OAuth2 Enhancements in pgAdmin

February 03, 2023

pgAdmin supports multiple authentication methods, including OAuth2 for logging in to the application when it runs in web (server) mode. We added support for OAuth2 in July 2021. Since then, the development team has continued to enhance the OAuth2 functionality.

Scope

After releasing OAuth2 support, pgAdmin introduced OAuth2 scope configuration. Initially, we supported only two scopes, profile and email; now users can configure as many scopes as they need with the OAUTH2_SCOPE parameter.

Profile Parameter

Next, to support Azure AD OAuth2 authentication, we added the mail profile attribute in addition to email when reading the user's address from the profile.

Server Metadata URL

After that, we introduced the server metadata URL, which is mandatory for some OAuth2 providers such as Azure AD and Google. Server metadata is "a metadata format that an OAuth 2.0 client can use to obtain the information needed to interact with an OAuth 2.0 authorization server, including its endpoint locations and authorization server capabilities" (RFC 8414, https://www.rfc-editor.org/rfc/rfc8414.html).

Use the OAUTH2_SERVER_METADATA_URL configuration option to set this parameter.
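Because the metadata document tells the client where to send the user and the client secret, it is worth checking it before trusting it. The following is an added example, not pgAdmin's own code: it parses a constructed discovery document of the kind a metadata URL returns, applies the basic RFC 8414 requirements (issuer is an https URL without query or fragment, endpoints are https, the document was fetched from the issuer's own host) and reports which scopes from an OAUTH2_SCOPE string the server does not advertise. The sample document, the host names and the function names are assumptions made for the example; a deployment would fetch the real document from OAUTH2_SERVER_METADATA_URL over HTTPS.

```python
"""Sanity-check an OAuth 2.0 / OpenID Connect server metadata document
(RFC 8414 / OpenID Connect Discovery) before using the endpoints in it.

Added illustration, not pgAdmin's own code. The document below is a
constructed sample shaped like a real discovery document.
"""
import json
from urllib.parse import urlparse

# Constructed sample of what a metadata URL might return (hypothetical IdP).
SAMPLE_METADATA_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/.well-known/jwks.json",
    "scopes_supported": ["openid", "email", "profile"],
})

# Endpoints a client needs to complete the authorization-code flow.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint")
# Endpoints that are optional but must still be https when present.
OPTIONAL_ENDPOINTS = ("userinfo_endpoint", "jwks_uri")


def _is_https(url):
    """True for an absolute https URL with a host component."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and bool(parsed.netloc)


def validate_metadata(metadata_url, document_json):
    """Return the parsed document if it passes the checks, else raise ValueError.

    Checks (from RFC 8414 sections 2 and 3, simplified):
      * the document is a JSON object carrying 'issuer' and the required endpoints;
      * the issuer is an https URL with no query or fragment;
      * the metadata URL was fetched from the issuer's own host, so a document
        describing one issuer cannot be swapped in for another;
      * every endpoint URL uses https.
    """
    doc = json.loads(document_json)
    if not isinstance(doc, dict):
        raise ValueError("metadata document must be a JSON object")

    issuer = doc.get("issuer")
    if not isinstance(issuer, str) or not _is_https(issuer):
        raise ValueError("issuer missing or not an https URL")
    parsed_issuer = urlparse(issuer)
    if parsed_issuer.query or parsed_issuer.fragment:
        raise ValueError("issuer must not contain a query or fragment")
    if urlparse(metadata_url).netloc != parsed_issuer.netloc:
        raise ValueError("metadata URL host does not match issuer host")

    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not isinstance(url, str) or not _is_https(url):
            raise ValueError(f"{key} missing or not an https URL")
    for key in OPTIONAL_ENDPOINTS:
        url = doc.get(key)
        if url is not None and not _is_https(url):
            raise ValueError(f"{key} is present but not an https URL")
    return doc


def metadata_error(metadata_url, document_json):
    """The validation error message, or None when the document is acceptable."""
    try:
        validate_metadata(metadata_url, document_json)
    except ValueError as exc:
        return str(exc)
    return None


def scopes_missing(doc, requested_scope):
    """Scopes from a space-delimited OAUTH2_SCOPE string that the server does
    not list in scopes_supported. Empty when all are advertised, and also
    empty when the server publishes no list, since nothing can be checked."""
    supported = doc.get("scopes_supported")
    if not supported:
        return []
    return [s for s in requested_scope.split() if s not in supported]


if __name__ == "__main__":
    url = "https://idp.example.com/.well-known/openid-configuration"
    doc = validate_metadata(url, SAMPLE_METADATA_JSON)
    print("token endpoint:", doc["token_endpoint"])
    print("unadvertised scopes:", scopes_missing(doc, "openid email groups"))
```

The host comparison is a deliberately simple stand-in for the full RFC 8414 rule, which requires the issuer value to be identical to the issuer identifier the well-known URL was built from; a scope that the server does not advertise is usually a typo in OAUTH2_SCOPE and is the first thing to check when a login completes but the profile comes back without the expected fields.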

Username Claim

Recently, we introduced an OAuth2 username claim. By default, pgAdmin uses the email address as the username for OAuth2 users. However, some profiles do not carry an email address at all. To solve this, the configuration parameter OAUTH2_USERNAME_CLAIM was added. If this parameter is set, pgAdmin uses that field of the profile as the username; otherwise it defaults to the email address.
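The username is the identity every later authorization decision in pgAdmin hangs on, so the mapping from profile to username should be deterministic. Here is an added example, not pgAdmin's implementation, of the rules this post describes: a configured OAUTH2_USERNAME_CLAIM wins, otherwise the email address is used, read from email or, for Azure AD style profiles, from mail. Two choices are this example's own and not something the post states about pgAdmin: a configured claim that is missing from the profile is treated as an error rather than silently falling back to email, and an email the provider explicitly marks as unverified is refused. The profiles and names below are constructed samples.

```python
"""Pick the pgAdmin username for an OAuth2 login from the provider's profile.

Added illustration of the rules described in the post, not pgAdmin's own
implementation. The profiles are constructed samples, not real responses.
"""

# Constructed userinfo responses in the shape different providers return.
GOOGLE_PROFILE = {"sub": "1234567890", "email": "alice@example.com",
                  "email_verified": True, "name": "Alice"}
AZURE_PROFILE = {"oid": "7f1c2e3d-0000-4000-8000-000000000001",
                 "mail": "bob@example.com",
                 "preferred_username": "bob@example.com"}
NO_EMAIL_PROFILE = {"sub": "999", "preferred_username": "carol",
                    "name": "Carol"}

# Attributes consulted, in order, when no username claim is configured
# ('mail' covers Azure AD profiles that lack 'email').
EMAIL_ATTRIBUTES = ("email", "mail")


class UsernameUnavailable(Exception):
    """Raised when no usable username can be derived from the profile."""


def _clean(value):
    """Accept only non-empty strings; strip surrounding whitespace."""
    if isinstance(value, str):
        value = value.strip()
        if value:
            return value
    return None


def resolve_username(profile, username_claim=None):
    """Return the username for this login.

    With username_claim set (OAUTH2_USERNAME_CLAIM), that claim is the
    username. This example fails closed when the configured claim is absent
    instead of falling back, so every user is mapped by the same rule.
    Without a claim, 'email' and then 'mail' are tried; an email the provider
    marks as unverified is refused (a choice of this example).
    """
    if username_claim:
        value = _clean(profile.get(username_claim))
        if value is None:
            raise UsernameUnavailable(
                f"configured claim {username_claim!r} not present in profile")
        return value
    for attr in EMAIL_ATTRIBUTES:
        value = _clean(profile.get(attr))
        if value is not None:
            if attr == "email" and profile.get("email_verified") is False:
                raise UsernameUnavailable(
                    "email address is not verified by the provider")
            return value
    raise UsernameUnavailable(
        "profile has no email address; set OAUTH2_USERNAME_CLAIM")


def can_log_in(profile, username_claim=None):
    """True when resolve_username succeeds for this profile."""
    try:
        resolve_username(profile, username_claim)
    except UsernameUnavailable:
        return False
    return True


if __name__ == "__main__":
    print("google :", resolve_username(GOOGLE_PROFILE))
    print("azure  :", resolve_username(AZURE_PROFILE))
    print("claim  :", resolve_username(NO_EMAIL_PROFILE, "preferred_username"))
    print("no mail:", can_log_in(NO_EMAIL_PROFILE))
```

Failing closed on a missing claim matters because the username claim is chosen per provider: if only some accounts at that provider carry the claim, a silent fallback would map those accounts by email and the rest by the claim, and the same person could end up with two pgAdmin identities depending on which path ran.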

Here is a sample pgAdmin OAuth2 configuration for Google.

OAUTH2_CONFIG = [{
    'OAUTH2_NAME': 'google',
    'OAUTH2_DISPLAY_NAME': 'Google',
    'OAUTH2_CLIENT_ID': 'xxxxxxxx',
    'OAUTH2_CLIENT_SECRET': 'xxxxxxxx',
    'OAUTH2_TOKEN_URL': 'https://oauth2.googleapis.com/token',
    'OAUTH2_AUTHORIZATION_URL': 'https://accounts.google.com/o/oauth2/auth',
    'OAUTH2_API_BASE_URL': 'https://openidconnect.googleapis.com/v3/',
    'OAUTH2_SERVER_METADATA_URL': 'https://accounts.google.com/.well-known/openid-configuration',
    'OAUTH2_USERINFO_ENDPOINT': 'userinfo',
    'OAUTH2_ICON': 'fa-google',
    'OAUTH2_BUTTON_COLOR': '#3253a8',
    'OAUTH2_SCOPE': 'openid email'
}]

Note: Multiple OAuth2 provider configurations are supported too; OAUTH2_CONFIG is a list, so add one dictionary per provider.

Conclusion

We are continuously enhancing and improving pgAdmin for a better user experience. These OAuth2 enhancements were requested by users, and some community members contributed to fulfil those requests. I would like to encourage everyone to contribute to open source projects.
