Use Openid Connect Provider with Postgrest #2089

benfelt · 2021-06-08T08:37:05Z

benfelt
Jun 8, 2021

Hello,

I'd like to know if there is any way to use an Openid Connect provider (like this one on Gitlab) to perform authentication within Postgrest ?

As I read the docs, I understand that we can only use Auth0, because I don't see where we specify the authentication provider url.

Thanks

Answered by wolfgangwalther

Dec 16, 2021

I created an issue in the docs repo. Maybe we can find somebody to provide a how-to or something for a setup like this.

View full answer

colearendt · 2021-09-04T10:29:52Z

colearendt
Sep 4, 2021

You can definitely use other OIDC identity providers, as far as I am aware. I have seen some chatter on gitter and other issues within the postgrest community around using "keycloak" (another OIDC provider).

Basically, as far as I understand it all Postgrest needs is the authorization header mentioned here: https://postgrest.org/en/v8.0/auth.html#client-auth

Now how you get that to work with your setup is another story... my suspicion is that you would need to figure out how to get that JWT into the Authorization header yourself.

For the workflow discussed in the guide there, one way is to get users to send a request to /rpc/jwt_auth (local auth).
The discussion for how to get the JWT for Auth0 is not really discussed, but I suspect you could, for instance, have a endpoint like /rpc/auth0 that automatically redirects to the Auth0 login flow, and when the user comes back, they should have a jwt . This could be any identity provider (i.e. GitLab) though. This would likely be marshalled through the HTTP logic flow here: https://postgrest.org/en/v8.0/api.html#http-logic
You might even could use the prerequest function to intercept requests and redirect... that might be an abuse of intended behavior though
Another option would be to use a proxy in front of postgrest (documentation often talks about nginx) to intercept requests, redirect based on a certain path, etc. This is something I often use nginx or traefik (specifically, traefik-forward-auth) for.

To test how this workflow works with Postgrest, you could always pretend that the "auth workflow" already happened (by doing it somewhere else with your desired identity provider) and then send that jwt to postgrest manually with curl -i -H 'Authorization: Bearer my-jwt-gobbledygook' myserver.com:port/path

Hope that helps, even if a bit delayed 😄

0 replies

wolfgangwalther · 2021-12-16T16:42:58Z

wolfgangwalther
Dec 16, 2021
Maintainer

I created an issue in the docs repo. Maybe we can find somebody to provide a how-to or something for a setup like this.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use Openid Connect Provider with Postgrest #2089

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 2 comments

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Use Openid Connect Provider with Postgrest #2089

benfelt Jun 8, 2021

Replies: 2 comments

colearendt Sep 4, 2021

wolfgangwalther Dec 16, 2021 Maintainer

benfelt
Jun 8, 2021

colearendt
Sep 4, 2021

wolfgangwalther
Dec 16, 2021
Maintainer