: token=(present), role=app_readonly, resource_name=appdb","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.038715998Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.038 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22236","connection_from":"fdd9:f927:3fbd:44b7::312:45786","session_id":"696cd76c.56dc","session_line_num":"3","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"55/330","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: issuer_ok: expected_issuer not set -> skip","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.038868573Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.038 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22236","connection_from":"fdd9:f927:3fbd:44b7::312:45786","session_id":"696cd76c.56dc","session_line_num":"4","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"55/330","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: calling kc_decision with perm=\"appdb#app_readonly\"","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.038896222Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.038 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22236","connection_from":"fdd9:f927:3fbd:44b7::312:45786","session_id":"696cd76c.56dc","session_line_num":"5","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"55/330","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: decision request -> URL=https://keycloak-app-service:8443/realms/demo/protocol/openid-connect/token, audience=postgres-resource, permission=appdb#app_readonly, timeout_ms=2000, client_id=*************urce","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.054094652Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.053 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22236","connection_from":"fdd9:f927:3fbd:44b7::312:45786","session_id":"696cd76c.56dc","session_line_num":"6","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"55/330","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: decision resp http=0 time=14.4ms body_len=0 decision=false rc=60(SSL peer certificate or SSH remote key was not OK) err=\"SSL certificate problem: self-signed certificate\"","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.054137448Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.053 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22236","connection_from":"fdd9:f927:3fbd:44b7::312:45786","session_id":"696cd76c.56dc","session_line_num":"7","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"55/330","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: response body: ","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.054154837Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.053 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22236","connection_from":"fdd9:f927:3fbd:44b7::312:45786","session_id":"696cd76c.56dc","session_line_num":"8","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"55/330","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: authorization = FALSE for perm=\"appdb#app_readonly\"","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.056118162Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.053 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22236","connection_from":"fdd9:f927:3fbd:44b7::312:45786","session_id":"696cd76c.56dc","session_line_num":"9","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"55/330","transaction_id":"0","error_severity":"LOG","sql_state_code":"00000","message":"OAuth bearer authentication failed for user \"app_readonly\"","detail":"Validator failed to authorize the provided token.","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.056336571Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.054 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22236","connection_from":"fdd9:f927:3fbd:44b7::312:45786","session_id":"696cd76c.56dc","session_line_num":"10","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"55/330","transaction_id":"0","error_severity":"FATAL","sql_state_code":"28000","message":"OAuth bearer authentication failed for user \"app_readonly\"","detail":"Connection matched file \"/var/lib/postgresql/data/pgdata/pg_hba.conf\" line 20: \"host all all ::/0 oauth issuer=\"https://keycloak-app-service:8443/realms/demo\" scope=db_access validator=\"kc_validator\" delegate_ident_mapping=1\"","backend_type":"client backend","query_id":"0"}}
{"level":"info","ts":"2026-01-18T12:51:56.056647369Z","logger":"postgres","msg":"record","logging_pod":"pg-oauth-1","record":{"log_time":"2026-01-18 12:51:56.056 UTC","user_name":"app_readonly","database_name":"appdb","process_id":"22236","connection_from":"fdd9:f927:3fbd:44b7::312:45786","session_id":"696cd76c.56dc","session_line_num":"11","command_tag":"authentication","session_start_time":"2026-01-18 12:51:56 UTC","virtual_transaction_id":"55/0","transaction_id":"0","error_severity":"DEBUG","sql_state_code":"00000","message":"kc: validator_shutdown","backend_type":"client backend","query_id":"0"}}
Hello
I tried the demo in the dev7 branch. I followed every step, and it works until the verification of the bearer token. Then I get an error message on the PostgreSQL instance saying that a self-signed certificate is used.
The command is
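PGOAUTHDEBUG=UNSAFE PGOAUTHCAFILE=/root/ca.crt psql "host=pg-oauth-rw user=app_readonly dbname=appdb oauth_issuer=https://keycloak-app-service:8443/realms/demo oauth_client_id=appA oauth_client_secret=XyIXBUgsLhgvJJO4EQrcp8iJvHqaJIjm oauth_scope='db_access'"

Any idea what could be missing? The certificate error (rc=60) is logged on the server side by the kc validator's request to Keycloak, even though PGOAUTHCAFILE is set for the psql client.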