OAuth2 Enhancements in pgAdmin

February 03, 2023

pgAdmin supports multiple authentication methods, including OAuth2, for logging into the application in web mode. We added OAuth2 support in July 2021, and since then the development team has enhanced the OAuth2 functionality in several ways.

Scope

After releasing OAuth2 support, pgAdmin introduced OAuth2 scope configuration. Initially only two scopes, profile and email, were supported; now users can configure as many scopes as they need with the OAUTH2_SCOPE parameter.

Profile Parameter

Next, to support Azure AD OAuth2 authentication, we added mail as an accepted profile parameter in addition to email.

Server Metadata URL

After that, we introduced the server metadata URL, which is mandatory for some OAuth2 providers such as Azure AD and Google. Server metadata is defined by a specification that describes a metadata format an OAuth 2.0 client can use to obtain the information it needs to interact with an OAuth 2.0 authorization server, including its endpoint locations and the authorization server's capabilities. Source: https://www.rfc-editor.org/rfc/rfc8414.html.

Use the 'OAUTH2_SERVER_METADATA_URL' configuration option to set this parameter.

Username Claim

Recently, we introduced an OAuth2 username claim. By default, pgAdmin uses the email address as the username for OAuth2 users, but some profiles may not contain an email address. To solve this, the configuration parameter 'OAUTH2_USERNAME_CLAIM' was added: if it is set, pgAdmin uses that claim as the username; otherwise it defaults to the email address.

Here is a sample pgAdmin OAuth2 configuration for Google:

OAUTH2_CONFIG = [{
    'OAUTH2_NAME': 'google',
    'OAUTH2_DISPLAY_NAME': 'Google',
    'OAUTH2_CLIENT_ID': 'xxxxxxxx',
    'OAUTH2_CLIENT_SECRET': 'xxxxxxxx',
    'OAUTH2_TOKEN_URL': 'https://oauth2.googleapis.com/token',
    'OAUTH2_AUTHORIZATION_URL': 'https://accounts.google.com/o/oauth2/auth',
    'OAUTH2_API_BASE_URL': 'https://openidconnect.googleapis.com/v3/',
    'OAUTH2_SERVER_METADATA_URL': 'https://accounts.google.com/.well-known/openid-configuration',
    'OAUTH2_USERINFO_ENDPOINT': 'userinfo',
    'OAUTH2_ICON': 'fa-google',
    'OAUTH2_BUTTON_COLOR': '#3253a8',
    'OAUTH2_SCOPE': 'openid email'
}]

Note: Multiple OAuth2 provider configurations are supported too.
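As an added illustration (not pgAdmin's own code), the following Python models the behaviour described above: it pulls the client-facing endpoints out of a constructed RFC 8414 style discovery document of the kind OAUTH2_SERVER_METADATA_URL points at, refusing any endpoint that is not HTTPS, and picks a username from a userinfo profile using OAUTH2_USERNAME_CLAIM with a fallback to email and then mail. The exact fallback order, the sample metadata and the sample profiles are assumptions constructed for this example.

```python
# Added example (not pgAdmin's own code): models the OAuth2 settings described above.
import json
from typing import Optional
from urllib.parse import urlparse

# Constructed sample discovery document (RFC 8414 / OIDC style), the kind of data
# OAUTH2_SERVER_METADATA_URL points at. All values are placeholders.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "scopes_supported": ["openid", "email", "profile"],
})

# Constructed userinfo responses: one carrying 'email', one carrying the
# Azure AD style 'mail' parameter plus an extra claim.
GOOGLE_PROFILE = {"sub": "1234", "email": "alice@example.com"}
AZURE_PROFILE = {"sub": "5678", "mail": "bob@example.com", "upn": "bob@corp.example"}

def endpoints_from_metadata(doc: str) -> dict:
    """Return the endpoints a client needs from a discovery document, rejecting
    a missing or non-HTTPS endpoint so a bad metadata document cannot send
    tokens to a plaintext URL."""
    meta = json.loads(doc)
    endpoints = {}
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint"):
        url = meta.get(key)
        if not url or urlparse(url).scheme != "https":
            raise ValueError(f"{key} missing or not https in metadata")
        endpoints[key] = url
    return endpoints

def resolve_username(profile: dict, username_claim: Optional[str] = None) -> Optional[str]:
    """Pick the pgAdmin username from a userinfo profile. If OAUTH2_USERNAME_CLAIM
    is set, only that claim is used; otherwise fall back to 'email' and then 'mail'
    (assumed order). Returns None when no non-empty value exists so the caller
    can reject the login rather than create a user with an empty name."""
    claims = [username_claim] if username_claim else ["email", "mail"]
    for claim in claims:
        value = profile.get(claim)
        if isinstance(value, str) and value.strip():
            return value.strip()
    return None

def scopes_from_config(scope_setting: str) -> list:
    """Split the space-separated OAUTH2_SCOPE string, keeping order, dropping duplicates."""
    return list(dict.fromkeys(scope_setting.split()))
```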

Conclusion

We are continuously enhancing and improving pgAdmin for a better user experience. These OAuth2 enhancements were requested by users, and some community members contributed to fulfil those requests. I would like to encourage everyone to contribute to open source projects.
