This PR reorganizes the authentication methods in Solutions, adding a folder to future-proof the authentication methods, and adds the OIDC topic.
- Add content to the OIDC topic, which includes beginner explanations of the authentication flow, why to use OIDC, and the standard setup from the PG side.
- Add buttons to the overview, and add a lot of links to the OIDC chapter for all of our sources.
> Percona Distribution for PostgreSQL supports OIDC authentication through the `pg_oidc_validator` library. This library validates OIDC tokens during PostgreSQL authentication.
>
> If you want to test PostgreSQL OAuth authentication using `pg_oidc_validator` with Keycloak in Docker containers, see the [PostgreSQL OIDC Authentication with pg_oidc_validator :octicons-link-external-16:](https://www.percona.com/blog/postgresql-oidc-authentication-with-pg_oidc_validator/) blog post.
We also support other providers (Ping, Okta, etc.); I'm not sure if only mentioning Keycloak here is a good idea. (Or, generally, is it okay for the more "stable" documentation to link to "written once, not maintained later" blog posts? Things will change.)
> The following diagram shows how OIDC authentication works between the client, the identity provider, and PostgreSQL:
>
> (diagram image)
Doesn't our documentation site support Mermaid or something similar, so we can include the "source" of this graph instead of the image directly? This is not maintainable in the long term if somebody else has to modify the image later.
> For Debian/Ubuntu:
>
> ```bash
> sudo apt install pg-oidc-validator-pgdg{{pgversion}}
> ```
Do we or PGDG actually publish this package, or the RHEL one? I don't remember these, and I definitely can't find them in the official Debian/Ubuntu packages. If it is part of a different repository, that should also be mentioned.
> * `scope` is the required OIDC scope
> * `issuer` is the URL of the OIDC identity provider
>
> 4. Restart PostgreSQL for the changes to take effect:
`oauth_validator_libraries` and `pg_hba` are both SIGHUP-aware, so a reload is enough; you don't have to restart.
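The `scope` and `issuer` options in the quoted step are easy to omit or mistype, so here is an added lint, not part of this PR or of `pg_oidc_validator`, that reads `pg_hba.conf` and flags `oauth` entries missing either option or using a non-https issuer. The `issuer="..." scope="..."` option syntax is assumed from PostgreSQL's `oauth` authentication method, and the sample file is constructed.

```python
import shlex

# Constructed sample pg_hba.conf (not from the PR). The issuer="..." scope="..."
# option syntax is assumed from PostgreSQL's oauth auth method; the reviewed
# excerpt only names the two options.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS       METHOD  OPTIONS
local   all       all                 peer
host    all       all   10.0.0.0/8    oauth   issuer="https://idp.example.internal/realms/pg" scope="openid"
host    all       all   0.0.0.0/0     oauth   scope="openid"
host    all       all   192.0.2.0/24  oauth   issuer="http://idp.example.internal/realms/pg" scope="openid"
"""


def parse_pg_hba(text):
    """Return (line_no, method, options) per entry; method is None if malformed."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        # shlex handles key="quoted value" tokens and strips '#' comments
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        # 'local' entries have three fields before the method, others four
        method_idx = 3 if tokens[0] == "local" else 4
        if len(tokens) <= method_idx:
            entries.append((line_no, None, {}))
            continue
        options = dict(tok.partition("=")[::2] for tok in tokens[method_idx + 1:])
        entries.append((line_no, tokens[method_idx], options))
    return entries


def lint_oauth_entries(text):
    """Flag oauth entries missing issuer/scope or using a non-https issuer."""
    problems = []
    for line_no, method, options in parse_pg_hba(text):
        if method is None:
            problems.append((line_no, "malformed entry"))
            continue
        if method != "oauth":
            continue
        for required in ("issuer", "scope"):
            if not options.get(required):
                problems.append((line_no, f"missing required option '{required}'"))
        issuer = options.get("issuer", "")
        # a plain-http issuer lets token metadata travel unprotected
        if issuer and not issuer.startswith("https://"):
            problems.append((line_no, "issuer must be an https URL"))
    return problems
```

Calling `lint_oauth_entries(SAMPLE_PG_HBA)` reports the entry with no `issuer` and the entry whose issuer is plain http; run it against the real file before the `pg_ctl reload` the review comment recommends.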
> !!! important
>     PostgreSQL does not issue OIDC tokens. Clients must obtain an access token from an external identity provider such as Keycloak, Okta, or Microsoft Entra ID before connecting.
Here we again mention some specific providers; if we do mention some, we should have one consistent list.
> ## Available authentication methods
>
> ### LDAP authentication
I would change the order here; OIDC is the preferred solution over LDAP.