PG-2238 - Add the OIDC topic #930
There are no files selected for viewing
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,89 @@ | ||
| # OIDC authentication | ||
|
|
||
| [OpenID Connect :octicons-link-external-16:](https://openid.net/developers/how-connect-works/) (or OIDC) authentication allows you to authenticate using tokens issued by an external identity provider. Instead of managing database passwords, you can delegate authentication to centralized identity services. | ||
|
|
||
| Percona Distribution for PostgreSQL supports OIDC authentication through the `pg_oidc_validator` library. This library validates OIDC tokens during PostgreSQL authentication. | ||
|
|
||
| If you want to test PostgreSQL OAuth authentication using `pg_oidc_validator` with Keycloak using Docker containers, see the [PostgreSQL OIDC Authentication with pg_oidc_validator :octicons-link-external-16:](https://www.percona.com/blog/postgresql-oidc-authentication-with-pg_oidc_validator/) blog post. | ||
|
|
||
| For additional configuration details and source code, see the [pg_oidc_validator project :octicons-link-external-16:](https://github.com/Percona-Lab/pg_oidc_validator). | ||
|
|
||
| !!! important | ||
| OIDC authentication relies on [PostgreSQL OAuth authentication :octicons-link-external-16:](https://www.postgresql.org/docs/current/auth-oauth.html), introduced in PostgreSQL 18. | ||
|
|
||
| ## When to use OIDC authentication | ||
|
|
||
| OIDC authentication is useful when you want to: | ||
|
|
||
| * integrate PostgreSQL with an existing single sign-on (SSO) platform | ||
| * reduce the need to manage database passwords | ||
| * centralize identity management across applications and databases | ||
|
|
||
| !!! tip | ||
| OIDC authentication simplifies access management for PostgreSQL when using an identity provider that supports OpenID Connect. | ||
|
|
||
| ## OIDC authentication architecture | ||
|
|
||
| OIDC authentication works as follows: | ||
|
|
||
| 1. The client obtains an access token from an external identity provider | ||
| 2. The client connects to PostgreSQL using OAuth authentication | ||
| 3. PostgreSQL forwards the token to the `pg_oidc_validator` module | ||
| 4. The validator verifies the token signature and claims | ||
| 5. If validation succeeds, PostgreSQL allows the connection | ||
|
|
||
| The following diagram shows how OIDC authentication works between the client, the identity provider, and PostgreSQL: | ||
|
|
||
|  | ||
|
There was a problem hiding this comment. doesn't our documentation site supports mermaid or something similar, so we can include the "source" of this graph instead of the image directly? This is not maintainable in the long term, if somebody else has to modify the image later. |
||
|
|
||
| !!! tip | ||
| Before configuring OIDC authentication, ensure that your PostgreSQL deployment can access the identity provider that issues OIDC tokens. | ||
|
|
||
| ## Set up OIDC authentication | ||
|
|
||
| Follow these steps to set up OIDC authentication for your PostgreSQL database. | ||
| {.power-number} | ||
|
|
||
| 1. Install the `pg_oidc_validator` package: | ||
|
|
||
| For Debian/Ubuntu: | ||
|
|
||
| ```bash | ||
| sudo apt install pg-oidc-validator-pgdg{{pgversion}} | ||
|
There was a problem hiding this comment. do we or pgdg actually publish this package, or the RHEL one? I don't remember these, and I definitely can't find them in the official debian/ubuntu packages. If it is part of a different repository, that should be also mentioned. |
||
| ``` | ||
|
|
||
| For RHEL/Oracle Linux/Rocky Linux: | ||
|
|
||
| ```bash | ||
| sudo dnf install pg-oidc-validator-pgdg{{pgversion}} | ||
| ``` | ||
|
|
||
| 2. Edit `postgresql.conf` and add the validator library: | ||
|
|
||
| ```ini | ||
| oauth_validator_libraries = 'pg_oidc_validator' | ||
| ``` | ||
|
|
||
| !!! note | ||
| This setting tells PostgreSQL to load the OIDC validator during startup. | ||
|
|
||
| 3. Add an OAuth authentication rule to `pg_hba.conf`: | ||
|
|
||
| ```ini | ||
| host all all 192.168.1.0/24 oauth scope="openid",issuer=https://your-oidc-provider | ||
| ``` | ||
|
|
||
| Where: | ||
|
|
||
| * `oauth` enables OAuth authentication | ||
| * `scope` is the required OIDC scope | ||
| * `issuer` is the URL of the OIDC identity provider | ||
|
|
||
| 4. Restart PostgreSQL for the changes to take effect: | ||
|
There was a problem hiding this comment.
|
||
|
|
||
| ```bash | ||
| sudo systemctl restart postgresql-{{pgversion}} | ||
| ``` | ||
|
|
||
| !!! important | ||
| PostgreSQL does not issue OIDC tokens. Clients must obtain an access token from an external identity provider such as Keycloak, Okta, or Microsoft Entra ID before connecting. | ||
|
There was a problem hiding this comment. Here we again mention some specific providers - if we do mention some, we should have one consistent list. |
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,19 @@ | ||
| # Authentication | ||
|
|
||
| Centralized authentication allows you to manage database access using external identity systems instead of local PostgreSQL users. | ||
|
|
||
| Percona Distribution for PostgreSQL supports multiple authentication mechanisms that integrate with enterprise identity infrastructure. | ||
|
|
||
| ## Available authentication methods | ||
|
|
||
| ### LDAP authentication | ||
|
There was a problem hiding this comment. I would change the order here, OIDC is the preferred solution over LDAP. |
||
|
|
||
| Use LDAP directories such as OpenLDAP or Active Directory to centrally manage database users. | ||
|
|
||
| [LDAP authentication :material-arrow-right:](ldap.md){.md-button} | ||
|
|
||
| ### OIDC authentication | ||
|
|
||
| Authenticate users using OpenID Connect identity providers such as Keycloak, Okta, or Microsoft Entra ID. | ||
|
|
||
| [OIDC authentication :material-arrow-right:](oidc.md){.md-button} | ||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We also support other providers (Ping, Okta, etc), I'm not sure if only mentioning keycloak here is a good idea. (or generally, is it okay for the more "stable" documentation to link to "written once, not maintained later" blog posts? things will change)