Re: Using pgadmin as an OAuth2 proxy for PostgreSQL - Mailing list pgsql-admin

@font-face {font-family:"Cambria Math"; panose-1:2 4 5 3 5 4 6 3 2 4;}@font-face {font-family:Calibri; panose-1:2 15 5 2 2 2 4 3 2 4;}p.MsoNormal, li.MsoNormal, div.MsoNormal {margin:0cm; margin-bottom:.0001pt; font-size:11.0pt; font-family:"Calibri",sans-serif; mso-fareast-language:EN-US;}a:link, span.MsoHyperlink {mso-style-priority:99; color:#0563C1; text-decoration:underline;}a:visited, span.MsoHyperlinkFollowed {mso-style-priority:99; color:#954F72; text-decoration:underline;}span.E-MailFormatvorlage17 {mso-style-type:personal-compose; font-family:"Calibri",sans-serif; color:windowtext;}.MsoChpDefault {mso-style-type:export-only; font-family:"Calibri",sans-serif; mso-fareast-language:EN-US;}div.WordSection1 {page:WordSection1;}

Hi all,

 

our current project has the requirement that users should get read access to our backend databases. The users are stored in Azure AD and my first idea was to use OAuth2 / OIDC to authenticate the users. Since pgadmin provides OAuth2 authentication, is it possible to somehow map roles in the access token that we get from Azure AD to a Postgres user in pgadmin, so that the users can just log into using their Azure AD account and then get access to a number of databases that I have configured?

 

I already tried the OAuth2 login in pgadmin and it’s working fine, but I haven’t figured out how to deploy the database credentials. I know that I could use a password file, but it has to be located in the storage directory of the user, where he could download it using the storage manager. Since users should not be able to access the password, we cannot use this. It would also be feasible if the owner of the password would have to enter the password on the machine of each of the users, but even if I select “Save password”, the password is not saved, even though master passwords and password saving are activated in the config.

 

We are running the latest Docker image dpage/pgadmin4 in a Kubernetes cluster. The pgadmin version is 6.17.

 

Thanks in advance for your help and best regards,

Tobias

**************************************************************** Die in dieser E-Mail enthaltenen Informationen sind vertraulich. Diese E-Mail ist ausschliesslich fuer den Adressaten bestimmt und jeglicher Zugriff durch andere Personen ist nicht zulaessig. Falls Sie nicht einer der genannten Empfaenger sind, ist jede Veroeffentlichung, Vervielfaeltigung, Verteilung oder sonstige in diesem Zusammenhang stehende Handlung untersagt und unter Umstaenden ungesetzlich. Sollte diese Nachricht nicht fuer Sie bestimmt sein, so bitten wir Sie, den Absender unverzueglich zu informieren und die E-Mail zu loeschen. **************************************************************** The information contained in this e-mail is confidential. This e-mail is intended solely for the addressee(s) and may not be accessed by anyone else. If you are not a named recipient, any disclosure, copying, distribution or related action is prohibited and might be unlawful. If the e-mail is not intended for you, please notify the sender immediately and delete it. ****************************************************************