pgAdmin supports multiple authentication methods including OAuth2 for login into the app in web mode. We have added support for OAuth2 in July 2021. After that, the development team enhanced the OAuth2 functionality.
Scope
After releasing OAuth2 support, pgAdmin introduced OAuth2 scope configuration. Initially, we supported only 2 scopes, i.e. profile and email, now users can configure as many as scopes with OAUTH2_SCOPE parameter.
Profile Parameter
Next, to support Azure AD OAuth2 authentication, we added mail in addition to email profile parameters.
Server Metadata URL
After that, we introduced the server metadata url which is mandatory for some OAuth2 providers like Azure AD, Google etc. Server metadata is a specification that defines a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities. Source: https://www.rfc-editor.org/rfc/rfc8414.html.
Use 'OAUTH2_SERVER_METADATA_URL configuration option to set this parameter.
Username Claim
Recently, we have introduced an OAuth2 username claim. By default, pgAdmin uses email as the username for OAuth2 users. It could be possible that some of the profiles don’t have an email address. To solve this issue, a configuration parameter, 'OAUTH2_USERNAME_CLAIM' was added. So if this parameter is set then, pgAdmin will consider this field as a username otherwise it will default to the email address.
Here is the sample pgAdmin Oauth2 configuration for Google.
OAUTH2_CONFIG = [{
'OAUTH2_NAME': 'google',
'OAUTH2_DISPLAY_NAME': 'Google',
'OAUTH2_CLIENT_ID': 'xxxxxxxx',
'OAUTH2_CLIENT_SECRET': 'xxxxxxxx',
'OAUTH2_TOKEN_URL': 'https://oauth2.googleapis.com/token',
'OAUTH2_AUTHORIZATION_URL': 'https://accounts.google.com/o/oauth2/auth',
'OAUTH2_API_BASE_URL': 'https://openidconnect.googleapis.com/v3/',
'OAUTH2_SERVER_METADATA_URL': 'https://accounts.google.com/.well-known/openid-configuration',
'OAUTH2_USERINFO_ENDPOINT': 'userinfo',
'OAUTH2_ICON': 'fa-google',
'OAUTH2_BUTTON_COLOR': '#3253a8',
'OAUTH2_SCOPE': 'openid email'
}]
Note: Multiple Oauth2 provider configurations are supported too.
Conclusion
We are in a continuous process of enhancing and improving pgAdmin for better user experience. These OAuth2 enhancements were requested by users and some of the community members contributed to fulfill these requests. I would like to encourage all to contribute towards open source projects.