Skip to content

Commit 80c666d

Browse files
committed
Updated the oidc topic
- Proper installation steps, updated step 1 with readme info and remove step 2 - Reordered TOC to put OIDC first - create a snippet folder with proper oidc authentication flow which can be modified any time to render immediately as opposed to having an svg, using mermaid. - standardize the external identity providers, making a list of them is too bloaty.
1 parent 4ac80d0 commit 80c666d

4 files changed

Lines changed: 38 additions & 24 deletions

File tree

docs/solutions/authentication/oidc.md

Lines changed: 15 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -2,9 +2,9 @@
22

33
[OpenID Connect :octicons-link-external-16:](https://openid.net/developers/how-connect-works/) (or OIDC) authentication allows you to authenticate using tokens issued by an external identity provider. Instead of managing database passwords, you can delegate authentication to centralized identity services.
44

5-
Percona Distribution for PostgreSQL integrates OIDC authentication using the pg_oidc_validator library, which validates OIDC tokens during client authentication.
5+
Percona Distribution for PostgreSQL integrates OIDC authentication using the `pg_oidc_validator` library, which validates OIDC tokens during client authentication.
66

7-
The library is compatible with standard OIDC providers.
7+
The library is compatible with any identity provider that implements the OIDC standard.
88

99
For configuration details and source code, see the [pg_oidc_validator project :octicons-link-external-16:](https://github.com/Percona-Lab/pg_oidc_validator).
1010

@@ -34,7 +34,7 @@ OIDC authentication works as follows:
3434

3535
The following diagram shows how OIDC authentication works between the client, the identity provider, and PostgreSQL:
3636

37-
![OIDC authentication flow](../../_images/diagrams/oidc-auth-flow.svg)
37+
--8<-- "diagrams/oidc/auth-flow.md"
3838

3939
!!! tip
4040
Before configuring OIDC authentication, ensure that your PostgreSQL deployment can access the identity provider that issues OIDC tokens.
@@ -44,20 +44,24 @@ The following diagram shows how OIDC authentication works between the client, th
4444
Follow these steps to set up OIDC authentication for your PostgreSQL database.
4545
{.power-number}
4646

47-
1. Install the `pg_oidc_validator` package:
47+
1. Install the `pg_oidc_validator` package.
4848

49-
For Debian/Ubuntu:
49+
Pre-built packages are not available in the default system repositories.
5050

51-
```bash
52-
sudo apt install pg-oidc-validator-pgdg{{pgversion}}
53-
```
51+
You can download pre-built packages from the `pg_oidc_validator` project (see the project releases page):
52+
53+
- Debian/Ubuntu: available for Ubuntu 24.04
54+
- RHEL/Oracle Linux/Rocky Linux: RPM packages for OL8 and OL9
5455

55-
For RHEL/Oracle Linux/Rocky Linux:
56+
Alternatively, you can build the extension from source:
5657

5758
```bash
58-
sudo dnf install pg-oidc-validator-pgdg{{pgversion}}
59+
make USE_PGXS=1 install -j
5960
```
6061

62+
!!! note
63+
A C++23 compiler and standard library is required to build pg_oidc_validator.
64+
6165
2. Edit `postgresql.conf` and add the validator library:
6266

6367
```ini
@@ -79,11 +83,5 @@ Follow these steps to set up OIDC authentication for your PostgreSQL database.
7983
* `scope` is the required OIDC scope
8084
* `issuer` is the URL of the OIDC identity provider
8185

82-
4. Restart PostgreSQL for the changes to take effect:
83-
84-
```bash
85-
sudo systemctl restart postgresql-{{pgversion}}
86-
```
87-
8886
!!! important
89-
PostgreSQL does not issue OIDC tokens. Clients must obtain an access token from an external identity provider such as Keycloak, Okta, or Microsoft Entra ID before connecting.
87+
PostgreSQL does not issue OIDC tokens. Clients must obtain an access token from an external identity provider before connecting.

docs/solutions/authentication/overview.md

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -6,14 +6,14 @@ Percona Distribution for PostgreSQL supports multiple authentication mechanisms
66

77
## Available authentication methods
88

9-
### LDAP authentication
10-
11-
Use LDAP directories such as OpenLDAP or Active Directory to centrally manage database users.
12-
13-
[LDAP authentication :material-arrow-right:](ldap.md){.md-button}
14-
159
### OIDC authentication
1610

1711
Authenticate users using OpenID Connect identity providers such as Keycloak, Okta, or Microsoft Entra ID.
1812

1913
[OIDC authentication :material-arrow-right:](oidc.md){.md-button}
14+
15+
### LDAP authentication
16+
17+
Use LDAP directories such as OpenLDAP or Active Directory to centrally manage database users.
18+
19+
[LDAP authentication :material-arrow-right:](ldap.md){.md-button}

mkdocs.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -64,8 +64,8 @@ nav:
6464
- Upgrade spatial database: solutions/postgis-upgrade.md
6565
- Authentication:
6666
- Overview: solutions/authentication/overview.md
67-
- LDAP authentication: solutions/authentication/ldap.md
6867
- OIDC authentication: solutions/authentication/oidc.md
68+
- LDAP authentication: solutions/authentication/ldap.md
6969
- Upgrade:
7070
- "Major upgrade": major-upgrade.md
7171
- minor-upgrade.md
Lines changed: 16 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,16 @@
1+
```mermaid
2+
sequenceDiagram
3+
participant Client
4+
participant IdP as Identity Provider (OIDC)
5+
participant PostgreSQL
6+
participant Validator as pg_oidc_validator
7+
8+
Client->>IdP: Request authentication
9+
IdP-->>Client: Return OIDC access token
10+
11+
Client->>PostgreSQL: Connect using OAuth token
12+
PostgreSQL->>Validator: Validate token
13+
Validator-->>PostgreSQL: Token valid / invalid
14+
15+
PostgreSQL-->>Client: Connection allowed or rejected
16+
```

0 commit comments

Comments
 (0)