Postgres Pro
Downloads
Home   >   mailing lists

RE: Using Token (JWT) authentication mechanism in Postgres - Mailing list pgsql-general

From Julio Cesar Tenganan Daza
Subject RE: Using Token (JWT) authentication mechanism in Postgres
Date
Msg-id 1774C5C34773544EB628EB9E6D243FF221EFFFC0@jupiter.pslcol.com.co
Whole thread Raw
In response to Re: Using Token (JWT) authentication mechanism in Postgres  (Alexander Kukushkin <cyberdemn@gmail.com>)
List pgsql-general
Tree view

Hi Alexander,

 

I think we can use PAM authentication with something similar as you did is a good mechanism.

 

And also I have an additional question, can the implemented PAM authentication module be used from JDBC connections? Or they works totally apart?

 

Thank you so much!

 

 

Regards,

 

 

Cesar

 

From: Alexander Kukushkin [mailto:cyberdemn@gmail.com]
Sent: Thursday, January 25, 2018 3:43 AM
To: Julio Cesar Tenganan Daza <ctenganand@psl.com.co>
Cc: pgsql-general@postgresql.org
Subject: Re: Using Token (JWT) authentication mechanism in Postgres

 

Hi,

 

 

2018-01-24 22:27 GMT+01:00 Julio Cesar Tenganan Daza <ctenganand@psl.com.co>:

Hello,

 

I would like to know if is possible to use Token (JWT) authentication mechanism in Postgres? In order to authenticate users and also authorize access to specific tables, This is in a multi-tenant application context where users can create their own tables and share it if they want.

 

Is it possible this authentication mechanism or is there any plugin to achieve it?

 

Postgres can use pam for authentication.

I am not sure that such plugin already exists, but it shouldn't be very hard to implement it.

 

There are a few problems though:

1. JWT token already contains information about username, but you still have to provide it (username) when opening connection.

2. Token has to be send as a connection password. Therefor connection must be encrypted.

3. Usually JWT tokens are quite big in size, but for example when psql is asking you for a password, it thinks that password can't be longer than 100 characters. And this value is hard-coded. It's possible to overcome this issue if you specify your token in PGPASSWORD env variable.

 

We at Zalando are using JWT tokens to authenticate employees when they are accessing postgres databases, but we are not dealing with JWT directly.

We have some OAuth infrastructure in-place, which can validate JWT tokens.

At the end it boiled down to sending http request to tokeninfo service and validating its answer.

 

Source code of PAM module is here: https://github.com/CyberDem0n/pam-oauth2

 

Basically you can do something similar. Either take pam-oauth2 as a reference and add possibility to validate JWT tokens or implement your tokeninfo service.

 

 

 

Thank You for your help!

 

Regards,

 

Cesar

 

Regards,

--

Alexander Kukushkin

pgsql-general by date:

Previous
From: Robert Zenz
Date:
Subject: Information on savepoint requirement within transctions
Next
From: Melvin Davidson
Date:
Subject: Re: Information on savepoint requirement within transctions