-
Notifications
You must be signed in to change notification settings - Fork 39
PG-2238 - Add the OIDC topic #930
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from 6 commits
Commits
Show all changes
9 commits
Select commit
Hold shift + click to select a range
a9c0160
PG-2238 - Add the OIDC topic
Andriciuc 9b712db
Add content to oidc.md
Andriciuc fb388e2
Add buttons and links
Andriciuc 4ac80d0
reword the intro paragraph and remove leading config to blog
Andriciuc 80c666d
Updated the oidc topic
Andriciuc d8fe01a
Update overview.md
Andriciuc 877c540
Update with second round of feedback
Andriciuc c200f26
Update oidc.md
Andriciuc 69996bb
Delete oidc-auth-flow.svg
Andriciuc File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,87 @@ | ||
| # OIDC authentication | ||
|
|
||
| [OpenID Connect :octicons-link-external-16:](https://openid.net/developers/how-connect-works/) (or OIDC) authentication allows you to authenticate using tokens issued by an external identity provider. Instead of managing database passwords, you can delegate authentication to centralized identity services. | ||
|
|
||
| Percona Distribution for PostgreSQL integrates OIDC authentication using the `pg_oidc_validator` library, which validates OIDC tokens during client authentication. | ||
|
|
||
| The library is compatible with any identity provider that implements the OIDC standard. | ||
|
|
||
| For configuration details and source code, see the [pg_oidc_validator project :octicons-link-external-16:](https://github.com/Percona-Lab/pg_oidc_validator). | ||
|
|
||
| !!! important | ||
| OIDC authentication relies on [PostgreSQL OAuth authentication :octicons-link-external-16:](https://www.postgresql.org/docs/current/auth-oauth.html), introduced in PostgreSQL 18. | ||
|
|
||
| ## When to use OIDC authentication | ||
|
|
||
| OIDC authentication is useful when you want to: | ||
|
|
||
| * integrate PostgreSQL with an existing single sign-on (SSO) platform | ||
| * reduce the need to manage database passwords | ||
| * centralize identity management across applications and databases | ||
|
|
||
| !!! tip | ||
| OIDC authentication simplifies access management for PostgreSQL when using an identity provider that supports OpenID Connect. | ||
|
|
||
| ## OIDC authentication architecture | ||
|
|
||
| OIDC authentication works as follows: | ||
|
|
||
| 1. The client obtains an access token from an external identity provider | ||
| 2. The client connects to PostgreSQL using OAuth authentication | ||
| 3. PostgreSQL forwards the token to the `pg_oidc_validator` module | ||
| 4. The validator verifies the token signature and claims | ||
| 5. If validation succeeds, PostgreSQL allows the connection | ||
|
|
||
| The following diagram shows how OIDC authentication works between the client, the identity provider, and PostgreSQL: | ||
|
|
||
| --8<-- "diagrams/oidc/auth-flow.md" | ||
|
|
||
| !!! tip | ||
| Before configuring OIDC authentication, ensure that your PostgreSQL deployment can access the identity provider that issues OIDC tokens. | ||
|
|
||
| ## Set up OIDC authentication | ||
|
|
||
| Follow these steps to set up OIDC authentication for your PostgreSQL database. | ||
| {.power-number} | ||
|
|
||
| 1. Install the `pg_oidc_validator` package. | ||
|
|
||
| Pre-built packages are not available in the default system repositories. | ||
|
|
||
| You can download pre-built packages from the `pg_oidc_validator` project (see the project releases page): | ||
|
Andriciuc marked this conversation as resolved.
Outdated
|
||
|
|
||
| - Debian/Ubuntu: available for Ubuntu 24.04 | ||
| - RHEL/Oracle Linux/Rocky Linux: RPM packages for OL8 and OL9 | ||
|
|
||
| Alternatively, you can build the extension from source: | ||
|
|
||
| ```bash | ||
| make USE_PGXS=1 install -j | ||
| ``` | ||
|
|
||
| !!! note | ||
| A C++23 compiler and standard library is required to build pg_oidc_validator. | ||
|
|
||
| 2. Edit `postgresql.conf` and add the validator library: | ||
|
|
||
| ```ini | ||
| oauth_validator_libraries = 'pg_oidc_validator' | ||
| ``` | ||
|
|
||
| !!! note | ||
| This setting tells PostgreSQL to load the OIDC validator during startup. | ||
|
|
||
| 3. Add an OAuth authentication rule to `pg_hba.conf`: | ||
|
|
||
| ```ini | ||
| host all all 192.168.1.0/24 oauth scope="openid",issuer=https://your-oidc-provider | ||
|
Andriciuc marked this conversation as resolved.
Outdated
|
||
| ``` | ||
|
|
||
| Where: | ||
|
|
||
| * `oauth` enables OAuth authentication | ||
| * `scope` is the required OIDC scope | ||
| * `issuer` is the URL of the OIDC identity provider | ||
|
|
||
| !!! important | ||
| PostgreSQL does not issue OIDC tokens. Clients must obtain an access token from an external identity provider before connecting. | ||
|
Andriciuc marked this conversation as resolved.
Outdated
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # Authentication | ||
|
|
||
| Centralized authentication allows you to manage database access using external identity systems instead of local PostgreSQL users. | ||
|
|
||
| Percona Distribution for PostgreSQL supports multiple authentication mechanisms that integrate with enterprise identity infrastructure. | ||
|
|
||
| ## Available authentication methods | ||
|
|
||
| ### OIDC authentication | ||
|
|
||
| Authenticate users using OpenID Connect identity providers. | ||
|
|
||
| [OIDC authentication :material-arrow-right:](oidc.md){.md-button} | ||
|
|
||
| ### LDAP authentication | ||
|
|
||
| Use LDAP directories such as OpenLDAP or Active Directory to centrally manage database users. | ||
|
|
||
| [LDAP authentication :material-arrow-right:](ldap.md){.md-button} |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,16 @@ | ||
| ```mermaid | ||
| sequenceDiagram | ||
| participant Client | ||
| participant IdP as Identity Provider (OIDC) | ||
| participant PostgreSQL | ||
| participant Validator as pg_oidc_validator | ||
|
|
||
| Client->>IdP: Request authentication | ||
| IdP-->>Client: Return OIDC access token | ||
|
|
||
| Client->>PostgreSQL: Connect using OAuth token | ||
| PostgreSQL->>Validator: Validate token | ||
| Validator-->>PostgreSQL: Token valid / invalid | ||
|
|
||
| PostgreSQL-->>Client: Connection allowed or rejected | ||
| ``` |
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.