Conversation
This PR reorganizes the authentication methods in Solutions, adding a folder to future-proof the authentication methods, and adds the OIDC topic.
- Add content to oidc, which includes beginner explanations for the authentication flow, why use OIDC, and standard setup from the PG side.
- Add buttons to overview, and add a lot of links to the oidc chapter for all of our sources.
- Proper installation steps: updated step 1 with readme info and removed step 2.
- Reordered TOC to put OIDC first.
- Create a snippet folder with a proper oidc authentication flow which can be modified any time to render immediately, as opposed to having an svg, using mermaid.
- Standardize the external identity providers; making a list of them is too bloaty.
dutow
left a comment
Is the oidc-auth-flow.svg still needed?
> 1. Install the `pg_oidc_validator` package.
>
> Pre-built packages are not available in the default system repositories.
I thought we include it in our distribution? My previous comment was just about PGDG packages, as I don't think we build it for PGDG in our repositories.
> Pre-built packages are not available in the default system repositories.
>
> You can download pre-built packages from the `pg_oidc_validator` project (see the project releases page):
Those are nightly builds; we shouldn't mention/recommend them in our documentation. (Also, those DO build against PGDG, not our distribution.)
> 3. Add an OAuth authentication rule to `pg_hba.conf`:
>
> ```ini
> host all all 192.168.1.0/24 oauth scope="openid",issuer=https://your-oidc-provider
> ```
Please use a custom scope in the example, not a generic one like `openid`.
> * `issuer` is the URL of the OIDC identity provider
>
> !!! important
>     PostgreSQL does not issue OIDC tokens. Clients must obtain an access token from an external identity provider before connecting.
I don't understand this sentence; of course it doesn't, because it's not an OIDC provider. But the "before connecting" part also isn't strictly true, because clients like psql handle this automatically during the connection process.
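To make the two review points concrete, here is an added example (not the PR's text and not Percona's documentation) of the server-side rule with a dedicated scope instead of the generic `openid`, together with the allow-list entry the validator library needs; the scope name, subnet, issuer URL and validator library name are assumptions.

```ini
# pg_hba.conf -- added example with placeholder values, not from the PR.
# Options are whitespace-separated name=value pairs. Requiring a scope that
# exists only for this database means a token a user obtained for some other
# application will not carry it, and the validator is expected to reject such
# tokens; the CIDR limits where bearer tokens are accepted from at all.
#
# TYPE  DATABASE  USER  ADDRESS         METHOD  OPTIONS
host    all       all   192.168.1.0/24  oauth   issuer=https://your-oidc-provider scope="postgres:connect" validator=pg_oidc_validator

# postgresql.conf -- the validator library must be allow-listed here before a
# pg_hba.conf rule may name it (library name assumed to match the package).
oauth_validator_libraries = 'pg_oidc_validator'
```

On the client side, libpq's `oauth_issuer`, `oauth_client_id` and `oauth_scope` connection keywords supply the matching values, and `require_auth=oauth` makes the client refuse to fall back to any other authentication method if no OAuth rule matches.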