Re: Using pgadmin as an OAuth2 proxy for PostgreSQL

Hi Tobias, Ron,

On Mon, 19 Dec 2022 at 16:50, Ron <ronljohnsonjr(at)gmail(dot)com> wrote:

> Why not authenticate Postgresql users directly to AD using GSSAPI?
>

Despite its name, Azure AD is not an Active Directory. It doesn't support
LDAP and Kerberos out of box.

I have done the implementation you are looking for. I need to dig into my
backups to find it. Therefore, if you are ready to cook by yourself, I'm
giving the recipe rather than the food :)

You need to have full control over the operating system that PostgreSQL
runs on. Otherwise, it won't work for you.
PostgreSQL supports PAM authentication. And, PAM supports running arbitrary
executables thanks to pam_exec module. There are many applications of Azure
AD authentication written in many programming languages. I used one[1] of
them written in Python as an example. And, I wrote a python script that
validates users' credentials. The rest is simple. I created a user group,
aad, in PostgreSQL and added developers to that user group. If they are a
member of that group, they are authenticated against Azure AD thanks to
pg_hba.conf file :) I'm adding 2 lines below as an example.

local all +aad pam
pamservice=postgresql-pam-aad
hostssl all +aad 0.0.0.0/0 pam
pamservice=postgresql-pam-aad

[1]: https://github.com/samedyildirim/openvpn-azure-ad-auth
[2]: https://www.postgresql.org/docs/15/auth-pam.html

Best regards.
Samed YILDIRIM

> On 12/19/22 07:12, Rettstadt, Tobias wrote:
>
> Hi all,
>
>
>
> our current project has the requirement that users should get read access
> to our backend databases. The users are stored in Azure AD and my first
> idea was to use OAuth2 / OIDC to authenticate the users. Since pgadmin
> provides OAuth2 authentication, is it possible to somehow map roles in the
> access token that we get from Azure AD to a Postgres user in pgadmin, so
> that the users can just log into using their Azure AD account and then get
> access to a number of databases that I have configured?
>
>
>
> I already tried the OAuth2 login in pgadmin and it’s working fine, but I
> haven’t figured out how to deploy the database credentials. I know that I
> could use a password file, but it has to be located in the storage
> directory of the user, where he could download it using the storage
> manager. Since users should not be able to access the password, we cannot
> use this. It would also be feasible if the owner of the password would have
> to enter the password on the machine of each of the users, but even if I
> select “Save password”, the password is not saved, even though master
> passwords and password saving are activated in the config.
>
>
>
> We are running the latest Docker image dpage/pgadmin4 in a Kubernetes
> cluster. The pgadmin version is 6.17.
>
>
>
> Thanks in advance for your help and best regards,
>
> Tobias
> **************************************************************** Die in
> dieser E-Mail enthaltenen Informationen sind vertraulich. Diese E-Mail ist
> ausschliesslich fuer den Adressaten bestimmt und jeglicher Zugriff durch
> andere Personen ist nicht zulaessig. Falls Sie nicht einer der genannten
> Empfaenger sind, ist jede Veroeffentlichung, Vervielfaeltigung, Verteilung
> oder sonstige in diesem Zusammenhang stehende Handlung untersagt und unter
> Umstaenden ungesetzlich. Sollte diese Nachricht nicht fuer Sie bestimmt
> sein, so bitten wir Sie, den Absender unverzueglich zu informieren und die
> E-Mail zu loeschen.
> **************************************************************** The
> information contained in this e-mail is confidential. This e-mail is
> intended solely for the addressee(s) and may not be accessed by anyone
> else. If you are not a named recipient, any disclosure, copying,
> distribution or related action is prohibited and might be unlawful. If the
> e-mail is not intended for you, please notify the sender immediately and
> delete it. ****************************************************************
>
>
> --
> Angular momentum makes the world go 'round.
>