
Conversation

@SangJunBak (Contributor) commented Jan 22, 2026

See commit messages for details, starting from the commit "Add password fallback for OIDC pgwire". Commits before that are being reviewed in #34690.

Will do http pgwire password authentication in a followup PR.

Checklist

  • This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
  • This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
  • If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
  • If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
  • If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.

@SangJunBak SangJunBak force-pushed the jun/add-password-auth-to-oidc branch 7 times, most recently from a8d789b to aed6472 Compare January 27, 2026 19:01
@SangJunBak SangJunBak changed the title Jun/add password auth to OIDC SQL-76 Add pgwire password authentication to OIDC authenticator Jan 28, 2026
@SangJunBak SangJunBak marked this pull request as ready for review January 28, 2026 03:40
@SangJunBak SangJunBak requested review from a team and ggevay as code owners January 28, 2026 03:40
@SangJunBak SangJunBak force-pushed the jun/add-password-auth-to-oidc branch from aed6472 to 1ccd67a Compare January 28, 2026 06:56
@SangJunBak SangJunBak requested review from a team, aljoscha and teskje as code owners January 28, 2026 06:56
We extract two methods used to authenticate HTTP and pgwire sessions out of the Frontegg authenticator:
- authenticate
- validate_access_token
The goal is that we can reuse these methods for a generic OIDC authenticator, used for self-managed SSO.
- Create an OIDC authenticator kind and a minimal set of config variables using CLI args
- Implement JWK fetch on validate and also cache by the JWK key id.
I noticed that we were doing this weird round trip of getting internal user metadata from the catalog during authentication, then passing it back when initializing the session. By just doing this on startup, we:
- Remove extraneous code
- Make it easier to create a unified interface for OIDC clients
- Introduced a new `mz-oidc-mock` package
- Implemented tests for OIDC authentication
- Add functionality to extract `oidc_auth_enabled` from startup options, allowing us to use the password authenticator in the future
Before, we were mistakenly fetching from jwks.json instead of getting it from the configuration endpoint.
…in authentication

- Updated comments to use backticks for OIDC issuer URL
- Changed password handling in oidc http/ws auth to include the username when validating access tokens.
- Simplified OIDC mock server structure by removing the base URL field
- Remove unneeded assertion on role existence
- Add aud claim
- Introduced `oidc_audience` field in OidcConfig to validate JWT's `aud` claim. This follows the spec in the design doc
- Added OIDC mock server audience claims support
- Added tests for audience validation and when we don't need to
Didn't realize we already had a shared crate!
Due to changed restrictions after a discussion with an external advisor, we decided we no longer need to implement the refresh token flow. However, this also means we no longer have the need for a shared OidcAuthenticator trait.
Before, when we had to return internal user metadata from the auth response, it meant we couldn't forget to call adapter_client.authenticate. By introducing a sentinel type, we make it harder for a developer to.

We also combine `validate_access_token` into `authenticate` for GenericOidcAuthenticator.
- Add external_metadata_rx() method to OidcAuthSessionHandle trait with default None impl
This allows us to create helper functions for anything implementing OidcAuthenticator.

- Update Authenticator::Oidc to use named fields: {oidc, password}
- Add authenticate_with_oidc_token for token-based auth (Frontegg/OIDC JWT)
- Add authenticate_with_password for password-based auth
- Enables tests to pass connection-level options like --oidc_auth_enabled
- Verifies that when oidc_auth_enabled is not set in the connection options, the OIDC authenticator falls back to password authentication.
Call stacks above the critical recursion can grow as we add code elsewhere in the system
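The commit messages above describe three mechanisms: a JWK cache keyed by key id that fetches from the provider only on a miss, validation of the token's `aud` claim only when an audience is configured, and a pgwire fallback to password authentication when the connection does not set `oidc_auth_enabled`. The following is an added example of those three pieces in Python; it is not Materialize code and does not reproduce the PR's Rust types. It assumes the OIDC token is delivered in the pgwire password field, that the connecting user must match the token's `email` claim, and, so that it runs offline with only the standard library, it stands in HS256 keys for the RSA/EC keys a real provider publishes. Every key, kid, issuer, audience and account is constructed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for an OIDC provider's JWKS. Real providers publish RSA/EC
# public keys; HS256 keys are used here only so the example runs offline with the
# standard library. All kids, keys, issuer and audience values are made up.
PROVIDER_KEYS = {"kid-2026-01": b"provider-key-one", "kid-2026-02": b"provider-key-two"}
ISSUER = "https://issuer.example.test"
AUDIENCE = "materialize"


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(kid: str, claims: dict) -> str:
    """Test helper playing the provider: sign `claims` with the key named `kid`."""
    header = b64url_encode(json.dumps({"alg": "HS256", "kid": kid}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(PROVIDER_KEYS[kid], f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


class JwksCache:
    """Keys cached by kid; the provider is consulted only on a cache miss."""

    def __init__(self, fetch):
        self.fetch = fetch  # kid -> key bytes, or None when the provider has no such key
        self.keys = {}
        self.fetches = 0    # counts provider round trips so tests can check caching

    def get(self, kid: str) -> bytes:
        if kid not in self.keys:
            self.fetches += 1
            key = self.fetch(kid)
            if key is None:
                raise ValueError(f"no key with kid {kid!r}")
            self.keys[kid] = key
        return self.keys[kid]


class OidcAuthenticator:
    def __init__(self, cache: JwksCache, issuer: str, audience, now=time.time):
        self.cache, self.issuer, self.audience, self.now = cache, issuer, audience, now

    def validate_access_token(self, token: str, user: str) -> dict:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":      # pin the algorithm; never trust the token's choice
            raise ValueError("unexpected alg")
        key = self.cache.get(header["kid"])
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            raise ValueError("bad signature")
        claims = json.loads(b64url_decode(body_b64))
        if claims.get("iss") != self.issuer:
            raise ValueError("bad iss")
        if claims.get("exp", 0) <= self.now():
            raise ValueError("token expired")
        if self.audience is not None:         # aud is enforced only when an audience is configured
            aud = claims.get("aud")
            if self.audience not in (aud if isinstance(aud, list) else [aud]):
                raise ValueError("bad aud")
        if claims.get("email") != user:       # assumption: the pgwire user is the token's email claim
            raise ValueError("token does not belong to this user")
        return claims


PASSWORD_SALT = b"constructed-salt"  # real storage uses a random salt per user


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), PASSWORD_SALT, 100_000)


def authenticate(oidc: OidcAuthenticator, password_db: dict, user: str,
                 password: str, startup_options: dict) -> str:
    """pgwire dispatch: token auth when the client sets oidc_auth_enabled, password otherwise."""
    if startup_options.get("oidc_auth_enabled") == "true":
        oidc.validate_access_token(password, user)   # assumption: the JWT travels in the password field
        return "oidc"
    stored = password_db.get(user)
    if stored is None or not hmac.compare_digest(stored, hash_password(password)):
        raise ValueError("password authentication failed")
    return "password"
```

Two points worth checking in any fetch-on-miss design of this shape: the key lookup happens before the claims are checked, so a client presenting tokens with fresh, unknown `kid` values drives one provider round trip each and needs a negative cache or a refetch cooldown; and the algorithm must be pinned server-side from the provider's configuration rather than read from the token header.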
@SangJunBak SangJunBak force-pushed the jun/add-password-auth-to-oidc branch from 1ccd67a to 0d5b665 Compare January 28, 2026 07:09